Workspaces deployment in multi account - Control Tower


I am helping a customer with their Workspaces deployment. The customer has AWS Control Tower, with an account for networking (where AD will be deployed) and one for Workspaces. I am running through the setup now and I can’t seem to get AD to register.

I created 4 subnets (2 private, 2 public) in the Workspaces account which I shared (using RAM) to the Network account. I set up managed AD on the Network account and selected the 2 private subnets that were shared from the Workspace account (each subnet is in a different AZ). I also shared managed AD with the Workspace account and set up VPC peering.

The last step prior to deploying Workspaces is to Register the AD directory, which requires two subnets in different AZs. When attempting to do so, the only subnets displayed on the register window are a private and public subnet which are in the same AZ.

Additionally, when I attempt to launch a Workspace in the Workspace account it does not recognize the shared AD, instead it prompts to create a new directory.

Questions: Are there any concerns with the architecture approach I have taken so far? How do I bypass/fix the issue I am facing with Registration of AD? I checked that the shared VPC has all 4 subnets (a private and public in one az, and another set of private and public subnet in a separate AZ).

1 answer

Accepted answer

Are there any concerns with the architecture approach I have taken so far?

You cannot use WorkSpaces with a shared VPC or a shared Managed AD.

How do I bypass/fix the issue I am facing with Registration of AD?

In order to make this work for your setup, you need to set up AD Connector for WorkSpaces. This will require you to enable traffic routing to the AWS account/VPC where the Managed AD is deployed. You can achieve this with VPC Peering or Transit Gateway.

When attempting to do so, the only subnets displayed on the register window are a private and public subnet which are in the same AZ.

Amazon WorkSpaces is not supported in all available AZs in certain regions. In US-EAST-1, the only AZs supported by Amazon WorkSpaces are use1-az2, use1-az4, and use1-az6. You can find this AZ mapping in RAM for the account.

AWS
Expert
Dzung_N
answered 4 years ago
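The AZ-ID point in the answer is the one most people get wrong: the AZ name (us-east-1a) maps to a different AZ ID (use1-azN) in every account, and only the AZ ID tells you whether WorkSpaces can use the subnet. The script below is an added example, not code from the original post; it shows the check a practitioner would run before clicking Register. It assumes the subnet list is the JSON returned by `aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id>` (AZ IDs are also visible via `aws ec2 describe-availability-zones`, field ZoneId, and in the RAM console), and it takes the three supported AZ IDs for us-east-1 from the answer above; that list is an assumption to verify against current AWS documentation before relying on it. The sample `describe-subnets` output is constructed inline to mirror the question: four subnets, two per AZ, with the second AZ landing on an unsupported AZ ID.

```python
"""Check which subnets in a VPC are eligible for WorkSpaces directory registration.

Added example, not part of the original re:Post thread. Assumes input shaped
like `aws ec2 describe-subnets` JSON and that the WorkSpaces-capable AZ IDs in
us-east-1 are the three named in the answer (verify against current AWS docs).
"""
import json

# AZ IDs the answer lists as WorkSpaces-capable in us-east-1 (assumption: verify).
WORKSPACES_AZ_IDS_US_EAST_1 = frozenset({"use1-az2", "use1-az4", "use1-az6"})


def sample_describe_subnets(second_az_id):
    """Constructed stand-in for `aws ec2 describe-subnets` output.

    Four subnets across two AZ names, as in the question. The first pair sits in
    use1-az2 (supported); the AZ ID of the second pair is a parameter so the
    same sample can show both the failing and the fixed layout. Subnet IDs and
    CIDRs are made up.
    """
    return json.dumps({"Subnets": [
        {"SubnetId": "subnet-0a1", "AvailabilityZone": "us-east-1a",
         "AvailabilityZoneId": "use1-az2", "CidrBlock": "10.0.0.0/24"},
        {"SubnetId": "subnet-0a2", "AvailabilityZone": "us-east-1a",
         "AvailabilityZoneId": "use1-az2", "CidrBlock": "10.0.1.0/24"},
        {"SubnetId": "subnet-0b1", "AvailabilityZone": "us-east-1b",
         "AvailabilityZoneId": second_az_id, "CidrBlock": "10.0.2.0/24"},
        {"SubnetId": "subnet-0b2", "AvailabilityZone": "us-east-1b",
         "AvailabilityZoneId": second_az_id, "CidrBlock": "10.0.3.0/24"},
    ]})


def eligible_subnets(describe_subnets_json, supported_az_ids):
    """Group subnet IDs by AZ ID, keeping only WorkSpaces-capable AZ IDs.

    The filter deliberately uses AvailabilityZoneId, never AvailabilityZone:
    the name-to-ID mapping differs per account, so a name-based check in the
    WorkSpaces account says nothing about the sharing account's view.
    """
    by_az = {}
    for subnet in json.loads(describe_subnets_json)["Subnets"]:
        az_id = subnet["AvailabilityZoneId"]
        if az_id in supported_az_ids:
            by_az.setdefault(az_id, []).append(subnet["SubnetId"])
    return by_az


def registration_pair(describe_subnets_json, supported_az_ids):
    """Return (subnet_a, subnet_b) in two different supported AZ IDs, or None.

    None reproduces the symptom in the question: every eligible subnet shares
    one AZ ID, so the Register dialog cannot offer a second AZ.
    """
    by_az = eligible_subnets(describe_subnets_json, supported_az_ids)
    az_ids = sorted(by_az)
    if len(az_ids) < 2:
        return None
    return (by_az[az_ids[0]][0], by_az[az_ids[1]][0])


def missing_azs(describe_subnets_json, supported_az_ids):
    """Supported AZ IDs that have no subnet yet: where to create the second subnet."""
    by_az = eligible_subnets(describe_subnets_json, supported_az_ids)
    return sorted(set(supported_az_ids) - set(by_az))


if __name__ == "__main__":
    for label, az in (("as in the question", "use1-az1"),
                      ("after moving the second pair", "use1-az4")):
        data = sample_describe_subnets(az)
        print(f"{label}: pair={registration_pair(data, WORKSPACES_AZ_IDS_US_EAST_1)}"
              f" missing={missing_azs(data, WORKSPACES_AZ_IDS_US_EAST_1)}")
```

Run it against real `describe-subnets` output from the account that will call Register (the shared VPC's subnets appear there with their AZ IDs) and, if `registration_pair` returns None, create a subnet in one of the AZ IDs that `missing_azs` reports rather than in another AZ name.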
