Amazon VGT2 Las Vegas: Leveraging Amazon RDS for SQL Server in a Hybrid Cloud Setup


As enterprises adopt cloud database solutions, a frequent strategy is to transition database workloads to the cloud first while gradually migrating other applications in phases. This article explores various scenarios and configurations for accessing an Amazon Relational Database Service (Amazon RDS) for SQL Server database instance from on-premises or hybrid environments.

Fundamental AWS Infrastructure Components

Before delving into hybrid data center configurations, let’s familiarize ourselves with some key components referenced throughout this article:

  • Amazon VPC: Amazon Virtual Private Cloud (Amazon VPC) allows you to deploy AWS resources in a logically isolated virtual network that you define. You maintain full control over your virtual networking settings, including IP address ranges, subnets, and route tables. You can use both IPv4 and IPv6 to reach resources and applications in the VPC.
  • Subnet: A subnet segments IP address space into logical subdivisions. A VPC encompasses all Availability Zones within a Region, and after creating a VPC, you can add one or more subnets in each of these zones.
  • VPN: A VPN, or virtual private network, establishes an encrypted connection over the internet between networks or devices.
  • AWS Direct Connect: This service provides an alternative method to connect to AWS Cloud services without using the internet, ensuring low latency, security, and privacy for workloads that require faster connectivity.

Use Case 1: Implementing a Site-to-Site VPN

Let’s start with the simplest method to connect your data center to AWS: a secure VPN connection over the internet. In this setup, you establish a VPC within your AWS account, defining a range of IP addresses and creating subnets, both private and public, with the RDS database instance located in a private subnet. Resources in a private subnet do not receive publicly routable IP addresses.

You can utilize the Site-to-Site VPN connection to link your data center to the VPC, requiring a physical device or software application in your data center that serves as the customer gateway. You would then configure a virtual private gateway on the AWS end. For detailed guidance on configuring individual components, refer to the article on how AWS Site-to-Site VPN operates. The accompanying diagram illustrates a basic setup featuring a single VPC.

If your enterprise operates multiple VPCs, you can use AWS Transit Gateway as a central hub to interconnect these VPCs and on-premises networks. Ensure that IP address ranges between the VPCs and the on-premises network do not overlap.

For organizations with multiple data centers needing AWS connectivity, you can route traffic from various remote locations to your AWS VPCs using a virtual private gateway or transit gateway. An alternative configuration involves utilizing the AWS VPN CloudHub, enabling secure communication between multiple AWS Site-to-Site VPN connections and facilitating inter-site communication.
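The requirement that on-premises and VPC ranges not overlap, that the RDS subnets are genuinely private, and that the private route table actually points the on-premises range at the virtual private gateway or transit gateway are all things worth checking before the tunnels come up. The following script is an added example, not code from the original article or from AWS; all CIDR ranges, subnet names, and the `vgw-`/`igw-` identifiers are constructed placeholders, and the route tables are a simplified destination-to-target mapping rather than the EC2 API shape.

```python
"""Pre-flight checks for the address plan behind a Site-to-Site VPN / Transit Gateway design.

All data below is constructed for illustration; it is not part of the original
article and the resource ids are placeholders.
"""
import ipaddress
from itertools import combinations

# Constructed sample plan: the on-premises range plus two VPCs.
ON_PREM = {"dc-las-vegas": "192.168.0.0/16"}
VPCS = {"vpc-app": "10.10.0.0/16", "vpc-shared": "10.20.0.0/16"}

# Constructed subnet layout for vpc-app; the RDS subnet group spans the two db-private subnets.
SUBNETS = {
    "db-private-a": "10.10.1.0/24",
    "db-private-b": "10.10.2.0/24",
    "web-public-a": "10.10.100.0/24",
}

# Constructed route tables: destination CIDR -> target (placeholder ids).
ROUTE_TABLES = {
    "db-private-a": {"10.10.0.0/16": "local", "192.168.0.0/16": "vgw-0123456789abcdef0"},
    "web-public-a": {"10.10.0.0/16": "local", "0.0.0.0/0": "igw-0123456789abcdef0"},
}


def find_overlaps(named_cidrs):
    """Return (name_a, name_b) for every pair of ranges that overlap.

    Works across the whole plan, so it also catches two VPCs behind the same
    transit gateway colliding with each other, not only VPC-versus-on-prem.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in named_cidrs.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])]


def subnets_outside_vpc(vpc_cidr, subnets):
    """Names of subnets whose CIDR does not sit inside the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [name for name, cidr in subnets.items() if not ipaddress.ip_network(cidr).subnet_of(vpc)]


def is_private_subnet(route_table):
    """A subnet is private when none of its routes lead to an internet gateway."""
    return not any(target.startswith("igw-") for target in route_table.values())


def reachable_from_onprem(route_table, on_prem_cidr):
    """True when a vgw-/tgw- route covers the whole on-premises range.

    Without such a route, return traffic from the database subnet never reaches
    the customer gateway even though the tunnel itself is up.
    """
    on_prem = ipaddress.ip_network(on_prem_cidr)
    for dest, target in route_table.items():
        if target.startswith(("vgw-", "tgw-")) and on_prem.subnet_of(ipaddress.ip_network(dest)):
            return True
    return False


def plan_findings(on_prem, vpcs, vpc_cidr, subnets, route_tables, db_subnets):
    """Collect human-readable findings for the whole plan; empty list means clean."""
    findings = []
    for a, b in find_overlaps({**on_prem, **vpcs}):
        findings.append(f"address overlap between {a} and {b}")
    for name in subnets_outside_vpc(vpc_cidr, subnets):
        findings.append(f"subnet {name} is outside the VPC CIDR {vpc_cidr}")
    for name in db_subnets:
        table = route_tables.get(name, {})
        if not is_private_subnet(table):
            findings.append(f"database subnet {name} has a route to an internet gateway")
        for cidr in on_prem.values():
            if not reachable_from_onprem(table, cidr):
                findings.append(f"database subnet {name} has no vgw/tgw route covering {cidr}")
    return findings


if __name__ == "__main__":
    for line in plan_findings(ON_PREM, VPCS, VPCS["vpc-app"], SUBNETS, ROUTE_TABLES, ["db-private-a"]):
        print("FINDING:", line)
```

Run it against an exported plan before cutting over; the same checks apply unchanged to the Transit Gateway and VPN CloudHub variants, since every attached VPC and every remote site ends up in the same `named_cidrs` dictionary.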

Use Case 2: Employing AWS Direct Connect

While Site-to-Site VPN connectivity is a straightforward approach to connect your data center to AWS, increased resource usage may lead to bandwidth limitations, with a maximum of 1.25 Gbps per VPN tunnel. To address this bottleneck, AWS Direct Connect offers a robust solution for establishing a secure, high-bandwidth connection between your data center and AWS.

AWS Direct Connect allows you to link your data center network to an AWS Direct Connect location via standard Ethernet fiber-optic cables, thus bypassing the internet entirely. You can provision two types of connection: Dedicated connections (1 Gbps or 10 Gbps) and Hosted connections (sub-1 Gbps up to 1 Gbps, or sub-10 Gbps up to 10 Gbps).

Additionally, AWS Direct Connect enables three types of virtual interfaces: Public virtual interfaces for direct access to public AWS services, Private virtual interfaces for direct access to your AWS VPC, and Transit virtual interfaces for interconnecting multiple VPCs from your data center.

After establishing the AWS Direct Connect connection, applications in your data center can access RDS databases via the RDS DB endpoints. For more extensive guidance on AWS Direct Connect, see the AWS Direct Connect User Guide.

Use Case 3: Connecting Other Cloud Providers and Hosting Services

In some cases, you may need to establish connections between AWS and other cloud providers or hosting services. This can be managed similarly to the previously discussed VPN scenario. The AWS components and VPN remain unchanged, but you will set up the customer gateway with the vendor cloud provider or hosting location.

Extending On-Premises Microsoft Active Directory and Kerberos Authentication to the Cloud

A prevalent use case involves extending Microsoft Active Directory (AD) authentication to the cloud, allowing on-premises users to authenticate with managed RDS DB instances using their AD credentials. To accomplish this, you must utilize AWS Directory Service for Microsoft Active Directory and establish a trust relationship with your on-premises AD, enabling authentication requests to be forwarded. Authentication requests made to an RDS DB instance joined to the trusting domain will be redirected to the domain directory created with AWS Directory Service.

A trust can be established in either direction (one-way or two-way), and AWS Managed Microsoft AD supports both.
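Once the trust is in place, the application side of the setup is the connection string: it must use integrated (Kerberos) authentication rather than an embedded SQL login, and it must name the RDS endpoint by its DNS name, because a Kerberos client derives the service principal name from the host it was given and an IP address does not yield a usable SPN. The following is an added example, not code from the original article or from AWS; the `kerberos_connection_string` and `lint_connection_string` helpers are hypothetical, the endpoint hostname is a constructed placeholder, and the lint targets ODBC-style `key=value;` strings as used with `pyodbc`.

```python
"""Build and lint SQL Server connection strings for an AD-joined RDS instance.

Added example with constructed values; not part of the original article.
Assumes ODBC-style "key=value;" connection strings (e.g. for pyodbc).
"""
import ipaddress

# Constructed placeholder endpoint; a real RDS endpoint follows the same shape.
EXAMPLE_ENDPOINT = "mydb.abcdefghijkl.us-west-2.rds.amazonaws.com"


def kerberos_connection_string(endpoint, database, port=1433,
                               driver="ODBC Driver 18 for SQL Server"):
    """Connection string that relies on the caller's AD ticket, not a stored password."""
    return (
        f"Driver={{{driver}}};Server=tcp:{endpoint},{port};Database={database};"
        "Trusted_Connection=yes;Encrypt=yes;"
    )


def _parse(conn_str):
    """Split 'k=v;k=v' into a dict with lower-cased keys (ODBC keys are case-insensitive)."""
    parsed = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            parsed[key.strip().lower()] = value.strip()
    return parsed


def lint_connection_string(conn_str):
    """Return a list of findings; an empty list means the string is acceptable."""
    kv = _parse(conn_str)
    findings = []

    # A SQL login in configuration defeats the point of extending AD to the cloud.
    if any(k in kv for k in ("uid", "user id", "pwd", "password")):
        findings.append("embedded SQL login: use integrated (AD) authentication instead")

    if kv.get("trusted_connection", "").lower() not in ("yes", "true"):
        findings.append("Trusted_Connection is not 'yes': Kerberos authentication will not be used")

    # Strip the optional 'tcp:' prefix, the ',port' suffix and any '\instance' part.
    host = kv.get("server", "").split(",")[0].split("\\")[0]
    if host.lower().startswith("tcp:"):
        host = host[4:]
    try:
        ipaddress.ip_address(host)
        findings.append("Server is an IP address: Kerberos needs the RDS endpoint DNS name to form the SPN")
    except ValueError:
        pass  # a hostname, which is what we want

    if kv.get("encrypt", "").lower() not in ("yes", "true", "mandatory", "strict"):
        findings.append("Encrypt is not enabled: traffic to the endpoint is not protected at the SQL layer")

    return findings


def connect(conn_str):
    """Open the connection; pyodbc is imported lazily so the lint runs without a driver installed."""
    import pyodbc  # requires the ODBC driver named in the connection string
    if lint_connection_string(conn_str):
        raise ValueError("connection string failed lint: " + "; ".join(lint_connection_string(conn_str)))
    return pyodbc.connect(conn_str)


if __name__ == "__main__":
    good = kerberos_connection_string(EXAMPLE_ENDPOINT, "Orders")
    print(good, lint_connection_string(good))
```

The client still needs to be able to resolve the RDS endpoint through the trust path (the on-premises DNS forwarding to the AWS Managed Microsoft AD zone, or vice versa); the lint cannot check that, but it catches the configuration mistakes that most often show up as a silent fallback to a failing login.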


