Microsoft Workloads on AWS

Accelerate Remote Desktop Gateway deployments with AWS Launch Wizard

Introduction

In this blog post, I am going to show you how easy it is to deploy a secure infrastructure to manage your Amazon Elastic Compute Cloud (Amazon EC2) instances for Microsoft Windows Server through the automation provided by AWS Launch Wizard.

AWS Launch Wizard offers a guided way of sizing, configuring, and deploying AWS resources for third-party enterprise applications such as Microsoft SQL Server Always on Clusters, Active Directory, Remote Desktop Gateway, Microsoft Exchange Server, Internet Information Server (IIS), and HANA-based SAP systems. It does this all without the need to manually identify and provision individual AWS resources.

In this blog post, I will walk you through the steps required to deploy a highly available Remote Desktop Gateway (RDGW) farm according to architectural best practices using AWS Launch Wizard. You can use this highly available farm to securely connect to and manage your Amazon Elastic Compute Cloud (Amazon EC2) for Microsoft Windows Server instances through Remote Desktop Protocol (RDP) connections. You can find more information in the AWS Launch Wizard for Remote Desktop Gateway user guide.

Technical background

The purpose of the Remote Desktop Gateway (RDGW) component is to encapsulate and proxy the Remote Desktop stream between the RDP client and the target server, so that individual servers do not need to be exposed to the client. See Figures 1 and 2. You can find more information in the Remote Desktop Services – Access from anywhere documentation.

Figure 1: RDP traffic flow without an RD Gateway

Figure 2: RDP traffic flow with an RD Gateway proxying the traffic

Remote Desktop Gateway enhances remote desktop secure access by:

  • Masking resources behind it so that the only resource that needs to be exposed for Remote Desktop access is the Gateway and not the individual target server.
  • Using standard, well-understood transport security between the client and the RD Gateway: TLS over TCP 443 and DTLS over UDP 3391 by default, with both ports configurable.
  • Providing optional Multi-Factor Authentication (MFA). RD Gateway can be integrated with MFA solutions using the RADIUS protocol.
  • Providing granular access control policies through Client Authorization Policies (CAPs) and Resource Authorization Policies (RAPs).
  • Security auditing. Administrators can track and log user activity on the RD Gateway server, including the time of the connection, the username, and the IP address of the client device.
  • Scaling through integration with third-party load balancers, including AWS load balancing services.

Solution overview

AWS Launch Wizard for RD Gateway provides a console experience to guide you through the deployment, configuration, and sizing of Windows Server running RD Gateway on AWS, adhering to the AWS Well-Architected Framework. Alongside the focus on ease of use, Launch Wizard deployments follow best practices for high availability, fault tolerance, and security, resulting in a fully functional, production-ready RD Gateway deployment.

Launch Wizard for Remote Desktop Gateway deployments currently supports two template models, based on the Remote Desktop Gateway on the AWS Cloud Quick Start Reference Deployment:

  • Deploying into a new Amazon Virtual Private Cloud (VPC): This model builds out all necessary AWS infrastructure in order to provision RD GW resources.
  • Deploying into an existing Amazon VPC: This model uses your existing networking infrastructure to only provision RD GW resources.

Both deployment options include Amazon EC2 instances in an Amazon EC2 Auto Scaling group. If more than one instance is deployed, then these instances are deployed in separate subnets across two Availability Zones for high availability. This infrastructure provides a foundation to securely administer any Microsoft Windows-based solution, allowing you to easily architect and expand your environment as your business scales.

The automations in the solution are provided by AWS Systems Manager, AWS CloudFormation, and Windows PowerShell. Figure 3 shows the solution deployed by Launch Wizard.

Figure 3: Architecture diagram of AWS Services deployed through RD Gateway Launch Wizard

In this tutorial, I will use the first deployment scenario: launching into a new VPC.

AWS Launch Wizard for RD Gateway

Prerequisite

You need to have a certificate generated for the farm name. Instructions can be found in the “How to generate TLS certificates for a highly available Remote Desktop Gateway Farm” blog post.

Step 1: Select the application and deployment type

To get started with an RD Gateway deployment, open the Launch Wizard console, make sure you have selected the AWS Region of your choice, and then select the Choose application button (Figure 4).

Figure 4: Start of the Launch Wizard

Select the Remote Desktop Gateway option from the Available workloads drop down menu, followed by the Deploy into a new VPC choice for Deployment Types, and finally, choose Create deployment, as shown in Figure 5:

Figure 5: solution selection

Step 2: Review and ensure your IAM permissions are sufficient to deploy the workload

The permissions review page will open (as shown in Figure 6) as the first step in the deployment configuration wizard. Here you can check that your current user role has sufficient AWS Identity and Access Management (IAM) permissions for this deployment (each Launch Wizard workload may require different permissions). Choose Next.

Figure 6: IAM

Step 3: Configure application settings

The Configure application settings step as shown in Figure 7 allows you to configure all features of this workload, including General settings, Network configuration, and Microsoft Remote Desktop Gateway Configuration.

General settings

  1. Enter a custom Deployment name for your environment.
  2. Select an existing or create a new Amazon Simple Notification Service (SNS) topic Amazon Resource Name (ARN) to receive notifications of application state changes, if desired.
  3. By default, if a deployment fails any provisioned resources will be deleted. You can change this behavior by selecting the checkbox in the Deactivate rollback on the failed deployment section.
  4. Add any custom tags for deployment resources in the Tags section. Launch Wizard also adds tags of its own that let you determine which resource belongs to which Launch Wizard deployment.
  5. Optionally, you can set CloudWatch Application Insight monitoring to have better visibility into the workload performance.

Figure 7: General Settings

Network configuration

  1. As shown in Figure 8, select an existing key pair or create a new one for Key Pair name; it is used to securely access the Amazon EC2 instances that are deployed. This key pair is what you use to decrypt the password of the built-in “Administrator” account on each deployed instance.
  2. Select the Availability Zones (AZ) you’d like to use for this deployment. Choose two from the list of Availability Zones available in your Region. This will tell the Launch Wizard to create one Virtual Private Cloud (VPC) instance in your Region with one public subnet and one private subnet in each AZ, resulting in four total subnets.
  3. Leave VPC tenancy as default.
  4. Enter the VPC CIDR block, followed by all CIDR ranges for the private and public subnets. The default selections allow these entries to be skipped if you prefer an even quicker deployment.
  5. For Allowed Remote Desktop Gateway external access, enter the CIDR IP range that is permitted to access the RD Gateway instances. If you are unsure of which range to use, you can identify your public IP address, and add ‘/32’ to the end. For example, 127.0.0.1/32. To allow connecting to your gateways from anywhere on the internet, use 0.0.0.0/0.
    NOTE: This IP will be put in the Security Group (SG) that will be attached to your instances and Load Balancer later, exposing relevant ports to that IP range. You should avoid using 0.0.0.0/0 if you don’t require it.
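The range you enter here ends up as inbound rules in the security group. As an added example that is not part of the original post, the check below reads a security group in the shape returned by `aws ec2 describe-security-groups` and flags any inbound rule that reaches an RD Gateway port (TCP 443 or UDP 3391) from a source wider than the administrative range you entered. The sample group, its ID and its address ranges are constructed placeholders.

```python
import ipaddress

# RD Gateway listener ports from this post: TLS over TCP 443, DTLS over UDP 3391.
RDGW_PORTS = (("tcp", 443), ("udp", 3391))


def rule_covers(perm, proto, port):
    """True if one IpPermissions entry admits traffic on this protocol and port."""
    ip_proto = perm.get("IpProtocol")
    if ip_proto == "-1":  # "All traffic" rule: every protocol and every port
        return True
    if ip_proto != proto:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_overly_broad_rules(sg, allowed_cidr):
    """Return (proto, port, cidr) for inbound rules that reach an RD Gateway port
    from a source that is not contained in the allowed administrative range."""
    allowed = ipaddress.ip_network(allowed_cidr, strict=False)
    findings = []
    for perm in sg.get("IpPermissions", []):
        for proto, port in RDGW_PORTS:
            if not rule_covers(perm, proto, port):
                continue
            for rng in perm.get("IpRanges", []):
                src = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if not src.subnet_of(allowed):
                    findings.append((proto, port, rng["CidrIp"]))
    return findings


# Constructed sample in the shape of `aws ec2 describe-security-groups` output;
# the group ID and address ranges are placeholders, not a real deployment.
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},      # inside the admin range
        {"IpProtocol": "udp", "FromPort": 3391, "ToPort": 3391,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # open to the whole internet
        {"IpProtocol": "-1",
         "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},      # all traffic, wrong range
    ],
}

if __name__ == "__main__":
    for proto, port, cidr in find_overly_broad_rules(SAMPLE_SG, "203.0.113.0/24"):
        print(f"{proto}/{port} reachable from {cidr}: wider than the allowed admin range")
```

Run it against the real group by loading the JSON that `aws ec2 describe-security-groups --group-ids <id>` returns and passing each entry of `SecurityGroups`.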

Figure 8: Networking

Microsoft Remote Desktop Gateway configuration (Figure 9)

  1. For Number of Remote Desktop Gateway hosts, choose the number of Amazon EC2 instances you want deployed. Choosing two or more causes the Auto Scaling group to deploy matching instances across the Availability Zones you selected above, giving you a highly available farm. The maximum number of selectable instances is 4.
  2. For Admin User Name, type a name for a local administrator account that will be created on every Amazon EC2 node of this deployment. This is a second local user with administrative permissions, in addition to the built-in Administrator account. You can use either the “Administrator” account or the account you define here to access each individual node.
  3. For Admin Password, define a strong password for the admin account you just named. The password requirements are shown between the field’s title and the field itself. Unlike the built-in “Administrator” password, which is unique on each node and must be decrypted with the key pair you selected earlier, this password is the same on every node in the farm.

Figure 9: Gateway Settings

Step 4: Configure the infrastructure settings to select the instance types used in the deployment

Once you have finished configuring the application settings, choose Next (Figure 10). The following page prompts you to select the instance type used for each Amazon EC2 resource included in the deployment.

The Launch Wizard provides you with two options to select the instance type:

  • Based on Infrastructure suggestion: Instance types are suggested based on the specifications provided in the related dropdowns for vCPU count, network performance, and memory. You can customize each individual specification by clicking on its dropdown button and selecting a different baseline value to update the recommended instance type.
  • Based on Static values: You can manually select the instance types from a predefined list of values representing the offerings available for this deployment.

Figure 10: Size Selection

Depending on the number of instances and the type chosen (either statically or through suggestion), you will see an estimated cost of the Amazon EC2 instances. Click Next.

Step 5: Review post-deployment steps

For each application offered by Launch Wizard, there may be additional actions or configuration needed to complete the deployment. You can click on the Learn more link provided in the wizard to review any recommended post-deployment steps.

NOTE: As discussed in the Prerequisite section, you need to update the RD Gateway certificate once the deployment is complete.

Click Next (Figure 11).

Figure 11: Post-deploy

Step 6: Review and deploy

This page (Figure 12) provides a consolidated view of all configuration details entered to this point. You can review each section to determine whether any updates need to be made.

Figure 12: Review

If the settings are correct, select Deploy (Figure 13). The Launch Wizard will begin the deployment, requiring no further action until completion.

Figure 13: Deploy Banner

Although the banner on top of the Launch Wizard says “It may take up to 2 hours to complete,” it usually takes less than 30 minutes, depending on the options configured. While waiting, you can monitor the progress of the deployment from different panes, such as the Launch Wizard console itself or the CloudFormation console (Figures 14 and 15).

Figure 14: Deployment Progress, Launch Wizard Console

Figure 15: Deployment Progress, CloudFormation Console

You can select any of the related stacks and review the details of the deployment by selecting the Events tab (Figure 16).

Figure 16: Deployment Progress, CloudFormation Events

Once the deployment completes successfully, the Launch Wizard console will display a status of Completed (Figure 17).

Figure 17: Deployment Done.

You can highlight the deployment, click Action and then click View Resource Group with SSM to see a list of all resources deployed as part of this Launch Wizard Deployment (Figures 18 and 19):

Figure 18: Deployment List

Figure 19: Deployment Result.

As you can see in the previous screenshot, the Launch Wizard has tagged all of these resources with a LaunchWizardResourceGroupID tag and a value. You can find the value in the location highlighted above, and you can use it in any console to determine which resources were created as part of this Launch Wizard deployment. The resources carry other tags as well, depending on their function and dependencies. I encourage you to examine these resources and see what tags are there.

Step 7: Post-deployment RD Gateway certificate configuration

As mentioned in the Prerequisite section, you need to install a certificate on each RD Gateway node to support a secure connection to the load-balanced name of the deployment. You will need the public DNS name of your load balancer to create a CNAME for it in your own DNS domain. The quickest way to find this value is to use the Resource Group window from the previous step, locate the resource of type “Load Balancer”, and click on it. This takes you to the Amazon EC2 Load Balancer console, where you can copy the DNS name, as Figures 20 and 21 show:

Figure 20: Resource list

Figure 21: Load Balancer DNS name

Cleanup

When you have completed your testing, follow these steps to clean up the resources you created in this tutorial to avoid incurring unintended charges.

  1. Navigate to AWS Launch Wizard, choose Deployments, and then choose Remote Desktop Gateway.
  2. In the list of Deployments, select your deployment name and choose Delete. Confirm when prompted by typing delete (Figure 22).
     Figure 22: Deletion confirmation
  3. Refresh the webpage in your browser and check the ‘Provisioning status.’ Initially, you should see it update to ‘Delete in Progress.’ Once all resources have been removed, the status will then update to ‘Deleted.’

Conclusion

In this blog post, I showed you how to use the AWS Launch Wizard for Remote Desktop Services Gateway to quickly deploy a highly available RD Gateway deployment, ready for production once the post-deployment configuration is done. You can continue building on top of all existing resources to define your environment to your standard since the infrastructure follows AWS best practices.

To learn more about other available Launch Wizard enterprise application deployments, see the AWS Launch Wizard Documentation. For best practices running Windows on AWS, please review the Best practices for Windows on Amazon EC2 documentation.
