Exam AWS Certified Solutions Architect - Professional SAP-C02 topic 1 question 319 discussion

I think this question is not really about Active Directory or AD Connector. A secure VPN connection is all you need in this question. The company has hardware can be used to establish an AWS S2S connection. In order to have a secure connection, the first thing you have to do is to implement a VPN connection between on-premise and target VPC. So C is the answer.

You cannot join an EC2 to On-prem AD just over the VPN. You should be having an AD connector for the same. https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/

AWS IAM Identity Center (SSO) with On-Prem AD Authentication AD Connector allows AWS services and applications to authenticate users against on-prem Active Directory. When Not to Use AD Connector ❌ If you require high availability, since AD Connector depends on a stable connection to on-prem AD. ❌ If you need Group Policy Object (GPO) support in AWS, as AD Connector does not provide this. ❌ If you need Kerberos authentication or NTLM authentication within AWS, as it only forwards authentication requests. ❌ If you require full AD domain replication, consider AWS Managed Microsoft AD instead.

On-prem AD joining via VPN is the most cost effective compared to AD connector

Once VPN connectivity is established between on-prem and AWS. RDP should be sufficient to connect. Secure Remote Desktop connectivity: The VPN provides a secure, encrypted tunnel for RDP traffic between the on-premises network and the EC2 instances in the VPC. Integration with on-premises Active Directory: By joining the EC2 instances to the existing on-premises Active Directory domain, you leverage the centralized user management that's already in place.

The requirement is to use the on-prem AD integrated with the EC2. Although with VPN, RDP can't be established but the AD sync is not possible within EC2 without AD connector. Hence the right answer is B.

Questin aks to use the existing S2S Vpn. The Site-to-Site VPN ensures secure communication between the on-premises environment and the AWS VPC without exposing the EC2 instances to the internet. I will go with C

B would be correct if we were not told that hardware for creating a VPN is available.

B This solution integrates centralized user management with the company's on-premises Active Directory, meets the requirement of secure Remote Desktop connectivity, and is cost-effective. Configuring AWS Single Sign-On (SSO) with the AD Connector allows users to access EC2 Windows instances using their existing Active Directory credentials, which eliminates the need for additional infrastructure or configuration. Using Systems Manager Fleet Manager to access the target instances through RDP provides a secure and managed way to connect to EC2 instances without requiring a Remote Desktop Gateway or a bastion host.

Solution C is the most cost-effective: Implement a VPN between the on-premises environment and the target VPC, join the EC2 instances to the on-premises Active Directory domain over the VPN, configure RDP access through the VPN, and connect from the company's network. This approach leverages existing infrastructure, requires no additional managed services, utilizes existing hardware for the VPN, and provides direct connectivity without bastion hosts, minimizing costs.

1) using AD connector, AWS cloud IAM is authenticated against the on prem AD. extra Managed AD in AWS cloud is not required. 2) A cost effective, secure remote desktop setup is achieved with a fleet manager, accessed via console by IAM identity centre login against the on prem AD. Saving the cost of bastion host , vpn gateway or rdp gateway.

just c

I do not see any reasons why C would not work. And it is simpler than B.

C is the cheapest option

For me it's C. No need to Managed AD Connector. We have already a VPN, so we can leverage to spend less.

B for me

Ans C. If the VPC and the on-prem network are connected, there is no need for AD Connector, it works like any other interconnected networks. The EC2s must have DNS resolution, usually those will be the AD domain controllers (which in this case are located on prem).