AWS Active Directory: Cannot access from another VPC

Question

I've setup an Active Directory service in AWS in 2 private subnets in a VPC.

I have another VPC in the same account that I want to be able to access the AD from. However for some reason it just isn't accessible from anywhere outside it's own VPC.

I've setup peering between the VPC's, and confirmed that EC2 instances in the VPC's can communicate.

Is there something particular to Active Directory that prevents it from being reached from outside it's own VPC? I can't see any other configuration I can make to fix this. I've confirmed the routing tables, ACL's etc. are all correct.

Any help would be greatly appreciated.

Answer 1

I found the issue. It was quite non-intuitive.

When the Active Directory is created, AWS automatically creates an associated security group.

The SG was called "d-9462#####_controllers" and had the description "AWS created security group for d-9462##### directory controllers". (d-9462##### being the ID for the directory)

What makes it counter-intuitive is that this SG is not displayed anywhere (as far as I can tell) within the Directory Services console. You would have to know that it existed, and know to search for it within the VPC security groups.

By default this SG grants access only to the VPC in which the Directory resides.

To fix the issue you need to explicitly grant access to whatever other VPC's you need.

Answer 2

Following your answer I was able establish a ping to AD from an instance of another VPC.

Using the following AWS doc: One VPC Peered to Specific Subnets in Two VPCs

However, I still have one problem and that is I cannot ping the AD using the directory name but can when I use one of the IP addresses.

I wonder if you had to deal with that as well?