Amazon RDS for Db2 is a fully managed, high-performance solution that you can provision within minutes. An optional Multi-AZ deployment synchronously replicates data to a cold standby DB instance, providing high availability and reliability.
You can create an Amazon RDS for Db2 instance with the AWS Management Console, the AWS CLI, AWS CloudFormation, or Terraform by HashiCorp.
In this post, an AWS Managed Microsoft AD directory in one AWS account provides Microsoft AD authentication for an Amazon RDS for Db2 instance in another account.
Joining an RDS instance to a directory across accounts involves a few high-level steps: creating and sharing an AWS Managed Microsoft AD directory, setting up the networking between the accounts, and creating an RDS for Db2 instance that domain-joins the shared directory.
Sharing an AWS Managed Microsoft AD directory between AWS accounts requires the network to be set up first. You need the VPC IDs and AWS account IDs of the requester and accepter accounts, and you must identify the subnets to use when creating a peering connection between the two VPCs, which have different CIDR address ranges.
AWS offers several ways to connect two or more VPCs, such as VPC peering, AWS Transit Gateway, AWS PrivateLink, a VPN connection, AWS Direct Connect, a load balancer, or a shared VPC. Choose the method that fits your requirements.
The final steps in joining RDS across accounts are editing the DNS settings, editing the route tables of both VPCs, adding a rule to the security group, and testing connectivity between the two accounts.
To find the name of the shared directory, run the AWS CLI command 'aws ds describe-directories'; then create an IAM role named AmazonRDSDirectoryServiceRole, also through the CLI.
The same AWS Managed Microsoft AD directory can serve multiple accounts, connecting users and groups with or without Kerberos authentication.
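The directory lookup and role creation described above, as an added Python example that is not from the original post: it selects the shared directory from describe-directories output only when exactly one is in the Shared state and owned by the expected account, and defines the AmazonRDSDirectoryServiceRole trust policy scoped to the RDS service principal. The sample API response, the account IDs and the use of boto3 under __main__ (assumed installed, with credentials for the accepter account) are assumptions.

```python
"""Find the shared AWS Managed Microsoft AD in the accepter account and create
the IAM role that RDS for Db2 assumes for the domain join (added example)."""
import json

ROLE_NAME = "AmazonRDSDirectoryServiceRole"  # role name used in the post
# AWS-managed policy granting RDS the Directory Service access it needs
POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonRDSDirectoryServiceAccess"


def trust_policy() -> dict:
    """Trust policy allowing only the RDS service principal to assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "rds.amazonaws.com"},
        "Action": "sts:AssumeRole"}]}


def pick_shared_directory(describe_output: dict, owner_account: str) -> dict:
    """From 'aws ds describe-directories' output in the accepter account, return
    the single directory that is shared, accepted and owned by owner_account.
    Raises if none or several match, so a pending or foreign share is never used."""
    matches = [
        d for d in describe_output.get("DirectoryDescriptions", [])
        if d.get("Type") == "SharedMicrosoftAD"
        and d.get("ShareStatus") == "Shared"
        and d.get("OwnerDirectoryDescription", {}).get("AccountId") == owner_account
    ]
    if len(matches) != 1:
        raise ValueError(f"expected exactly one shared directory, found {len(matches)}")
    d = matches[0]
    return {"directory_id": d["DirectoryId"], "domain": d["Name"],
            "dns_ips": d["OwnerDirectoryDescription"].get("DnsIpAddrs", [])}


# Constructed sample of a describe-directories response in the accepter account.
SAMPLE = {"DirectoryDescriptions": [
    {"DirectoryId": "d-1111111111", "Name": "corp.example.com",
     "Type": "SharedMicrosoftAD", "ShareStatus": "Shared",
     "OwnerDirectoryDescription": {"AccountId": "111111111111",
                                   "DnsIpAddrs": ["10.0.1.10", "10.0.2.10"]}},
    {"DirectoryId": "d-2222222222", "Name": "stale.example.com",
     "Type": "SharedMicrosoftAD", "ShareStatus": "PendingAcceptance",
     "OwnerDirectoryDescription": {"AccountId": "111111111111",
                                   "DnsIpAddrs": ["10.0.3.10"]}}]}

if __name__ == "__main__":
    import boto3  # assumption: boto3 installed, credentials for the accepter account
    ds, iam = boto3.client("ds"), boto3.client("iam")
    target = pick_shared_directory(ds.describe_directories(), "111111111111")
    iam.create_role(RoleName=ROLE_NAME, AssumeRolePolicyDocument=json.dumps(trust_policy()))
    iam.attach_role_policy(RoleName=ROLE_NAME, PolicyArn=POLICY_ARN)
    print("domain-join target:", target)
```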
This post was authored by Vikram S Khatri, Kanda Zhang, Sumit Kumar, and Vikrant Dhir from Amazon Web Services.