
Can you replicate Active Directory from a Corporate Intranet to an AWS VPC where there is an outbound-only link?

Submitted by: @import:stackexchange-devops

Problem

In our work environment we have a standard Corporate Intranet with Active Directory.

We've been granted limited access to an AWS VPC. Our connection allows outbound (from the Intranet to the VPC) but not inbound.

That is, if we run a webserver in the AWS VPC, then a client in the Corporate Intranet can connect and browse to it. But a client in the AWS VPC cannot connect to a webserver in the Corporate Intranet. Note that this 'outbound connections only' principle applies to all ports, not just HTTP port 80.

An associate has suggested we need to replicate our Active Directory down to the AWS VPC AD. I think it is not possible to do a one-way replication.

My question is: Can you replicate Active Directory from a Corporate Intranet to an AWS VPC where there is an outbound-only link?

Solution

Yes, you just need a Read-Only Domain Controller (search for RODC) in the VPC and you'll be able to have one-way replication, as the read-only controller won't need to send data back.

This brings limitations for clients in the VPC: as they won't be able to reach a writable DC, they can't change passwords, and you'll need a careful site architecture in your forest.
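The site architecture the answer mentions, worked through as an added example that is not part of the original answer: it pre-stages a dedicated AD site and subnet for the VPC (so the DC locator sends VPC clients to the RODC rather than to a corporate DC they cannot reach), pre-creates the RODC account from the corporate side with a delegated admin, restricts the Password Replication Policy, and then verifies that the RODC has inbound replication partners only. All names (corp.example.com, AWS-VPC, 10.50.0.0/16, AWSRODC01, DC01, RODC-Admins, AWS-VPC-Users) are assumptions for illustration. One caveat a practitioner should check before relying on this design: AD replication is pull-based, so although data only flows towards the RODC, the RODC itself initiates the RPC, LDAP and Kerberos connections to its replication source; the example assumes the RODC in the VPC has such a path to a writable DC.

```powershell
# Added example (not code from the original answer): pre-stage a VPC site and an
# RODC, then confirm the RODC replicates inbound only.
# Assumed names: corp.example.com, AWS-VPC, 10.50.0.0/16, AWSRODC01, DC01,
# RODC-Admins, AWS-VPC-Users. Run on a writable DC (ADDSDeployment is present
# where the AD DS role is installed) as a Domain Admin.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

$Domain   = 'corp.example.com'
$Site     = 'AWS-VPC'
$Subnet   = '10.50.0.0/16'     # assumed VPC CIDR
$Rodc     = 'AWSRODC01'
$SourceDc = 'DC01'             # writable DC the RODC will pull from

# 1. Site topology: a site of its own makes VPC clients prefer the RODC, and a
#    site link lets the KCC build the inter-site connection object for it.
New-ADReplicationSite -Name $Site
New-ADReplicationSubnet -Name $Subnet -Site $Site
New-ADReplicationSiteLink -Name 'Corp-to-AWS' `
    -SitesIncluded 'Default-First-Site-Name', $Site `
    -Cost 200 -ReplicationFrequencyInMinutes 60 `
    -InterSiteTransportProtocol IP

# 2. Pre-create the RODC account from the corporate side. The server in the VPC
#    then finishes promotion with Install-ADDSDomainController -UseExistingAccount
#    using only the delegated group, not Domain Admin credentials.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName $Rodc `
    -DomainName $Domain `
    -SiteName $Site `
    -ReplicationSourceDC "$SourceDc.$Domain" `
    -DelegatedAdministratorAccountName 'RODC-Admins'

# 3. Password Replication Policy: cache secrets only for accounts that must
#    authenticate inside the VPC; privileged accounts stay in the Denied set.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'AWS-VPC-Users'

# 4. After promotion: an RODC lists inbound partners only, and no writable DC
#    should ever name it as an inbound source.
function Test-RodcIsInboundOnly {
    param([string]$RodcName)
    $inbound  = @(Get-ADReplicationPartnerMetadata -Target $RodcName -PartnerType Inbound)
    $outbound = @(Get-ADReplicationPartnerMetadata -Target $RodcName -PartnerType Outbound)
    [pscustomobject]@{
        Rodc          = $RodcName
        InboundFrom   = ($inbound | ForEach-Object { $_.Partner }) -join ', '
        OutboundCount = $outbound.Count           # expected 0 for an RODC
        LastSuccess   = ($inbound | Sort-Object LastReplicationSuccess -Descending |
                         Select-Object -First 1).LastReplicationSuccess
        IsInboundOnly = ($outbound.Count -eq 0) -and ($inbound.Count -gt 0)
    }
}

Test-RodcIsInboundOnly -RodcName $Rodc
```

If `IsInboundOnly` comes back false with zero inbound partners, replication never converged, which in this network layout almost always means the RODC could not open its own connections to the source DC. `repadmin /showrepl AWSRODC01` gives the per-partition detail from the same metadata.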

Context

StackExchange DevOps Q#2990, answer score: 1
