I'm using the AWS Directory Service at work. We've been using it for a while and it has been running pretty smoothly. I'm starting to migrate away from it and wanted to write a post about why, so others might be spared the headache that I'm now having.

The good

Now AWS Directory Service isn't all bad. Active Directory can be a bit of a handful, especially if you're dealing with a domain that has evolved over the years. AD was my bread and butter as a consultant, but a lot of people don't have that background, so I can understand why the AWS Directory Service appeals.
It's so locked down, it's difficult for anything to go wrong. If you want a simple, pain-free AD then this is probably for you.

The bad

Sadly, I have run into a few reasons why it is not so good.

One. It's expensive. For the price of Directory Service I could get a bunch of instances running that would be more than capable of running as domain controllers.

Two. The control that Amazon have to maintain (and rightly so; this is, after all, an -as-a-Service product) means that you can't modify the schema. This means Exchange is out. A big one for me (and for many other start-ups) is that I can't use Google's sync tool to sync our users from AD, because the sync tool needs to be installed on the domain controllers and AWS won't allow access to the domain controllers. For many people this will not be limiting, but it was for me.

Three. You have to run the service in a single VPC. This just isn't OK in my book. I want to run domain controllers in every region where I have instances. I want to run domain controllers in my offices as well. I don't want to run a different AD domain in every region! I'm not going to go into getting traffic from one VPC to another right now, but Amazon really needs to have a think about this.
Update: Amazon recently announced inter-region VPC peering, so at least they've fixed that thorny issue.

The ugly

Here comes the really bad part. You're locked in!

When my company started using AWS Directory Service, the Enterprise option was the only AD option. This is good for ~5000 directory objects. They've now released a smaller Standard version, which is better suited to my <50 directory objects, but is still overkill. I asked Amazon how we can migrate to the smaller version and they advised me that there is no migration path. Their advice is to build a brand new domain and migrate your infrastructure over. It blows my mind that they think this is an acceptable solution.

Knowing what I know now, I want to run my own AD. It's not worth it to me to have AWS run it for me and, after all, I have the skills; I might as well put them to good use. There is still no migration path away from AWS Directory Service.

The upshot of it all is: use it for what it's intended for. I don't think Amazon want you to run all your AD from the AWS Directory Service; rather, they expect you to run an AWS Directory Service in each region for your instances in that region, and to create a complex web of AD forests to allow users to access the various services. They just don't make it particularly clear.