quickstart-microsoft-sql
LAB functionality
Can someone verify the lab functionality? The CloudFormation template deployment finishes without any issue, but there seem to be issues with the SQL AG setup. For example, I am unable to connect from WSFCnode1 to the SQL DB engine on the same node using SQL Studio. However, I can connect from node1 to node2 using SQL Studio and vice versa. In addition, the AG is not syncing to the secondary when looking at the AG dashboard. I was able to fix this using a domain service account as stated here: https://www.informaticar.net/sql-alwayson-the-secondary-database-is-not-joined-to-the-availability-group/. I just uninstalled and reinstalled SQL on both nodes and used a domain service account.

RDGW would need some polishing as well. The certificate used for the RDGW is self-signed using the FQDN of the instance and does not contain the SAN of the NLB used in this setup. This results in Remote Desktop Connection complaining about a certificate mismatch when trying to use RDGW for RDP connections over TCP/443, and it will not work. I had to recreate the self-signed SSL cert using the NLB DNS name to get it working. Another option would be to use AWS Certificate Manager to issue a publicly signed cert for this.

In addition, the default CAP and RAP policies in the RDGW console contain only the "Domain Admins" group. This is an issue when you use AWS Managed Microsoft AD, because by default "Domain Admins" is AWS managed and does not contain the "admin" account provided in the CF template. So the connection via RDGW will not work by default.

The SG used for RDS would benefit from restricting access to TCP/3389 instead of exposing it to 0.0.0.0/0 as well. This only draws attention to external scanning and brute-forcing of the password.
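The RDGW certificate and CAP/RAP points above can be checked and corrected from PowerShell on the gateway instance. The script below is an added example, not part of the Quick Start or of the report above. It assumes it runs elevated on the RDGW instance with the RemoteDesktopServices module available, that the RDS: provider exposes the gateway certificate under `RDS:\GatewayServer\SSLCertificate\Thumbprint` with a `CurrentValue` property and the policy user groups under `RDS:\GatewayServer\CAP\<name>\UserGroups` and `RDS:\GatewayServer\RAP\<name>\UserGroups`, and that the hostnames, CAP/RAP names and group name are placeholders to replace with your own.

```powershell
# Added example (not from the Quick Start): confirm that the RD Gateway certificate's
# SAN covers the name clients actually use (the NLB DNS name), replace it if not, and
# make sure the CAP and RAP admit an operators' group rather than only Domain Admins.
# Placeholders below (hostnames, policy names, group) must be replaced with real values.
Import-Module RemoteDesktopServices

$InstanceFqdn = "rdgw1.example.corp"                      # placeholder: the instance's own FQDN
$NlbDnsName   = "rdgw-nlb-PLACEHOLDER.elb.amazonaws.com"  # placeholder: NLB DNS name clients connect to
$OpsGroup     = "EXAMPLE\RDGW-Users"                      # placeholder: AD group that should get through the gateway
$CapName      = "RDG_CAP_AllUsers"                        # placeholder: name of the existing CAP
$RapName      = "RDG_AllDomainComputers"                  # placeholder: name of the existing RAP

function Test-CertCoversName {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Name
    )
    # Read the Subject Alternative Name extension (OID 2.5.29.17) and collect its DNS entries.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $san) { return $false }
    $dnsNames = $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    }
    return ($dnsNames -contains $Name)
}

# 1. Inspect the certificate the gateway currently presents on TCP/443.
$currentThumb = (Get-Item "RDS:\GatewayServer\SSLCertificate\Thumbprint").CurrentValue
$current      = Get-Item "Cert:\LocalMachine\My\$currentThumb"

if (Test-CertCoversName -Cert $current -Name $NlbDnsName) {
    Write-Host "Gateway certificate already lists $NlbDnsName in its SAN."
} else {
    Write-Warning "Gateway certificate does not list $NlbDnsName; clients connecting via the NLB will get a name mismatch."
    # 2. Issue a replacement whose SAN names both the instance and the NLB, then bind it.
    $new = New-SelfSignedCertificate -DnsName $InstanceFqdn, $NlbDnsName `
        -CertStoreLocation "Cert:\LocalMachine\My" -FriendlyName "RDGW (instance + NLB SAN)"
    Set-Item "RDS:\GatewayServer\SSLCertificate\Thumbprint" -Value $new.Thumbprint
    Restart-Service TSGateway
    Write-Host "Bound new certificate $($new.Thumbprint) to the gateway."
}

# 3. Ensure the CAP and RAP contain the operators' group (assumed provider layout, see lead-in).
foreach ($path in "RDS:\GatewayServer\CAP\$CapName\UserGroups",
                  "RDS:\GatewayServer\RAP\$RapName\UserGroups") {
    $existing = (Get-ChildItem $path).Name
    if ($existing -notcontains $OpsGroup) {
        New-Item -Path $path -Name $OpsGroup | Out-Null
        Write-Host "Added $OpsGroup to $path"
    }
}

# Show the resulting policy membership for review.
Get-ChildItem "RDS:\GatewayServer\CAP\$CapName\UserGroups" | Select-Object Name
Get-ChildItem "RDS:\GatewayServer\RAP\$RapName\UserGroups" | Select-Object Name
```

A self-signed replacement only removes the name-mismatch error; clients still have to trust its issuer, so the certificate must be imported into their Trusted Root store, which is why an ACM- or CA-issued certificate with the NLB name as a SAN is the cleaner long-term option the report suggests.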