Written by Arun Kumar, Associate Cloud Architect at Powerupcloud Technologies
Amazon WorkSpaces is a managed, secured Desktop-as-a-Service (DaaS) offering from AWS. WorkSpaces removes the need to provision hardware and software configurations, so IT admins can provision managed desktops in the cloud with little effort. End users can access their virtual desktop from a wide range of devices and browsers, including Windows, Linux, iPad, and Android. Managing corporate applications for end users is also simpler, either with WAM (WorkSpaces Application Manager) or by integrating with existing solutions such as SCCM, WSUS, and others.
To manage end users and give them access to WorkSpaces, either of the following directory options can be used with AWS:
- Extending the existing on-premises Active Directory by using AD Connector in AWS.
- Creating and configuring an AWS-managed Simple AD or Microsoft Active Directory, sized to the organization.
WorkSpaces architecture with the Simple AD approach
In this architecture, WorkSpaces are deployed for both Windows and Linux virtual desktops. Both are associated with the VPC and with the directory service (Simple AD), which stores and manages information about users and their WorkSpaces.
The architecture above shows the flow of end users accessing Amazon WorkSpaces, with Simple AD authenticating the users. Users access their WorkSpaces through a client application on a supported device or through a web browser, and they log in with their directory credentials. The login information is sent to an authentication gateway, which forwards it to the directory for that WorkSpace. Once the user is authenticated, the streaming traffic is handled by the streaming gateway over the PCoIP protocol, which delivers the full desktop experience to the end user.
To use WorkSpaces, the following requirements must be met:
- A directory service to authenticate users and give them access to their WorkSpace.
- The WorkSpaces client application for the user's device, which requires an Internet connection.
For this demo we created a Simple AD; this can be done from the WorkSpaces console.
- Create the Simple AD.
- Choose the directory size based on the size of your organization.
- Enter the fully qualified domain name and the Administrator password, and note the admin password somewhere safe for later reference.
- Select at least two subnets in different Availability Zones; AWS Directory Service requires a Multi-AZ deployment.
- The directory is now created.
Now let’s create the WorkSpace for employees.
- Select the directory in which you need to create WorkSpaces for user access.
- Select the subnets created in the previous section so that the WorkSpaces are provisioned across multiple Availability Zones.
- Ensure that self-service permissions are always set to "No"; otherwise users can change their WorkSpace configuration on the fly without the WorkSpaces administrator's knowledge.
- Enable WorkDocs based on the user's requirements.
- Select a user from the directory list, or create a new user on the fly.
- Select the bundle (compute, operating system, and storage) for each of your users.
You can select the running mode of the WorkSpaces based on your company's needs. This directly affects the monthly bill: "Always-On" mode has fixed pricing, whereas "AutoStop" mode is an on-demand pricing model. Make sure the right running mode is selected during WorkSpace creation, based on the business requirements of the user.
- Review and launch your WorkSpace.
- Your WorkSpace is now being provisioned. Once it is available and ready to use, you will receive an email from Amazon with the WorkSpaces login details.
- Follow the URL in the email to create a password for the user who will access the WorkSpace.
- Download the client for your device, or use the web login.
- Install the WorkSpaces client on your local machine.
- Open the WorkSpaces client and enter the registration code you received in the email.
- Enter the username and password when prompted.
- You are now logged in to your virtual desktop.
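Two of the settings in the procedure above are worth checking after the fact rather than trusting that the console was clicked correctly: the self-service permissions on the directory (which should stay disabled) and the running mode of each WorkSpace (which drives the bill). The script below is an added example, not code from the original article or from AWS. It audits those settings offline from the JSON that `aws workspaces describe-workspace-directories` and `aws workspaces describe-workspaces` print; the embedded JSON is constructed to follow that output's field layout, and the directory ID, WorkSpace IDs and user names are made up. It also flags unencrypted root or user volumes, which the security section below recommends encrypting with KMS.

```python
"""Offline audit of WorkSpaces directory and WorkSpace settings (added example).

Reads the JSON shape produced by
  aws workspaces describe-workspace-directories
  aws workspaces describe-workspaces
and reports self-service permissions left ENABLED, WorkSpaces whose running
mode differs from the expected one, and WorkSpaces with unencrypted volumes.
"""
import json

# Constructed sample output (not real account data); IDs and names are made up.
DIRECTORIES_JSON = """{
  "Directories": [
    {
      "DirectoryId": "d-9067example1",
      "DirectoryName": "corp.example.com",
      "DirectoryType": "SIMPLE_AD",
      "SelfservicePermissions": {
        "RestartWorkspace": "ENABLED",
        "IncreaseVolumeSize": "DISABLED",
        "ChangeComputeType": "ENABLED",
        "SwitchRunningMode": "DISABLED",
        "RebuildWorkspace": "DISABLED"
      }
    }
  ]
}"""

WORKSPACES_JSON = """{
  "Workspaces": [
    {
      "WorkspaceId": "ws-example00001", "UserName": "alice",
      "DirectoryId": "d-9067example1",
      "WorkspaceProperties": {"RunningMode": "AUTO_STOP",
                              "RunningModeAutoStopTimeoutInMinutes": 60},
      "RootVolumeEncryptionEnabled": true, "UserVolumeEncryptionEnabled": true
    },
    {
      "WorkspaceId": "ws-example00002", "UserName": "bob",
      "DirectoryId": "d-9067example1",
      "WorkspaceProperties": {"RunningMode": "ALWAYS_ON"},
      "RootVolumeEncryptionEnabled": false, "UserVolumeEncryptionEnabled": true
    }
  ]
}"""


def selfservice_findings(directories):
    """Return (DirectoryId, [enabled permission names]) for every directory
    in which at least one self-service permission is ENABLED."""
    findings = []
    for d in directories.get("Directories", []):
        perms = d.get("SelfservicePermissions", {})
        enabled = sorted(name for name, state in perms.items() if state == "ENABLED")
        if enabled:
            findings.append((d["DirectoryId"], enabled))
    return findings


def workspace_findings(workspaces, expected_mode="AUTO_STOP"):
    """Return (WorkspaceId, UserName, [issues]) for WorkSpaces whose running
    mode is not the expected one or whose root/user volume is unencrypted."""
    findings = []
    for ws in workspaces.get("Workspaces", []):
        props = ws.get("WorkspaceProperties", {})
        issues = []
        mode = props.get("RunningMode")
        if mode != expected_mode:
            issues.append(f"running mode is {mode}, expected {expected_mode}")
        if not ws.get("RootVolumeEncryptionEnabled"):
            issues.append("root volume not encrypted")
        if not ws.get("UserVolumeEncryptionEnabled"):
            issues.append("user volume not encrypted")
        if issues:
            findings.append((ws["WorkspaceId"], ws.get("UserName"), issues))
    return findings


def audit(directories_json=DIRECTORIES_JSON, workspaces_json=WORKSPACES_JSON,
          expected_mode="AUTO_STOP"):
    """Parse both CLI outputs and return every finding in one dict."""
    return {
        "selfservice": selfservice_findings(json.loads(directories_json)),
        "workspaces": workspace_findings(json.loads(workspaces_json), expected_mode),
    }


if __name__ == "__main__":
    result = audit()
    for directory_id, enabled in result["selfservice"]:
        print(f"{directory_id}: self-service ENABLED for {', '.join(enabled)}")
    for ws_id, user, issues in result["workspaces"]:
        print(f"{ws_id} ({user}): {'; '.join(issues)}")
```

On a real account, replace the two constants with the output of the two CLI commands (for example by reading the files they were redirected to) and pass `expected_mode="ALWAYS_ON"` for the user groups that genuinely need a fixed-price desktop. A directory that appears in the self-service findings can be corrected with the `ModifySelfservicePermissions` API (`aws workspaces modify-selfservice-permissions`), which is the same setting the console exposes as "Self-service permissions".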
Security and compliance of WorkSpaces
- Encryption in transit by default.
- KMS can be used to encrypt data at rest.
- IP-based access restrictions.
- Multi-factor authentication (RADIUS).
- PCI DSS Level 1 compliant.
- HIPAA-eligible under a business associate agreement.
- Certifications: ISO 9001 and ISO 27001.
- No upfront payment.
- On-demand pricing (AutoStop): when the user is not using the virtual desktop, Amazon automatically stops it after the AutoStop timeout selected for that user.
- Fixed pricing (Always-On): the cost of the virtual desktop is a fixed monthly amount based on the selected bundle.
- Built-in licensing, which lets us select the right Windows bundle for the business need.
- BYOL (bring your own license) is additionally supported for Windows 10.
- CloudTrail records the API calls.
- CloudWatch monitoring shows the number of users connected to WorkSpaces, session latency, and more.
- API support (SDK, AWS CLI).
- WorkSpaces Application Manager (WAM).
- Custom images.
- Audio input.
- Pre-built applications from AWS Marketplace can be added to a WorkSpace.
- User control at the directory level.
- Integration with WorkDocs.
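The list above notes that CloudTrail records the WorkSpaces API calls. The value of that for a defender is being able to spot when one of the controls in this article (self-service permissions, running mode, IP access control groups, allowed client device types) is changed, and by whom. The script below is an added example, not part of the original article or an AWS tool: it reads a CloudTrail log file (the `{"Records": [...]}` layout CloudTrail writes) and reports the WorkSpaces configuration changes, marking whether the caller is on an approved administrator list and whether the call was denied. The embedded records are constructed with the real CloudTrail field names, but the account ID, ARNs, IP addresses and timestamps are made up; the set of actions treated as sensitive is my own selection of existing WorkSpaces API names.

```python
"""Triage a CloudTrail log for WorkSpaces configuration changes (added example)."""
import json
from collections import Counter

# Constructed CloudTrail records: same field layout as a CloudTrail log file,
# with made-up account ID, ARNs, source IPs and times.
SAMPLE_LOG = """{
  "Records": [
    {"eventTime": "2021-03-01T09:00:12Z", "eventSource": "workspaces.amazonaws.com",
     "eventName": "DescribeWorkspaces",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ws-admin"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2021-03-01T09:05:40Z", "eventSource": "workspaces.amazonaws.com",
     "eventName": "ModifySelfservicePermissions",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ws-admin"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2021-03-01T22:17:03Z", "eventSource": "workspaces.amazonaws.com",
     "eventName": "ModifyWorkspaceProperties",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2021-03-01T22:18:30Z", "eventSource": "workspaces.amazonaws.com",
     "eventName": "DisassociateIpGroups",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7", "errorCode": "AccessDenied"},
    {"eventTime": "2021-03-01T22:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "sourceIPAddress": "198.51.100.7"}
  ]
}"""

# WorkSpaces API actions that change or weaken the controls discussed in the
# article. Read-only Describe* calls are deliberately not in this map.
SENSITIVE_ACTIONS = {
    "ModifySelfservicePermissions": "self-service permissions changed",
    "ModifyWorkspaceProperties": "running mode / compute / storage changed",
    "ModifyWorkspaceAccessProperties": "allowed client device types changed",
    "UpdateRulesOfIpGroup": "IP access control rules changed",
    "DisassociateIpGroups": "IP access control group detached from directory",
    "DeleteIpGroup": "IP access control group deleted",
    "TerminateWorkspaces": "WorkSpaces terminated",
}


def sensitive_changes(log_text, approved_admins):
    """Return one finding dict per WorkSpaces API call in SENSITIVE_ACTIONS.

    approved_admins is the set of IAM principal ARNs expected to make such
    changes; anything else is reported with approved_actor=False. A record
    carrying errorCode is a failed (e.g. AccessDenied) attempt.
    """
    findings = []
    for rec in json.loads(log_text).get("Records", []):
        if rec.get("eventSource") != "workspaces.amazonaws.com":
            continue
        reason = SENSITIVE_ACTIONS.get(rec.get("eventName"))
        if reason is None:
            continue
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        findings.append({
            "time": rec.get("eventTime"),
            "action": rec["eventName"],
            "reason": reason,
            "actor": actor,
            "source_ip": rec.get("sourceIPAddress"),
            "denied": "errorCode" in rec,
            "approved_actor": actor in approved_admins,
        })
    return findings


def unapproved_actors(findings):
    """Count sensitive calls (successful or denied) per non-approved principal."""
    return Counter(f["actor"] for f in findings if not f["approved_actor"])


if __name__ == "__main__":
    admins = {"arn:aws:iam::111122223333:user/ws-admin"}  # constructed
    found = sensitive_changes(SAMPLE_LOG, admins)
    for f in found:
        status = "DENIED" if f["denied"] else "ok"
        who = f["actor"] if f["approved_actor"] else f"{f['actor']} (NOT APPROVED)"
        print(f"{f['time']} {f['action']:32} {status:6} {who} from {f['source_ip']}")
    print("unapproved actors:", dict(unapproved_actors(found)))
```

CloudTrail delivers these files gzipped to S3, so in practice the `SAMPLE_LOG` string is replaced by the decompressed contents of each object, and the findings are fed to whatever alerting the team already uses (a CloudWatch Logs metric filter on the same `eventName` values is the usual lightweight option). The approved-admin set should be the small group of principals allowed to administer WorkSpaces, which is what makes the `approved_actor=False` rows worth a look.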
By adopting AWS WorkSpaces, we can give end users secure access to the business applications and documents they currently use on their organization's devices or existing VDI solutions, with seamless desktop performance in the cloud. Enabling the encryption options and restricting the client devices users may connect from keeps that access secure and reduces the risk of a data breach.
Further benefits include removing the overhead of maintaining existing hardware and purchasing new hardware. Monitoring and managing end-user WorkSpaces also becomes straightforward through integration with AWS native services.