Now more than ever, we are depending on technology and productivity tools to allow us to operate as effectively as possible under current circumstances.
For those who were already one step ahead with their remote work environment, it's a fairly smooth transition, but for the rest it's going to be a bumpy ride.
The good news is that today you can establish a remote work environment in a matter of hours. In this blog I will cover one of the quickest approaches to setting up a secure VDI solution using Amazon WorkSpaces.
AWS is offering WorkSpaces free for up to 50 users between 1 April and 30 June.
Amazon WorkSpaces is a managed, secure cloud desktop service. It can be used to provision either Windows or Linux desktops in just a few minutes and to scale quickly to provide thousands of desktops to workers across the globe. Charges are billed either monthly or hourly, and only for the desktops in use, which is a significant cost saving compared to traditional desktops and on-premises VDI solutions. Amazon WorkSpaces removes the complexity of managing hardware inventory, OS versions and patches, and Virtual Desktop Infrastructure (VDI), which simplifies the desktop delivery strategy. With Amazon WorkSpaces, users get a fast, responsive desktop of their choice that they can access anywhere, anytime, from any supported device.
There are three critical components that the Amazon WorkSpaces service requires in order to be deployed successfully:
- WorkSpaces client application
Amazon WorkSpaces supports a wide range of client devices, including:
  - Windows Client Application
  - Web Access
  - Android Client Application
  - iPad Client Application
  - OS X Client Application
- A directory service to authenticate users and provide access to their WorkSpaces
Amazon WorkSpaces currently supports three directory options for authentication: AWS Directory Service, Microsoft AD and Simple AD.
- Amazon Virtual Private Cloud (Amazon VPC) in which to run the Amazon WorkSpaces
A minimum of two subnets is required for a WorkSpaces deployment, because each AWS Directory Service construct requires two subnets in a Multi-AZ deployment.
VPC Design Considerations:
AWS advises considering the following network items before designing and implementing the solution.
Use a separate VPC specifically for the WorkSpaces deployment. This allows the necessary governance and security guardrails to be implemented for each WorkSpaces deployment based on its own requirements.
- Directory Services
Each AWS Directory Service construct pairs with a minimum of two subnets to provide a highly available directory service split across Availability Zones.
- Subnet size
WorkSpaces deployments are tied to a directory construct and reside in the same VPC subnets as the chosen AWS Directory Service. Therefore:
  - Subnet sizes are permanent and cannot be changed
  - A default security group can be applied to the AWS Directory Service; this security group then applies to all WorkSpaces associated with that directory construct
  - Multiple AWS Directory Services can consume the same subnet
Using a VPC you can create an isolated environment for your WorkSpaces users based on their profile. Amazon WorkSpaces lets you isolate WorkSpaces at the network level according to your security requirements; for example, you can create one set of subnets for external users or contractors and another for internal users who require more access to your environment.
The following diagram provides a high-level network flow for an Amazon WorkSpaces user connecting via the public internet.
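To make the considerations above concrete, here is an added Python example (not code from this post or from AWS) that checks a proposed subnet plan against them: each user segment (internal staff, contractors) gets its own pair of subnets in two Availability Zones of the WorkSpaces VPC, no subnet is shared between segments, CIDRs do not overlap, and each pair has enough usable addresses for the expected users plus growth, since subnet sizes cannot be changed later. The VPC and subnet ids, CIDRs, AZ names and user counts are constructed sample values; the five reserved addresses per subnet is AWS's standard reservation.

```python
import ipaddress
import math
from dataclasses import dataclass

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


@dataclass(frozen=True)
class Subnet:
    subnet_id: str  # constructed sample ids, not real resources
    cidr: str
    az: str
    vpc_id: str


@dataclass
class Segment:
    """One isolated user population (internal staff, contractors, ...).
    Each segment is registered with WorkSpaces using its own pair of subnets."""
    name: str
    subnets: list
    expected_users: int  # one WorkSpace, and so one IP address, per user


def usable_addresses(cidr: str) -> int:
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_id: str, segments: list, headroom: float = 0.25) -> list:
    """Return human-readable findings; an empty list means the plan passes."""
    findings = []
    owner = {}  # subnet_id -> segment that uses it
    for seg in segments:
        if len(seg.subnets) != 2:
            findings.append(f"{seg.name}: needs exactly two subnets, has {len(seg.subnets)}")
        elif len({s.az for s in seg.subnets}) < 2:
            findings.append(f"{seg.name}: both subnets are in one AZ; Multi-AZ is required")
        for s in seg.subnets:
            if s.vpc_id != vpc_id:
                findings.append(f"{seg.name}: {s.subnet_id} is in {s.vpc_id}, not in {vpc_id}")
            if owner.get(s.subnet_id, seg.name) != seg.name:
                findings.append(f"{s.subnet_id} is shared by {owner[s.subnet_id]} and {seg.name}; isolation is lost")
            owner.setdefault(s.subnet_id, seg.name)
        # Sizes are permanent, so check capacity against users plus growth headroom.
        capacity = sum(usable_addresses(s.cidr) for s in seg.subnets)
        needed = math.ceil(seg.expected_users * (1 + headroom))
        if capacity < needed:
            findings.append(f"{seg.name}: {capacity} usable addresses but {needed} needed; sizes cannot be changed later")
    # Overlapping CIDRs anywhere in the plan (deduplicated by subnet id).
    all_subnets = {s.subnet_id: s for seg in segments for s in seg.subnets}.values()
    nets = [(s.subnet_id, ipaddress.ip_network(s.cidr)) for s in all_subnets]
    for i, (id_a, net_a) in enumerate(nets):
        for id_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                findings.append(f"{id_a} and {id_b} have overlapping CIDRs")
    return findings


# Constructed sample plan: internal users get /24s, contractors get /26s.
VPC_ID = "vpc-0123456789abcdef0"
SAMPLE_SEGMENTS = [
    Segment("internal", [
        Subnet("subnet-int-a", "10.10.0.0/24", "ap-southeast-2a", VPC_ID),
        Subnet("subnet-int-b", "10.10.1.0/24", "ap-southeast-2b", VPC_ID),
    ], expected_users=300),
    Segment("contractors", [
        Subnet("subnet-ext-a", "10.10.2.0/26", "ap-southeast-2a", VPC_ID),
        Subnet("subnet-ext-b", "10.10.3.0/26", "ap-southeast-2b", VPC_ID),
    ], expected_users=120),
]


def sample_findings() -> list:
    return validate_plan(VPC_ID, SAMPLE_SEGMENTS)


if __name__ == "__main__":
    for line in sample_findings() or ["plan passes"]:
        print(line)
```

On the sample plan the internal pair passes, while the contractor /26s (59 usable addresses each) fall short of the 150 addresses needed for 120 users with 25% headroom, which is exactly the kind of mistake that cannot be corrected after the directory is created.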
AD DS DEPLOYMENT SCENARIOS
Active Directory integration is the most critical item for a successful implementation of Amazon WorkSpaces. AWS describes three best-practice scenarios that it recommends customers follow.
- Scenario 1: Using AD Connector to proxy authentication to on-premises AD DS. In this scenario the AD Connectors deployed in the AWS environment authenticate against the on-premises AD DS, with all authentication proxied via Direct Connect.
- Scenario 2: Extending on-premises AD DS into AWS (Replica). This scenario is similar to Scenario 1, but an AD DS replica is located in the AWS VPC in combination with AD Connector. This greatly reduces the latency of authentication and query requests to AD DS and the AD DS global catalog.
- Scenario 3: Standalone isolated deployment using AWS Directory Service in the AWS Cloud. This isolated scenario requires no connectivity back to on-premises AD DS for authentication. Instead it uses AWS Directory Service (Microsoft AD) and AD Connector.
Amazon WorkSpaces Provisioning
Now that we have covered some of the critical design considerations and components, it's time to stand up a simple WorkSpaces environment in your AWS account to see how quickly you can create one.
The very first thing you need to do is set up your directory service. As mentioned above, you have a few options to choose from: if you have an existing Active Directory and want to connect to it, choose one of the options that extends your Active Directory into AWS. For the sake of this tutorial I am going to stand up a Simple AD so that I can bring up my WorkSpaces environment as quickly as possible. Now let's begin.
1. Log in to your AWS account and search for the WorkSpaces service in the Services section
2. Click on Directories in the left section and click Set up Directory
3. Select Simple AD and click Next
4. Fill in the information for the AD setup
  - Directory Size: Select Small if you have fewer than 2000 objects and fewer than 500 users.
  - Organization Name: A unique organisation name that will form part of your Amazon WorkSpaces URL.
  - Directory DNS name: This will be your DNS server address
  - Administrator Username and Password: AD admin credentials
5. Select your VPC and choose the subnets in which to deploy the Directory Service.
Once your directory status changes to Created, it is ready for you to associate your WorkSpaces with it.
If your VPC uses an Internet Gateway and you would like to publish applications from the AWS Marketplace into your WorkSpaces, follow these steps:
- Click on Directories in the left section, select your new Directory, and choose Actions > Update Details
- Enable Access to Internet, then click Update and Exit
To get started with WorkSpaces, select WorkSpaces in the left section and follow the instructions.
- Select the Directory that you created earlier, or choose the existing Directory you would like to associate your WorkSpaces with.
- Select Subnet 1 and Subnet 2. If you select different subnets, make sure they can reach your Directory Service and that the ports WorkSpaces requires for internet access are open, then click Next
- Fill in the information for the new users and add as many as you need. Note that you can either create a new user and add it to your directory, or select from existing users in your directory. Once the new users are created, you can search for each user in the next section and click Add Selected
- In the bundle section, select the image from which you want to provision your WorkSpaces
- Leave the rest as default and complete the WorkSpaces provisioning by clicking Create. It might take up to 20 minutes until your WorkSpaces environment is fully provisioned.
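The same directory and WorkSpaces provisioning steps can be scripted, which becomes the practical route once the user count grows. The following is an added Python example, not code from this post or from AWS, using the boto3 `ds` and `workspaces` clients. Only `provision()` touches AWS (it needs boto3 and credentials); the request builders run offline so the inputs can be checked first, including the Small-size user limit stated above. The directory name, VPC and subnet ids, bundle id and usernames are constructed placeholders; the usernames are assumed to already exist in the directory (the console's "select existing users" path), the admin password is read from an environment variable rather than written into the script, and the Large size limit of 5,000 users is AWS's documented figure, not something the post states.

```python
import os
import time

# Size guidance: Small covers fewer than 500 users (from the post);
# Large covers up to 5,000 users (AWS's documented limit, not from the post).
SIMPLE_AD_USER_LIMITS = {"Small": 500, "Large": 5000}


def pick_directory_size(user_count: int) -> str:
    """Choose the Simple AD size that fits the user population."""
    for size, limit in SIMPLE_AD_USER_LIMITS.items():
        if user_count < limit:
            return size
    raise ValueError(f"{user_count} users exceeds Simple AD limits; use Microsoft AD instead")


def directory_request(name, short_name, vpc_id, subnet_ids, user_count, password):
    """Parameters for ds.create_directory, mirroring console steps 4 and 5."""
    if len(subnet_ids) != 2:
        raise ValueError("Simple AD needs exactly two subnets in different AZs")
    return {
        "Name": name,             # directory DNS name
        "ShortName": short_name,  # NetBIOS name
        "Password": password,     # admin password; never hard-code it
        "Size": pick_directory_size(user_count),
        "VpcSettings": {"VpcId": vpc_id, "SubnetIds": list(subnet_ids)},
    }


def workspace_requests(directory_id, bundle_id, usernames, kms_key_id=None):
    """One CreateWorkspaces entry per user, with both volumes encrypted and
    AutoStop set explicitly rather than relying on console defaults."""
    props = {"RunningMode": "AUTO_STOP", "RunningModeAutoStopTimeoutInMinutes": 60}
    requests = []
    for user in usernames:
        req = {
            "DirectoryId": directory_id,
            "UserName": user,  # must already exist in the directory
            "BundleId": bundle_id,
            "WorkspaceProperties": props,
            "UserVolumeEncryptionEnabled": True,
            "RootVolumeEncryptionEnabled": True,
        }
        if kms_key_id:  # otherwise AWS uses its managed key for WorkSpaces
            req["VolumeEncryptionKey"] = kms_key_id
        requests.append(req)
    return requests


def provision(dir_params, subnet_ids, bundle_id, usernames,
              region="ap-southeast-2", timeout=1200):
    """Create the directory, wait until it is Active, register it with
    WorkSpaces and create one WorkSpace per user."""
    import boto3  # imported here so the builders above run without it

    ds = boto3.client("ds", region_name=region)
    ws = boto3.client("workspaces", region_name=region)
    directory_id = ds.create_directory(**dir_params)["DirectoryId"]
    deadline = time.time() + timeout
    while True:
        desc = ds.describe_directories(DirectoryIds=[directory_id])
        stage = desc["DirectoryDescriptions"][0]["Stage"]
        if stage == "Active":
            break
        if stage == "Failed" or time.time() > deadline:
            raise RuntimeError(f"directory {directory_id} is in stage {stage}")
        time.sleep(30)
    ws.register_workspace_directory(
        DirectoryId=directory_id, SubnetIds=list(subnet_ids),
        EnableWorkDocs=False, EnableSelfService=False,
    )
    result = ws.create_workspaces(
        Workspaces=workspace_requests(directory_id, bundle_id, usernames))
    return directory_id, result["PendingRequests"], result["FailedRequests"]


if __name__ == "__main__":
    # Constructed sample values; replace with your own before running.
    params = directory_request(
        name="corp.example.internal", short_name="CORP",
        vpc_id="vpc-0123456789abcdef0",
        subnet_ids=["subnet-aaa111", "subnet-bbb222"],
        user_count=300, password=os.environ["SIMPLE_AD_ADMIN_PASSWORD"],
    )
    print(provision(params, params["VpcSettings"]["SubnetIds"],
                    "wsb-EXAMPLEID", ["alice", "bob"]))
```

The WorkSpaces are registered to the same two subnets as the directory, matching the "Select Subnet 1 and Subnet 2" step; pass a different pair if you use a separate subnet set for a segment of users, and the `FailedRequests` list returned by `create_workspaces` tells you which users could not be provisioned.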
Access your WorkSpaces
There are different ways to connect to your WorkSpaces over the internet: here is a link to download the
WorkSpaces client for your devices, or you can access your environment through a web browser.
Once you have downloaded your client, make sure it has the required network access to connect to your WorkSpaces environment. To check network access, ensure there is a green tick next to Network at the bottom right of the client.
If a new user has been added to WorkSpaces, that user will receive an email to activate the account and set a new password. Follow the instructions in the email to activate your account.
Once your WorkSpaces provisioning is complete and you have activated your account, type your WorkSpaces registration code into the client and log in with your user credentials. Your WorkSpace is then ready to use.
Now that you have a running WorkSpaces environment, let's try publishing an application from the AWS Marketplace into your VDI. Follow the instructions below:
- Go to the "C:\Program Files\Amazon" folder and install Amazon WorkSpaces Application Manager
- Once the installation completes, the application opens in your WorkSpace and shows an empty catalog
- Browse to your AWS console and select WorkSpaces under Services. Select Applications under Application Manager.
- Click on Add application from AWS Marketplace
- Let's add a few applications to your Application Manager. Add the following by clicking on each application, accepting the terms and subscribing
- Once you have added these applications, return to the application catalog, change the source to AWS Marketplace, select all of the applications and click Actions > Assign Application to Users
- Select your Directory and search for your users; you can easily assign a set of applications to a set of users under a group
- Click on your user, add it to the Selected Users and click Next
- Make sure you can see all of your selected applications and click Review
- Click on Confirm and Assign
- Go back to your WorkSpace session and refresh the Application Manager; your applications should now be listed and ready to install
With Amazon WorkSpaces you can bring your own customised VDI solution into the cloud in a matter of hours. However, it can get complicated when you have more than a few users or have custom applications that you would like to publish through your WorkSpaces environment. To reduce that complexity while still enabling a remote work environment as quickly as possible, you can leverage AWS automation capabilities. Cevo has developed in-house IP to help customers implement a WorkSpaces environment in a timely manner, with a suitable framework to manage the platform once it goes live.