Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution. As a remote or office-based worker, you can ‘remote desktop’ into your own Virtual Desktop Infrastructure (VDI) environment and work from wherever, on whatever local device you want.
The sweet spot for Amazon WorkSpaces is meeting the need to run a highly controlled, security compliant, performant desktop workstation remotely. If you’re needing to only centrally manage applications or you’re wanting to do high amounts of GPU intensive tasks without the governance requirements then perhaps AppStream is for you. [https://cevo.com.au/aws-appstream-secure-high-performance-remote-work]
Cevo’s Ali Atighi recently wrote a detailed blog on standing up Amazon WorkSpaces within an hour. He explains that you need an appropriately sized AWS VPC, a user ‘directory’, and then you need to provision the workspace itself.
So you’ve kicked the tires, now here are some questions and considerations to make before rolling out Amazon WorkSpaces in your large enterprise.
Do you have a local intranet with custom desktop or browser apps?
Some organisations have specific desktop applications – for instance our financial customers might have mainframe ‘greenscreen’ applications that talk to a general ledger mainframe.
Generally what we need to do is design the VPC topology and network routing that connects into the corporate data center. For example:
Networking to on prem
Here, we might need to implement a Direct Connect (https://aws.amazon.com/directconnect/) (DX) to our on-premises data centre, and augment our VPC routes to route to and from the data center over DX. We’d also want to do this in a fault tolerant way, for instance either having redundant DX’s or having a site to site backup over the open internet.
I recently blogged on the value of having a multi account strategy within AWS as a way to track costs and simply management. [http://beta.cevo.com.au/post/2019-10-05-thoughts-on-aws-control-tower/]
When augmenting your office network and running in a hybrid cloud environment then implementing Transit Gateway will significantly reduce the network complexity and management overhead. https://aws.amazon.com/transit-gateway/
Active Directory user and group
Most places use Windows Active Directory for staff account information. In his blog (https://cevo.com.au/from-zero-to-vdi-in-an-hour-using-amazon-workspaces) Ali provisioned a simple user directory; most organisations may want to leverage the existing AD setup. For performance and fault tolerance, Amazon WorkSpaces requires access to a domain controller in the VPC itself. The best way to do this is to provision AD Connectors (https://docs.aws.amazon.com/directoryservice/latest/admin-guide/directory_ad_connector.html) in the subnets of the Workspaces VPC. This provides low latency AD user authentication and authorisation into the WorkSpaces itself, even if the routing back to on-premises is not working (if cached).
For some of those desktop or browser based ‘intranet’ applications, there is an internal DNS name. To provide this capability into WorkSpaces, we can either route DNS traffic over that DX or provision a managed DNS slave into AWS. There are a few patterns here for performing DNS resolution into WorkSpaces which are mostly defined here https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html
Baking your custom desktop applications into the Workspace
By default, AWS provides the most common OS’s, however you may prefer or require your own custom desktop SOE to be used as a Workspaces image. There are two approaches here.
- Bundle the software into the default OS image. https://docs.aws.amazon.com/workspaces/latest/adminguide/create-custom-bundle.htm; or
- Bundle your custom application as a Workspace Application and empower your staff to self manage the installation onto the Workspace https://docs.aws.amazon.com/wam/latest/adminguide/what_is.html
Other Things to Consider
There are other key items that I think are worth considering:
Active Directory Workspaces administration
Designing your Active Directory hierarchy to include Amazon WorkSpaces is important from the start. This will allow you to then manage the entire WorkSpaces elegantly using Group Policy.
Group Policy controls are where you will continue to manage security controls like restricting software install.
Dashboards of Usage
While Amazon provides the ability to identify who is using a WorkSpace and how long it has been idle, it is important for a way to manage and track the fleet. AWS exposes utilisation as Cloud Watch Metrics however it is worthwhile investing in some dashboarding to better visualise usage and spend then provides opportunities to save cost by downsizing or terminating hibernated instances.
Providing a small serverless based website to enable your staff to self-provision their own WorkSpace in future reduces that arduous task of desktop support provisioning and deprovisioning gear. If possible investigate how to automate this task so you can focus your staff on high value work!
The Pricing Model
Amazon WorkSpaces has two key pricing models. Monthly billing with unlimited hours per workstation or hourly billing with a small monthly fee to cover the persistent things like disk storage. Thus, consider your usage pattern to ensure that you’re saving money over the longer term. The pricing details for WorkSpaces can be found here: https://aws.amazon.com/workspaces/pricing/
Cevo can help
Cevo can help you get started and build out a solution that is fit for you. Check out our Amazon WorkSpaces Solution overview here https://cevo.com.au/wp-content/uploads/2020/03/Cevo-Amazon-Workspaces.pdf and reach out if you want to know more!