Now more than ever, we are depending on technology and productivity tools to allow us to operate as effectively as possible.
For those who have already been one step ahead in their remote work environment, it’s a fairly smooth transition – but for the rest it’s going to be a bumpy ride.
The good news is that today you can establish a remote work environment in a matter of hours. In this blog I will cover one of the quickest approaches to set up a secure Virtual Desktop Infrastructure (VDI) solution using Amazon WorkSpaces.
AWS is offering WorkSpaces free for up to 50 users between 1 April and 30 June.
Amazon WorkSpaces is a managed, secure, cloud desktop service. It can be used to provision either Windows or Linux desktops in just a few minutes, and quickly scale to thousands of workers across the globe. Charges are billed either monthly or hourly, and only for the desktops in use, which is a significant cost saving compared to traditional desktops and on-premises VDI solutions.
Amazon WorkSpaces helps to eliminate the complexity in managing hardware inventory, OS versions and patches, and VDI, thereby simplifying the desktop delivery strategy. With Amazon WorkSpaces users get a fast, responsive desktop of their choice that they can access anywhere, anytime, from any supported device.
There are three critical components that the Amazon WorkSpaces service requires in order to be deployed successfully:
- WorkSpaces client application. Amazon WorkSpaces supports a range of client devices, including:
  - Windows Client Application
  - Web Access
  - Android Client Application
  - iPad Client Application
  - OS X Client Application
- A directory service to authenticate users and provide access to their WorkSpaces. Amazon WorkSpaces currently supports three authentication options: AWS Directory Services, Microsoft AD and Simple AD.
- Amazon Virtual Private Cloud (Amazon VPC) in which to run the Amazon WorkSpaces. A minimum of two subnets is required for a WorkSpaces deployment, because each AWS Directory Services construct requires two subnets in a Multi-AZ deployment.
VPC Design Consideration:
AWS advises reviewing the following network considerations before designing and implementing the solution:
- Separate VPC. Use a VPC dedicated to the WorkSpaces deployment. This allows the necessary governance and security guardrails to be implemented for each set of WorkSpaces based on their requirements.
- Directory Services. Each AWS Directory Services construct pairs with a minimum of two subnets to provide a highly available directory service split across Amazon Availability Zones.
- Subnet size. WorkSpaces deployments are tied to a directory construct and reside in the same VPC subnets as the chosen AWS Directory Service. Therefore:
  - Subnet sizes are permanent and cannot be changed
  - A default security group can be applied to the AWS Directory Service; this security group then applies to all WorkSpaces associated with that directory construct
  - Multiple AWS Directory Services can consume the same subnet
Using a VPC you can create an isolated environment for your WorkSpaces users based on their profile. Amazon WorkSpaces lets you isolate WorkSpaces at the network level according to your security requirements – for example, one set of subnets for external users or contractors, and another for internal users who require more access to your environment.
The following diagram provides a high-level network flow for an Amazon WorkSpaces user connecting via public internet.
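Because subnet sizes cannot be changed once the directory is attached, it is worth checking a proposed layout before anything is created. The following is an added example, not code from the original post: given a VPC CIDR and a candidate pair of subnets, it flags layouts that Directory Service would reject (fewer than two subnets, a single Availability Zone, overlapping subnets, subnets outside the VPC) and estimates how many WorkSpaces the pair can hold after AWS's five reserved addresses per subnet and one domain controller address per directory per subnet. The CIDRs and zone names are constructed samples.

```python
import ipaddress

# Per-subnet overheads. AWS reserves the first four and the last address of
# every subnet; each directory construct places one domain controller (and
# so one ENI) in each of its subnets.
AWS_RESERVED_PER_SUBNET = 5
DC_ENI_PER_DIRECTORY_PER_SUBNET = 1


def plan_workspaces_subnets(vpc_cidr, subnets, directories=1):
    """Check a candidate directory/WorkSpaces subnet layout.
    subnets is a list of (cidr, availability_zone) pairs. Returns
    (problems, capacity): a list of layout errors and the number of
    WorkSpaces the subnets can still hold once the directory is placed.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(ipaddress.ip_network(cidr), az) for cidr, az in subnets]
    problems = []
    if len(nets) < 2:
        problems.append("a directory needs at least two subnets")
    if len({az for _, az in nets}) < 2:
        problems.append("subnets must span at least two Availability Zones")
    for net, _ in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside VPC {vpc}")
    for i, (a, _) in enumerate(nets):
        for b, _ in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    capacity = 0
    for net, _ in nets:
        usable = (net.num_addresses - AWS_RESERVED_PER_SUBNET
                  - DC_ENI_PER_DIRECTORY_PER_SUBNET * directories)
        capacity += max(usable, 0)
    return problems, capacity


if __name__ == "__main__":
    # Constructed sample: one subnet pair for internal staff and a smaller,
    # isolated pair for contractors, both inside the same dedicated VPC.
    vpc = "10.42.0.0/16"
    layouts = {
        "internal": [("10.42.0.0/23", "ap-southeast-2a"), ("10.42.2.0/23", "ap-southeast-2b")],
        "contractors": [("10.42.4.0/26", "ap-southeast-2a"), ("10.42.4.64/26", "ap-southeast-2b")],
    }
    for name, subnets in layouts.items():
        problems, capacity = plan_workspaces_subnets(vpc, subnets)
        status = "; ".join(problems) or f"ok, room for about {capacity} WorkSpaces"
        print(f"{name}: {status}")
```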
AD DS DEPLOYMENT SCENARIOS
Active Directory integration with Amazon WorkSpaces is the most critical item for a successful implementation. AWS recommends three best-practice scenarios:
- Scenario 1: Using AD Connector to proxy authentication to on-premises AD DS. In this scenario the AD Connectors implemented in the AWS environment authenticate against on-premises AD DS, with all authentication proxied via Direct Connect.
- Scenario 2: Extending on-premises AD DS into AWS (Replica). This scenario is similar to scenario 1, but the AD DS replica is located in the AWS VPC in combination with AD Connector. This greatly reduces the latency of authentication and query requests to AD DS and the AD DS global catalog.
- Scenario 3: Standalone isolated deployment using AWS Directory Service in the AWS Cloud. This isolated scenario requires no connectivity back to on-premises AD DS for authentication. Instead, it uses AWS Directory Services (Microsoft AD) and AD Connector.
Amazon WorkSpaces Provisioning
Now that we’ve covered the critical design considerations and components, it’s time to spin up a simple WorkSpaces environment in your AWS account to see just how quickly it can be created.
The very first thing you need to do is set up your directory service. As mentioned above, you have a few options to choose from. If you have an existing Active Directory and want to connect to it, choose one of the options that extends your Active Directory into AWS; for the sake of this tutorial I am going to stand up a Simple AD so that I can bring up my WorkSpaces environment as quickly as possible.
1. Log in to your AWS account and search for the WorkSpaces service in the Services section
2. Click Directories in the left-hand section and click Set up Directory
3. Select Simple AD and click Next
4. Fill in the information for the AD setup:
   - Directory Size: Select Small if you have fewer than 2000 objects and fewer than 500 users.
   - Organization Name: A unique organisation name that becomes part of your AWS WorkSpaces URL.
   - Directory DNS name: This becomes the DNS name of your directory.
   - Administrator Username and Password: The AD admin credentials.
5. Select your VPC and choose the subnets in which to implement the Directory Service.
Once the directory status changes to created, you can associate your WorkSpaces with it.
If your VPC uses an Internet Gateway and you would like to publish applications from AWS Marketplace to your WorkSpaces, follow these steps:
- Click Directories in the left-hand section, select your new directory, then Action > Update Details
- Enable Access to Internet, then click Update and Exit.
To get started with WorkSpaces select WorkSpaces from the left section and follow the instructions.
- Select the directory you created earlier, or choose the existing directory you would like to associate your WorkSpaces with.
- Select Subnet 1 and Subnet 2. If you select a subnet other than the directory’s, make sure it can reach your Directory Service and that the ports WorkSpaces requires for internet access are open, then click Next
- Fill in the information for the new users and add as many as you need. Note that you can either create a new user and add it to your directory, or select from existing users in your directory. Once the new users are created, you can search for them in the next section and click Add Selected
- Select the image you want to provision your WorkSpaces from in the bundle section
- Leave the rest as default and complete the WorkSpaces provisioning by clicking Create. It might take up to 20 minutes until it fully provisions your WorkSpaces environment.
Access your WorkSpaces
There are different ways to connect to your WorkSpaces over the internet: here is a link to download the WorkSpaces client for your devices, or you can access your environment through a web browser.
Once you have downloaded your client make sure it has the required network access to be able to successfully connect to your WorkSpaces environment. To check your network access ensure you have a green tick next to the Network on the bottom-right of your client.
If a new user has been added to the WorkSpaces, they will receive an email to activate the account and set a new password. Follow the instructions in the email to activate your account.
Once your WorkSpaces provisioning is complete and you have activated your account, type your WorkSpaces ID into your client and log in using your user credentials.
Now that you have a running WorkSpaces environment, let’s try publishing an application from AWS Marketplace into your VDI. Follow the instructions below:
- Go to the “C:\Program Files\Amazon” folder and install Amazon WorkSpaces Application Manager
- Once installed, the application opens in your WorkSpaces session and shows an empty catalog
- Browse to your AWS console and select WorkSpaces under Services. Select Application under Application Manager.
- Click Add application from AWS Marketplace
- Let’s add a few applications to your Application Manager. Add the following by clicking each application, then Accept Terms and Subscribe
- Once you have added these applications, return to the application catalog and change the source to AWS Marketplace, select all the applications and click Action > Assign Application to Users
- Select your directory and search for your users; you can easily assign a set of applications to the users in a group
- Click your user, add it to the Selected Users and click Next
- Make sure you can see all of your selected applications and click Review
- Click Confirm and Assign
- Go back to your WorkSpaces session and refresh the Application Manager; your applications should now be listed and ready to install
With Amazon WorkSpaces you have the power to bring your own customised VDI solution into the cloud in a matter of hours. However, it can get complicated when you have more than a few users, or customised applications that you would like to publish through your WorkSpaces environment.
To reduce that complication while still enabling remote work environments as quickly as possible, you have the option of leveraging AWS automation capabilities. Cevo has developed in-house IP to help customers implement a WorkSpaces environment in a timely manner, with a suitable framework for managing the platform once it goes live – please contact us to find out more.