During the lockdown, AWS WorkSpaces, a “Desktop as a Service” offering, was tested in most companies so that staff could carry out office work from home. It is a secure, reliable, and scalable solution.
Every organization that builds its own VDI has to invest heavily in infrastructure. To avoid that infrastructure cost and management overhead, AWS WorkSpaces is the best option: it is a PaaS-based service, so there is much less administration and management to do.
AWS WorkSpaces gives you the option to choose Windows or Linux along with specific hardware, software, and regions. Desktop streaming works over PCoIP (port 4172) or WSP (port 4195). MFA provides additional security. The client application authenticates to WorkSpaces on port 443.
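Because the client authenticates on 443 first and only then opens the streaming session on 4172 (PCoIP) or 4195 (WSP), a corporate firewall that allows 443 but blocks the streaming port produces a client that logs in successfully and then hangs. The following is an added example of my own (not code from the post or from AWS) that runs that diagnosis over constructed firewall log lines: the log format, timestamps and addresses are invented, and the TCP+UDP requirement for each streaming protocol is taken from the AWS WorkSpaces documentation.

```python
import re
from collections import defaultdict

# Ports the WorkSpaces client needs: 443 for registration/authentication,
# then 4172 (PCoIP) or 4195 (WSP) for the streaming session. Both streaming
# protocols use TCP and UDP on their port (per the AWS WorkSpaces docs).
REQUIRED = {
    "auth": {("tcp", 443)},
    "PCoIP": {("tcp", 4172), ("udp", 4172)},
    "WSP": {("tcp", 4195), ("udp", 4195)},
}

# Constructed firewall log format (not from any real product):
# <time> action=<ALLOW|DENY> proto=<tcp|udp> src=<ip> dst=<ip> dport=<port>
LOG_RE = re.compile(
    r"action=(?P<action>ALLOW|DENY)\s+proto=(?P<proto>tcp|udp)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample: three clients on a private LAN reaching out to
# documentation-range addresses standing in for the WorkSpaces endpoints.
SAMPLE_LOG = """\
2020-05-04T09:00:01Z action=ALLOW proto=tcp src=10.20.0.15 dst=198.51.100.10 dport=443
2020-05-04T09:00:03Z action=DENY proto=udp src=10.20.0.15 dst=198.51.100.20 dport=4172
2020-05-04T09:00:03Z action=DENY proto=tcp src=10.20.0.15 dst=198.51.100.20 dport=4172
2020-05-04T09:05:10Z action=ALLOW proto=tcp src=10.20.0.16 dst=198.51.100.10 dport=443
2020-05-04T09:05:11Z action=ALLOW proto=tcp src=10.20.0.16 dst=198.51.100.21 dport=4195
2020-05-04T09:05:11Z action=ALLOW proto=udp src=10.20.0.16 dst=198.51.100.21 dport=4195
2020-05-04T09:07:00Z action=DENY proto=tcp src=10.20.0.17 dst=198.51.100.10 dport=443
"""


def parse_log(text):
    """Yield (action, proto, src, dport) for every line matching LOG_RE."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["action"], m["proto"], m["src"], int(m["dport"])


def diagnose(text):
    """Classify each client IP's WorkSpaces connection attempt.

    Returns {src: status} where status is one of:
      'ok'                     443 allowed and one streaming protocol fully allowed
      'auth-blocked'           443 denied: the client cannot even register/log in
      'stream-blocked:<proto>' 443 allowed but that protocol's streaming port denied
      'incomplete'             not enough traffic seen to decide
    """
    seen = defaultdict(dict)  # src -> {(proto, port): last action seen}
    for action, proto, src, dport in parse_log(text):
        seen[src][(proto, dport)] = action

    result = {}
    for src, flows in seen.items():
        auth = flows.get(("tcp", 443))
        if auth == "DENY":
            result[src] = "auth-blocked"
            continue
        if auth != "ALLOW":
            result[src] = "incomplete"
            continue
        status = "incomplete"
        for name in ("PCoIP", "WSP"):
            actions = [flows.get(p) for p in REQUIRED[name]]
            if all(a == "ALLOW" for a in actions):
                status = "ok"  # a complete streaming path exists
                break
            if any(a == "DENY" for a in actions):
                status = f"stream-blocked:{name}"
        result[src] = status
    return result


if __name__ == "__main__":
    for ip, status in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"{ip:<12} {status}")
```

The check deliberately requires both TCP and UDP on the streaming port before reporting `ok`; a rule set that opens only TCP 4172 is a common reason for a WorkSpace that authenticates but never renders the desktop.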
User story:
Suppose a company gives you a laptop or desktop to work from home. After some days it stops working, and the company does not want you to use a personal laptop, considering the validity of the software licences and its security policies.
You can go for Amazon WorkSpaces, where you can create a virtual desktop with a licensed copy of Windows, MS Office, antivirus, and 7-Zip. Along with it, you can use Simple AD or AWS Directory Service for authentication and authorization.
You access it with the Windows client, or any other client available for the OS running on your personal laptop.
AWS WorkSpaces reference architecture and components
Below are major components:
- Identity – Simple AD, AWS Directory Service (a PaaS-based managed directory), or AD Connector to an external identity provider can be used to provide authentication and authorization
- VPC – Isolated virtual network in which the workload is set up
- NAT Gateway – Performs network address translation when a WorkSpace needs to send traffic to the internet (public network)
- Internet Gateway – Gives the subnets of the VPC the ability to reach the internet
Every service comes with pros and cons. I could gather the below details based on my experience.
Pros:
1. Less hardware inventory
2. No VDI infrastructure management
3. On-demand access
4. 7 bundles to choose from based on need
5. OS offering with a BYOL (bring your own license) option available
6. Auto start and stop to save hourly cost
7. MFA and encryption of data at rest
8. Customizable images and bundles
9. WAM (Amazon WorkSpaces Application Manager) to deploy and manage custom apps and ready-made apps from the AWS Marketplace
Cons:
1. Need to configure Simple AD, AWS Directory Service, or AD Connector as the identity source
2. One user can access only one WorkSpace at a time.
3. The hostname of a WorkSpace cannot be changed to follow an IT standard naming convention.
4. Not compliant with all security standards. In some cases you need to sign a BAA with AWS to make it compliant.
5. No backup provision
6. Disk size can only be modified within the given pattern of allowed size combinations.
Next, we will see how to implement and test AWS WorkSpaces.
AWS WorkSpaces installation, configuration and testing
Go to the AWS console and open the WorkSpaces service; you get two options, quick setup or advanced setup.
If you go with quick setup, the initial setup takes 20 minutes. In the background it creates Simple AD, a VPC, AD accounts based on the users' email ids, an IAM role and network interfaces, creates the WorkSpaces, and gives the users access to them.
Let's go with advanced setup. The first step is to set the directory, as shown below.
1. Click on Create WorkSpaces and select a directory, or create a new one.
2. To proceed, create a new user or select an existing one from the directory who needs access.
3. Select a bundle from the available bundles.
4. Set the WorkSpaces configuration as shown below: choose the running mode and enable encryption on the EBS volumes. After configuration, review the settings and click Create.
5. Select the WorkSpace and start it.
6. To access the WorkSpace, AWS sends a mail to your email id containing the client download, the registration code, and the user name.
7. Download and install the WorkSpaces client. When you open it, it asks for the registration code from the mail. It is a one-time code and is limited to one device. After providing it, you enter your login credentials.
This completes your AWS WorkSpaces setup and testing.
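The console steps above (choose a running mode, encrypt the EBS volumes, create, then start) and the disk-size constraint listed under the cons can both be expressed as code. The following is an added example of my own, not code from the post or from AWS: it builds the request in the shape the WorkSpaces CreateWorkspaces API takes, rejects settings that violate a small policy (unencrypted volumes, an unsupported root/user volume combination), and audits an existing WorkSpace description for the same policy. The allowed size combinations encode my reading of the AWS documentation (root 80 GiB with user 10/50/100 GiB, or root 175-2000 GiB with user 100-2000 GiB) and should be verified against the current docs; the directory, bundle and KMS key ids are placeholders, and the function that actually calls AWS with boto3 is not run here.

```python
# Allowed root/user volume size combinations (GiB) at creation time, as I
# read the AWS WorkSpaces docs: root 80 with user 10/50/100, or root
# 175-2000 with user 100-2000. Assumption: check against current docs.
def volume_sizes_valid(root_gib, user_gib):
    if root_gib == 80:
        return user_gib in (10, 50, 100)
    if 175 <= root_gib <= 2000:
        return 100 <= user_gib <= 2000
    return False


def build_workspace_request(directory_id, user_name, bundle_id, *,
                            root_gib=80, user_gib=50, auto_stop_minutes=60,
                            kms_key=None):
    """Return one WorkspaceRequest dict as CreateWorkspaces expects it.

    Raises ValueError for settings this example's policy rejects:
    volumes without a KMS key, or an unsupported volume size combination.
    auto_stop_minutes is the AUTO_STOP idle timeout (60-minute increments).
    """
    if not volume_sizes_valid(root_gib, user_gib):
        raise ValueError(f"unsupported volume sizes root={root_gib} user={user_gib}")
    if not kms_key:
        raise ValueError("policy: volumes must be encrypted; pass a KMS key id/ARN")
    return {
        "DirectoryId": directory_id,
        "UserName": user_name,
        "BundleId": bundle_id,
        "VolumeEncryptionKey": kms_key,
        "UserVolumeEncryptionEnabled": True,
        "RootVolumeEncryptionEnabled": True,
        "WorkspaceProperties": {
            "RunningMode": "AUTO_STOP",  # billed hourly, stops when idle
            "RunningModeAutoStopTimeoutInMinutes": auto_stop_minutes,
            "RootVolumeSizeGib": root_gib,
            "UserVolumeSizeGib": user_gib,
        },
        "Tags": [{"Key": "Owner", "Value": user_name}],
    }


def audit_workspace(ws):
    """Return policy findings for a Workspace description (the shape
    DescribeWorkspaces returns); an empty list means compliant."""
    findings = []
    if not ws.get("UserVolumeEncryptionEnabled"):
        findings.append("user volume not encrypted")
    if not ws.get("RootVolumeEncryptionEnabled"):
        findings.append("root volume not encrypted")
    props = ws.get("WorkspaceProperties", {})
    if props.get("RunningMode") != "AUTO_STOP":
        findings.append("running mode is not AUTO_STOP (hourly cost saving disabled)")
    return findings


def create_and_start(request, region="us-east-1"):
    """Submit the request and start the WorkSpace with boto3.
    Not executed by the offline example; boto3 is imported lazily so the
    rest of the module works without it installed."""
    import boto3
    client = boto3.client("workspaces", region_name=region)
    resp = client.create_workspaces(Workspaces=[request])
    if resp.get("FailedRequests"):
        raise RuntimeError(resp["FailedRequests"])
    ws_id = resp["PendingRequests"][0]["WorkspaceId"]
    client.start_workspaces(StartWorkspaceRequests=[{"WorkspaceId": ws_id}])
    return ws_id


if __name__ == "__main__":
    # Placeholder ids; replace with your directory, bundle and KMS key.
    req = build_workspace_request("d-EXAMPLE123", "alice", "wsb-EXAMPLE",
                                  kms_key="alias/workspaces-example")
    print(req)
    print("findings:", audit_workspace(req))
```

Running `audit_workspace` over every entry from `describe_workspaces` is a cheap way to catch WorkSpaces that were created through the console with encryption left unticked or with ALWAYS_ON selected by mistake.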
Continuing from there, as an admin you can restrict users based on their location by using the IP Access Controls option. The bring your own license (BYOL) option can be used to save cost. You can create an application and assign it to users under the Application Manager setting.
To try AWS WorkSpaces, you can start with the free tier. You pay for the bundle you choose and the number of WorkSpaces. Simple AD and AD Connector pricing is included in the quick setup. You pay an additional amount if you go with AWS Directory Service.
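An IP access control group is a list of CIDR rules; once it is attached to a directory, a client connecting from an address outside every rule is refused. The following added example (mine, not code from the post or from AWS) models those rules with Python's `ipaddress` module so the rule set can be tested against constructed login attempts before it is attached, and flags attempts that would be denied for review. The office ranges are documentation addresses, the rule dict shape (`ipRule`/`ruleDesc`) is the one the WorkSpaces API uses, and the boto3 function that pushes the group is not executed here.

```python
import ipaddress

# Constructed rules in the shape WorkSpaces IP access control groups use.
# The ranges are documentation addresses, not real office egress IPs.
OFFICE_RULES = [
    {"ipRule": "203.0.113.0/24", "ruleDesc": "HQ office egress"},
    {"ipRule": "198.51.100.8/29", "ruleDesc": "branch office VPN egress"},
    {"ipRule": "192.0.2.77/32", "ruleDesc": "admin home (static IP)"},
]


def compile_rules(rules):
    """Parse every CIDR once. strict=True rejects a rule whose host bits are
    set (e.g. 203.0.113.5/24), which usually means someone typed a host
    address instead of the network and the rule is wider than intended."""
    return [(ipaddress.ip_network(r["ipRule"], strict=True), r["ruleDesc"])
            for r in rules]


def evaluate_access(client_ip, compiled):
    """Return (allowed, matching rule description).
    With a group attached, any client IP not covered by a rule is denied."""
    addr = ipaddress.ip_address(client_ip)
    for net, desc in compiled:
        if addr in net:
            return True, desc
    return False, None


def review_login_attempts(attempts, rules):
    """attempts: iterable of (user, client_ip) pairs, e.g. taken from the
    WorkSpaces connection history. Returns the attempts the rule set would
    deny, so an admin can spot users connecting from unexpected places
    before (or after) the group is enforced."""
    compiled = compile_rules(rules)
    return [(user, ip) for user, ip in attempts
            if not evaluate_access(ip, compiled)[0]]


def push_ip_group(directory_id, rules, group_name="corp-offices",
                  region="us-east-1"):
    """Create the group and attach it to the directory with boto3.
    Not run by the offline example; boto3 is imported lazily."""
    import boto3
    client = boto3.client("workspaces", region_name=region)
    group_id = client.create_ip_group(GroupName=group_name, UserRules=rules)["GroupId"]
    client.associate_ip_groups(DirectoryId=directory_id, GroupIds=[group_id])
    return group_id


if __name__ == "__main__":
    # Constructed login attempts: two from offices, one from next door to
    # the admin's static IP, one from a private range that should never appear.
    attempts = [("alice", "203.0.113.45"), ("bob", "198.51.100.9"),
                ("carol", "192.0.2.78"), ("dave", "10.0.0.5")]
    for user, ip in review_login_attempts(attempts, OFFICE_RULES):
        print(f"would be denied: {user} from {ip}")
```

Testing the rule set offline first matters because attaching a group that omits a site locks every user at that site out at once; the denied list also doubles as a simple review of where people actually connect from.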