In this article, we'll go over some of the best practices to keep in mind while working with Amazon Workspaces.
Amazon WorkSpaces is a managed Virtual Desktop Infrastructure (VDI) solution. With Amazon WorkSpaces, you can simplify the process of managing inventory, OS updates or any other administrative burdens of standard VDI systems. You can have a desktop experience without the hassle of acquiring or deploying hardware or installing sophisticated software. More detailed article on the advantages of using Amazon Workspaces can be found at our another blog post.
Amazon WorkSpaces helps businesses improve their remote business processes and achieve productivity and organizational security across remote work environments.sufle.io/blog/productive-remote-working-with-amazon-workspaces
To start with, Amazon Workspaces deployment requires an Amazon VPC and minimum of two subnets. A VPC can have two WorkSpace specific private subnets and a public subnet with a NAT gateway. A connection to the internet is required for Amazon WorkSpaces Application Manager deployments and operating system updates. You should have two NAT gateways in order to prepare for failure, design for high availability, and reduce cross-AZ traffic costs. Since you can not resize subnets, it is important to plan for future growth. Reference of high-level VPC design can be seen below:
Fig.1: Example VPC Design
Amazon WorksSpaces requires a minimum of one of Active Directory Connector, AWS managed Microsoft Active Directory or Simple Active Directory. Your WorkSpaces and users' information is stored and managed by WorkSpaces using a directory.
Although multiple AWS Directory Services are supported on the same subnet, using different AD Connector and subnets for separate workloads are encouraged. Each AWS Directory Service allows you to set a default security group. Any WorkSpaces that are linked to that AWS Directory Service object are covered by this security group. Directory Service also allows for the addition of new security groups.
The two protocols that Amazon WorkSpaces supports are PCoIP and WorkSpaces Streaming Protocol (WSP). There can be a mixture of PCoIP and WSP WorkSpaces in a directory. But in the same directory, a user cannot have both a PCoIP and a WSP WorkSpace. In order to achieve this, you must place WorkSpaces in separate directories.
WorkSpaces client does not store any data on the client. You can use AWS KMS to encrypt the storage volumes for your WorkSpaces in order to perform encryption at rest. WorkSpaces leverages Amazon EBS to build and maintain encrypted volumes. TLS 1.2 encryption is used to protect data in transit for PCoIP and WSP for TCP Traffic.
Amazon WorksSpaces PCI DSS Level 1 compliant and HIPAA eligible with Business Associate Agreement.
CloudWatch metrics for WorkSpaces are intended to give administrators more information about the general condition and connectivity of specific WorkSpaces. Metrics are accessible for each WorkSpace individually or collectively for all WorkSpaces within a certain organization and directory. Also it is possible to create alarms depending on selected metrics and thresholds.
Fig.2: Monitoring using Amazon CloudWatch
Viewing, searching, downloading, archiving, analyzing, and responding to user logins is possible with Amazon CloudWatch Events. You can monitor IP addresses, user operating systems for users' logins. After finding out the times, places, and methods of user access to their WorkSpaces. You can make predetermined actions depending how a WorkSpace is accessed.
All of your Amazon WorkSpaces consumption can be analyzed by the Amazon WorkSpaces Cost Optimizer. It will change the WorkSpace to the pricing plan that is the most cost-effective for you automatically, based on how often you use it. This packaged solution enables you to monitor the utilization of your WorkSpaces and minimize expenditures. It also makes use of AWS CloudFormation to automatically create and configure the appropriate AWS services in order to do usage analysis once every 24 hours.
Example VPC Design
Monitoring or logging using Amazon CloudWatch
An AWS Certified Developer Associate, Burak is an experienced software engineer. With his experience in various industries including global technology companies, he follows his passion for going beyond the limits to build excellent products with collaboration and knowledge sharing.
Cookies are small files that are sent to and stored in your computer by the websites you visit. Next time you visit the site, your browser will read the cookie and relay the information back to the website or element that originally set the cookie.
Cookies allow us to recognize you automatically whenever you visit our site so that we can personalize your experience and provide you with better service.