Overview and Whitepaper:

Using the AWS Management Console, you can deploy high-quality cloud desktops for any number of users.

Strategies and Challenges for IT who deploy desktops (whitepaper):

Strategy challenges:

• Timely employee request fulfillment
• Supporting contractors and temporary staff with a productive workspace
• Merger and acquisition assistance
• Increased application development and engineering activity
• Provide and manage temporary desktops

Greatest Challenges:

• Security of endpoints
• Threat Detection/Prevention
• Corporate file access and protection
• Improve collaboration
• Maintain compliance
• Complexity of technology
• Managing a heterogeneous device environment
• SSO to corporate apps
• Rogue employee devices
• Rogue applications housing corporate data
• Supporting LOBs and executive devices and apps

On Premises Virtual Desktop Infrastructure (For example building Terminal Server VDI’s or Citrix)

Upsides to On Premises Virtual Desktop Infrastructure:

• Simplified management, centralized, hosted, managed, executed
• Efficient provisioning and de-provisioning with standardized images allowing quick revoking of access
• Centralized image management, proactive detection, rapid quarantine of suspicious behavior

Downsides to VDI:

• Complex infrastructure that is difficult for IT to plan, configure, manage, and maintain.
• Unfavorable economics that tip ROI equation in the wrong direction with un-utilized capacity, heavy upfront costs and cumbersome ops.
• Unpredictable global access based on proximity of users due to low network bandwidth and unacceptable latency
• Time-consuming implementations that involve multiple IT disciplines and months of planning, testing, and staging of infrastructure.
• Difficult root cause analysis among multiple IT teams.

Amazon Workspaces Desktop as a Service a Viable alternative to VDI (Hosted Desktop Service)

Employee Benefits:

• Employees not tethered to traditional desktops or laptops.
• No cumbersome VPN connections
• Increased collaboration and communication with simplified virtual workspaces

Business Benefits:

• Rapid scale up or down; new employees, mergers and acquisitions, global growth
• Integrate, consolidate, and deliver services and apps
• Reduce capital expenditures, operational costs and streamline IT maintenance and infrastructure management

IT Benefits

• Ability to meet security policy requirements and compliance standards by using protocols to compress, encrypt, and encode data so only images are transmitted and data no longer resides on local devices.
• Enables creation of developer-style environments, granting developers quick an secure access to end-user environments for seamless dev testing, without impeding user productivity.
• Allows devs to move fast and fail fast with access to desktop resources when they need them.
• Keeps business data secure, centrally managed, and accessible to users.
• Places productive workspace in the hands of end-users near instantaneously, while supporting secure access from multiple device types.
• Manages apps centrally with the ability to securely package, deploy, and maintain a productive user environment.
• Deliver a productive environment for users without the task of configuring a desktop asset.

Proof of Concept 

*Note, our org already has a VPN connection between Amazon AWS and our On-Prem domain and domain controllers. This allows me to find our domain with Amazon’s connector. Review the Architectural Diagram below to ensure you’re comfortable with how Workspaces can fit into your AWS presence and VPC’s.

1. Log into AWS, > Workspaces > Get started
2. Create AD connector (use Administrator account to connect) – also add WorkDocs Sync feature
3. Create New Workspace > Choose Directory (local.domain.com) > search for user > jcoltrin (username: domain\jcoltrin) > add selected > Next > Select: Standard with Windows 7 (later I will add MS volume license for Office and other applications and then create an image.)
4. I choose Performance: 2 vCPU, 7.5 GiB Memory – Hourly
5. Download the Workspaces client here: https://clients.amazonworkspaces.com/

I sent myself the connection email which looks like the following:

————————-

Dear Jason,

A new Amazon WorkSpace has been provided for you. Follow the steps below to quickly get up and running with your WorkSpace:

1. Download and install a WorkSpaces Client for your favorite devices:

https://clients.amazonworkspaces.com/

2. Launch the client and enter the following registration code: XXxxXX+xxXXxx

3. Login with your Network/Domain password. Your username is jcoltrin

If you have any issues connecting to your WorkSpace, please contact your administrator.

Sincerely,

Amazon WorkSpaces

————————–

After verifying the registration code, log into the new virtual workspace with your domain credentials:

After logging in you may receive the following notice if resuming the workspace:

After logging in I received the following desktop:

Notice the following in the desktop image:

• Network Drives mapped
• Local and Remote Printers are created
• Corporate desktop background
• The computer is now a member of the domain with the computer name IP-AC1F5261
• Icons available for AWS applications and Directory Sync (share files with my local workstation)

Finalizing for Production and Production Notes:

• Finalize image with all necessary applications and test. Build your gold Images
• Enlist a user to test running the workspace in production and adjust applications/workspace as necessary
• Deploy to a set of users.
• Rent before buy, buy before build.
• Aligned with cloud technology
• Builds on existing AWS infrastructure
• Straightforward architecture
• Give it to users and see how they like it
• Multi-Region vs Single Region – within each region are availability zones. One workspace is not available in all regions. When building VPC, figure out which subnets support workspaces.
• Subnets are fixed, build to allow for growth.
• Workspaces are attached to AD connectors. You cannot move an old Workspace between AD Connectors. If availability zone becomes unavailable, then workspaces are unavailable. Use multiple availability zones to allow for this.
• Only allow windows devices with certificates to connect. Etc. You’re going to have several AD connectors. Have a production AD connector and a testing AD Connector. Setup pure sandbox somewhere else for testing.
• Each AD connector drops the computer into single OU, options are separate AD connector per department. Eg. Only accounting can connect from a certain dept. Or you cannot auth from outside, only on-prem. Create AD connector for consultants which drop them into separate subnet, monitoring.
• Workspaces IP addresses stay there forever. IP addresses persist on rebuild etc. Cannot assign IP’s.
• One VPC for workspaces.
• Better segregation between work and personal side of things. BYOD is nice – pane of glass. Devs have good separation.
• This gets Windows on Mac better than bootcamp
• Reduced operational overhead, light-weight devices, drop them in mail ready to go. Send the registration code. People are lining up to get onboard. Tougher to please users are ecstatic about workspaces. Once implemented, IT itself will not go back to before.
• Run pilots.
• Replace end-of-life desktops
• Great for Mergers and acquisitions
• Users could connect with Zero client at the office and Home computer at home
• Allow deployment of Zero clients in all facilities and retrofits
• Hoteling/shared workspace areas. Smaller sites only need internet connectivity, not a WAN-enabled site.
• Scalable and global
• No upfront CapEx
• Capacity-on-demand
• Rate of innovation – customers drive features at Amazon
• Instrumentation and controls – complexity and cost of on-prem is daunting
• Cost savings – financial benefits – get out of the business of providing physical PC’s, building and configuring VDI service is complicated and costly, focus on service not infrastructure.
• Workspaces API & CLI integration
• Same image/applications leverage multiple Geos, ability to grow into other areas
• Having desktop in cloud allows patch compliant capacities
• Enabling support staff opportunities – support users all over world, help desk reps
• Enable end users – automate the whole thing & allow user to migrate their data.

Pricing:

https://aws.amazon.com/workspaces/pricing/

https://aws.amazon.com/directoryservice/pricing/

There are two main options for Workspaces, Monthly pricing and Hourly Pricing.

At 160 hours per month, a “Performance-grade” workspace under the Hourly Pricing model would cost $7.25 + $0.57/hour = $98.45.

The same “Performance-Grade” workspace under the “Monthly” pricing would cost $55.

$55 x 12 months = $660

A new Dell 7050 PC typically costs $800

So it would take approximately 1 1/2 years of monthly payments to reach the cost of a normal desktop PC.

Hardware Options

Conclusion

Overall, I really like Workspaces, it was simple to setup and run. I believe the remote workspace from AWS can work very well for the enterprise and provides a flexibility to expand, create different images for different users easily and keep  data safe at AWS by only sending graphics/pixels over the wire. People can use their own BYOD devices such as Chromebooks etc. to perform their jobs.

The only drawback I’ve encountered is workspaces does not provide a pass-through video / camera devices for Skype video calls. If a user needs to use Skype or other video conferencing, they will have to start their call “outside” of Workspaces.

Let me know what you think about the product and this write-up.