DEV Community

AWS Community Builders profile image Arun Kumar
Arun Kumar for AWS Community Builders

Posted on

AWS Workspaces overview

#aws #workspace #desktop #activedirectory

Introduction

This document briefs about high level overview, design and architecture of AWS Workspaces.

Architecture

1

Design

Desktop:

  • Provision either Windows or Linux desktops and quickly scale to provide thousands of desktops to workers.

Client:

  • Users access their WorkSpaces by using a client application from a supported device or, for Windows WorkSpaces, a web browser, and they log in by using their directory credentials.

SOE:

  • Create your own custom image which you can use for provisioning new Amazon WorkSpaces.

Security:

  • Use MFA for additional security. Use AWS KMS to encrypt data at rest, disk I/O, and volume snapshots.

Pricing:

  • You can pay either monthly or hourly, just for the WorkSpaces you launch.

AD:

  • Create a standalone managed directory for your users, or connect your WorkSpaces to your on-premises directory using Active Directory Connector, Create a new directory using Microsoft AD and add users, assign Amazon WorkSpaces to users in your Microsoft AD.

  • There must be a VPN or Direct Connect circuit in place between your VPC and your on-premises environment.

  • Also, various ports have to be opened between your VPC and your on-premises environment to allow AD Connector to communicate with your on-premises directory.

Association:

  • Each WorkSpace is associated with a virtual private cloud (VPC), and a directory to store and manage information for your WorkSpaces and users.

  • Directories are managed through the AWS Directory Service, which offers the following options:

  • Simple AD, AD Connector, or AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD to authenticate users.

Gateway:

  • The login information is sent to an authentication gateway, which forwards the traffic to the directory for the WorkSpace.
  • After the user is authenticated, streaming traffic is initiated through the streaming gateway.

ENI:

  • Each WorkSpace has two elastic network interfaces (ENI) associated with it: an ENI for management and streaming (eth0) and a primary ENI (eth1).
  • The primary ENI has an IP address provided by your VPC, from the same subnets used by the directory.
  • This ensures that traffic from your WorkSpace can easily reach the directory.
  • Access to resources in the VPC is controlled by the security groups assigned to the primary ENI.

Workspace:

  • It creates VPC, IGW by default.
  • Sets up a Simple AD directory in the VPC.
  • Creates the specified user accounts and adds them to the directory.

Clean Up:

  • Remove WorkSpaces, Deregister/Delete directory.

Top comments (0)

Read next

thesohailjafri profile image

How to use AWS S3 pre-signed URLs to upload and download files

Sohail Jafri -

env0team profile image

Using Terraform, Kubernetes, and Helm: The Power Trio

env0 Team -

prasadkpd profile image

High Availability in DynamoDB

Prasad Lakshan -

wesleycheek profile image

Deploy a Cognito Secured WebSocket API with AWS CDK

Wesley Cheek -