Introduction
This document gives a high-level overview of the design and architecture of Amazon WorkSpaces.
Architecture
Design
Desktop:
- Provision either Windows or Linux desktops and quickly scale to provide thousands of desktops to workers.
Client:
- Users access their WorkSpaces with a client application on a supported device or, for Windows WorkSpaces, a web browser, and they sign in with their directory credentials.
SOE:
- Create a custom image from a configured WorkSpace and use it as the standard operating environment for provisioning new WorkSpaces.
Security:
- Enable multi-factor authentication for additional security (WorkSpaces MFA is RADIUS-based and is supported with AD Connector and AWS Managed Microsoft AD, not Simple AD).
- Use AWS KMS keys to encrypt WorkSpaces volumes; encryption covers data at rest, disk I/O, and volume snapshots. Encryption is chosen when the WorkSpace is launched; an existing WorkSpace cannot be encrypted afterwards.
Pricing:
- Pay monthly or hourly, only for the WorkSpaces you launch.
AD:
- Use a standalone managed directory for your users, connect WorkSpaces to your on-premises directory with AD Connector, or create a new AWS Managed Microsoft AD directory, add users to it, and assign WorkSpaces to them.
- For AD Connector, a VPN or AWS Direct Connect connection must exist between your VPC and your on-premises environment.
- The required ports must also be open between the VPC subnets AD Connector uses and your on-premises domain controllers: at minimum DNS (53), Kerberos (88) and LDAP (389), each over TCP and UDP; additional ports may be needed depending on your configuration.
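To make the port requirement above concrete, here is an added example (not code from the original post or from AWS) that audits a security-group style rule set for the AD Connector ports and flags rules that satisfy the port check only because they are far too broad. The required-port list follows the AD Connector prerequisites (DNS 53, Kerberos 88, LDAP 389 over TCP and UDP); the Rule type, the audit logic, the optional RADIUS port for MFA and the sample rule sets are constructed for this example.

```python
"""Audit a constructed security-group rule set for the ports AD Connector
needs to reach on-premises domain controllers.

Added example for this post, not code from the original page or from AWS.
The required-port list follows the AD Connector prerequisites (DNS 53,
Kerberos 88, LDAP 389, each over TCP and UDP); the Rule type, the audit
logic and the sample rules below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One outbound rule: protocol, port range, destination CIDR."""
    proto: str
    from_port: int
    to_port: int
    cidr: str


# Minimum ports AD Connector must reach on the on-premises directory.
AD_CONNECTOR_PORTS = {
    ("tcp", 53), ("udp", 53),    # DNS
    ("tcp", 88), ("udp", 88),    # Kerberos authentication
    ("tcp", 389), ("udp", 389),  # LDAP
}
# Only if RADIUS-based MFA is enabled on the directory; 1812 is the RADIUS
# default (assumption: confirm the port your RADIUS server actually uses).
RADIUS_MFA_PORTS = {("udp", 1812)}


def rule_allows(rule: Rule, proto: str, port: int, target_ip: str) -> bool:
    """True if the rule permits traffic on proto/port to target_ip."""
    return (
        rule.proto == proto
        and rule.from_port <= port <= rule.to_port
        and ipaddress.ip_address(target_ip) in ipaddress.ip_network(rule.cidr)
    )


def too_broad(rule: Rule, onprem_cidr: str) -> bool:
    """Flag rules that reach beyond the on-premises range or open all ports.

    A 0.0.0.0/0 rule would satisfy the port check while exposing far more
    than the directory link needs, so it is reported separately.
    """
    net = ipaddress.ip_network(rule.cidr)
    all_ports = rule.from_port == 0 and rule.to_port == 65535
    return all_ports or not net.subnet_of(ipaddress.ip_network(onprem_cidr))


def audit(rules, onprem_dc_ip: str, onprem_cidr: str, mfa: bool = False):
    """Return (missing (proto, port) pairs, rules judged too broad)."""
    required = set(AD_CONNECTOR_PORTS)
    if mfa:
        required |= RADIUS_MFA_PORTS
    missing = sorted(
        p for p in required
        if not any(rule_allows(r, p[0], p[1], onprem_dc_ip) for r in rules)
    )
    broad = [r for r in rules if too_broad(r, onprem_cidr)]
    return missing, broad


# Constructed sample data: on-premises DC at 10.20.0.10 inside 10.20.0.0/16.
ONPREM_DC = "10.20.0.10"
ONPREM_CIDR = "10.20.0.0/16"

# Least-privilege set: exactly the six AD Connector ports, scoped to on-prem.
GOOD_RULES = [
    Rule(proto, port, port, ONPREM_CIDR)
    for proto, port in sorted(AD_CONNECTOR_PORTS)
]

# Common mistake: a blanket TCP-any rule to the whole internet plus a single
# UDP rule. It passes every TCP check yet is far too broad, and the UDP
# Kerberos and LDAP ports are still missing.
BAD_RULES = [
    Rule("tcp", 0, 65535, "0.0.0.0/0"),
    Rule("udp", 53, 53, ONPREM_CIDR),
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        missing, broad = audit(rules, ONPREM_DC, ONPREM_CIDR)
        print(f"{name}: missing={missing} too_broad={broad}")
```

The same check can be pointed at the security group on a WorkSpace's primary network interface, with the (larger) port list a domain-joined desktop needs; the point is the same in both places: verify the required ports are reachable, and refuse a rule set that only passes because of an any-port or any-destination rule.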
Association:
Each WorkSpace is associated with a virtual private cloud (VPC) and with a directory that stores and manages information about your WorkSpaces and users.
Directories are managed through AWS Directory Service, which offers three options for authenticating users: Simple AD, AD Connector, or AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD).
Gateway:
- The user's login information is sent to an authentication gateway, which forwards it to the directory registered for the WorkSpace.
- After the user is authenticated, the desktop session is streamed through the streaming gateway.
ENI:
- Each WorkSpace has two elastic network interfaces (ENIs): one for management and streaming (eth0) and a primary ENI (eth1).
- The management interface (eth0) lives in an AWS-managed network with a reserved IP range, which must not overlap your VPC or on-premises address ranges.
- The primary ENI has an IP address from your VPC, taken from the same subnets used by the directory, so traffic from the WorkSpace can reach the directory directly.
- Access from the WorkSpace to resources in the VPC is controlled by the security groups attached to the primary ENI.
Workspace (Quick Setup):
- Launching a first WorkSpace with Quick Setup creates a VPC with an internet gateway by default.
- Sets up a Simple AD directory in that VPC.
- Creates the specified user accounts, adds them to the directory, and launches a WorkSpace for each.
Clean Up:
- Delete the WorkSpaces first, then deregister the directory from WorkSpaces and delete it; a directory cannot be deleted while it is still registered or still has WorkSpaces attached.