DEV Community

Arun Kumar for AWS Community Builders

Posted on

AWS Workspaces overview


This document briefs about high level overview, design and architecture of AWS Workspaces.





  • Provision either Windows or Linux desktops and quickly scale to provide thousands of desktops to workers.


  • Users access their WorkSpaces by using a client application from a supported device or, for Windows WorkSpaces, a web browser, and they log in by using their directory credentials.


  • Create your own custom image which you can use for provisioning new Amazon WorkSpaces.


  • Use MFA for additional security. Use AWS KMS to encrypt data at rest, disk I/O, and volume snapshots.


  • You can pay either monthly or hourly, just for the WorkSpaces you launch.


  • Create a standalone managed directory for your users, or connect your WorkSpaces to your on-premises directory using Active Directory Connector, Create a new directory using Microsoft AD and add users, assign Amazon WorkSpaces to users in your Microsoft AD.

  • There must be a VPN or Direct Connect circuit in place between your VPC and your on-premises environment.

  • Also, various ports have to be opened between your VPC and your on-premises environment to allow AD Connector to communicate with your on-premises directory.


  • Each WorkSpace is associated with a virtual private cloud (VPC), and a directory to store and manage information for your WorkSpaces and users.

  • Directories are managed through the AWS Directory Service, which offers the following options:

  • Simple AD, AD Connector, or AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD to authenticate users.


  • The login information is sent to an authentication gateway, which forwards the traffic to the directory for the WorkSpace.
  • After the user is authenticated, streaming traffic is initiated through the streaming gateway.


  • Each WorkSpace has two elastic network interfaces (ENI) associated with it: an ENI for management and streaming (eth0) and a primary ENI (eth1).
  • The primary ENI has an IP address provided by your VPC, from the same subnets used by the directory.
  • This ensures that traffic from your WorkSpace can easily reach the directory.
  • Access to resources in the VPC is controlled by the security groups assigned to the primary ENI.


  • It creates VPC, IGW by default.
  • Sets up a Simple AD directory in the VPC.
  • Creates the specified user accounts and adds them to the directory.

Clean Up:

  • Remove WorkSpaces, Deregister/Delete directory.

Top comments (0)