AWS Workspaces overview

Arun Kumar
AWS Community Builder
・2 min read

Introduction

This post gives a high-level overview of the design and architecture of AWS WorkSpaces.

Architecture

[Architecture diagram]

Design

Desktop:

  • Provision either Windows or Linux desktops and quickly scale to provide thousands of desktops to workers.

Client:

  • Users access their WorkSpaces by using a client application from a supported device or, for Windows WorkSpaces, a web browser, and they log in by using their directory credentials.

SOE:

  • Create your own custom image which you can use for provisioning new Amazon WorkSpaces.

Security:

  • Use MFA for additional security. Use AWS KMS to encrypt data at rest, disk I/O, and volume snapshots.
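The KMS point above is only useful if every WorkSpace actually has it turned on. The following audit script is an added example, not code from the original post: it takes a list shaped like the `Workspaces` entries that boto3's `describe_workspaces` call returns (the `RootVolumeEncryptionEnabled`, `UserVolumeEncryptionEnabled` and `VolumeEncryptionKey` fields are real response keys) and reports every WorkSpace whose root or user volume is not encrypted. The three sample WorkSpaces, their `ws-`/`d-` ids and the KMS key ARN are constructed placeholders so the script runs offline.

```python
"""Audit Amazon WorkSpaces for missing at-rest (KMS) volume encryption.

Added example, not from the original post. The input is shaped like the
``Workspaces`` list returned by boto3's ``describe_workspaces`` call; the
sample below is constructed inline so the script runs offline.
"""
from typing import Dict, List

# Constructed sample: three WorkSpaces with placeholder ids and a fake KMS key ARN.
SAMPLE_WORKSPACES: List[Dict] = [
    {
        "WorkspaceId": "ws-example0001",
        "DirectoryId": "d-exampledir1",
        "UserName": "alice",
        "State": "AVAILABLE",
        "RootVolumeEncryptionEnabled": True,
        "UserVolumeEncryptionEnabled": True,
        "VolumeEncryptionKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    },
    {
        "WorkspaceId": "ws-example0002",
        "DirectoryId": "d-exampledir1",
        "UserName": "bob",
        "State": "AVAILABLE",
        "RootVolumeEncryptionEnabled": False,  # root volume left unencrypted
        "UserVolumeEncryptionEnabled": True,
        "VolumeEncryptionKey": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID",
    },
    {
        "WorkspaceId": "ws-example0003",
        "DirectoryId": "d-exampledir1",
        "UserName": "carol",
        "State": "STOPPED",
        # Flags absent entirely: treated as unencrypted rather than assumed safe.
    },
]


def find_unencrypted(workspaces: List[Dict]) -> List[Dict]:
    """Return one finding per WorkSpace whose root or user volume is not encrypted.

    A missing flag is treated as False so that a WorkSpace never passes the
    audit by omission.
    """
    findings = []
    for ws in workspaces:
        root_ok = bool(ws.get("RootVolumeEncryptionEnabled", False))
        user_ok = bool(ws.get("UserVolumeEncryptionEnabled", False))
        if root_ok and user_ok:
            continue
        unencrypted = [name for name, ok in (("root", root_ok), ("user", user_ok)) if not ok]
        findings.append(
            {
                "WorkspaceId": ws["WorkspaceId"],
                "DirectoryId": ws.get("DirectoryId"),
                "UserName": ws.get("UserName"),
                "State": ws.get("State"),
                "UnencryptedVolumes": unencrypted,
            }
        )
    return findings


def summarize(workspaces: List[Dict]) -> Dict[str, int]:
    """Count fully encrypted versus flagged WorkSpaces for a quick report."""
    flagged = len(find_unencrypted(workspaces))
    return {"total": len(workspaces), "encrypted": len(workspaces) - flagged, "flagged": flagged}


if __name__ == "__main__":
    for finding in find_unencrypted(SAMPLE_WORKSPACES):
        print(f"{finding['WorkspaceId']} ({finding['UserName']}): "
              f"unencrypted volumes: {', '.join(finding['UnencryptedVolumes'])}")
    print(summarize(SAMPLE_WORKSPACES))
```

Against a real account you would feed `find_unencrypted` with the pages from `boto3.client("workspaces").get_paginator("describe_workspaces")` instead of the constructed list. Treating an absent flag as a finding is deliberate: encryption can only be chosen at launch, so a WorkSpace that was created without it has to be rebuilt, and silently skipping it would hide exactly the machines you care about.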

Pricing:

  • You can pay either monthly or hourly, just for the WorkSpaces you launch.

AD:

  • Create a standalone managed directory for your users, or connect your WorkSpaces to your on-premises directory using AD Connector. Alternatively, create a new directory with AWS Managed Microsoft AD, add users to it, and assign Amazon WorkSpaces to those users.

  • When using AD Connector, there must be a VPN or Direct Connect circuit in place between your VPC and your on-premises environment.

  • Various ports also have to be opened between your VPC and your on-premises environment so that AD Connector can communicate with your on-premises directory.

Association:

  • Each WorkSpace is associated with a virtual private cloud (VPC), and a directory to store and manage information for your WorkSpaces and users.

  • Directories are managed through AWS Directory Service, which offers the following options to authenticate users: Simple AD, AD Connector, or AWS Directory Service for Microsoft Active Directory (also known as AWS Managed Microsoft AD).

Gateway:

  • The login information is sent to an authentication gateway, which forwards the traffic to the directory for the WorkSpace.
  • After the user is authenticated, streaming traffic is initiated through the streaming gateway.

ENI:

  • Each WorkSpace has two elastic network interfaces (ENIs) associated with it: an ENI for management and streaming (eth0) and a primary ENI (eth1).
  • The primary ENI has an IP address provided by your VPC, from the same subnets used by the directory.
  • This ensures that traffic from your WorkSpace can easily reach the directory.
  • Access to resources in the VPC is controlled by the security groups assigned to the primary ENI.
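Because the security groups on the primary ENI are what gate the WorkSpace's access to the VPC, reviewing them for rules open to the whole internet is a routine check. The script below is an added example, not code from the original post: it walks security groups shaped like the `IpPermissions` entries of an EC2 `describe_security_groups` response (`IpProtocol`, `FromPort`, `ToPort`, `IpRanges`, `Ipv6Ranges` and `UserIdGroupPairs` are real response keys) and flags every inbound rule whose source is `0.0.0.0/0` or `::/0`. The two sample groups, their `sg-` ids, names and CIDR ranges are constructed placeholders so the script runs offline.

```python
"""Flag world-reachable inbound rules on the security groups assigned to a
WorkSpace's primary ENI. Added example, not from the original post.

The input is shaped like the ``IpPermissions`` entries of an EC2
``describe_security_groups`` response; the sample groups below are
constructed inline with placeholder ids so the script runs offline.
"""
from typing import Dict, List

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed sample: two security groups assigned to a WorkSpace primary ENI.
SAMPLE_SECURITY_GROUPS: List[Dict] = [
    {
        "GroupId": "sg-example0001",
        "GroupName": "workspaces-primary",
        "IpPermissions": [
            {   # HTTPS from a corporate range only: acceptable
                "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
            },
            {   # RDP reachable from any IPv4 address: finding
                "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": [],
            },
            {   # Source is another security group, no CIDR at all: acceptable
                "IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
                "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-example0002"}],
            },
        ],
    },
    {
        "GroupId": "sg-example0002",
        "GroupName": "workspaces-legacy",
        "IpPermissions": [
            {   # All protocols and ports from any IPv6 address: finding
                "IpProtocol": "-1",
                "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "UserIdGroupPairs": [],
            },
        ],
    },
]


def describe_ports(rule: Dict) -> str:
    """Render a rule's protocol/port range readably ('-1' means all traffic)."""
    if rule.get("IpProtocol") == "-1":
        return "all traffic"
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    ports = str(lo) if lo == hi else f"{lo}-{hi}"
    return f"{rule['IpProtocol']}/{ports}"


def find_world_open_rules(security_groups: List[Dict]) -> List[Dict]:
    """Return a finding for every inbound rule whose source is 0.0.0.0/0 or ::/0."""
    findings = []
    for sg in security_groups:
        for rule in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            open_sources = sorted(s for s in sources if s in WORLD_CIDRS)
            if open_sources:
                findings.append({
                    "GroupId": sg["GroupId"],
                    "GroupName": sg.get("GroupName"),
                    "Ports": describe_ports(rule),
                    "Sources": open_sources,
                })
    return findings


if __name__ == "__main__":
    for f in find_world_open_rules(SAMPLE_SECURITY_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Ports']} open from {', '.join(f['Sources'])}")
```

In a real account the group ids come from the WorkSpace's primary ENI (for example via EC2 `describe_network_interfaces`) and the group bodies from `describe_security_groups`; rules whose only source is another security group are skipped on purpose, since they cannot admit traffic from outside the VPC.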

Workspace:

  • Launching WorkSpaces with the default setup creates a VPC and an internet gateway (IGW) for you.
  • Sets up a Simple AD directory in the VPC.
  • Creates the specified user accounts and adds them to the directory.

Clean Up:

  • Remove the WorkSpaces, then deregister and delete the directory.
