In this article, we will introduce AWS WorkSpaces.
What is AWS Workspaces?
Amazon WorkSpaces is a Desktop-as-a-Service (DaaS) solution. It provides a remote desktop environment for the employees of your company. This is a VDI-style tool. The user launches an application on their main device (computer, phone or tablet), and this application connects to a remote workspace on the AWS Cloud. That workspace is a standard computer based on the Windows or Linux operating systems.
What are the benefits?
All data is stored securely on the cloud. That prevents an unauthorized physical connection to the computer, and prevents data leakage.
Your company can provide a company image with all the tools the employee needs. And this can run on any device the user has.
What are the typical use cases?
- Fast onboarding of new employees
You can quickly provision an environment with the desired company tools.
- Bring your own device
The employee can use their preferred computer and still have access to the company. This also works well for contractors.
- Secure company data
Data will be stored encrypted on high-availability disks on the cloud. This improves data persistence and makes data leakage more difficult.
- Access to specific applications
There are specific applications that can’t be installed directly on users’ desktop computers (because of HW requirements, OS, or compatibility with other applications). AWS WorkSpaces provides a new environment where these applications can be installed.
How to access the workspace?
There are clients developed for PC, Mac, iPad, Kindle Fire, Android tablet, and Chromebook. The user can also access them using web browsers like Firefox and Chrome.
Note that the Remote Desktop Protocol (RDP) is not used.
AWS WorkDocs integration
AWS WorkSpaces is also integrated with AWS WorkDocs. This tool offers a drive that is automatically mounted on the users' workspaces. It keeps a backup of their files on the cloud, and it also offers collaboration tools. This tool is similar to Dropbox or Microsoft OneDrive.
AWS WorkSpaces includes 50 GB of capacity per month. Additional capacity is charged at $2 / TB / month.
For more information, you can go to AWS WorkDocs product page
What types of Workspaces are available?
There are several options available. These are the main characteristics to choose:
- Operating System
This could be Windows Server 2010 or Amazon Linux.
- vCPUs
Workspaces have 1 to 16 vCPUs.
- Memory
You can choose between 2 and 122 GB of memory.
- SSD Root Volume
This is the space used by the Operating System. It’s usually between 80 and 10 GB.
- SSD User Storage
This is the space to store user data. It could be between 10 and 2000 GB.
- Software
There are 2 bundles: Standard and Pro.
- Region
This is the AWS Region where the workspaces will be hosted.
All the workspaces have utilities preinstalled. Workspaces with Windows OS have Internet Explorer 11, Firefox and 7-Zip preinstalled. Amazon Linux bundles have Firefox, LibreOffice, Evolution, and Python preinstalled as well. These are standard computers with Windows 2010 or Amazon Linux, so you can also install the applications that you need.
Deploying a Workspace
Deploying a new workspace is quite simple. After logging into the AWS Console, you need to:
- Choose the characteristics of the new Workspace (OS, vCPUs, RAM, and the others mentioned above)
- Add user details (name and email)
That’s all. A new workspace will be running in seconds, and the user will receive the workspace connection information by email.
Deploying your software
By default, the workspace has some basic applications installed. But you might need to install additional software on the workspaces. There are several ways to do it:
- User Installation
By default, the workspace user has Administrator rights on the workspace, so the user can install any application as necessary. Note that these rights might be limited using Group Policies for Windows.
- Base Image
A systems administrator can prepare a base image with all the applications required by the company or user. Then, this base image could be used to create the rest of the workspaces.
- Amazon WAM
This is an AWS tool designed to deploy applications on WorkSpaces. It might have an additional cost.
Another option could be using a tool to manage software configuration on multiple devices, for example Microsoft System Center Configuration Manager (SCCM) or AWS Systems Manager.
Active Directory Integration
The simplest way to authenticate users is by email. It might be the company email or an external one. But many companies have all their users managed by an Active Directory. AWS WorkSpaces can integrate with the company Active Directory, so the users can log in to AWS WorkSpaces using their Active Directory credentials. Other user-specific configurations (e.g. Group Policies) can also be deployed to the WorkSpace based on Active Directory settings.
AWS WorkSpaces is pay per use, similar to other AWS products. You only pay for the WorkSpaces that are provisioned. There are 2 pricing models:
- Fixed price per Month
You can use the workspaces the whole day. And you pay a fixed price per month. This option is better for full-time employees or people that use the workspaces during most of the workday hours.
- Hourly Based
In this case, you pay a lower fixed price, plus a price for each hour the Workspace is used. It automatically suspends if not used for 1 hour. This is most convenient for workspaces with low usage per day, part-time workers, or short-term projects. If it needs to be used over 4 hours daily, this option will probably be more expensive than the previous one. These prices include all traffic between the user and the WorkSpace. But AWS will additionally charge for the traffic between the WorkSpace and the internet, using EC2 data transfer rates.
Round-trip delay is an important factor to consider. This is the time it takes for the information to travel from the user to the Workspace and return. This is very important because the user is accessing a graphical interface, similar to their computer workspace, but remotely, and it should respond quickly. Although a latency up to 250ms might work well, AWS recommends a latency below 100ms for a great user experience. You can use the AWS WorkSpaces Connection Health Check to measure the latency from your computer to different regions. The closer the region, the faster the response.
You want the users to have a workspace experience similar to using a local one. For this reason, Amazon WorkSpaces clients support:
- Keyboard, mouse, and touch input
- Audio output to the client device
- Analog and USB headsets
Note that in case of web browser (Chrome or Firefox) access, only mouse and keyboard work. In this case, printers, USB drives, webcams, and microphones won’t be available.
Do users need an AWS Account?
Users don’t need an AWS Account. They only need an email account. After the Workspace is provisioned, the user will receive access instructions by email.
Is VPN needed?
No. The users don’t need to use a VPN to access the Workspace. Data is also encrypted both in transit and at rest.
How to restrict user access?
AWS WorkSpaces also supports additional methods to limit the WorkSpace access:
- User IP Restriction
You can restrict the range of IP addresses from which users can connect.
- MFA
You can also set up Multi-Factor Authentication by using one-time passwords. Note that you need to integrate your on-premises RADIUS server with AWS.
- Certificates
You can create digital certificates (issued by a certificate authority), and upload them to AWS WorkSpaces. The client must present a certificate to connect to WorkSpaces.
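The following is an added example, not part of the original article: a small audit that checks the IP restriction described above, and the default Administrator rights mentioned under "User Installation", across WorkSpaces directories. The input dictionaries are constructed samples shaped like the boto3 `describe_workspace_directories` and `describe_ip_groups` responses; the directory IDs, group IDs and the `/16` threshold are assumptions chosen for illustration.

```python
import ipaddress

# Constructed sample data, shaped like the boto3 "workspaces" client responses
# describe_workspace_directories()["Directories"] and describe_ip_groups()["Result"].
SAMPLE_DIRECTORIES = [
    {"DirectoryId": "d-example0001", "ipGroupIds": [],
     "WorkspaceCreationProperties": {"UserEnabledAsLocalAdministrator": True}},
    {"DirectoryId": "d-example0002", "ipGroupIds": ["wsipg-example01"],
     "WorkspaceCreationProperties": {"UserEnabledAsLocalAdministrator": False}},
    {"DirectoryId": "d-example0003", "ipGroupIds": ["wsipg-example02"],
     "WorkspaceCreationProperties": {"UserEnabledAsLocalAdministrator": False}},
]
SAMPLE_IP_GROUPS = [
    {"groupId": "wsipg-example01",
     "userRules": [{"ipRule": "203.0.113.0/24", "ruleDesc": "office"}]},
    {"groupId": "wsipg-example02",
     "userRules": [{"ipRule": "0.0.0.0/0", "ruleDesc": "temporary"}]},
]

MIN_PREFIX = 16  # assumption: rules wider than a /16 are reported as too broad


def audit_directories(directories, ip_groups, min_prefix=MIN_PREFIX):
    """Return (directory_id, finding) tuples for weak access settings."""
    rules_by_group = {g["groupId"]: g.get("userRules", []) for g in ip_groups}
    findings = []
    for d in directories:
        dir_id = d["DirectoryId"]
        group_ids = d.get("ipGroupIds", [])
        if not group_ids:
            findings.append((dir_id, "no IP access control group associated"))
        for gid in group_ids:
            for rule in rules_by_group.get(gid, []):
                # A single address such as 203.0.113.5 parses as a /32 network.
                net = ipaddress.ip_network(rule["ipRule"], strict=False)
                if net.prefixlen < min_prefix:
                    findings.append((dir_id, f"{gid} allows broad range {net}"))
        props = d.get("WorkspaceCreationProperties", {})
        if props.get("UserEnabledAsLocalAdministrator"):
            findings.append((dir_id, "users are local administrators on new WorkSpaces"))
    return findings


if __name__ == "__main__":
    # With AWS credentials, the same inputs come from boto3.client("workspaces").
    for dir_id, finding in audit_directories(SAMPLE_DIRECTORIES, SAMPLE_IP_GROUPS):
        print(f"{dir_id}: {finding}")
```
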
How do PCoIP Zero Clients work?
PCoIP Zero Clients are small terminals. They work as a video card that connects to a remote computer over IP. The terminals support peripheral connections (screen, mouse, and keyboard), network and power connections like a normal computer. But they don’t have RAM, a hard disk, or a standard CPU. They only allow you to plug in your main peripherals and access a remote computer. Their reduced HW characteristics make them inexpensive.
AWS WorkSpaces works with PCoIP clients, so the user doesn’t need to have an expensive computer to access the workspace. The company can provide a PCoIP Zero Client (with screen, mouse, and keyboard), and that is all that is required to connect to AWS WorkSpaces. This is also very secure because the terminal doesn’t process data (only graphics), and can’t store it either.