Amazon WorkSpaces is AWS’s Desktop as a Service (DaaS) solution, which offers secure and cost-effective desktop delivery. In the Amazon WorkSpaces architecture, desktops are deployed into a virtual private cloud (VPC) and each desktop is registered with a directory (AWS Managed Microsoft AD, AD Connector, or Simple AD); that directory is what authenticates desktop users, so existing identities and policies carry over.
In this post, we’ll explain how AWS WorkSpaces architecture works, and examine key security considerations for workspaces deployments. We’ll also show how NetApp Cloud Volumes ONTAP can help simplify AWS DaaS management for any deployment, including multi-clouds and hybrid architectures.
The top cloud providers, including AWS, offer a range of DaaS solutions. Amazon WorkSpaces is AWS’s managed desktop as a service (DaaS) offering: a subscription service you can use to provision Linux or Windows desktops and administer them centrally at scale, without operating the underlying infrastructure, its patching, or its maintenance yourself.
Related content: read our blog post about AWS VDI
When evaluating WorkSpaces, several features stand out, including flexible licensing, permissions management, and storage capabilities.
Bring your own license
Amazon WorkSpaces offers a bring your own license (BYOL) option that lets you reuse the Windows desktop licenses you already own. With BYOL you can save up to $4 a month per workspace, provided you meet the licensing requirements Microsoft sets for running its desktop OS on dedicated hardware. Note that to qualify for BYOL you need to commit to 200 or more workspaces per month in the Region you are operating in.
Active Directory and RADIUS integration
Many organizations already use Active Directory (AD) for identity and access management. Rather than recreating your policies and roles when moving to Amazon WorkSpaces, you can integrate your existing domain with AWS in one of two ways: use the AWS Directory Service AD Connector, which proxies authentication requests to your on-premises domain controllers, or establish a trust relationship between your AD forest and an AWS Managed Microsoft AD (formerly AWS Directory Service for Microsoft AD, Enterprise Edition) domain.
Once connected, you can keep your existing configurations and Group Policies. This includes using your existing RADIUS servers to enforce multi-factor authentication (MFA). MFA is switched on per directory and then applies to every WorkSpace in that directory, so the RADIUS server must be reachable from the directory’s domain controllers or AD Connector interfaces: allow their addresses inbound on the RADIUS port (UDP 1812 by default) in the RADIUS server’s firewall or security group, or logins will fail for the whole directory.
Persistent storage
The amount of storage available to a workspace depends on the bundle you select. Whatever the size, the user volume attached to each WorkSpace is persistent: data written there survives reboots, is snapshotted automatically (AWS backs the user volume up every 12 hours to Amazon S3), is restored from the latest snapshot if the WorkSpace is rebuilt, and is there the next time the user connects. One caveat: encryption of the root and user volumes with an AWS KMS key is chosen when the WorkSpace is launched and cannot be turned on afterwards, so decide on it before provisioning.
Another storage option is Amazon WorkDocs Drive, a managed service for shared content management. The drive is mounted on the WorkSpace and behaves like a local disk: with WorkDocs you can browse and open files in Windows File Explorer and perform the same actions as on any local file. To ensure persistence, files stored in WorkDocs are synced to the WorkDocs hub for access on demand.
Beyond these features, organizations gain several broader benefits from adopting Amazon WorkSpaces: simplified desktop delivery, cost efficiency, stronger security, and flexible deployment.
Related content: read our guide on on-premise VDI vs DaaS.
Amazon WorkSpaces desktops are deployed within a virtual private cloud (VPC) and are assigned to a directory that enables you to store and manage deployments and user information. You can manage these directories through the AWS Directory Service using AWS Managed Microsoft Active Directory (AD), AD Connector, or Simple AD.
Through the directory you choose, you can authenticate your users. When users log in to their assigned workspace, the credentials are sent through an authentication gateway and passed on to your directory. If the user is authenticated, the desktop is streamed to the user client via a streaming gateway.
Each desktop has two elastic network interfaces. The primary interface connects the desktop to your VPC: its IP address comes from one of the subnets you registered with the directory, and the security groups attached to it control which VPC resources the desktop can reach and what can reach it. The second, management interface carries streaming and management traffic between the desktop and the AWS gateways; it takes an address from a reserved range that AWS publishes per Region, so your VPC CIDR, peered VPCs, and any on-premises ranges routable from the desktop must not overlap those reserved ranges.
Below you can see a diagram outlining the various components of Amazon WorkSpaces and how those components interact.
Image Source: AWS
AWS includes many built-in security mechanisms to ensure that your data and desktops remain secure. While some of these are pre-configured and managed for you, others rely on you to configure and enforce.
Amazon WorkSpaces security groups
When you register a directory with WorkSpaces, the service creates a default security group for that directory and attaches it to every WorkSpace launched into it. Because this is an ordinary VPC security group, any rule you add or remove takes effect immediately on every WorkSpace that carries it. By contrast, the optional additional security group you can set in the directory’s details is attached only to WorkSpaces launched after the change; existing desktops keep the groups they were created with. Review the default group’s ingress rules: nothing should need to reach the desktops directly from the internet, since users connect through the streaming gateway rather than to the instance.
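The following is an added example, not code from AWS or NetApp, showing the check a practitioner would run against the directory’s security group. It evaluates ingress rules in the shape boto3 returns from ec2.describe_security_groups(), flags any rule whose source is the whole internet, and rates it by whether it exposes a remote-access port or all ports. The group IDs, names and rules are constructed sample data so the script runs offline; the commented boto3 calls show where live data would come from.

```python
"""Audit ingress rules of the security groups attached to WorkSpaces.

Added example, not code from AWS or NetApp. Rule dicts follow the shape
boto3's ec2.describe_security_groups() returns; the sample data below is
constructed so the script runs offline.
"""
from __future__ import annotations

WORLD_OPEN = {"0.0.0.0/0", "::/0"}

# Remote-access ports a streamed desktop never needs to expose inbound:
# users reach the desktop through the streaming gateway, not these ports.
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-https"}


def port_range(perm: dict) -> tuple[int, int]:
    """Normalise a permission to (from, to); protocol -1 means every port."""
    if perm.get("IpProtocol") == "-1" or perm.get("FromPort") is None:
        return 0, 65535
    return int(perm["FromPort"]), int(perm["ToPort"])


def find_open_ingress(groups: list[dict]) -> list[dict]:
    """Return one finding per ingress rule whose source is the whole internet."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            lo, hi = port_range(perm)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if cidr not in WORLD_OPEN:
                    continue
                exposed = [name for port, name in SENSITIVE_PORTS.items() if lo <= port <= hi]
                findings.append({
                    "group_id": sg["GroupId"],
                    "group_name": sg.get("GroupName", ""),
                    "protocol": perm.get("IpProtocol", "-1"),
                    "ports": f"{lo}-{hi}",
                    "source": cidr,
                    "exposed": exposed,
                    # all ports, or a remote-access port, open to the world is the urgent case
                    "severity": "high" if exposed or (lo, hi) == (0, 65535) else "medium",
                })
    return findings


# Constructed sample: a directory's default group with a bad RDP rule, a
# harmless internal HTTPS rule, an all-traffic IPv6 rule and a custom port.
SAMPLE_GROUPS = [{
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "d-0123456789_workspacesMembers",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}]


if __name__ == "__main__":
    # Live use would replace SAMPLE_GROUPS with (boto3, not run here):
    #   ws = boto3.client("workspaces"); ec2 = boto3.client("ec2")
    #   ids = [d["WorkspaceSecurityGroupId"] for d in ws.describe_workspace_directories()["Directories"]]
    #   groups = ec2.describe_security_groups(GroupIds=ids)["SecurityGroups"]
    for f in find_open_ingress(SAMPLE_GROUPS):
        print(f"[{f['severity']}] {f['group_name']} {f['protocol']} {f['ports']} "
              f"from {f['source']} exposes {f['exposed'] or 'nothing sensitive'}")
```

On the sample data the script reports three findings: the RDP rule and the all-traffic IPv6 rule as high, the custom 8443 rule as medium, and it ignores the internal 10.0.0.0/8 rule. Run it against every directory’s group after any change to directory settings, since a group swapped in there only reaches new WorkSpaces and the old group stays attached to existing ones.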
Access control options and trusted devices
In Amazon WorkSpaces, you can limit the devices that your users can access desktops through. This limitation is achieved through digital certificates or by device type. By default, your users can access desktops from zero clients, Windows, macOS, iOS, Android, and ChromeOS. Default settings block access from Linux and web clients.
Restricting access to trusted devices has to be enabled explicitly, per client platform. You import the root certificate of the CA that issues your device certificates, and Amazon WorkSpaces then accepts a connection only when the client presents a certificate that chains to that root; if the chain cannot be validated, login and reconnection attempts are refused. The certificate check applies only to the platforms you enable it for, so also block any platform you do not gate: otherwise someone who cannot satisfy the check on a managed Windows or macOS device can simply try another client type.
IP access control groups
IP access control groups let you define the source IP ranges from which a directory’s users are allowed to connect. A group is a set of rules, each an address range in CIDR notation, and you associate one or more groups with a directory rather than with individual users. Once any group is associated, connection attempts from addresses outside its rules are refused, which keeps access to known and trusted networks and reduces the chance that stolen credentials can be used from elsewhere; a directory with no group associated accepts connections from anywhere. Because the check is on the public address the client presents, remote users typically need to come in through a corporate VPN or proxy whose egress address is in the list, or home connections with changing ISP addresses will be blocked.
You can manage your IP access controls from the WorkSpaces Management Console or via the Amazon WorkSpaces API. From either interface, you can create, modify, or delete access groups and define accepted IPs individually or with ranges.
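As an added example (not AWS or NetApp code), the script below builds IP access control rules in the shape the WorkSpaces API uses (groupId, userRules with ipRule and ruleDesc, as returned by describe_ip_groups) and evaluates whether a given client address would be admitted, mirroring the service’s behaviour that a directory with no group associated admits everyone while one with a group admits only matching sources. It refuses to build a world-open rule, since associating 0.0.0.0/0 would silently disable the control. The group ID, names and addresses are constructed so it runs offline.

```python
"""Build and evaluate WorkSpaces IP access control group rules.

Added example, not code from AWS or NetApp. Group and rule dicts follow the
shape of the WorkSpaces API (describe_ip_groups: groupId, userRules[ipRule,
ruleDesc]); the sample group is constructed so the script runs offline.
"""
from __future__ import annotations

import ipaddress


def make_user_rules(sources: list[tuple[str, str]]) -> list[dict]:
    """Turn (address-or-CIDR, description) pairs into API-shaped userRules.

    Bare addresses become /32 (or /128) networks. A world-open range is
    rejected: associating such a rule would quietly admit every source.
    """
    rules = []
    for source, desc in sources:
        net = ipaddress.ip_network(source, strict=False)
        if net.prefixlen == 0:
            raise ValueError(f"{source} admits every address; refusing to build a world-open rule")
        rules.append({"ipRule": str(net), "ruleDesc": desc})
    return rules


def allowed_source(groups: list[dict], client_ip: str) -> tuple[bool, str]:
    """Decide whether a client at client_ip may reach a directory with these groups.

    With no group associated every address is allowed; once any group is
    associated, only addresses matching one of its rules are.
    """
    ip = ipaddress.ip_address(client_ip)
    if not groups:
        return True, "no IP access control group associated; all sources allowed"
    for group in groups:
        for rule in group.get("userRules", []):
            net = ipaddress.ip_network(rule["ipRule"], strict=False)
            if net.version == ip.version and ip in net:
                return True, f"{rule['ipRule']} ({rule.get('ruleDesc', '')}) in {group['groupId']}"
    return False, "no rule matched"


# Constructed sample: one group holding the office NAT range and the VPN egress host.
SAMPLE_GROUPS = [{
    "groupId": "wsipg-0123456789",
    "groupName": "corp-egress",
    "userRules": make_user_rules([
        ("203.0.113.0/24", "HQ NAT pool"),
        ("198.51.100.7", "VPN concentrator egress"),
    ]),
}]


if __name__ == "__main__":
    for probe in ("203.0.113.77", "198.51.100.7", "198.51.100.8", "2001:db8::1"):
        ok, why = allowed_source(SAMPLE_GROUPS, probe)
        print(f"{probe:>14}: {'ALLOW' if ok else 'DENY '} ({why})")
    # The same userRules list is what the real API takes, e.g. with the AWS CLI:
    #   aws workspaces create-ip-group --group-name corp-egress \
    #       --user-rules ipRule=203.0.113.0/24,ruleDesc="HQ NAT pool" ipRule=198.51.100.7/32,ruleDesc="VPN"
    #   aws workspaces associate-ip-groups --directory-id d-0123456789 --group-ids wsipg-0123456789
```

Probing with the sample shows 203.0.113.77 and 198.51.100.7 allowed, 198.51.100.8 denied, and an IPv6 client denied because no IPv6 rule exists. Before associating a group with a production directory, run your known egress addresses through allowed_source: the moment the association is made, every user whose source is not matched is locked out, including the administrator who made the change if they are connecting through a WorkSpace.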
NetApp Cloud Volumes ONTAP, the leading enterprise-grade storage management solution, delivers secure, proven storage management services on AWS, Azure and Google Cloud. Cloud Volumes ONTAP supports up to a capacity of 368TB, and supports various use cases such as file services, databases, DevOps or any other enterprise workload, with a strong set of features including high availability, data protection, storage efficiencies, Kubernetes integration, and more.
To find out more about DaaS and how Cloud Volumes ONTAP can help you run virtual desktops on cloud resources, download our guidebook on Virtual Desktop Infrastructure in the Cloud. You can also learn about case studies of major companies who turned to Cloud Volumes ONTAP to make their DaaS deployments cost-effective, highly available, and easy to orchestrate with the flagship NetApp cloud solution.
NetApp’s Virtual Desktop Service (VDS) is a global control plane for virtual desktop management that functions as an extension of the cloud. VDS supports Remote Desktop Services (RDS) on Azure, AWS, and GCP as well as in on-premises environments. It also provides native support for Microsoft’s Windows Virtual Desktop (WVD) solution in Microsoft Azure. To learn more, visit the NetApp VDS solution page.