VDI on AWS: Making the Most of Amazon WorkSpaces
What is VDI on AWS?
Virtual desktop infrastructure (VDI) enables IT departments to design and customize virtual desktop images and use them to serve virtual desktops to remote users. Only keyboard, mouse and display traffic crosses the network; the desktop itself, with its data, settings and applications, stays in the data center, and users can reach it from any device.
Amazon Web Services (AWS) provides Amazon WorkSpaces, a cloud service that addresses several of the challenges of managing VDI. It delivers virtual desktops on demand, a model called desktop as a service (DaaS), and scales to businesses that need a large VDI estate. End users can reach their WorkSpace from Windows and Mac computers, from the Chrome and Firefox browsers, and from mobile devices, with their data and settings following them between devices.
What is Amazon Workspaces?
Amazon WorkSpaces enables IT administrators to grant remote access to cloud-hosted applications, services and files from a variety of end-user devices. AWS manages the desktop infrastructure as a service, removing much of the complexity, cost and security burden of running VDI systems locally.
The IT team configures Amazon WorkSpaces via the AWS console, and end users connect to their WorkSpaces from any supported device. Administrators assign each user a WorkSpaces bundle, which defines compute resources, storage volumes and the software in the base image. Administrators can also capture custom images from a configured WorkSpace and create their own bundles from them; the number of images per AWS Region is subject to a default quota (five when this article was written), which can be raised on request.
Supported end-user devices include Windows and Mac computers, machines running Ubuntu Linux 18.04, Chromebooks, iPads and Fire tablets, and zero client devices.
Amazon also provides WorkSpaces Application Manager (WAM), which lets IT teams deliver desktop applications as virtualized application containers. WAM simplifies deployment and updates: applications are packaged once and run on the WorkSpace as if natively installed. Two tools manage containerized apps:
- WAM Studio packages applications into containers.
- WAM Player validates applications and runs them on the WorkSpace; up to 50 applications can be assigned to each user.
AWS WorkSpaces Pricing
Amazon WorkSpaces is billed monthly or by the hour, per WorkSpace, based on the bundle used. It does not require an upfront investment or long-term commitment.
Monthly billing: a fixed monthly rate per WorkSpace, with unlimited usage during the month. This suits workers who use their WorkSpace as their primary desktop.
For Windows bundles in the US East Region, monthly pricing ranged from $25 to $140 per user per month when this article was written, depending on the resources in the bundle.
Hourly billing: the organization pays a small flat monthly fee to cover the infrastructure and storage of each WorkSpace, plus an hourly rate while it is in use. A WorkSpace on hourly billing runs in AutoStop mode, so it stops after a period of inactivity and is billed only while running. This suits part-time workers, short-term or freelance projects, job-sharing and training scenarios.
For Windows bundles in the US East Region, hourly pricing ranged from $7.25 per user per month (flat fee) plus $0.22 per hour, to $19.00 per user per month (flat fee) plus $1.53 per hour.
For both billing models, additional storage is charged at $0.10 per GB per month, and an application bundle that includes Microsoft Office Professional Plus, Trend Micro security software and other utilities costs an additional $15 per month.
Check official pricing for the latest Amazon WorkSpaces pricing.
Amazon also provides the Amazon WorkSpaces Cost Optimizer, a solution that analyzes each WorkSpace's usage over the month and converts it to whichever billing option is more cost-effective for that level of use.
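The decision the Cost Optimizer automates comes down to a break-even point between the two billing models. The following Python is an added worked example, not an AWS tool and not code from the article; it applies the US East Windows prices quoted above (re-check them against the official pricing page), and the bundle labels and the per-user connected hours are constructed for the illustration.

```python
"""Monthly-vs-hourly break-even for Amazon WorkSpaces billing.

Added worked example (not an AWS tool and not from the article). Prices are
the article's quoted US East Windows figures; bundle labels are illustrative.
"""

# Monthly rate, and hourly-billing flat fee plus per-hour rate, as quoted above.
BUNDLES = {
    "smallest windows bundle": {"monthly": 25.00, "hourly_base": 7.25, "hourly_rate": 0.22},
    "largest windows bundle": {"monthly": 140.00, "hourly_base": 19.00, "hourly_rate": 1.53},
}


def hourly_cost(bundle: str, hours_used: float) -> float:
    """Cost of one WorkSpace on hourly billing for a month with `hours_used` running hours."""
    b = BUNDLES[bundle]
    return round(b["hourly_base"] + b["hourly_rate"] * hours_used, 2)


def breakeven_hours(bundle: str) -> float:
    """Running hours per month at which hourly billing costs the same as monthly billing."""
    b = BUNDLES[bundle]
    return round((b["monthly"] - b["hourly_base"]) / b["hourly_rate"], 2)


def cheaper_mode(bundle: str, hours_used: float) -> str:
    """Return 'monthly' or 'hourly', whichever is cheaper for this usage."""
    return "hourly" if hourly_cost(bundle, hours_used) < BUNDLES[bundle]["monthly"] else "monthly"


def recommend(bundle: str, hours_by_user: dict) -> dict:
    """Map each user to the billing mode to convert to, given last month's running hours.

    This is the conversion the Cost Optimizer automates; here the threshold is
    derived from the prices rather than configured by hand.
    """
    return {user: cheaper_mode(bundle, hours) for user, hours in hours_by_user.items()}


if __name__ == "__main__":
    for name in BUNDLES:
        print(f"{name}: break-even at {breakeven_hours(name)} hours/month")
    # Constructed sample: running hours per user last month.
    sample_usage = {"alice": 160, "bob": 35, "carol": 90}
    print(recommend("smallest windows bundle", sample_usage))
```

Both break-even points land near 80 running hours per month, roughly half of a working month, so a user whose WorkSpace runs less than that is cheaper on hourly billing and anyone using it as a primary desktop belongs on monthly billing.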
Windows Licensing Considerations
Amazon WorkSpaces offers a Bring Your Own License (BYOL) option: if your organization already owns eligible Windows 10 Enterprise or Pro licenses, you can use them for your DaaS deployment. BYOL can lower the per-WorkSpace cost compared with the Windows licensing bundled into standard WorkSpaces, and helps you deliver a consistent desktop experience to your users.
When using BYOL, take note of the following:
- To be eligible for BYOL, you need to meet several requirements, which are detailed in the Amazon documentation.
- When you use BYOL, AWS runs your WorkSpaces on dedicated hardware in the AWS cloud, which satisfies Microsoft's licensing requirements for running your own Windows desktop licenses in a hosted environment.
Enterprise Integrations with Active Directory/AAD
Amazon WorkSpaces can integrate with the Microsoft Active Directory (AD) in your on-premises data center through AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD). A single forest trust between the managed directory and your on-premises forest lets you assign users from any domain in that forest to virtual desktops.
With the trust in place, authentication requests for on-premises users are routed to the domain controllers of the user's own domain, so users sign in to their WorkSpace with their existing Active Directory credentials and no separate account or password is needed.
Another option is an AD Connector for each on-premises domain. AD Connector is a proxy to your on-premises directory and stores no directory data in AWS; this setup works well for organizations with a single domain, or for proof-of-concept projects with a small number of users.
AWS Managed Microsoft AD has default service quotas you should plan around (many can be raised through AWS Support):
- Up to 20 directories per AWS Region
- Up to 5 manual snapshots per directory, each retained for up to 180 days
- Up to 20 domain controllers per directory
- Each directory can be shared with up to 5 AWS accounts (Standard Edition) or 125 (Enterprise Edition)
AWS WorkSpaces Best Practices
Use the following best practices to plan a successful Amazon WorkSpaces deployment.
In Amazon WorkSpaces, each WorkSpace is associated with a specific AWS Directory Service directory and an Amazon Virtual Private Cloud (VPC). Every AWS Directory Service option (Simple AD, AD Connector and AWS Managed Microsoft AD) requires two subnets, each in a different Availability Zone, and each WorkSpace you launch consumes an address in the subnets registered with its directory, so size those subnets for growth.
Before creating subnets, consider the following:
- How many workspaces will you create in the foreseeable future?
- What types of users will use the workspaces?
- How many Active Directory domains need to participate in the setup?
- Where are corporate user accounts stored—in AD or elsewhere?
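The first of those questions, how many WorkSpaces you expect, translates directly into subnet sizing. The following Python is an added illustration, not from AWS or the article: it checks a proposed subnet pair against the two-subnet, two-Availability-Zone requirement and against the planned WorkSpace count. The sample plan is constructed; the only AWS fact it relies on is that every VPC subnet loses five addresses (the first four and the last) to reservations.

```python
"""Sanity-check a subnet plan for a WorkSpaces directory before creating it.

Added illustration (not from AWS or the article). SAMPLE_PLAN is constructed
sample data.
"""
import ipaddress
import math

RESERVED_PER_SUBNET = 5  # addresses AWS reserves in every VPC subnet


def usable_hosts(cidr: str) -> int:
    """Addresses in the subnet that WorkSpaces (their network interfaces) can use."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def min_prefix_for(workspaces_per_subnet: int) -> int:
    """Longest prefix (smallest subnet) that fits this many WorkSpaces plus the
    reserved addresses; /28 is the smallest subnet a VPC allows."""
    needed = workspaces_per_subnet + RESERVED_PER_SUBNET
    return min(32 - math.ceil(math.log2(needed)), 28)


def check_plan(subnets: list, planned_workspaces: int) -> list:
    """Return the problems with a plan (an empty list means it passes).

    `subnets` is a list of {"cidr": ..., "az": ...}. A directory needs two of
    them in different Availability Zones; they must not overlap, and together
    they must hold the planned WorkSpaces, assumed to be spread evenly.
    """
    problems = []
    if len(subnets) != 2:
        problems.append(f"a directory needs exactly two subnets, got {len(subnets)}")
    if len({s["az"] for s in subnets}) < len(subnets):
        problems.append("subnets must be in different Availability Zones")
    nets = [ipaddress.ip_network(s["cidr"]) for s in subnets]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    per_subnet = math.ceil(planned_workspaces / max(len(subnets), 1))
    for s in subnets:
        have = usable_hosts(s["cidr"])
        if have < per_subnet:
            problems.append(
                f"{s['cidr']} has {have} usable addresses but needs {per_subnet}; "
                f"use a /{min_prefix_for(per_subnet)} or larger"
            )
    return problems


# Constructed sample plan: two /24s in different AZs, intended for 400 WorkSpaces.
SAMPLE_PLAN = [
    {"cidr": "10.20.0.0/24", "az": "us-east-1a"},
    {"cidr": "10.20.1.0/24", "az": "us-east-1b"},
]

if __name__ == "__main__":
    print(check_plan(SAMPLE_PLAN, 400) or "plan OK for 400 WorkSpaces")
    print(check_plan(SAMPLE_PLAN, 600))  # the same pair is too small for 600
```

Run it against the numbers from your planning answers before creating the VPC; resizing a subnet later means recreating it and moving the WorkSpaces, which is far more disruptive than choosing a larger prefix up front.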
WorkSpaces Images and Bundles
Each organization should have a clear process for creating and updating desktop images. Maintaining golden images is a complex, time-consuming process, and a poor process can have a dramatic effect on resource utilization in Amazon WorkSpaces.
Here are important considerations for managing WorkSpace images:
- An image should never contain passwords, keys or other sensitive data.
- Ensure each WorkSpace built from an image complies with the licenses of the software in that image.
- Never embed license keys or other license details in the image.
- To save time, use CloudFormation templates or other automation to create and update golden images rather than building them by hand.
- Package applications as modular units, and use scripts to build images automatically from those packages.
- Give every image a bootstrap routine that reads runtime information (environment, configuration, secrets) when the WorkSpace launches, so that nothing environment-specific is baked into the image.
- Tag images consistently so that images and their contents are easy to inventory.
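The first three points and the last one can be enforced with a check that runs over the build directory before an image is captured. The following Python is an added example, not from AWS or the article: it scans provisioning files for hard-coded passwords, access keys, private keys and Windows product keys, while allowing values that are resolved at launch (variable, template and environment references), and it validates the image's tag set against a required-tag convention. The patterns, the tag names and the sample files are constructed for the illustration, and Get-RuntimeSecret in the sample script is a hypothetical helper.

```python
"""Pre-capture check for a WorkSpaces golden image build: no secrets or
license keys in the provisioning files, and a consistent tag set.

Added illustration (not from AWS or the article). Patterns, required tags and
SAMPLE_FILES are constructed; tune them to your estate.
"""
import re

# Material that must never be baked into an image. The password pattern
# captures the assigned value so references resolved at launch
# ($secret, {{ secret }}, %SECRET%) can be allowed through.
SECRET_PATTERNS = {
    "password assignment": re.compile(r"(?i)(?:pass(?:word)?|pwd)\s*[=:]\s*(\S+)"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private key block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "Windows product key": re.compile(r"\b(?:[A-Z0-9]{5}-){4}[A-Z0-9]{5}\b"),
}
RUNTIME_REFERENCE_PREFIXES = ("$", "{{", "%")
REQUIRED_TAGS = ("Owner", "Environment", "BaseImage", "BuildDate")


def scan_text(path: str, text: str) -> list:
    """Return (path, line number, finding) for every hard-coded secret in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = (match.group(1) if match.groups() else match.group(0)).strip("'\"")
            if value.startswith(RUNTIME_REFERENCE_PREFIXES):
                continue  # resolved at launch, not baked into the image
            findings.append((path, lineno, label))
    return findings


def check_tags(tags: dict) -> list:
    """Return the ways `tags` departs from the image tagging convention."""
    problems = [f"missing tag {t}" for t in REQUIRED_TAGS if not tags.get(t)]
    if tags.get("BuildDate") and not re.fullmatch(r"\d{4}-\d{2}-\d{2}", tags["BuildDate"]):
        problems.append("BuildDate must be YYYY-MM-DD")
    return problems


def precapture_report(files: dict, tags: dict) -> dict:
    """Combine both checks; `files` maps path -> contents of each provisioning file."""
    secrets = [f for path, text in files.items() for f in scan_text(path, text)]
    tag_problems = check_tags(tags)
    return {"secrets": secrets, "tags": tag_problems, "ok": not secrets and not tag_problems}


# Constructed sample build directory. bootstrap.ps1 fetches its secret at
# launch (Get-RuntimeSecret is a hypothetical helper) and should pass; the
# other three files should not.
SAMPLE_FILES = {
    "bootstrap.ps1": (
        "# domain join at first boot; the secret is fetched at runtime\n"
        "$joinPassword = \"$(Get-RuntimeSecret ws/join)\"\n"
        "Set-Content C:\\app\\config.ini \"password=$joinPassword\"\n"
    ),
    "config.ini": "[db]\nuser=app\npassword=Sup3rS3cret!\n",
    "license.txt": "ProductKey=ABCDE-12345-FGHIJ-67890-KLMNO\n",
    "aws.cfg": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
}
SAMPLE_TAGS = {"Owner": "desktop-eng", "Environment": "prod", "BaseImage": "win10-22h2"}

if __name__ == "__main__":
    report = precapture_report(SAMPLE_FILES, SAMPLE_TAGS)
    for finding in report["secrets"]:
        print("secret:", *finding)
    for problem in report["tags"]:
        print("tags:", problem)
    print("safe to capture:", report["ok"])
```

Wire the report into the image pipeline as a gate: capture only when `ok` is true, and treat any finding as a build failure rather than something to clean up after the image exists, because an image that was captured with a secret in it has already leaked that secret to every WorkSpace built from it.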
Amazon WorkSpaces lets you enable self-service WorkSpace management to give users more control over their experience, which also reduces the workload on IT support staff. Each capability is a separate self-service permission on the directory, so you can enable them individually; credential caching and rebuild (which resets the root volume to the bundle image) deserve a deliberate decision in sensitive environments.
With the relevant permissions enabled, users can perform the following actions directly from the WorkSpaces client:
- Remember their credentials on the client so they can reconnect without signing in again
- Restart their WorkSpace
- Increase the size of the root and user volumes
- Change the compute type (bundle) of their WorkSpace
- Switch the running mode between AlwaysOn and AutoStop
- Rebuild their WorkSpace from its image
Addressing DaaS Challenges with Hysolate Isolated Workspace as a Service
DaaS is a good way to deliver a desktop experience from the cloud, but it is far from perfect. When users work remotely, especially over low-bandwidth connections, the user experience suffers, particularly for intensive workloads. Desktops cannot be used offline, and some management overhead remains, although less than in an on-premises VDI deployment.
Pricing is another factor. Hosting desktops and storage in the cloud requires a large infrastructure investment from the DaaS vendor, which is passed on to customers as a heavy, ongoing OpEx expense.
Hysolate addresses these problems with an approach it calls isolated workspace as a service (IWaaS): users get a local, isolated operating system running on their own machine, deployed within minutes and managed from the cloud. This gives organizations:
- More freedom for employees on corporate devices
- The ability to receive third-party generated content in an isolated zone
- Access for IT admins, DevOps engineers, developers and other privileged users from their everyday environment
- Access for employees from personal, unmanaged devices