Automating Amazon WorkSpaces Desktop and AppStream 2.0 Application Provisioning with the End User Lifecycle
Your Cloud-based Desktop Experience Is Ready

Andrew DeFoe, Senior Solutions Architect, Amazon Web Services
Alex Pereluka, Server Management Technician, Arizona Department of Transportation
June 14, 2017

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

What customers are telling us they want
- Ability to improve service levels
- Support for different user types
- Flexibility for different client devices
- Improved security
- Agility without app changes

Customer success story
Use case | Arizona Department of Transportation
- Arizona Department of Transportation (ADOT) operates hundreds of remote offices with thousands of agents, and additionally supports hundreds of Authorized Third Party locations.
- Migration from on-premises VDI to Amazon WorkSpaces eliminates on-premises server and storage infrastructure and reduces operating costs.
- Using zero client and BYOD devices for Amazon WorkSpaces greatly reduces endpoint management and, in most cases, eliminates the requirement for VPN connectivity from Third Party locations. This further reduces costs and improves network security.
- Amazon WorkSpaces provides consistent performance, regardless of office location, with high-speed, low-latency connectivity to cloud-based or on-premises applications.
- ADOT has fully automated provisioning of Amazon WorkSpaces desktops. This improves service levels and reduces maintenance and operating costs (vs. traditional VDI and PC desktops).

A cost-effective, managed cloud desktop
Highly interactive cloud desktops your users will love
- Secure
- Pay as you go
- Simple management
- Scale consistently

A desktop experience your users will love
Securely access a persistent, nonvolatile desktop with a consistent CPU, memory, and storage from zero clients, Windows, macOS, an iPad, an Android tablet, a Chromebook, a Fire tablet, and Chrome or Firefox running on Windows, macOS, or Linux.
- Persistent desktop
- Consistent performance
- Available on any device

Improved security
Amazon WorkSpaces encrypts data and streams, keeps information off of devices, supports VPC security groups, and supports RADIUS for user MFA authentication.
- No sensitive data on client devices
- WorkSpace data encrypted at rest
- Desktop stream encrypted in transit
- Multi-factor authentication (RADIUS)

Plays well with on-premises services and your VPC
- Active Directory
- SCCM and Amazon EC2 Systems Manager
- On-premises network and applications
Amazon WorkSpaces integrates easily with Active Directory for domain joins, user authentication, and GPOs. Use SCCM or Amazon EC2 Systems Manager to patch your WorkSpaces, and privately access on-premises or cloud applications using your VPC.

No servers to manage, scale on demand
Amazon WorkSpaces removes the burden of infrastructure management and scales instantly. It provides the flexibility to pay monthly or hourly to support full-time and temporary users. You can mix monthly and hourly billing within your AWS account, and you can also switch between billing options at any time during a billing period to optimize your AWS bill.
- Available globally
- Cloud economics
- Pay only for what you use

Amazon WorkSpaces regions
(region map)
Automated provisioning components
- Image: Windows 7 Desktop Experience; Windows 10 Desktop Experience; Plus Software Bundle; Custom Preinstalled Software; BYOL
- Software: Preinstalled (Image); Group Policy Software Installation; Amazon WAM; Amazon AppStream 2.0
- Hardware: Value; Standard; Performance; Graphics
- Pricing Model: Always On; Hourly
- Active Directory: Group Policy Objects; Organizational Units; Deployment Groups; Local Admin Groups; Service Accounts
- Scripts: Boot, Login, and Logout; WorkSpaces API Actions; AWS CloudTrail; Amazon CloudWatch; AWS Lambda; Tags; AWS IAM Roles; AD Service Account
- Clients: Teradici Zero Client; Teradici PCoIP Connection Manager (EC2); Teradici PCoIP Management Console (VMware); WorkSpaces Client; Web Access
- Management: Image Lifecycle (Manual); WorkSpaces Create; WorkSpaces Reboot/Rebuild; WorkSpaces Start/Stop; WorkSpaces Modify; WorkSpaces Terminate; Monitoring

Amazon WorkSpaces images
Image + Hardware = Bundle
Included with AWS provided bundles:
- Windows 7 Desktop Experience (Windows Server 2008 R2)
- Windows 10 Desktop Experience (Windows Server 2016)
- Additional default software includes Firefox and WinZip
- Plus Software Bundle additionally includes Microsoft Office Professional and Trend Micro Worry-Free Business Security Services
- Images are maintained by Amazon
BYOL images:
- Windows 7 or Windows 10 image and OS license are provided by the customer and require dedicated hardware
- Create custom bundles using BYOL images
Custom preinstalled software:
- Start with an AWS provided bundle or a custom bundle using a BYOL image
- Configure software and prepare for imaging
- Create custom images and bundles
- Images are maintained by the customer

Amazon WorkSpaces software
Strategies include:
- Preinstalled (image)
- Group Policy Software Installation (GPSI)
- Amazon WorkSpaces Application Manager (WAM)
- Amazon AppStream 2.0
- User installed
Things to consider:
- Image maintenance
- Number of applications and combinations for different user groups
- Size of application packages
- System requirements
- Usage pattern

Amazon WorkSpaces hardware
Things to consider:
- Selection is based on software system requirements for each user.
- Consider baseline vs. peak system requirements and software usage pattern.
- Consider Amazon AppStream 2.0 to offload and scale compute resources for specific applications.

Amazon WorkSpaces pricing model
- Always On: fixed monthly fee for unlimited usage during the month. This is best for workers who use their Amazon WorkSpace full-time or as their primary desktop.
- Hourly: small fixed monthly fee per WorkSpace to cover infrastructure costs and storage, and a low hourly rate for each hour the WorkSpace is used during the month. Hourly billing works best when Amazon WorkSpaces are used, on average, for less than a full working day or for just a few days a month.
Example provisioning architecture
Use case | Arizona Department of Transportation
(architecture diagram)
Active Directory (1/2)
Components: Group Policy Objects; Organizational units; Deployment groups; Local Administrator groups; Service accounts
Things to consider:
- Create OUs for WorkSpaces machine accounts to configure settings and install software. Consider using the Active Directory Group Policy loopback feature to apply Group Policy Objects (GPOs) to users logging in to WorkSpaces.
- Consider a "Request Administrative Rights" workflow, or use Group Policy Preferences to selectively allow users to be part of their own WorkSpaces local Administrators group on a temporary or permanent basis.
- Use separate OUs with blocked GPO inheritance when you create WorkSpaces images (separate WorkSpaces directory-id).
Active Directory (2/2)
Components: Group Policy Objects; Organizational units; Deployment groups; Local Administrator groups; Service accounts
Things to consider:
- Create Active Directory security groups for every WorkSpaces bundle and environment lifecycle, and provision based on user membership in a deployment group.
- Install the pcoip.adm Group Policy administrative template to apply settings that are specific to Amazon WorkSpaces.
- Use a domain service account with WorkSpaces directory-ids to authenticate users and join computers to the domain. Use additional service accounts for WorkSpaces image creation and to run provisioning automation scripts.
Scripts (1/2)
Components: Boot, login, and logout; WorkSpaces API actions; AWS CloudTrail; Amazon CloudWatch; AWS Lambda; Tags; AWS IAM roles; Active Directory service account
Things to consider:
- Run login (user profile), logout (profile cleanup), and boot (public profile) scripts to maintain the WorkSpaces user environment.
- Execute Amazon WorkSpaces API and other actions (CreateTags, CreateWorkspaces, DeleteTags, DescribeTags, DescribeWorkspaceBundles, DescribeWorkspaceDirectories, DescribeWorkspaces, DescribeWorkspacesConnectionStatus, ModifyWorkspaceProperties, RebootWorkspaces, RebuildWorkspaces, StartWorkspaces, StopWorkspaces, and TerminateWorkspaces) using AWS SDKs, and audit activity with AWS CloudTrail.
- Run scripts on a scheduled basis from Amazon EC2, or use AWS Lambda functions to poll for changes to deployment group membership. Alternatively, run scripts in response to security events audited on domain controllers when users are added to or removed from deployment groups. Security logs can be delivered to Amazon CloudWatch Logs and processed using AWS Lambda.
Scripts (2/2)
Components: Boot, login, and logout; WorkSpaces API actions; AWS CloudTrail; Amazon CloudWatch; AWS Lambda; Tags; AWS IAM roles; Active Directory service account
Things to consider:
- Use tags to manage and track Amazon WorkSpaces. Tags help categorize WorkSpaces so you can easily identify their purpose and track costs accordingly. For example, tags can help you identify all of the WorkSpaces for a particular department, project, application, vendor, or use case. You can also use tags to control billing options using the Amazon WorkSpaces Cost Optimizer.
- Create AWS Identity and Access Management (IAM) roles and policies for Amazon EC2 or AWS Lambda functions to execute WorkSpaces API and other actions. To directly interact with Active Directory, protect Active Directory service account credentials in Amazon EC2 Systems Manager Parameter Store and AWS Key Management Service (KMS).
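The reconciliation loop the two Scripts slides describe (poll deployment group membership, call CreateWorkspaces and TerminateWorkspaces, tag every WorkSpace with its deployment group), as an added example that is not ADOT's or AWS's code. It assumes the boto3 WorkSpaces client's method names and response shapes, hypothetical directory, bundle and group identifiers, and that the caller supplies the member list (for instance from an AD query made with the service account whose credentials sit in Parameter Store); a small in-memory stand-in for the client is constructed so the block runs offline.

```python
# Added example (not ADOT's or AWS's code): reconcile one AD deployment group
# with Amazon WorkSpaces. Assumes boto3 WorkSpaces method names and response
# shapes; the IAM role running this needs only the five actions called below.

def reconcile(client, directory_id, bundle_id, group_name, members):
    """Create a WorkSpace for each new group member and terminate those of users
    who left. Only WorkSpaces carrying this automation's DeploymentGroup tag are
    ever terminated, so hand-built WorkSpaces in the directory are left alone."""
    owned, others = {}, set()
    for ws in client.describe_workspaces(DirectoryId=directory_id)["Workspaces"]:
        if ws["State"] == "TERMINATED":
            continue
        tags = client.describe_tags(ResourceId=ws["WorkspaceId"])["TagList"]
        if {"Key": "DeploymentGroup", "Value": group_name} in tags:
            owned[ws["UserName"].lower()] = ws["WorkspaceId"]
        else:
            others.add(ws["UserName"].lower())
    wanted = {m.lower() for m in members}
    create = [{"DirectoryId": directory_id, "UserName": u, "BundleId": bundle_id,
               "WorkspaceProperties": {"RunningMode": "AUTO_STOP"},  # hourly billing
               "Tags": [{"Key": "DeploymentGroup", "Value": group_name}]}
              for u in sorted(wanted - set(owned) - others)]
    terminate = [{"WorkspaceId": owned[u]} for u in sorted(set(owned) - wanted)]
    failed = []
    if create:  # both API calls are recorded by CloudTrail under the calling role
        resp = client.create_workspaces(Workspaces=create)
        failed += [f["WorkspaceRequest"]["UserName"] for f in resp["FailedRequests"]]
    if terminate:
        resp = client.terminate_workspaces(TerminateWorkspaceRequests=terminate)
        failed += [f["WorkspaceId"] for f in resp["FailedRequests"]]
    return {"create": create, "terminate": terminate, "failed": failed}


class FakeWorkSpaces:
    """Constructed in-memory stand-in for boto3.client("workspaces")."""
    def __init__(self, workspaces, tags):
        self.ws, self.tags, self.calls = workspaces, tags, []
    def describe_workspaces(self, DirectoryId):
        return {"Workspaces": [w for w in self.ws if w["DirectoryId"] == DirectoryId]}
    def describe_tags(self, ResourceId):
        return {"TagList": self.tags.get(ResourceId, [])}
    def create_workspaces(self, Workspaces):
        self.calls.append("CreateWorkspaces")
        return {"FailedRequests": [], "PendingRequests": Workspaces}
    def terminate_workspaces(self, TerminateWorkspaceRequests):
        self.calls.append("TerminateWorkspaces")
        return {"FailedRequests": []}


# Constructed sample state: alice and bob were provisioned by this automation,
# carol by hand; the deployment group now contains alice and dave.
GROUP, DIR = "WS-Standard-Prod", "d-example0000"
CLIENT = FakeWorkSpaces(
    [{"WorkspaceId": "ws-alice0000", "DirectoryId": DIR, "UserName": "Alice", "State": "AVAILABLE"},
     {"WorkspaceId": "ws-bob000000", "DirectoryId": DIR, "UserName": "bob", "State": "STOPPED"},
     {"WorkspaceId": "ws-carol0000", "DirectoryId": DIR, "UserName": "carol", "State": "AVAILABLE"}],
    {"ws-alice0000": [{"Key": "DeploymentGroup", "Value": GROUP}],
     "ws-bob000000": [{"Key": "DeploymentGroup", "Value": GROUP}]})
PLAN = reconcile(CLIENT, DIR, "wsb-example00", GROUP, ["alice", "dave"])
```

Running it creates a WorkSpace for dave, terminates bob's tagged WorkSpace, and leaves carol's untagged one untouched.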
Example user management components
Use case | Arizona Department of Transportation
- A GPO to control the appearance of the Desktop, Start Menu, and lockdown policies
- A default profile created by the "WorkSpaces Builder" during the imaging process
- A roaming profile to retain the user's customization (excluding data)
- Folder Redirection to a network share running in an accessible VPC for My Documents, Desktop, and Favorites folders
- Boot scripts controlling the Public Desktop folder and the Public Start Menu for all users
- A Login script controlling users' individual Start Menu, Desktop, and mandatory Favorites folders
- Region-based GPO Software Restriction Policies (SRPs) to control access to applications installed on the WorkSpaces image based on Active Directory security group membership, in order to reduce the number of images required
- A Logout script to clean the user profile (Temporary Internet Files, Downloads, Cookies, etc.) at logout to reduce the size of the user profile and maintain a consistent user experience
Clients
Components: Teradici zero client; Teradici PCoIP Connection Manager (EC2); Teradici PCoIP Management Console (VMware); WorkSpaces client; Web access
Things to consider:
- Teradici zero clients require Teradici PCoIP Connection Manager to authenticate users and connect to Amazon WorkSpaces. PCoIP Connection Manager is available in the AWS Marketplace.
- Teradici PCoIP Management Console is an on-premises VMware appliance that enables administrators to quickly and easily provision new devices, report on inventory, review metrics, configure settings, and update firmware from a single console. This means that Teradici zero clients can be automatically provisioned for use with Amazon WorkSpaces in a plug-and-play model.
- You can access all Amazon WorkSpaces clients and the web access client at https://clients.amazonworkspaces.com/. Users or desktop administrators need to know their WorkSpaces Registration Code to configure the client and access the WorkSpace.
- Web access must be enabled on the Amazon WorkSpaces Directory.
Management (1/2)
Components: Image lifecycle (manual); WorkSpaces create; WorkSpaces reboot/rebuild; WorkSpaces start/stop; WorkSpaces modify; WorkSpaces terminate; Monitoring using CloudWatch
Things to consider:
- Rebuild Amazon WorkSpaces periodically as part of scheduled maintenance.
- When a rebuild occurs, the system is restored to the most recent image of the bundle that the WorkSpace was created from.
- Any applications that have been installed or system settings that have been changed after the WorkSpace was created are not retained.
- During a rebuild, the user data drive (D:) is recreated from the last automatic snapshot taken of the data drive. The current contents of the data drive are overwritten. Automatic snapshots of the data drive are taken every 12 hours, so the snapshot can be as much as 12 hours old.
Management (2/2)
Components: Image lifecycle (manual); WorkSpaces create; WorkSpaces reboot/rebuild; WorkSpaces start/stop; WorkSpaces modify; WorkSpaces terminate; Monitoring using CloudWatch
Things to consider:
- Use folder redirection for redirecting user Documents and Desktop folders to an EC2-based file share or DFS in the same VPC as the WorkSpaces. Also, consider Amazon WorkDocs for file sharing and collaboration. Restrict user-installed software so that rebuilds or complete WorkSpaces replacements don't impact user productivity. Keep WorkSpaces updated by updating images and rebuilding. Alternatively, use SCCM or EC2 Systems Manager to update WorkSpaces in place.
- WorkSpaces start/stop actions are used with WorkSpaces in AutoStop mode (hourly billing). Scheduled starts of WorkSpaces can make them ready for use so that users don't have to wait when logging in.
- Send notifications to users or administrators as part of the automated provisioning process using Amazon SNS when WorkSpaces are ready for use or are impacted by other lifecycle events.
Desktop application streaming
Securely stream desktop applications to any web browser, without rewriting them, with instant-on access.
- Pay as you go
- Scale globally
- Secure apps and data
- Run desktop apps in a web browser

AppStream 2.0 key features
- Image Builder
- Multiple Streaming Instance Types
- Amazon VPC Support
- Identity Federation
- Monitoring
- Fleet Auto Scaling
- Programmatic Control
- Simple End-User Interface
- NICE DCV for Streaming
- HTTPS Secure Access

Amazon WorkSpaces Cost Optimizer
AWS offers the Amazon WorkSpaces Cost Optimizer, a solution that analyzes all of your WorkSpace usage data and automatically converts each WorkSpace to the most cost-effective billing option (hourly or monthly), depending on the user's individual usage.

Thank you!

