BAP205-Build an Amazon AppStream 2.0 Environment to Stream Desktop Applications to Your Users
1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS re:INVENT
Build an Amazon AppStream 2.0 Environment to Stream Desktop Applications to Your Users
Greg LaVigne, Specialized AWS Solutions Architect, Workspaces and AppStream
BAP205
November 28, 2017
2. Amazon AppStream 2.0 workshop agenda
What we’ll cover and build out:
• Service overview
• Common Use Cases
• Pace of Innovation
• Workshop Lab: Overview of Core components
• Workshop Lab: What you need and notes
• Appendix: Supplemental material
3. Fully managed application streaming service that provides users instant access to their desktop applications
4. Stream desktop applications securely to any web browser from the cloud
• Pay-as-you-go
• Secure apps and data
• Run desktop apps in a web browser
• Scale globally
5. Use cases
• Business & public sector: managed streaming solution for desktop applications
• ISVs: move desktop apps to cloud with no rewrite
• Design & engineering: HPC and graphic intensive workloads
6. Pace of innovation
• Apps: Interactive image builder
• Storage: Home Folders with Amazon S3
• Identity: Active Directory; SAML 2.0; User pool
• Lower costs: Auto-scaling; On-Demand fleets (cold start); Amazon CloudWatch
• GPUs: Graphics Design; Graphics Desktop (G2); Graphics Pro (G3)
• Networking: Custom security group; Simple network/default internet
• End-user: Streaming modes; Microphone
7. The workshop lab: Overview
• Pick a Region
• Create VPC
• 1 public subnet
• 2 private subnets
• Amazon S3 Endpoint (for persistent storage)
• Deploy image builder and install applications
• Execute image assistant and create custom image
• Define fleet
• Define stack
• Provision user in user pools and assign stack
• Launch user streaming session with credential-assigned URL
8. Supported Regions
Regions
• Oregon
• Northern Virginia
• Ireland
• Tokyo
9. The workshop lab: Topology
10. Administrator workflow
11. Multiple instance types
Match app workload to instance characteristics:
• General purpose—knowledge worker apps
• Compute optimized—apps with high compute requirement
• Memory optimized—apps with high memory requirement
• Graphics optimized—apps with high graphics requirements
• Graphics Desktop
• Graphics Pro
• Graphics Design
1 user = 1 VM = consistent performance
12. Simple user interface
14. re:Invent 2017: AppStream 2.0 Sessions
Breakout Sessions:
Chalk Talks:
15. The workshop lab: What you will need
• Your AWS Account ID & Password
• The printed Lab Guide PDF
• Access to an email account of your choice
• Curiosity and a willingness to try!!
16. The workshop lab: Notes
• Region: Select PDX
• Instance Type: Pick Graphics Design
• Image Builder
• Fleet
• Labconfig.txt file: download to your physical device and/or Image Builder (optional in both places).
• There are 3 “10-15 minute” breaks: feel free to stretch out; supplemental material will be shared.
• We are here to help!!
17. Appendix
18. Simple user interface
• Run Windows applications in HTML browser
• No plug-ins
• Firewall friendly—HTTPS/443
• Use multiple apps at the same time
• Clipboard, file upload/download, printing
• Audio and bandwidth controls
• Multiple storage options
19. NICE DCV
• High-fidelity visualization delivered to browsers
• Adaptive and responsive streaming
• End-to-end AES-256 encryption
• Supports both 3D and non-graphics applications
• Audio/video encoded using H.264 over HTTPS
• 2K resolution support
20. Secure network
• Launch in your Amazon VPC
• Managed via Security Groups
• Control access to internet from instances
• Connect to database, license, and file servers on premises or in your VPC
21. AWS SDK/API
Full AWS SDK/API support
• Create, describe, update, delete resources
• Programmatically generate streaming URLs
• Connect AppStream 2.0 to your management tools
22. Data management options
AppStream 2.0 Home Folders
• Stores user files in your Amazon S3 buckets
• Automatically mounted when streaming starts
File upload/download from browser
• Users can upload and download files from their local machine
• Uploaded files are not persisted between sessions
Network file shares (on-premises or VPC)
• Users can access network shares for their files
• Access to web-based file services through browser
23. Optimizing costs through scaling
• Scale environments based on usage
• Dynamic scaling based on fleet utilization, available instances, insufficient capacity
• Time-based schedules using AWS Lambda
• On-Demand scaling
• Trade instant-on for cost
24. Network flow
[Diagram labels: On premises; Public Internet; VPN or Direct Connect; Pixels - HTTPS; Identity/SAML; Streaming Gateway; Stack; Fleet; Amazon AppStream 2.0 Network – 198.19.x; Customer/ISV VPC (172.X or 192.x or 10.x); Private Network Access; Utility/License/Database servers; HPC Cluster]
25. Graphics instance details
Instance Family | Graphics Design | Graphics Desktop | Graphics Pro
Number of instance sizes | 4 | 1 | 3
Price Range | $0.25–$2.00 | $0.50 | $2.05–$8.20
GPU Memory Range | 1–8 GiB | 4 GiB | 8–32 GiB
vCPU Range | 2–16 | 8 | 16–32
Memory Range | 8–61 GiB | 15 GiB | 122–488 GiB
GPU Vendor | AMD | NVIDIA | NVIDIA
Libraries Supported | DirectX; OpenGL; OpenCL | CUDA; DirectX; OpenGL; OpenCL | CUDA; DirectX; OpenGL; OpenCL
26. Cost considerations
Pay per hour for streaming resource
• Instant-on experience—warm/running resources
• On-demand experience—cold/standby resources
Price per hour based on streaming instance type
• From $0.25/hr for graphics
• From $0.10/hr for non-graphics
Per user fee
• $4.19/user/month for commercial users
• $0.44/user/month for EDU
• Waived with BYOL (License Mobility)
27. Learnings from the field/helpful hints
• Different images for Graphics Desktop, Graphics Design, Graphics Pro and other AppStream instance families because of unique graphics drivers
• Internet Explorer Enhanced Security Configuration
• Application considerations
• Profile specific configurations
• First run experiences
• Auto updates
• Source code
• Activation/licensing servers and database servers
• Amazon CloudWatch metrics
• AD computer object considerations
• App optimization versus AppStream 2.0 optimization
• Alerts for max limits
28. Authentication flow: SAML
29. Instance network details
[Diagram labels: On-premises network; Public IP; Streaming Gateway (AWS ALB); Interactive pixel stream via HTTPS; Streaming traffic; Streaming Instance (single end-user); ETH0; ETH1; AWS Security Group Controls; Customer Security Group Controls; Customer Subnet; Amazon AppStream 2.0 Network – 198.19.x; Customer/ISV VPC (172.X or 192.x or 10.x); Private network resources; Outbound private network and Internet]
• Instance for streaming is part of AWS-maintained VPC
• Instance is part of AppStream 2.0 fleet
• Instance is short-lived, terminated after user disconnects
• Instance launched from image associated with Fleet
• All outbound network access by user is via ETH1
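An added example, not part of the original slides or any AWS tooling: because all user-initiated outbound traffic leaves via ETH1 under the customer security group, this Python check audits that group's egress rules and flags anything broader than the private ranges the slide lists. It assumes "172.X or 192.x or 10.x" means the RFC 1918 ranges; the sample group, its ID and its addresses are constructed.

```python
import ipaddress

# Assumption: the slide's "172.X or 192.x or 10.x" means the RFC 1918 private ranges.
PRIVATE = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_egress(group, approved=PRIVATE):
    """Return (severity, destination, detail) findings for one security group's egress rules."""
    findings = []
    for perm in group.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol", "-1")
        if proto == "-1":  # "-1" is how EC2 expresses "all protocols, all ports"
            scope = "all protocols and ports"
        else:
            scope = f"{proto} {perm.get('FromPort')}-{perm.get('ToPort')}"
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=False)
            # subnet_of() raises on mixed IP versions, so compare like with like.
            inside = any(net.version == a.version and net.subnet_of(a) for a in approved)
            if net.prefixlen == 0:
                findings.append(("HIGH", cidr, f"internet-wide egress, {scope}"))
            elif not inside:
                findings.append(("MEDIUM", cidr, f"destination outside approved ranges, {scope}"))
            elif proto == "-1":
                findings.append(("LOW", cidr, "approved destination but every port is open"))
    return findings

# Constructed sample in the shape returned by EC2 DescribeSecurityGroups;
# the group ID and addresses are placeholders, not values from the slides.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433,
         "IpRanges": [{"CidrIp": "10.0.2.15/32"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
    ],
}

if __name__ == "__main__":
    for severity, dest, detail in audit_egress(SAMPLE_GROUP):
        print(f"{SAMPLE_GROUP['GroupId']}: {severity} {dest} ({detail})")
```

The default EC2 security group egress rule is the first entry in the sample (all traffic to 0.0.0.0/0), so a fleet placed in an unmodified group reports HIGH.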
30. Active Directory join benefits
You can join AppStream 2.0 instances to your Active Directory domains
• SSO access to intranet sites
• Access file shares/network resource
• Print to network printers
• Kerberos support
• User and machine Group Policies
[Diagram label: Your Active Directory]
31. Domain join: User experience
[Diagram labels: End-User; Intranet Site/SAML Login; SSO or Auth with AD login + 2FA; Customer Active Directory; Access control through AD Group; App catalog; User login – once per session; Auth with AD login; Customer Active Directory; Apps]
32. Domain join: Administrator workflow
• Create OU(s) and service account in Active Directory
• Configure fleet instances to join the domain
• Create directory config in AS2.0: Config = {fqdn, service account, OU}
• Instances are launched in the designated OU (can leverage GPOs)
33. Thank you!