Enterprise Deployment of AWS WorkSpaces at Scale (39

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.S U M M I T
Well-architected Amazon WorkSpaces:
Enterprise deployment at scale
Greg Lavigne
Senior Specialized SA for
End User Compute
AWS
S V C 3 0 4
Manuel Velez
Senior Customer Success Manager for
End User Compute
AWS

Agenda
Well-Architected review presentation
Q&A, whiteboard, and discussion

Amazon WorkSpaces
Highly interactive cloud
desktops that users love
Scalable and
performant
Simple to deploy and
manage
Pay-as-you-go
Secure cloud desktops

Ways that you can use Amazon WorkSpaces
Security and
compliance
Secure applications
and data
Meet regulatory
requirements (HIPAA,
GDPR, PCI)
Project-based
work
Fast, secure access for
consultants & contractors
Accelerate development &
testing
Modern
organizations
Replace VDI
Support a global
workforce
Enable BYOD &
mobile workers

Why would you want to apply the AWS Well-Architected
Framework?
Build and
deploy faster
Lower or
mitigate risks
Make informed
decisions
Learn AWS
best practices

Amazon WorkSpaces Well-Architected review
An assessment of the environment for
Amazon WorkSpaces deployment across
relevant categories
Questions in each category that are
designed to inform the most secure, high-
performing, resilient, and efficient DaaS
architecture
Rating criteria is a measurement of how
you are doing today vs. best practices; the
grading is a judgment call comparing with
similar customers

Amazon WorkSpaces Well-Architected review process
Initial data
collection
Workshop
Analysis and high-
level design
Review session
Remediation steps
for issues
Who participates?
• Project management
• Security
• Client engineering
• Directory services
• Networking
• Help desk
• Amazon solutions
architects
Benefits
Final document on a
design and schedule
Your team on the same
page—the people who
architect it and the
people who use it
An optimized Amazon
WorkSpaces
environment
Implementation of best
practices

General
Questions Considerations
What is the business driver
for this project?
Understand why the business unit is implementing Amazon
WorkSpaces, but not from a technical perspective.
Understand what is actually the compelling event or business
driver.
Do you have an existing VDI solution?
You need to map existing technical knowledge to Amazon
WorkSpaces. What can you leverage from tools and support
models?
What are your expected adoption and
growth rates?
Understand what limit increases need to be requested to
help meet deployment timelines.

AWS account
Do you have AWS accounts today?
Understand the purpose and management of different
accounts, and have familiarity with AWS accounts.
How do you segregate access control
between different administrative groups
today, e.g., infrastructure, network, and
client engineering?
Manage AWS accounts to deploy different AWS services
without issues with administrative controls.
How do you access and secure the AWS
console?
Establish account security.

Security
Are there any other security, audit, or
compliance requirements that should be
considered?
What, if any, information needs to be captured for audit and
compliance? Is periodic reporting required? If so, how often?
Do logs need to be retained, and do they need to be retained
in any specific location?
Are there any specific security
requirements for accessing applications,
e.g., segregation by environment, line of
business, or information classification?
This feeds into the general VPC design, how security groups
are applied, or the possibility of requiring different Amazon
WorkSpaces deployments that are aligned to the
requirements.
Do you need to restrict access to certain
types of users, to certain locations, or to
corporate only?
Multi-factor authentication, IP whitelisting, and private
endpoints—remember that Amazon WorkSpaces uses public
endpoints.

Network
Do you allow routing to Internet IP
addresses across your corporate network?
Direct routing of Internet IP addresses across the corporate
network is required for the Amazon WorkSpaces client to
connect to the streaming gateway.
Do you allow access to TCP/UDP
port 4172 from your corporate network or
devices?
Typically, proxies break PCoIP connections, so the
port 4172 traffic may need to be whitelisted and/or directly
routed.
If you have existing network connections
(Internet, AWS Direct Connect, VPN), what
is the bandwidth available on each of the
links?
You need sufficient network bandwidth on the links to
support Amazon WorkSpaces client access and access from
clients to applications.

Directory
What does your Active Directory
environment look like, how many
forests/domains are there, and what types
of forest/domain are there?
Understand the complexity of the environment to determine
the most appropriate connectivity strategy: AD Connector,
Microsoft AD, or both.
Where do your Active Directory domain
controllers sit today? If not on AWS, is
there a plan to move or replicate a set to
AWS?
It is recommended that you place a set of domain controllers
in your AWS environment to reduce authentication latency,
though it is possible to use Amazon WorkSpaces without
doing this.
Do you have any security policies related to
creating and delegating access to an OU for
an external service?
With AD Connector, Amazon WorkSpaces requires an OU
and permissions to create computer objects. User
credentials for this service account must be granted to the
Amazon WorkSpaces service and are used by the AD
Connector.

Clients
What are the current desktop hardware
configurations?
Consider CPU, memory, storage, GPU, and peripherals to try
to match the correct Amazon WorkSpaces bundle. Look for
performance implications.
What type of user onboarding
experience would you like to offer to your
users?
You need to determine the levels of automation that may be
required and how to interact with existing support teams for
the handoff of Amazon WorkSpaces to end users.
Will you allow users to have clipboard
access between Amazon WorkSpaces and
the client?
Determine policies that need to be adjusted to fit your
business case.

Forensics
Do you have defined procedures and
processes for desktop forensics today?
Determine if there is a need to lock out users, perform
investigations, or archive disks. These items require
additional engineering and possibly third-party tools.
Do you monitor user behaviors and
changes?
You need to determine if the tools currently being used will
still apply and if testing is needed.
What is your data retention policy for
desktops?
Plan on how to manage user drives/volumes and back up
processes.

Operations
How do you plan to license Amazon
WorkSpaces? Win7, Win10, or Desktop
Experience with a license included (or is
Linux an option to consider)?
Plan licensing coverage. Keep in mind that Microsoft EA and
SA are required with dedicated hosting, and a minimum
commitment of 200 seats must be considered.
Do you have standard corporate image(s)?
How will you build and maintain them?
Consider that your Amazon WorkSpaces images use a server
OS. Consider 64-bit requirements, image management for
thin and thick clients, and update management.
How will users request a WorkSpace? Do
you have a ticketing system or portal? How
will you manage reboots, changes, and
rebuilds?
Plan whether you need to have automation or integration
with existing systems (Portal, ServiceNow, etc.).

Applications
Do you have a defined portfolio of
applications in scope for deployment onto
Amazon WorkSpaces?
Business units have different environments to support the
application during the systems development life cycle.
Are the application licenses transferable so
that you can use them within a cloud
environment?
Consider whether there are any specific licensing restrictions
that would prevent software from running on Amazon
WorkSpaces.
Do you know the application
communication protocols?
Firewall rules are needed, routes are needed, etc.

Enterprise Deployment of AWS WorkSpaces at Scale (39

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Enterprise Deployment of AWS WorkSpaces at Scale (39

Similar to Enterprise Deployment of AWS WorkSpaces at Scale (39 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Enterprise Deployment of AWS WorkSpaces at Scale (39