Build an AppStream 2.0 Environment to Deliver Desktop Applications to Any Computer (BAP330) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Before we get started today….
• Each table has a sheet of paper on it…..please simply write your AWS Account
number on it
AWS Account Numbers only….no names are required
• Our AppStream 2.0 Service team will quickly validate and ensure your account has
the appropriate limits set for this Workshop
• A laptop device is required for this workshop
• An email address that is accessible to you now
• Preferably a new or “clean” AWS Account
• If you need to create a new one:
• Credit Card
• Cell Phone

The workshop lab: What you will need today
• An AWS account ID & password
• A Laptop device
• Access to an email account of your choice
• Access to this URL to download lab files:
http://labguide.appstreamlabs.com/
• The Lab Guide: Hard copy provided or:
http://labguide.appstreamlabs.com/AS2_Labguide_2018ReInvent.pdf
• Curiosity and a willingness to try!!
NOTES:
• Optionally, it will help to temporarily disable your browser’s pop up blocker setting
• There are TWO “15-20ish minute” breaks as instances provision: Feel free to stretch
out…supplemental material will be shared.
• We are here to help!!

B A P 3 3 0
Greg LaVigne
Sr. Specialized
Solutions Architect
End User Computing
AWS
Justin Stokes
Sr. Specialized
Solutions Architect
End User Computing
AWS
Gurinder Raju
Sr. Manager, Software
Development
AppStream
Build an AppStream 2.0
Environment to Deliver Desktop
Applications to Any Computer
Vinoth Narasimhan &
Murali Rathinasamy
Sr. Product Managers
AppStream

Fully managed application streaming service that provides users instant
access to their desktop applications

What we’ll cover and build out:
•Brief Amazon AppStream 2.0 service overview
•Workshop Lab: Overview and steps 1-3
•Build out break #1-(15ish minutes):
• Features and Innovations
•Workshop Lab: Step 4
•Build out break #2-(15-20ish minutes):
• Cost Considerations, Networking, Identity and Domain Join
•Workshop Lab: Steps 5-9
•Workshop Wrap-up
AppStream 2.0 workshop agenda

How Amazon AppStream 2.0 Works

Easy app import through the AWS Console
• Launch an Image Builder, connect, and install your apps
• Create the app and Windows settings you want your users to have
• Optimize and test the app experience
• Create an image and use it for your fleets
• AppStream agent software can be managed for you
Example apps
• Client/Server: SAP GUI, SQL WorkBench and other data warehouse clients
• Security/Bastion: Putty, Remote Desktop, etc
• 3D Engineering – SolidWorks, AutoCAD, Ansys suite, Siemens NX, etc
• Engineering Analysis – Matlab, R Studio, PHET, etc
Bring your desktop apps to Amazon AppStream 2.0

Managed Service: No hardware or software to
manage
ConsoleSDK/API
• Works with your IT environment
• Manage through AWS SDK or Console
• No h/w or s/w to deploy, patch, or
upgrade
• Automatically scale on demand
• Monitoring support
• Use nearest region to reach global
Audience

Import existing
apps with no
changes or
rewrites and start
streaming
Integrates with
existing apps,
identity, storage
and network
No infrastructure
to install or
manage, add your
apps and start
streaming
Consistent
performance - one
streaming instance
per user − no
shared instances
and global scale
Familiar look,
windows apps in a
browser
Benefits of Amazon AppStream 2.0

Pace of innovation in 2018
Apps
• Google Drive (G Suite)
• OneDrive for Business
• Amazon FSx (File Shares)
• Amazon WorkDocs Drive
Identity
• Default application settings
• App settings persistence
• Regional settings
Storage
• User Pool APIs
• AWS SSO
Pricing
• Scheduled Scaling
• Faster instance launches
Graphics
• Dual Monitor
• USB devices
• Keyboard shortcuts
Admin
• Image copy
• Image sharing
• CloudFormation
End-User
• Custom branding
• Seamless clipboard
• Safari on Mac OSX
• AWS Region expansion
(Singapore, Sydney, Frankfurt)

The workshop lab: Overview-The Steps
• Pick a Region: (preferably: US-West Oregon)
• Create a Virtual Private Cloud via AWS CloudFormation
• Deploy an Image Builder instance and install business applications
• Pause #1 to watch the paint dry….er wait Image Builder Instance to provision
• Execute Image Assistant and create custom image
• Pause #2 to watch the grass grow….er wait for the image to be created
• Define and provision a fleet via AWS CloudFormation
• Provision a Stack with custom branding via the AWS console
• Provision a new User in User Pools and assign a Stack
• AWS Console
• Optionally (PowerShell and AWS API)

Performance: Stream from nearest location
Regions supported:
• Oregon
• Northern Virginia
• Ireland
• Tokyo
• Sydney
• Singapore
• Frankfurt

What we’re creating today: The AppStream 2.0 Lab topology

The Amazon AppStream 2.0 workflow
Image Builder
Used to install and
configure Business
Applications
Image Assistant
Used to define
and optimize Apps
presented,
configure default
user settings and
create an image
Define a Fleet
Configurations
include image,
instance types,
networking,
scaling
configurations
Provision a Stack
Configurations
include Fleet, user
storage, access
permission
options
and customer
branding
User Pools
Used to define
users and grant
stack access
User
User
User
Administrator

• Provision an image builder instance thru AWS
Management Console via your browser
• Microsoft Windows Server 2012 R2
• Install and test applications
• Define application display names, icons and launch
parameters
• Optimize app launch time and configure apps using
the Image Assistant
Admin Workflow: Install and configure applications
$> aws appstream create-image-builder <name><instance-type>

Streaming Protocol: NICE DCV
HTTPS secure access
Adaptive quality of service
Encrypted pixel stream
(AES-256)
Adaptive multi-codec
3D and business apps
Optimized image quality

Security: Streams, instances….your environment
Secure access via
streaming gateways
Firewall friendly
HTTPS/443
AES-256 Encrypted
Launch in your Amazon
VPC
Control network access for
users/apps via Security
Groups and Routing Tables
Non-persistent
instances
Instances terminated after
every user session
Data movement
controls
Control file transfer, clipboard,
and printing

Persistent Home
Folders
(Amazon S3)
Network file shares
Microsoft OneDrive for
Business
File upload/download
from local device
Google Drive (G Suite)
AWS Storage Gateway
Data Management: Storage Options

Each user gets a full virtual
machine
1 user  1 VM
Performance: Dedicated instances

Standard
2 – 4 vCPU cores
4 – 8 GiB memory
Starts at $.10/hr
Memory
2 – 32 vCPU cores
15 – 244 GiB memory
Starts at $.25/hr
Graphics Design
AMD FirePro virtualized GPU
2 – 16 vCPU cores
7.5 – 61 GiB memory
1 – 8 GiB GPU
Starts at $.25/hr
Graphics Pro
NVIDIA Tesla M60 GPU
16 – 64 vCPU cores
122 – 488 GiB memory
8 – 32 GiB GPU
Starts at $2/hr
Compute
2 – 32 vCPU cores
4 – 60 GiB memory
Starts at $.25/hr
Instance Types: Match performance to app workloads

The workshop lab: Overview-The Steps
• Pick a Region
• Create a Virtual Private Cloud via AWS CloudFormation
• Deploy an Image Builder instance and install business applications
• Pause #1 to watch the paint dry….er wait Image Builder Instance to provision
• Execute Image Assistant and create custom image
• Pause #2 to watch the grass grow….er wait for the image to be created
• Define and provision a Fleet via AWS CloudFormation
• Provision a Stack with custom branding via the AWS console
• Provision a new User in User Pools and assign a Stack
• AWS Console
• Optionally (PowerShell and AWS API)

• Image contains your applications + any
associated runtimes and configurations
• Image contains persistent application settings
• Define the Application Catalog (apps)
• Applications are automatically optimized for
launch and performance
$> aws appstream describe-images
Admin Workflow: Define Apps and Create Image

Cost Considerations: Overview
Pay per hour for pool of streaming instances
• Image Builder
• Choose your Fleet Type
• Running and stopped instances
• Instant-on experience – warm/running resources
• On-demand experience – cold/standby resources
Price per hour based on streaming instance type
• From $0.25/hr for graphics
• From $0.1/hr for non-graphics
• Auto scale out or scale in instances to match user demand.
Monthly per user fee (Microsoft RSOD CAL)
• $4.19/user/month for commercial users
• $0.29/user/month for EDU
• Waived with BYOL (License Mobility)

On Demand Fleet
1 – 2 minute launch time
Uses stopped instance fleet
Pay streaming fees when
connected + small hourly fee for
standby instances
Always On Fleet
Instant connection
Uses running instance fleet
Pay streaming fees
Cost Considerations: Fleet Types

Cost Considerations: Optimize through Scaling
Auto Scale pool of streaming instances based
on usage when you need them
• Utilization-based scaling to automatically
grow your fleet
• Time-based scaling when your can forecast
demand
• Pay only for running or stopped instances in
fleet
Use both together to manage availability &
costs
Trade instant-on for cost!!

Instance network details
Private network
resources
Amazon AppStream 2.0 Managed Service
Network—198.19.x
Customer/ISV VPC
172.X or 192.x or 10.x
Public IP
Streaming Gateway
(AWS ALB)
AWS
Security
Group
Controls
Customer
Security Group
Controls
Customer
Subnet
ETH0 ETH1
Interactive Pixel
stream via HTTPS
Streaming
Instance
(single end-user)
• Instance for streaming is part of AWS-maintained VPC
• Instance is part of AppStream 2.0 fleet
• Instance is short-lived, terminated after user disconnects
• Instance launched from image and instance type associated
with fleet
• All outbound network access by user is via ETH1
On-premises network
Streaming traffic
Outbound
Private network and
Internet

Network flow
On-premises
Internet
VPN
or
AWS Direct Connect
Streaming
Connection
Streaming Gateway
Fleet
File share, license servers,
databases, design vaults
Amazon AppStream 2.0 Managed
Service Network 198.19.x
Private Network Access
Simulation, Rendering
Amazon EC2 Clusters
Stack
AD (optional)
AD (optional)
User Storage (Optional)
Customer Amazon S3
bucket
Streaming
Connection
ID = SAML, User
Pool or Custom
xN
Customer VPC: 172.X or 192.x or 10.x

SAML 2.0 Built-in User Pool Custom Identity
Identity: Bring your own or built-in

• Join Amazon AppStream instances
to your domain (optional)
• SSO access to intranet sites
• Access network resources
• File shares
• Databases
• Licensing Servers
• Print to network printers
Identity: Connect to your domain

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Domain Join: User Experience
End User
Customer Active
Directory
Intranet Site/SAML Login
Customer Active
Directory
Access control through
AD Group
SSO or Auth with
AD login + 2FA
User login – once per session AppsApp catalog
Auth with
AD login

© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Domain Join: Administrator Workflow
Create OU(s) and service
account in Active
Directory
Create directory
config in AS2.0
Config =
{fqdn, service account, OU}
Launch Image
Builder and Fleet
instances to join to
the domain

SAML 2.0: Authentication Flow
https://eng-apps.exampleco.com
SAML ID Provider
backed by Active
Directory
1
2
4
Redirects with SAML Assertion,
stack=ENG-STACK, user
Public AWS SAML
endpoint for AWS
account
5
AuthN Request
3
SAML assertion
Redirects to Amazon
AppStream 2.0 with auth
token tied to IAM role
ENG, user
• https://eng-apps.exampleco.com can be
internal/external site
• ID Provider can Implement MFA
• Admin defines AWS IAM role ENG that has access to
stack
• All web connections are HTTPS
Amazon AppStream 2.0
checks if IAM role ENG
has access to ENG-
STACK
Assume AWS IAM Role ENG, user
AWS IAM checks SAML
assertion, Role
requested
Auth token valid
for IAM role ENG, user
6
7
User visits internal
page for streamed
apps
Redirect to user’s
ENG-STACK website
8
Launch and interact
with apps
9

• Configuration Options:
• Image
• Instance type
• Fleet scaling policies for cost optimization
• VPC
• Security Groups
• Domain Join
• Non-persistent instances: 1 instance per user
• Running instances deliver instant-on connection
$> aws appstream create-fleet <instance type> <subnets> <image>
Admin Workflow: Define and provision a Fleet

$> aws appstream create-stack <fleet>
Admin Workflow: Configure the Stack
• Configuration Options:
• Fleet
• Storage Options
• Home Folders, Google drive, One drive
• Custom URL for Feedback and end of session
redirection
• User Settings
• clipboard, Local printing, file transfer
• Apply Custom Branding

• User Pools
• Active Directory/LDAP + SAML
• Create Streaming URL
$> aws appstream create-user <username><authentication-type>
Admin Workflow: Provision Stack to Users
$> aws appstream create-streaming-url <fleet><stack><userid>

Tear down or “stop the meter”
In order to prevent/limit additional charges:
• Ensure your Image Builder instance status is “stopped”
• (Amazon AppStream console, Images, image builder tab, select your running Image
Builder, actions-Stop )
• Ensure your Fleet status is “stopped”
• (Amazon AppStream console, Fleets, select your running fleet, actions-Stop)
• Un-assign Stack to User Pool User
• (Amazon AppStream console, User Pool, select your user, actions-unassign)
• See Step 9 in Lab Guide

Related breakouts
Tuesday, November 27th
BAP320, Deliver Instant Demos and Trials of Your Desktop Application with AppStream 2.0
1.45 PM – 2.45 PM | MGM, Level 3, South Concourse 301
BAP204-L, Leadership Session: Using AWS End User Computing Services for Your Modern Workforce
10.00 AM – 11.00 AM | Venetian, Level 2, Titian 2202
BAP205-S, Build Cloud-Native Applications in an Enterprise Environment
11.30 AM – 12.30 PM | Venetian, Level 4, Lando 4202
BAP306, Enhance your Amazon AppStream 2.0 Environments: Branding, Automation, and More
8.30 AM – 9.30 AM | Aria West, Level 3, Starvine 3, Table 1

Related breakouts
BAP318, Learn how to accelerate engineering workloads with AppStream 2.0
4.45 PM – 5.45 PM | Aria East, Level 2, Mariposa 8
Friday, November 30th
BAP323, Move Your Desktops and Applications to AWS with Amazon WorkSpaces and AppStream 2.0
10.00 AM – 11.00 AM | Venetian, Level 4, Lando 4202
Overflow Viewing: Mirage, Mirage Events Center A, Green or Venetian, Level 3, Lido 3004, Green
Wednesday, November 28th
BAP312-R1, Move to SaaS: Deliver Desktop Apps with Amazon AppStream 2.0
3.15 PM – 4.15 PM | Bellagio, Level 1, Gauguin 2
Thursday, November 29th
BAP201, Securely deliver desktop applications with Amazon AppStream 2.0
11.30 AM – 12.30 PM | Venetian, Level 4, Delfino 4005

Get Started…
• Try the AppStream demo experience
• Follow the simple getting started guide
• Download the new AppStream client
• Learn to deploy Solidworks, SAP GUI,
Mathworks Matlab, ESRI ArcGIS, Siemens NX
• Learn about best practices and new features –
Follow our blog!
Visit https://aws.amazon.com/appstream2/ Engage a partner

Thank you!
Greg LaVigne
lavigneg@amazon.com
Justin Stokes
stokjust@amazon.com
Vinoth Narasimhan,
Murali Rathinasamy,
Gurinder Raju
Amazon AppStream
2.0
Product Team

Build an AppStream 2.0 Environment to Deliver Desktop Applications to Any Computer (BAP330) - AWS re:Invent 2018

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Build an AppStream 2.0 Environment to Deliver Desktop Applications to Any Computer (BAP330) - AWS re:Invent 2018

Similar to Build an AppStream 2.0 Environment to Deliver Desktop Applications to Any Computer (BAP330) - AWS re:Invent 2018 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Build an AppStream 2.0 Environment to Deliver Desktop Applications to Any Computer (BAP330) - AWS re:Invent 2018