Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Jerry Rhoads, Solutions Architect, AWS
Eric Klein Director of Cloud Engineering, March of Dimes
June 20, 2016
Amazon WorkSpaces
Managing Amazon WorkSpaces at Scale

Before we begin: quick survey
Does any of this sound familiar?
• Do you have fleets of terminal servers?
• Why does my new laptop need all these
patches on first boot?
• “Why can’t I use my (fill-in-the-blank
machine with 123,233,233 video drivers)
at work? aka it works great in my house!”
• Hey Helpdesk, I lost my laptop and need
one now !!
If this is you….
stick around!

Agenda
Getting started
• From concept to production
Focus on the basics
• Identity and access
• Networking: Amazon VPC, DX, and security
Image management
• Images and bundles
• Application deployment
The end user experience
• Testing an emotional service
• No laptop? What do I use?
March of Dimes
• Lessons learned

Getting started: identify the team
• Operations / Engineering teams
• Small team: usually 2-3 members
• 2-3 weeks: introduction, overview, deeper dives
• Networking team
• 1-2 members
• 4 weeks +
• Ingress into network via service broker interface
• Integration with network via DX/VPN
• The inbound firewall
• Security team
• 1-2 members
• 4 Weeks +
• Network access from anywhere vs. private broker
• MFA, selective MFA
• Device security, root of trust concerns
This can take some time

Getting started: POC vs. pilot
POC vs. Pilot, aren’t they the same?
POC – concept only, e.g., don’t miss it when it’s gone
• Explore – delete and repeat
• Lessons learned– push the limits, make mistakes –you won’t break
the service!
• Diversity– pick lots of different data points
• Enforce your POCs: artificially-constrained VPC, VPN integration (no
DX); this phase cannot go Prod
Pilot – this could turn into a successful disaster
• Build a platform without the need to refactor
• Smart VPC design, consideration to imaging, prepare a realistic rollout
plan

Getting started: managing the POC
Requirements will be all over the place
• Everyone will want something different
• Everyone is trying to go to the same place
Keep the POC focused, disagree and commit
• Operations / Engineering – Usable desktops. Custom
imaging. Automated provisioning. Process alignment.
Devices.
• Networking – What ports do I open on the firewall?
• Security – The WorkSpaces client acts like a VPN.
What’s the MFA strategy?Don’t try to boil the ocean!

Getting started: studying the POC and its
phases
POC 1 – Limited POC
• 10-15 people: Operations / Engineering,
Networking, security
• Work out the kinks
• Can you work exclusively in your WorkSpace?
POC 2 – Expand the POC
• 50 people, all shapes and sizes
• Executives, compliance, project stakeholder, your boss
• Gather as much positive and negative feedback as
possible
Remember!
• Plan your exit, focus on requirements
• Set up the transition to pilot with parallel efforts during Round 2

Agenda
Getting started
Focus on the basics
• Networking: Amazon VPC, DX, and security
Image management
End user experience
March of Dimes
• Lessons learned

Focus on the basics: a refresher
Rules to remember
• Directory = Amazon Directory Service instance
• A directory spans exactly 2 subnets
• A directory = 2 Amazon EC2 instances (1 per
subnet)
• You can have multiple directories in 1 Amazon
VPC
• Each directory has its own registration code
• Zero client: each registration code needs its
own URL
Key takeaways:
• A WorkSpace is tied to exactly 1 directory
• A WorkSpace will live in 1 of the 2 directory
subnets
TIP: Map 1 Service to 1 Directory
Connector, e.g.,WorkMail, WorkDocs,
WorkSpaces

Focus on the basics: networking
Early discussions
• Access from my existing network
• Access from anywhere (e.g., favorite coffee shop)
Further discussions
• Should I use a public endpoint?
• Private VIF – Can we only access from our existing
network?
• Secure client computing
• Content filtering – can we restrict access?

Focus on the basics: the golden rules of VPC
Q: “What is the best VPC design?”
A: Every use case is different
Rule #1: Don’t over analyze
Rule #2: Eliminate IP waste
• AWS subnet costs 5 IP addresses
• 2 Regions = 2 VPCs minimum = 2 IP blocks
Rule #3: Be flexible to accommodate what you don’t
know
• Treat your end state as an unknown
TIP: Largest VPC size: /16 (65K addresses)

Authentication
Gateway
Active
Directory
Agency
servers
AWS Direct
Connect
Agency
network
Users
Agency
network
Streaming
Gateway
WorkSpaces Service Broker
A) AWS-managed (public)
B) Agency-managed (public and/or private)
MFA
Accessing Amazon WorkSpaces
WorkSpacesVGW
Internet
Session
Gateway
secure protocols, analogous to VPN
(SSL and PCoIP w/ IPSec AES-256)
1
2
3
Client authenticates (AD and MFA) via Authentication Gateway (SSL)
Client brokers desktop session with Session Gateway (SSL)
Client accesses desktop through Streaming Gateway (PCoIP w/ IPSec AES-256)
How client traffic flows
access from Agency
(wired, wireless, VPN)
Government-
provided hardware
From your Agency’s network
Zero Client
Gateway
B
Agency VPC
A
Content
filtering
source filtering
by IP
Transit
InfoSec Logging
all Agency network access
untrusted prior to filtering
US East
end users
us-east-1
• regional proximity
• tie into network via DX
redundant
private VIFs
• use existing IP space
10.x.x.x/2010.x.x.x/8 • restrict network access
KEY POINT
Kerb/TGT
ticket
Streaming
Gateway IP

Authentication
Gateway
Active
Directory
corp
servers
Direct Connect
Corp Net
Users
Corporate
Streaming
Gateway
WorkSpaces Service Broker
A) AWS-managed (public)
B) Agency-managed (public and/or private)
MFA
Accessing Amazon WorkSpaces
WorkSpacesVGW
Internet
Session
Gateway
secure protocols, analogous to VPN
(SSL and PCoIP w/ IPSec AES-256)
1
2
3
Client authenticates (AD and MFA) via Authentication Gateway (SSL)
Client brokers desktop session with Session Gateway (SSL)
Client accesses desktop through Streaming Gateway (PCoIP w/ IPSec AES-256)
How client traffic flows
access from ANY network
GFE hardware
From ANY network
Zero Client
Gateway
B
Agency VPC
A
Content
filtering
source filtering
by IP
Transit
InfoSec logging
All agency network access
untrusted prior to filtering
Standalone
Network
• BYOD: use ANY device, not just
GFE hardware
• BYON: more than just BYOD …
bring your own network
-or-
BYOD
• NEXT-GEN: the new network for
your agency

Focus on the basics: the public endpoint
 Most public VIFs / DX tie into an agency’s
network
 Inbound is free
 Keep network traffic separate from outbound
traffic
 Larger general Internet pipes, go north of the
border
 Broader carrier selection, more competitive
pricing
 BYOD can be accomplished

Focus on the basics: the private VIF
 Cost – are you paying for managed infrastructure
 Security – do you offer public VPN endpoint
connectivity?
 Use a public VIF to access AWS endpoints from your
agency’s network
 WorkSpaces access your agency’s on-prem
resources via private VIFs
 Doesn’t WorkSpaces client act like a VPN?

Focus on the basics: secure client computing
• Transparent filtering – firewall/filter: WorkSpaces binding
• Internally NAT’d networks – leads to regionalization
• Centralized logging – catch it before it goes to the border
• On-premises or in AWS – understanding who owns the
border
This is possible today
• L3-L7: Sophos, Ocedo, etc. …
• L7: Squid, WebSense, etc. …
• Most advanced configuration, operationally challenging

Authentication
Gateway
Active
Directory
Agency
servers
Direct Connect
Corp Net
Users
Agency
Net
Streaming
Gateway
MFA
WorkSpacesVGW
Internet
Session
Gateway
Zero Client
Gateway
B
Agency VPC
A
Sophos
source filtering
by IP
Transit
InfoSec logging
10.44.208.0/2010.x.x.x/8
Focus on the basics: restrictive access and
content filtering
• Secure client computing – users get
access only to what they’re entitled
• Firewalling – Layer 3 through 7
• Filtering – Layer 7 only

Agenda
Getting started
Focus on the basics
• Networking: VPC, DX, and security
Image management
The end user experience
March of Dimes
• Lessons learned

Image management: the old way
1. Start from stock image
2. Install security and other patches
3. Install malware protection, patch and asset
management, and software distribution agents
4. Create a golden image
5. Deploy image to new workstations
Are we done? Nope! It’s Patch Tuesday, time for a new image.

Image management: how to make an image
1. Thick: OS + security patches and all software
2. Thin: OS + light footprint
(management and security patches)
3. Bare bones: Core OS + software distribution agents
(push software, patches, management/protection agents)
TIP: Find the balance between “get going” and automation
Experiments are good. Ask yourself, “Can I work from a
base image or should I regenerate every time?”

Image management: image-bundle relationship
A bundle maps to an image
An image can be used by multiple bundles
Bundles can have 1 or more active WorkSpaces
TIP: You cannot remove a bundle with active WorkSpaces
What will my bundle look like in 2 years?
• Use patch management to keep older
WorkSpaces updated
• Provision new WorkSpaces from the latest image
• Remember: 1 bundle, 1 image
• Version by creating a new image and associating
it with user bundles

Image management: application deployment
 No technical restrictions on software installation
 Manage WorkSpaces like any other desktop
 Use your existing toolset to distribute applications
and patches
 WorkSpaces Application Manager (WAM)
 WorkSpaces Marketplace for Desktop Apps

Image management: managing applications with WAM
Amazon WorkSpaces
Application Manager
(Amazon WAM)
Deploy and manage applications
Package your own applications
Upload applications where you own
the license
Subscribe from the AWS Marketplace
for Desktop Apps

Agenda
Getting started
Focus on the basics
• Networking: VPC, DX, and security
Image management
End user experience
March of Dimes
• Lessons learned

The most emotional service in any workplace
• Everything is in the human context
• People like their hardware
• “From my cold dead hands…”
• Ask me about my stickers
• “What about offline?”
• How offline are you?
• Hotspot, iPhone/Android tethering?
• “I don’t like Windows.”
• It’s not that bad…
It’s all about customer choice
• Not every user needs a remote desktop
• Be clinical: stay focused on your testing!

End user experience: the devices
• PC, Mac, and tablet
• Familiar, eases transition, full options
• Patch and device management concerns
• Zero client
• Silicon and firmware, nothing local
• Fixed asset scenarios
• Universal across OEMs
• Thin client
• Intel or ARM, very small Linux kernel
• Both fixed and mobile
• Very specific to OEMs
• Chromebooks
• The new thin
Future state
• WI-FI and mobile
• No local data
• Easy device management
• No local patching required

End user experience: the zero client
• The approach
• Silicon and firmware
• Manufacturing
• Teradici designs Tera2 processor
• LeadTek labs in Asia
• OEMs source units, build systems
• Form factors and features
• Standalone, AiO
• Mostly DVI, some DisplayPort
• No HDMI, Bluetooth, or Wi-Fi
• Management
• PCoIP Management Console
• MC 1.0 w/ firmware 4.x
• MC 2.0 w/ firmware 5.x
PROs
• Truly zero, no patching, MDM
CONs
• Fixed asset
• No MFA support

User experience: The Chromebook
• The approach
• Browser-based OS
• Manufacturing
• Intel or ARM (Intel’s winning)
• OEMs build units, license Chrome
• Form factors and features
• Standalone, AiO, laptop, stick
• HDMI, Bluetooth, Wi-Fi
• Management
• Google Apps: Chrome Device Management
• License fee per device
• $50 annual per device
• $150 perpetuity per device (3-year)
PROs
• Zero enough, no patching, MDM
• Modern, mobile, plenty of forms
• MFA support, fast updates
• Bootstrapping is a breeze
CONs
• Available only on net-new purchases

March of Dimes
Amazon WorkSpaces Rollout
Lessons Learned

Background
•Migration from Xenapp Published Desktop Environment to
Amazon WorkSpaces
•About 200 Offices Nationally
•Transitioning Smaller (2 Person) Offices to Telecommuters
•1200 WorkSpaces Currently

Getting Started
•Make sure you size your VPC with plenty of room for
growth when setting up pilot – more than you would ever
need
•Create images frequently and keep several available in
case you need to rollback.
•Develop Printing Strategy

Managing Workspaces
•Assign WorkSpace Operators in AWS Identity and Access
Management (IAM) to delegate simple tasks and improve
responsiveness to issues.
•Leverage Group Policy for global setting/changes
•Basic scripting skills can help overcome obstacles
•Automate provisioning of workspaces when users are onboarded. Also
automate deletion of workspaces when accounts are disabled to limit
costs.
•Use Amazon CloudWatch to monitor Unhealthy WorkSpaces and
InSessionLatency and proactively address issues

Fine Tuning
•Consider migrating services that WorkSpaces depend
upon to AWS Region to improve performance
•Re-evaluate Network and ISP needs periodically as
services move between on-prem, data center and cloud

Thank
you
https://www.marchforbabies.org/team/InformationTechnology

Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

Similar to Managing WorkSpaces at Scale | AWS Public Sector Summit 2016 (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Managing WorkSpaces at Scale | AWS Public Sector Summit 2016

Editor's Notes