Are you tired of maintaining and upgrading the PC infrastructure for your organization? Do you want to provide your users with a fast, fluid desktop that is accessible from anywhere, on any device? With Amazon WorkSpaces, you can do both simultaneously by running your desktops on AWS. In this session, we demonstrate the flexibility of Amazon WorkSpaces and show you how easy it is to get started. We also cover more advanced topics, including using Microsoft Active Directory for end-user management and authentication, and using Amazon WorkSpaces to implement a bring-your-own-device policy.

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Migrate Your Desktops to Amazon
WorkSpaces
N a t h a n T h o m a s — G M , A m a z o n W o r k S p a c e s
R o n B l e d s o e — S r . E n g i n e e r , B r i d g e w a t e r A s s o c i a t e s
B A P 3 0 3
N o v e m b e r 2 9 , 2 0 1 7

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How do I g e t all of my de sktop s to the clou d?

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
WorkSpaces are cloud desktops
Scalable and consistent
Secure
Pay-as-you-go
Simple to deploy and
manage
Highly interactive secure desktops your
users will love

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Identity
Authentication
Network access
Image creation
Apps management
User selection
WorkSpace sizing
Data transfer
Training and
communication
Build Out, Migration, Operations
Build Out Migration Operations
Fleet management
Monitoring and alarms
Patching & image updates
Automation/Integration
End user support
Self-service portals

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Build Out

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Build Out: Identity
Identity is defined by Active Directory
• SimpleAD, Managed AD, AD Connector
WorkSpaces are domain joined
Existing group policies will apply
• May need to evolve

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Build Out: Authentication
Users login with existing AD credentials
Use existing Radius MFA
Optionally add client certificates

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Build Out: Network Access
Clients need access to WorkSpaces
• Port 4172 TCP/UDP
• Port 80/443 for Web Access
Active Directory Connector needs AD access
VPC needs access to intranet

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Build Out: Image creation
Launch a WorkSpace and configure
• One per high level use case
• Minimize images with WAM
Create an image from that WorkSpace
Bundle the image with desired hardware
Launch new WorkSpaces from bundle

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Build Out: Apps management
Existing Windows apps work
Existing tools like SCCM work fine
WAM can package and deploy apps too

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Migration

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Migration: User selection
Start with POC and Opt-In
Identify initial wins
• M&A
• Remote offices
• Dev and test
• Training and labs
Move on to broader scope
• Other teams
• Default for new hires

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Migration: WorkSpace sizing
Evaluate user groups and categorize
• Memory
• CPU
• Disk
SSM and other third-party tools help
Map users and groups to bundles
Value, Standard, Performance, Power, Graphics
Migrate users to bigger bundles as needed

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Migration: Data transfer
Migrate data with cloud storage
• Windows shares
• Amazon WorkDocs
• Third-party storage solutions
Consider evolving data access

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Operations

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Migration: Training and communication
Message the change
Explain the shift in experience
Explain the value to the end user
• Remote access
• Persistent apps and data
Make content available online for new users

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Operations: Fleet management
Use the AWS Console and APIs
Evaluate fleet size and usage
Migrate users to bigger or smaller bundles
Shift usage between AlwaysOn and AutoStop to save money
Terminate WorkSpaces with no usage
• Phase the termination process

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Operations: Monitoring and alarms
Integrate via API
Use SSM in WorkSpaces for detailed metrics
Use third-party solutions for further monitoring and
awareness
Monitor key network links and AD for health

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Operations: Patching & updating images
Windows and other included apps patched by default
Override with your own policies if needed
Rebuild bundles with new images regularly to
minimize patching impact
Continue other security best practices
• Security group configuration
• Network controls, proxy, filtering
• AV and other in-WorkSpace tools

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Operations: Automation/Integration
Use APIs to automate common actions
• New WorkSpaces for new users
• Removing WorkSpaces
• Migration to AutoStop/AlwaysOn
• Integrate with existing tools

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Operations: End user support
Evolve your helpdesk and support services to handle
WorkSpaces
• Provide training
• Build SOPs and documentation
Add key links for support to the WorkSpaces client or
other visible location for users

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Operations: Self-service portals
Build Web portals for users
• Launch a WorkSpace
• Check WorkSpace health
• Reboot
• Change compute/add storage
• Rebuild
• Links to help/password reset

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How Bridgewater Associates Is Moving
Their Desktops to Amazon WorkSpaces
Ron Bledsoe, Sr. Engineer, Bridgewater Associates

24. Business Drivers
Need for a more enjoyable and flexible working
environment for end users
Need for a Windows solution for Macintosh
users
Need for an easier to use, less complex remote
access solution
Need to deliver IT services more efficiently

25. Why WorkSpaces
Aligned with our cloud first technology strategy
Builds on our existing investment in AWS infrastructure
Straightforward architecture that’s easy to understand
and implement
Strong belief in Amazon as a strategic partner
We gave it to our users and they liked it

26. Design Considerations
Global footprint — single and multi region, AZs
VPC Design
VPC planning and setup
Planning IP subnets (CIDR)
BYOL considerations
AD Connector
Planning and setting up

27. WorkSpaces Setup
AD
Connector
Active
Directory
corp
servers
Customer
Corp Net
Users
Customer
MFA (RADIUS)
MDM
WorkSpaces - 1
AZ-1
AZ-2
WorkSpaces - 2
172.16.0.0/16
172.17.0.0/16
Each AD Connector
connects to on Microsoft
AD OU – consider use
cases

28. What We’ve Seen So Far
Greater segregation between work and personal
Reduced operational overhead
People are lining up to get onboard

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!