[AWS Days Microsoft-LA 2015]: Amazon WorkSpaces: Running Microsoft Windows Desktops in the Cloud

Post on 08-Jan-2017


© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

December 9, 2015 | Los Angeles, CA

Microsoft Windows Desktops in the Cloud

What is WorkSpaces?

Desktop as a Service

Microsoft Windows desktops on AWS

• realizing the “virtual desktop dream”

The cloud replacement to VDI

• no-hassle performance, capacity

• improved accessibility, security

Decentralization meets consumerization

• “Corporate IT meets Consumer IT”

• device and location independence

Why WorkSpaces?

Ease of Deployment

• On-demand, pay-as-you-go

• Launch the number of WorkSpaces needed

• Heavy lifting taken care of by AWS

Standard Windows Management

Treat like any other Microsoft Windows desktop environment!

• Policy: Active Directory, GPOs

• Patching: WSUS, SCCM

• Distribution: SCCM, App-V

• Automation: PowerShell

Template to Desktop

• Create custom images

• Map to hardware types

• Launch from bundles

• Simple to provision

Keep Data Secure and Available

• No data stored on the end-user device

• Only streaming-protocol pixels are delivered to users (Teradici PCoIP)

• User volume backed up to Amazon S3

Support Multiple Devices

• Desktop, laptop: PC, Mac

• Tablets: iOS, Android, Kindle, Windows

• Zero clients, thin clients

• Chrome OS

Integrate with Active Directory

• IT: control policies with familiar tools

• Users: use existing enterprise credentials

Protect with MFA

• IT: integrate with the existing MFA solution

• Users: get to use existing one-time tokens

Automation Support

• Manage and provision with the CLI or API (PowerShell, .NET, and more)

WorkSpaces Monitoring

• Automatically respond to desktop health and connection issues

• Alert on custom metrics and events
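One way to "automatically respond to desktop health issues" in code. This is an added example, not code from the deck or from AWS: it selects UNHEALTHY WorkSpaces for reboot, refuses to reboot the same desktop twice inside a cooldown window (so a reboot loop cannot hide a real fault), and splits the work into API-sized batches. Assumed rather than stated on the page: the inventory shape is what boto3's `describe_workspaces()` returns, `RebootWorkspaces` accepts at most 25 requests per call, and the 30-minute cooldown is our own policy. The inventory and timestamps are constructed; no AWS call is made unless a client is passed in.

```python
"""Auto-remediation for WorkSpaces health: reboot UNHEALTHY desktops in bounded batches.

Added example, not from the deck. Assumed (not stated on the page): the inventory
shape is what boto3's workspaces.describe_workspaces() returns, RebootWorkspaces
takes at most 25 requests per call, and the 30-minute cooldown is our own policy.
"""
from datetime import datetime, timedelta, timezone

REBOOT_BATCH_MAX = 25                    # per-call limit of the RebootWorkspaces API
COOLDOWN = timedelta(minutes=30)         # our policy: one automatic reboot per WorkSpace per window


def select_for_reboot(workspaces, last_reboot, now):
    """Return (batches, escalate): WorkspaceIds to reboot now, split into API-sized
    batches, and WorkspaceIds still UNHEALTHY inside the cooldown.

    workspaces:  describe_workspaces()["Workspaces"] (list of dicts)
    last_reboot: {WorkspaceId: datetime of the last automatic reboot we issued}
    A desktop that is UNHEALTHY again shortly after we rebooted it is not rebooted
    once more; it goes to the escalate list so a human (or a ticket) looks at it.
    """
    due, escalate = [], []
    for ws in workspaces:
        if ws.get("State") != "UNHEALTHY":
            continue
        wid = ws["WorkspaceId"]
        prev = last_reboot.get(wid)
        if prev is not None and now - prev < COOLDOWN:
            escalate.append(wid)
        else:
            due.append(wid)
    batches = [due[i:i + REBOOT_BATCH_MAX] for i in range(0, len(due), REBOOT_BATCH_MAX)]
    return batches, escalate


def build_reboot_requests(batch):
    """Request body for one RebootWorkspaces call (boto3 keyword RebootWorkspaceRequests)."""
    return [{"WorkspaceId": wid} for wid in batch]


def reboot_batches(batches, client=None):
    """Issue one RebootWorkspaces call per batch. With client=None (dry run) only return the bodies."""
    bodies = [build_reboot_requests(b) for b in batches]
    if client is not None:
        for body in bodies:
            # client = boto3.client("workspaces", region_name="us-east-1")
            resp = client.reboot_workspaces(RebootWorkspaceRequests=body)
            for failed in resp.get("FailedRequests", []):     # per-item failures do not raise
                print("reboot failed:", failed["WorkspaceId"], failed.get("ErrorMessage"))
    return bodies


# Constructed sample inventory: a few named desktops plus 26 synthetic UNHEALTHY ones
# so the batching is visible. These are not real WorkSpace IDs.
NOW = datetime(2015, 12, 9, 18, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"WorkspaceId": "ws-alice0001", "UserName": "alice", "State": "AVAILABLE"},
    {"WorkspaceId": "ws-bob00002", "UserName": "bob", "State": "UNHEALTHY"},
    {"WorkspaceId": "ws-carol0003", "UserName": "carol", "State": "UNHEALTHY"},
    {"WorkspaceId": "ws-dave00004", "UserName": "dave", "State": "UNHEALTHY"},
] + [{"WorkspaceId": f"ws-synth{i:04d}", "UserName": f"user{i}", "State": "UNHEALTHY"}
     for i in range(26)]
SAMPLE_LAST_REBOOT = {
    "ws-carol0003": NOW - timedelta(minutes=5),    # rebooted 5 minutes ago: escalate, don't loop
    "ws-dave00004": NOW - timedelta(hours=2),      # old enough: eligible again
}

if __name__ == "__main__":
    batches, escalate = select_for_reboot(SAMPLE_INVENTORY, SAMPLE_LAST_REBOOT, NOW)
    print("batch sizes:", [len(b) for b in batches], "escalate:", escalate)
    for body in reboot_batches(batches):           # dry run: no AWS call
        print(body[:2], "...")
```

Run it on a schedule (cron or a CloudWatch Events rule) with `last_reboot` persisted somewhere durable; the escalate list is what should raise the alert, not every UNHEALTHY state.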

Monthly Pay as You Go

All WorkSpaces bundles provide the Windows 7 experience to users (provided by Windows Server 2008 R2 with RDS).

Monthly price in the N. Virginia and Oregon AWS regions. More here: http://aws.amazon.com/workspaces/pricing/

Bundle            Hardware                               Monthly price
Value             1 vCPU, 2 GB memory, 10 GB storage     $25
Value Plus        1 vCPU, 2 GB memory, 10 GB storage     $40
Standard          2 vCPU, 4 GB memory, 50 GB storage     $35
Standard Plus     2 vCPU, 4 GB memory, 50 GB storage     $50
Performance       2 vCPU, 7.5 GiB memory, 100 GB storage $60
Performance Plus  2 vCPU, 7.5 GiB memory, 100 GB storage $75

The User Experience

A typical user journey with WorkSpaces:

Discover → Corporate Pilot → Office Access → Home Access → Other Devices → No More Desktop

User expectations for WorkSpaces:

Work Anywhere, High Productivity, Help not Hinder, Familiar, Robust, 100% Available

What users like:

It Just Works, Transparent, Single Environment, Sense of Permanence, Centralized Support, Different Experience

Moving to WorkSpaces

Service Availability: 6 regions (as of December 2015)

• Oregon

• Northern Virginia

• Ireland

• Tokyo

• Singapore

• Sydney

http://aws.amazon.com/about-aws/global-infrastructure/

Amazon WorkSpaces: Common Enterprise Deployment Model

• Regional proximity to users

• Tie into the global corporate network via DX (Direct Connect)

• Use existing IP space

• Restrict corporate network access when necessary

• Enable future expansion

Diagram: Global Enterprise Corporate Network (10.0.0.0/8) with regional WorkSpaces VPCs carved from it: 10.44.192.0/20, 10.44.208.0/20, 10.44.224.0/20, 10.44.240.0/20, plus two allocations still TBD.

This is EC2 at scale: lots of worldwide users.

Accessing Corporate WorkSpaces

Diagram components: Users on the Customer Corp Net; Active Directory, corp servers and MFA on the customer side; Direct Connect; WorkSpaces VGW (virtual private gateway); Internet; the WorkSpaces Service Broker, made up of the Authentication Gateway, Session Gateway and Streaming Gateway. Two options are marked: A) AWS-managed (public); B) customer-managed (public and/or private).

Secure protocols, analogous to a VPN (SSL and PCoIP with IPsec AES-256):

1. Client authenticates (AD and MFA) via the Authentication Gateway (SSL)

2. Client brokers a desktop session with the Session Gateway (SSL)

3. Client accesses the desktop through the Streaming Gateway (PCoIP with IPsec AES-256)

How Client Traffic Flows: From the Enterprise Corporate Network

• access from corp (wired, wireless, VPN) on customer-provided hardware or a Zero Client

• Diagram: US East employees reach the Customer VPC (10.44.208.0/20) in us-east-1; the corporate network (10.x.x.x/8) is tied in via DX with redundant private VIFs; a Sophos gateway does source filtering by IP; Transit and InfoSec Logging sit on the path; labels A and B as in the Accessing Corporate WorkSpaces diagram

• regional proximity; tie into corp via DX; use existing IP space; restrict corp network access

• all corporate network access is untrusted prior to filtering

KEY POINT: Kerberos/TGT ticket; Streaming Gateway IP


How Client Traffic Flows: From ANY Network Outside of the Enterprise

• access from ANY network BUT the customer's corporate network, on customer-provided hardware or a Zero Client

• Diagram: the client on a Standalone Network reaches the Amazon.com VPC; a Sophos gateway does source filtering by IP; Transit and InfoSec Logging sit on the path; labels A and B as in the Accessing Corporate WorkSpaces diagram

• all corporate network access is untrusted prior to filtering

• BYOD: use ANY device, not just corporate hardware

• BYON: more than just BYOD … bring your own network, or BYOD

• NEXT-GEN: the new corporate network

The Evolution of Automation

CLI Tools on Amazon Linux (#!/usr/bin/ruby, #!/usr/bin/perl, #!/bin/bash)

• fast and easy start: "just go"

• many operations need data (dir-id, wsb, region); CSV files preferred over API calls

• as data increases, fast and easy is not so fast and easy anymore

• oh, right … no AWS SDK support for Perl

• object notation, AWS SDK support

Web-Based UI

• Self-Service Portal for End-Users

• Admin Portal for Helpdesk (Python, Ruby)

• API Gateway → Lambda → DynamoDB

Public APIs (JSON transport, e.g. { "key1": "val1", "key2": "val2" }):

• create-workspaces

• describe-workspaces

• reboot-workspaces

• terminate-workspaces
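The security decision a self-service portal like the one above has to get right is that an end user may act only on their own WorkSpace, while destructive calls stay with the helpdesk. The following is an added example, not the deck's portal code: a Lambda proxy handler behind API Gateway that checks ownership from a server-side inventory rather than from anything the client sends. Assumed and not on the page: the caller's AD username arrives as `requestContext.authorizer.principalId` (a custom authorizer), the helpdesk role comes from a group list we control, and the inventory is a constructed stand-in for the DynamoDB table refreshed from DescribeWorkspaces.

```python
"""Authorization for a WorkSpaces self-service / helpdesk portal behind API Gateway + Lambda.

Added example, not the deck's portal code. Assumed (not on the page): the caller's
AD username arrives as requestContext.authorizer.principalId (custom authorizer),
the helpdesk role is decided by a group list we control, and INVENTORY below is a
constructed stand-in for the DynamoDB table / DescribeWorkspaces results.
"""
import json

USER_ACTIONS = {"reboot"}                              # end users may only bounce their own desktop
HELPDESK_ACTIONS = {"reboot", "rebuild", "terminate"}  # destructive actions need the helpdesk role
HELPDESK_USERS = {"helpdesk1", "helpdesk2"}            # stand-in for an AD group lookup

# Constructed inventory keyed by WorkspaceId. UserName is the AD account that owns the desktop.
INVENTORY = {
    "ws-alice0001": {"UserName": "alice", "DirectoryId": "d-906700000a", "State": "AVAILABLE"},
    "ws-bob00002": {"UserName": "bob", "DirectoryId": "d-906700000a", "State": "AVAILABLE"},
}


def _response(status, body):
    return {"statusCode": status, "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def authorize(caller, action, workspace_id, inventory=INVENTORY):
    """Return (allowed, http_status, reason).

    Ownership is checked against the server-side inventory, never against a field
    the client sends, so a user cannot act on another user's WorkSpace by guessing its ID.
    """
    if not caller:
        return False, 401, "unauthenticated"
    is_helpdesk = caller.lower() in HELPDESK_USERS
    allowed_actions = HELPDESK_ACTIONS if is_helpdesk else USER_ACTIONS
    if action not in allowed_actions:
        return False, 403, "action not permitted for this role"
    ws = inventory.get(workspace_id)
    # Same answer for "does not exist" and "not yours": no WorkSpace-ID enumeration via the portal
    if ws is None or (not is_helpdesk and ws["UserName"].lower() != caller.lower()):
        return False, 404, "workspace not found"
    return True, 200, "ok"


def lambda_handler(event, context=None, inventory=INVENTORY, workspaces_client=None):
    """API Gateway (Lambda proxy) handler for POST {"action": ..., "workspaceId": ...}."""
    caller = (event.get("requestContext", {}).get("authorizer") or {}).get("principalId")
    try:
        body = json.loads(event.get("body") or "{}")
    except ValueError:
        return _response(400, {"error": "malformed body"})
    action, wid = body.get("action"), body.get("workspaceId")
    if not isinstance(wid, str) or not wid.startswith("ws-"):
        return _response(400, {"error": "workspaceId required"})
    ok, status, reason = authorize(caller, action, wid, inventory)
    if not ok:
        return _response(status, {"error": reason})
    if workspaces_client is not None:        # real call, e.g. boto3.client("workspaces")
        if action == "reboot":
            workspaces_client.reboot_workspaces(RebootWorkspaceRequests=[{"WorkspaceId": wid}])
        elif action == "rebuild":
            workspaces_client.rebuild_workspaces(RebuildWorkspaceRequests=[{"WorkspaceId": wid}])
        elif action == "terminate":
            workspaces_client.terminate_workspaces(TerminateWorkspaceRequests=[{"WorkspaceId": wid}])
    # Audit line: who did what to which desktop (ship to CloudWatch Logs / InfoSec logging)
    print(json.dumps({"audit": True, "caller": caller, "action": action, "workspaceId": wid}))
    return _response(200, {"action": action, "workspaceId": wid, "accepted": True})


def make_event(caller, action, workspace_id):
    """Constructed API Gateway proxy event for offline testing."""
    return {"requestContext": {"authorizer": {"principalId": caller}},
            "body": json.dumps({"action": action, "workspaceId": workspace_id})}


if __name__ == "__main__":
    print(lambda_handler(make_event("alice", "reboot", "ws-alice0001"))["statusCode"])   # 200
    print(lambda_handler(make_event("bob", "reboot", "ws-alice0001"))["statusCode"])     # 404
```

The role check runs before the existence check on purpose: a user asking for `terminate` gets 403 regardless of the ID, and a user asking for `reboot` on someone else's ID gets the same 404 as for an ID that does not exist.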

Common API Development

Event Handling: create-workspace, terminate-workspace

• delete object from Active Directory

• email users

• post-install hooks for other activities

Event sources: poll the API with cron; or API events via CloudTrail → CloudWatch Logs → Kinesis → Lambda

create-workspace: the ENI (and so the IP) is ready only at the end, after 25-30 minutes

terminate-workspace

Implement workflow-driven behavior.

Code
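The event-driven path on the previous slide, worked through in code. This is an added example, not code from the deck: a Lambda handler subscribed to the CloudWatch Logs group that receives CloudTrail, which unpacks the records, de-duplicates them on `eventID` (CloudTrail delivery is at-least-once, and a replayed TerminateWorkspaces must not delete a freshly recreated AD object or e-mail the user twice), and dispatches to the two hooks the slide names. Assumed and not on the page: the CloudWatch Logs subscription payload layout (base64 of gzip JSON with `logEvents`), the CloudTrail field names used (`eventSource`, `eventName`, `eventID`, `requestParameters`, `responseElements`), and the callbacks that do the real work. The CloudTrail records are constructed; the Kinesis hop on the slide is omitted, but the same record handling applies once records are read off the stream.

```python
"""Handle WorkSpaces API events delivered CloudTrail -> CloudWatch Logs -> Lambda.

Added example, not code from the deck. Assumed (not on the page): the CloudWatch Logs
subscription payload (base64 of gzip JSON with "logEvents"), the CloudTrail field names
used (eventSource, eventName, eventID, requestParameters, responseElements), and the
two callbacks that do the real work (remove the AD computer object, notify the user).
"""
import base64
import gzip
import json

WORKSPACES_SOURCE = "workspaces.amazonaws.com"


def decode_subscription_event(event):
    """Unpack one CloudWatch Logs subscription event into CloudTrail records (dicts)."""
    raw = base64.b64decode(event["awslogs"]["data"])
    payload = json.loads(gzip.decompress(raw).decode("utf-8"))
    return [json.loads(log_event["message"]) for log_event in payload["logEvents"]]


def process_records(records, on_create, on_terminate, seen):
    """Dispatch WorkSpaces API records; `seen` holds eventIDs already handled.

    CloudTrail delivery is at-least-once, so a replayed record is counted and skipped.
    Returns (handled, duplicates).
    """
    handled = duplicates = 0
    for rec in records:
        if rec.get("eventSource") != WORKSPACES_SOURCE:
            continue
        event_id = rec["eventID"]
        if event_id in seen:
            duplicates += 1
            continue
        seen.add(event_id)                       # in production: a DynamoDB conditional put
        actor = rec.get("userIdentity", {}).get("arn", "unknown")
        if rec["eventName"] == "TerminateWorkspaces":
            for req in rec.get("requestParameters", {}).get("terminateWorkspaceRequests", []):
                on_terminate(req["workspaceId"], actor)   # delete AD object, e-mail the user
                handled += 1
        elif rec["eventName"] == "CreateWorkspaces":
            # The desktop is PENDING for 25-30 minutes and its ENI/IP exists only at the end,
            # so the create hook can only record the request and schedule a follow-up poll.
            for pending in rec.get("responseElements", {}).get("pendingRequests", []):
                on_create(pending["workspaceId"], pending["userName"], pending["directoryId"])
                handled += 1
    return handled, duplicates


def lambda_handler(event, context=None, on_create=None, on_terminate=None, seen=None):
    """Lambda entry point; the hooks default to printing so the block runs stand-alone."""
    records = decode_subscription_event(event)
    on_create = on_create or (lambda wid, user, d: print("pending", wid, user, d))
    on_terminate = on_terminate or (lambda wid, actor: print("terminated", wid, "by", actor))
    handled, duplicates = process_records(records, on_create, on_terminate,
                                          seen if seen is not None else set())
    return {"handled": handled, "duplicates": duplicates}


def make_subscription_event(records):
    """Constructed CloudWatch Logs subscription payload wrapping the given CloudTrail records."""
    payload = {"logGroup": "CloudTrail/WorkSpaces", "logStream": "stream", "logEvents": [
        {"id": str(i), "timestamp": 1449684000000 + i, "message": json.dumps(r)}
        for i, r in enumerate(records)]}
    data = base64.b64encode(gzip.compress(json.dumps(payload).encode("utf-8"))).decode("ascii")
    return {"awslogs": {"data": data}}


_ACTOR = {"arn": "arn:aws:iam::123456789012:user/helpdesk1"}
# Constructed CloudTrail records (field names assumed; IDs are not real)
SAMPLE_RECORDS = [
    {"eventSource": WORKSPACES_SOURCE, "eventName": "CreateWorkspaces", "eventID": "evt-0001",
     "userIdentity": _ACTOR,
     "requestParameters": {"workspaces": [{"directoryId": "d-906700000a", "userName": "alice",
                                           "bundleId": "wsb-example"}]},
     "responseElements": {"pendingRequests": [{"workspaceId": "ws-alice0001", "directoryId": "d-906700000a",
                                               "userName": "alice", "state": "PENDING"}]}},
    {"eventSource": WORKSPACES_SOURCE, "eventName": "TerminateWorkspaces", "eventID": "evt-0002",
     "userIdentity": _ACTOR,
     "requestParameters": {"terminateWorkspaceRequests": [{"workspaceId": "ws-bob00002"}]}},
    {"eventSource": WORKSPACES_SOURCE, "eventName": "TerminateWorkspaces", "eventID": "evt-0002",
     "userIdentity": _ACTOR,                                                  # replayed delivery
     "requestParameters": {"terminateWorkspaceRequests": [{"workspaceId": "ws-bob00002"}]}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "eventID": "evt-0003"},
]

if __name__ == "__main__":
    print(lambda_handler(make_subscription_event(SAMPLE_RECORDS)))   # {'handled': 2, 'duplicates': 1}
```

Keep the `seen` set out of Lambda memory in production (a conditional write to DynamoDB keyed on `eventID` is the usual choice); a warm container's memory survives only until the next cold start.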

User Migration Efforts

WorkDocs (cloud-based sync storage) or DFS file share

• install the WorkDocs sync agent on existing desktops and the WorkSpace

• data stored securely in S3, synced across all devices

Zero clients, tablets, Chromebooks

• initial access from existing desktops, laptops

• Chromebooks solve a lot of problems

• customer explores tablets, zero clients

• Amazon does not support full desktop migrations today

• excitement around thin client solutions

Thank You!

• Questions?

• Comments?

• Feedback and thoughts?
