Amazon WorkSpaces address the problem of traditional VDI environments – complexity in building, managing, and scaling remote desktops globally – by providing desktops as a service and enabling customers to securely access Microsoft Windows in the cloud from nearly anywhere with nearly any device. WorkSpaces help customers transform their traditional corporate networks into next-generation models that give employees secure access, and solve the difficult challenges with on-boarding third-parties, vendors, and contractors into the corporate network. This presentation will cover how WorkSpaces can be provisioned quickly and at scale from custom images, and work with traditional patch, asset, and software distribution management tools such as Microsoft SCCM.

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
December 9, 2015 | Los Angeles, CA
Microsoft Windows Desktops in the Cloud

2. What is WorkSpaces?

3. Desktop as a Service
Microsoft Windows desktops on AWS
• realizing the “virtual desktop dream”
The cloud replacement to VDI
• no-hassle performance, capacity
• improved accessibility, security
Decentralization meets consumerization
• “Corporate IT meets Consumer IT”
• device and location independence

4. Why WorkSpaces?

5. Ease of Deployment
On-demand,
pay-as-you-go
Launch the number of
WorkSpaces needed
Heavy lifting taken
care of by AWS

6. Standard Windows Management
Treat like any other Microsoft
Windows desktop environment!
• Policy: Active Directory, GPOs
• Patching: WSUS, SCCM
• Distribution: SCCM, App-V
• Automation: Powershell

7. Template to Desktop
Create custom images
Map to hardware types
Launch from bundles
Simple to Provision

8. Keep Data Secure and Available
No data stored on end-user device
Only streaming protocol pixels
delivered to users (Teradici PCoIP)
User volume backed by Amazon S3

9. Desktop, Laptop: PC, Mac
Tablets: iOS, Android, Kindle, Win
Zero, Thin Clients
Chrome OS
Support Multiple Devices

10. Integrate with Active Directory
IT: Control policies
with familiar tools
Users: Use existing
enterprise credentials

11. Protect with MFA
IT: Integrate with existing
MFA solution
Users: Get to use existing
one-time tokens

12. Automation Support
Manage and provision with CLI or API
(Powershell, .NET, and more)

13. WorkSpaces Monitoring
• Automatically respond to
desktop health and connection
issues
• Alert on custom metrics and
events

14. Monthly Pay as You Go
All WorkSpaces Bundles provide the Windows 7 Experience to users (provided by Windows Server 2008 R2 with RDS).
Monthly Price in N. Virginia and Oregon AWS regions. More here: http://aws.amazon.com/workspaces/pricing/
Value Plus
Value
1 vCPU, 2 GB memory
10 GB storage
$25 - Value
$40 - Value Plus
Performance Plus
Performance
2 vCPU, 7.5 GiB memory
100 GB storage
$60 - Performance
$75 - Performance Plus
Standard Plus
Standard
2 vCPU, 4 GB memory
50 GB storage
$35 - Standard
$50 - Standard Plus

15. The User Experience

16. A Typical User Journey with WorkSpaces
Discover Corporate Pilot Office Access
Home Access Other Devices No More Desktop

17. User Expectations for WorkSpaces
Work Anywhere High Productivity Help, not Hinder
Familiar Robust 100% Available

18. What Users Like
It Just Works Transparent Single Environment
Sense of Permanence Centralized Support Different Experience

19. Moving to WorkSpaces

20. Service Availability
6 Regions
• Oregon
• Northern Virginia
• Ireland
• Tokyo
• Singapore
• Sydney
http://aws.amazon.com/about-aws/global-infrastructure/
(as of December 2015)
Amazon WorkSpaces

21. Common Enterprise Deployment Model
• Regional proximity to users
• Tie into the global
corporate network via DX
• Use existing IP space
• Restrict corporate network
access when necessary
• Enable future expansion
Global Enterprise Corporate Network
(10.0.0.0/8)
10.44.192.0/20
10.44.208.0/20
10.44.224.0/20
10.44.240.0/20
TBD
TBD
This is EC2 at scale.
lots of worldwide users

22. Authentication
Gateway
Active
Directory
corp
servers
Direct Connect
Customer
Corp Net
Users
Customer
Streaming
Gateway
WorkSpaces Service Broker
A) AWS-managed (public)
B) customer-managed (public and/or private)
MFA
Accessing Corporate WorkSpaces
WorkSpacesVGW
Internet
Session
Gateway
secure protocols, analogous to VPN
(SSL and PCoIP w/ IPSec AES-256)
1
2
3
Client authenticates (AD and MFA) via Authentication Gateway (SSL)
Client brokers desktop session with Session Gateway (SSL)
Client accesses desktop through Streaming Gateway (PCoIP w/ IPSec AES-256)
How Client Traffic Flows
access from Corp
(wired, wireless, VPN)
customer-provided
hardware
From the Enterprise Corporate Network
Zero Client
Gateway
B
Customer VPC
A
Sophos
source filtering
by IP
Transit
InfoSec Logging
all corporate network access
untrusted prior to filtering
US East
Employees
us-east-1
• regional proximity
• tie into corp via DX
redundant
private VIFs
• use existing IP space
10.44.208.0/2010.x.x.x/8 • restrict corp network access
KEY POINT
Kerb/TGT
ticket
Streaming
Gateway IP

23. Authentication
Gateway
Active
Directory
corp
servers
Direct Connect
Customer
Corp Net
Users
Customer
Streaming
Gateway
WorkSpaces Service Broker
A) AWS-managed (public)
B) customer-managed (public and/or private)
MFA
Accessing Corporate WorkSpaces
WorkSpacesVGW
Internet
Session
Gateway
secure protocols, analogous to VPN
(SSL and PCoIP w/ IPSec AES-256)
1
2
3
Client authenticates (AD and MFA) via Authentication Gateway (SSL)
Client brokers desktop session with Session Gateway (SSL)
Client accesses desktop through Streaming Gateway (PCoIP w/ IPSec AES-256)
How Client Traffic Flows
access from ANY network
BUT customer corporate
customer-provided hardware
From ANY Network Outside of the Enterprise
Zero Client
Gateway
B
Amazon.com VPC
A
Sophos
source filtering
by IP
Transit
InfoSec Logging
all corporate network access
untrusted prior to filtering
Standalone
Network
• BYOD: use ANY device, not just
corporate hardware
• BYON: more than just BYOD …
bring your own network
-or-
BYOD
• NEXT-GEN: the new corporate
network

24. The Evolution of Automation
CLI Tools on A-Linux
#!/usr/bin/ruby
#!/usr/bin/perl
#!/bin/bash
• fast and easy start – “just go”
• many operations need data (dir-id, wsb, region)  CSV files over API calls
• as data increases, fast and easy not so fast and easy anymore
• oh, right … no AWS SDK support for Perl
• object notation, AWS SDK support
Web-Based UI
Self-Service Portal for End-Users
Admin Portal for Helpdesk
(Python)
(Ruby)
API Gateway Lambda DynamoDB
create-workspaces
describe-workspaces
reboot-workspaces
terminate-workspaces
Public APIs
{ “key1”: “val1”, “key2”: “val2” }
json transport
Common API Development

25. Event Handling
create-workspace
terminate-workspace
• delete object from Active Directory
• email users
• post-install hooks for other activities
poll API with cron
CloudTrail
CloudWatch Logs
Kinesis
Lambda
API events
create-workspace  ENI
terminate-workspace
25-30 minutes
IP ready only at end
Implement workflow-driven behavior.
Code

26. User Migration Efforts
WorkDocs
DFS File Share
cloud-based Sync Storage
• install WorkDocs sync agent on
existing desktops and WorkSpace
• data stored securely in S3,
synced across all devices
Zero Clients, Tablets,
Chromebooks
• initial access from existing desktops, laptops
• Chromebooks solve a lot of problems
• customer explores tablets, zero clients
• Amazon does not support full
desktop migrations today
• excitement around thin client solutions

27. Thank You!
• Questions?
• Comments?
• Feedback and thoughts?