Getting Started with Amazon WorkSpaces

From server-based computing (SBC) to virtual desktop infrastructure (VDI), then to Desktop as a Service like WorkSpaces. The core value of remote desktop is concentrated on three key value points. The most critical one is the "No data landing" feature provided by the remote desktop protocol. By using a remote desktop protocol like PCoIP or WSP, the end user can access enterprise data through a streaming window but cannot download it. The second key value is "Centralized manageability." Some large enterprises have transformed their traditional Desktop PC to thin clients/ zero clients with backend virtual desktops. This infrastructure simplified the IT support mechanism  and proved can reduce support budget and improve efficiency. The third point is the "Flexibility" leveraged from the cloud infrastructure. Customer can timely change the desktop resources investment in the cloud to reflect business need and dynamic working environment. Based on the three key value points, Desktop as A Service (WorkSpaces) has widely used in several  typical using scenarios and rapidly growing in data security sensitive segments. We will further introduce that in the coming part.

From 2020, with the COVID-19 global pandemic, more and more enterprises need to change from a centralized working model to a working from home model to face the challenge. With the WorkSpaces provision and batch deploy features, enterprise can quickly deploy the desktop resources within several days. By using this flexible service model, enterprises can set different strategies promptly and switch between centralized, working from home, or hybrid working models to face the dynamic situation.  

The second scenario is a “Secure R&D environment” inherited from the VDI technology. The primary purpose is to achieve the unique security requirements of “no data landing.” Compared with other technology such as VPNs, firewalls, or gateways, the primary focus is on preventing unauthorized penetration from outside. This unique technology primarily focuses on separating the data access and operation behavior. The remote desktop protocol only transfers the keyboard and mouse input to the remote desktop and moves back the refreshed screen pixels. By using that, employees or authorized outsourced vendors and partners can only operate the data but cannot access or download the data. There is no data transfer within that, so there is no data leakage as a consequence.

The third using scenario is an online call center; as we all know, with the evolution of the call center platform, the original centralized call center is becoming less economical in terms of flexibility and is gradually replaced by decentralized and web-based call center platforms. By using Amazon WorkSpaces and web-based call center application. Enterprises can completely migrate from centralized call centers to home-based online call center systems, which is especially urgent and necessary after the outbreak of the COVID-19 pandemic. Through WorkSpaces plus Call center application, we can help enterprises quickly establish call centers and access enterprise CRM and call center systems on the cloud and can internalize all operational data; to a certain extent, it also alleviates the impact of enterprise data and device management workload and can perfectly realize the end-to-end "online cloud call center" platform.

The secure office environment scenario is suitable for some enterprises with high-level information security standards or some verticals that need to follow information security compliance requirements tightly. Some specific verticals like financial services, medical design, and research institutions. Their environment has produced a large amount of information that needs to be appropriately kept in the enterprise domain scope. And it is difficult to prevent the leakage traditionally completely. With desktop cloud services like WorkSpaces, all information and data remain in the cloud. All downloads and transfers are fully controlled by the enterprise IT policy. In other words, after the enterprise information has centralized on the cloud, it also can run a higher level backup and restore strategy via cloud services.

The 5th using scenario is remote branch access. Many global companies, or large local enterprises in retail, manufacturing, transportation, or energy industry, have many branches globally or domestically. The traditional PC-based environment brings in heavy support workload and efficiency challenges on daily operation. Using WorkSpaces,  PC desktop can be replaced with a thin or zero clients, and the cloud desktop can be accessed via a network. In that case, A small IT group can support thousands of desktops in the center and replace any crashed or not working desktop via several clicks.

Service region selection

The network latency tests the WorkSpace RTT (round-trip delay) from the access equipment (employee PC) to each region of WorkSpaces. The primary purpose of this round-trip test is to verify if the WorkSpaces using experience is quick enough to serve the end user input and output. This indicator is the key to choosing the best experience region. If the delay is slight, the operation will be smoother, and the user will not perceive it. On the other hand, the screen may become stuck if the delay is significant, and the employees will feel obvious. The recommendations are as follows:

• RTT<100ms Fast
• RTT<200ms Acceptable
• RTT<375ms Slow
• RTT>375ms N/A 
  

https://clients.amazonworkspaces.awsapps.cn/Health.html (China)
https://clients.amazonworkspaces.com/Health.html (Global) 

PCoIP: For the best performance of PCoIP, the round-trip time (RTT) from the client network to the region WorkSpaces are located should be less than 100 milliseconds. If the RTT is between 100ms and 200ms, users can access the WorkSpace, but performance will be affected. If the RTT is between 200ms and 375ms, the performance will degrade. Therefore, workSpaces client connections are terminated if the RTT exceeds 375ms. For the best implementation of the WorkSpaces Streaming Protocol (WSP), the RTT should be less than 250ms. If the RTT is between 250ms and 400ms, the user can access the WorkSpace, but performance will be reduced. According to the above standards, if the RTT exceeds 200ms, there will be apparent freezes during use. Therefore, selecting a data center with a network latency of less than 100ms as the access point is recommended, which will have the best experience

Secure Access Design

The WorkSpaces console has two functions: IP Access Control and Access Control. Customers can use these two functions to control the access equipment IP address and the Operating system (OS) of the access equipment. At the same time, you can also enable the TLS/FIPS encryption to build a more secure login path.

Note 1: The remote desktop protocol only transmits the refreshed pixels of the screen and does not transmit any data on the net.

Note 2: WorkSpaces access also supports enabling TLS and FIPS 140-2 encryption methods to encrypt the data of the Login link and improve link security. Customers can turn on this function in the console.

Some large enterprises, especially those that have adopted a centralized office model. To ensure that the access link is not exposed on the Internet (here refers to the link that the user's employees log in to the WorkSpaces through the WorkSpaces client), Customers can use a completely private connection such as Direct Connect or a site-to-site VPN to linkage the office and Amazon Web Services datacenter. 

• Direct Connect+Public VIF. Amazon S3, Glacier, WorkSpaces, and other services all support public VIF access so that we can establish a private channel between the enterprise office and the Amazon Web Services through the Direct Connect dedicated link. And use the public VIF as the endpoint to allow access to equipment log-in from the enterprise office site. 
• If there is no Direct Connect dedicated link,  a third-party IPSec tunnel can be used as an alternative.

Note: Amazon Web Services China (Ningxia) Region, Operated operated by NWCD does not support Site-to-Site VPN or Client VPN. If you want to use the VPN method, you can refer to using IPSEC to establish a tunnel.

WorkSpaces Data Access Design

As a cloud desktop, access to WorkSpaces mainly includes the following three aspects.

• WorkSpace access to the Internet: WorkSpaces use the internet gateway (IGW) for external access by default. At the same time, you can also create a new NAT gateway to initiate external access. This method is suitable for accessing some specific third-party application platforms on the Internet-based application or data.
• WorkSpaces access to on-premise enterprise data: This link is mainly used for WorkSpaces to access local services such as applications, data, or domain control hosted in the enterprise's local data center. In addition, this link can be used as a secure access link to ensure that critical enterprise data is not exposed on the Internet.
• Data access from WorkSpaces to the enterprise system hosted in the Amazon Web Services: VPC peering and VPC routing are used to access the enterprise data hosted in the Amazon Web Services.

Note: WorkSpaces have two ENI NICs. NIC 1 is used for front-end access and external access. After that, it was production traffic NICs. The three data links mentioned above are based on the production traffic NIC 1. The second network card 2 is not exposed and is only used for the built-in process for WorkSpaces management, such as image creation and distribution, application distribution, etc.

A standardized VPC architecture is used at the bottom layer of WorkSpaces in the cloud, so enterprises can also use the VPC built-in multi-layer network layer and application layer security methodology for data isolation and layering.

• Network ACL can isolate and block the IP level. 
• Security Group security policy group design can isolate and block the ip+port level. As a result, access isolation of network applications can be performed on a per-end basis.
• Network Firewall can perform domain allow listing, blocklist isolation, and blocking at the link level. For example, an enterprise needs to write a specific black and white list domain name to control the Internet access part of WorkSpaces. 

Through the template policy that comes with the console above and the security policy design at the three levels of Network ACL+Security Group+Network Firewall, it is possible to connect WorkSpaces, and the Internet, WorkSpaces, and the enterprise's server VPC and subordinate servers on the Amazon Web Services managed cloud according to the needs of the enterprise. Appropriate security isolation and blocking between networks, WorkSpaces, and the enterprise's local data network can be implemented to achieve complete data security policy planning.

Use Amazon managed AD

Using Amazon Managed AD is our primary recommended method. Customers can enable Managed AD directly on the Amazon Web Services and directly use the Managed AD to create and manage WorkSpaces users. The domain controller is created using the WorkSpaces policy template, and the security policy template has been preset in it, which can implement policy control for WorkSpaces. The policies here include whether to allow logged-in users to modify WorkSpaces configuration and install software, whether to allow WorkSpaces, logged-in users, to access the Internet, whether to allow access to local USB read-write devices and so on. 

Use AD Connector

For many middle and large-size enterprises, AD domain control is already being used for user and device policy management. WorkSpaces can also connect to the user's domain controller in the local data center through the ADC (AD Connector) domain controller connector. After China Unicom is connected, the ADC will synchronize all domain policies from the local AD domain controller of the enterprise, automatically use the enterprise users connected to the domain controller, and apply the device management policy to the WorkSpace instance. Using ADC is an excellent way to integrate with the company's existing IT structure and can fully comply with the company's existing management strategy template. 

Build trust relationship

Another way is to use Amazon Managed AD and establish a trust domain relationship between the Amazon Managed AD and the enterprise's on-premises AD. After the trust relationship is established, the Amazon Managed AD and the enterprise local AD can establish the domain policy parent-child trust and tree root trust synchronization relationship according to the same forest, two-way trust, or transit trust relationship. This method is more suitable for the complex domain structure of some vast enterprises and builds a more complex domain control relationship.

In terms of terminal selection, Amazon WorkSpaces supports various clients, such as windows/Linux/mac/android/iPad/PCoIP zero/web. It has provided an extensive range of terminal device support. Here we mainly give some in-depth introduction to Thinclient (because Thinclient has existed for many years as a VDI access device). The operating systems of Thinclient are mainly Windows embedded and Linux embedded. Each Thinclient manufacturer tailors the operating system, mainly installing VDI or WorkSpaces connection clients. Although these embedded systems do not use applications as the accessing client of VDI or WorkSpaces, there is an important problem of redirection of peripherals. The main problem is that Windows Embedded is much more robust than Linux Embedded in the peripheral redirection. To better access different peripherals, it is recommended to use Windows Embedded as the Thinclient system. 

For future access devices, ARM CPU-based notebooks. Its main functions are always-on and long-term use (can be used continuously for 24 hours) brought by low power consumption. A suitable Mobile Thinclient device type also considers some flexibility to use applications locally. After installing the WorkSpaces client, it can be used as a perfect WorkSpaces native access device. 

Overall redirection design. When planning the overall redirection design of WorkSpaces, enterprises need to match the technical solutions provided by Amazon according to their own specific needs for "data not landing." For example, an enterprise user needs to avoid the redirection of USB storage devices to prevent data copying and avoid printer outputting drawings. These specific requirements can be controlled by switches in the overall redirection design. More redirection policy control is currently available on the Windows 10 operating system, and there are fewer control options on Linux. In terms of access protocol, PCoIP now has more redirection control policies and fewer WSP protocol control policies. See the table below for details.

Windows WorkSpaces

Linux WorkSpaces

Use API to integrate management platform

Large enterprises can use the WorkSpaces API to integrate WorkSpaces management capability into their internal management platform. For example, when enterprises need to activate employee accounts automatically, automatically activate WorkSpaces, then assign application authorities, or they need automatically back up employee data and release resources after employees leave. Because Amazon Web Services provides modular services, customers can rely on WorkSpaces API calls to integrate that into a streamlined process within their platform. Please refers to  the API reference documentation.

Remote Assistant Package

Besides central management capability in WorkSpaces Console. Customer also can enable remote assistant capability to diagnose single WorkSpaces issues or help employee solve complex personal WorkSpaces problem. It can be installed via a solution package as below. Please refers to the Blog.

Large and middle-sized enterprises may need to bring their own Windows desktop licenses (BYOL) to implement in WorkSpaces. For BYOL permission applications, please get in touch with your Amazon Web Services account manager or sales representative, or contact Amazon Web Services Support Center. The re-customized release process is relatively complicated, and it is recommended to follow the BYOL manual strictly.