Virtual Desktops at Scale
With the sudden transition from the office to remote work locations with the COVID-19 pandemic, organizations had to struggle with getting equipment, shipping it to employees, ensuring they had the onsite infrastructure for VPN connections, and more. Amazon Workspaces simplifies this process not only in emergency and business continuity situations but in a “normal” operating model as well.
Even without the challenges of suddenly moving your employees from an office to a remote work setting, organizations have to deal with the capital expenditures of buying workstations, laptops and other equipment to support their computing needs. This capital outlay can become expensive and difficult to manage.
Security procedures have to be put in place to monitor those workstations to prevent malware, viruses, and the theft of corporate information. Many data breaches have been caused by employees downloading sensitive information to their local device and later having that device stolen.
What if we could lower the cost of deploying desktop environments to the workforce, simplify security and operational procedures, and even provide “Bring Your Own Device” capabilities while minimizing the potential for data breaches through downloaded files?
What is Amazon Workspaces?
Amazon Workspaces is a “Desktop as a Service” offering in which users access a virtual Windows or Linux desktop hosted in AWS rather than an operating system installed on their own hardware. The client side is supported on:
- Microsoft Windows;
- Apple macOS;
- Google Chromebook;
- Apple iPadOS and iOS;
- Google Android OS;
- Amazon Fire Tablets;
- Zero clients; and,
- Web Access.
This means that from virtually any client device, the user can access their AWS Workspace, and perform their assigned business tasks.
Why use Amazon Workspaces?
I will admit the business case sounds “fuzzy” at first glance. The organization has to provide some form of a computing device and a network to have access to their virtual desktop. However, the majority of employees in an organization don’t need or use the “massive” computing capabilities of today’s laptops. Consider the executive assistant or managers who spend their days processing email, creating documents, and doing web searches to support their work assignments or manage their employees. Even some developers don’t need the computing power on their desks.
The truth is, the vast majority of computing hardware deployed in an organization today is capable of far more than what the average employee does with it. Even software developers who spend the majority of their time writing code often use build systems that are not local to their workstation.
This is where the business case of AWS Workspaces makes sense. Employees can be provided lower-cost, lower-compute devices which are then used to reach higher-powered desktops in Amazon Workspaces. Devices such as Chromebooks and lower-end Apple iPads cost significantly less than modern PCs or workstations. Additionally, anything a user downloads inside the virtual desktop lands on the Workspace's volumes in AWS, not on the local device.
Finally, there is the “work anywhere” side of things. Employees and support individuals can carry a lighter, lower-cost device to their clients. So long as they have network access, they can get to their virtual desktop.
Virtual Desktop Environments
Amazon Workspaces supports Microsoft Windows and Amazon Linux 2 virtual desktop environments, with different CPU, memory, storage, and base application sets available. Creating the Workspace involves selecting one of the available bundles, or creating a custom bundle suitable for your organization.
The available bundles include Windows 10 and Linux, on a range of hardware profiles from 1 vCPU and 2 GB of RAM (Value bundle) to 16 vCPUs, 122 GB of RAM and 1 vGPU (GraphicsPro bundle). SSD root volumes start at 80 GB and user volumes at 10 GB, with larger combinations (such as a 175 GB root volume and a 100 GB user volume) offered on the higher bundles. Each of the available options is presented when you create the Workspace.
If you are a larger organization wanting to commit to 200 or more Workspaces in a single region, it may be possible to bring your existing Microsoft Windows 10 licenses; note that bring-your-own-license Workspaces run on dedicated hardware in your account.
The security of a local device is every security professional's nightmare. A common cause of data breaches is a lost or stolen laptop holding sensitive data. Workspaces addresses this by keeping the desktop and its data in AWS and streaming only the session to the client, so nothing has to be saved to the local device. Whether data can still leave through the session, for example by clipboard copy and paste, local printer redirection or the browser-based Web Access client, depends on the directory and group policy settings, so those need to be reviewed rather than assumed. Keeping the data in the Workspace has the added benefit of letting the user connect from a tablet today and a web browser tomorrow.
Security can also be applied by integrating Amazon Workspaces with your existing Active Directory, allowing users to log in to their Workspace using credentials they already have. Additionally, if you provide a RADIUS server for multi-factor authentication, this can be integrated into the Workspaces platform. This applies to AD Connector and AWS Managed Microsoft AD directories; the Simple AD directory that the quick setup creates does not support RADIUS MFA.
Setting up an Amazon Workspace
Setting up a Workspace is pretty easy. Once you have logged in to the AWS Management Console, locate the Amazon Workspaces item, and you are presented with the Getting Started page.
Clicking on the Get Started Now button shows the launch screen where you can create your first workspace.
There are two options at this point: Quick set-up, allowing you to create an individual or a small number of workspaces at once; and Advanced set-up, where you can define the workspaces and associate them with an existing on-premise or cloud directory server.
Choosing the quick setup creates a Simple AD directory as part of the launch process, regardless of the number of workspaces you are creating.
Next in the process is to select the bundle you wish to launch. Recall the bundle selects the number of vCPUs, RAM, and a vGPU if selecting a Graphics bundle. As part of this step, you also select if you are launching an Amazon Linux 2 or Microsoft Windows workspace.
On this page, you will also enter the user details including their name, username, and email address. The username is how the user accesses their workspace. AWS sends the user their login instructions to the email address you provide.
At this point, it is a matter of waiting for the workspace to be created. All in all, it did take about 20 minutes for the directory server to be created and the workspace to be available.
For this article, I created both an Amazon Linux and Microsoft Windows Workspace.
If you have launched a workspace already, then you have a directory server associated with your account. Let’s walk through that process. On the Workspaces Console, click the Launch Workspaces button, which starts the process.
First, we select the directory where the users and workspaces are identified. In my case, the directory was created for my account as I didn't have one already. If you already have an Active Directory configured in AWS or on-premises, you have the option of using it.
On the next screen, you can add additional users, or select the user which should be associated with the new workspace being created.
One important note — any given user can have only one workspace associated with their username. You can have a Linux or a Windows workspace, but the same username cannot have both.
After selecting or creating the user, we again select the operating system and bundle associated with the user.
On the next screen, we can define the workspace configuration. Will this be an Always On or Autostop workspace, and will we encrypt the storage volumes?
The Running Mode selection is important because it affects how your Workspace is billed. We will cover the costs associated with Workspaces later in this article.
We can choose to encrypt the root volume, the data volume, or both. Additionally, we can encrypt the selected volumes with the AWS-managed default key for Workspaces, or we can create a customer-managed key in the Key Management Service (KMS) and select that key here. Encryption is chosen at launch; it cannot be added to an existing Workspace later, so decide on it before the user has a desktop. If desired, you can also associate tags with the Workspace.
After we review the Workspaces configuration, we can launch it and we are returned to the Workspaces Console where we can see the status of the created workspaces.
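The console steps above can be reproduced as an API request, which is easier to review and repeat than clicking through the wizard. The following is an added example, not code from the article or from AWS: it builds the request body that `aws workspaces create-workspaces --cli-input-json` accepts (directory, user, bundle, volume encryption with a KMS key, running mode, tags) and audits a fleet listing in the shape of a `describe-workspaces` response for unencrypted volumes, keys outside an approved list, and the running mode. All identifiers and the sample fleet data are constructed placeholders; the field names follow the CreateWorkspaces and DescribeWorkspaces APIs, but confirm them against the current CLI documentation before relying on this.

```python
"""Build a CreateWorkspaces request and audit a WorkSpaces fleet listing.

Added example, not from the article. Field names follow the CreateWorkspaces /
DescribeWorkspaces API shapes; every ID below is a constructed placeholder.
"""
import json

ALWAYS_ON = "ALWAYS_ON"
AUTO_STOP = "AUTO_STOP"
# Alias of the AWS-managed key the console calls the "default" key (assumption:
# the service accepts the alias name as VolumeEncryptionKey).
AWS_MANAGED_KEY = "alias/aws/workspaces"
# Constructed customer-managed key ARN used by the sample data below.
CMK_ARN = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-0000-0000-0000-000000000000"


def build_create_request(directory_id, user_name, bundle_id, kms_key=None,
                         running_mode=AUTO_STOP, autostop_minutes=60, tags=None):
    """Return the body for `aws workspaces create-workspaces --cli-input-json`.

    Both volumes are always encrypted here; with no key given the request uses
    the AWS-managed WorkSpaces key. AutoStop timeouts are whole hours.
    """
    if running_mode not in (ALWAYS_ON, AUTO_STOP):
        raise ValueError("running_mode must be ALWAYS_ON or AUTO_STOP")
    props = {"RunningMode": running_mode}
    if running_mode == AUTO_STOP:
        if autostop_minutes < 60 or autostop_minutes % 60:
            raise ValueError("AutoStop timeout must be a multiple of 60 minutes")
        props["RunningModeAutoStopTimeoutInMinutes"] = autostop_minutes
    workspace = {
        "DirectoryId": directory_id,
        "UserName": user_name,          # one Workspace per directory user
        "BundleId": bundle_id,
        "RootVolumeEncryptionEnabled": True,
        "UserVolumeEncryptionEnabled": True,
        "VolumeEncryptionKey": kms_key or AWS_MANAGED_KEY,
        "WorkspaceProperties": props,
    }
    if tags:
        workspace["Tags"] = [{"Key": k, "Value": v} for k, v in sorted(tags.items())]
    return {"Workspaces": [workspace]}


def audit_workspaces(describe_response, approved_keys, require_autostop=True):
    """Map WorkspaceId -> list of findings for Workspaces that miss the baseline.

    `describe_response` has the shape of `aws workspaces describe-workspaces`
    output; `approved_keys` is the set of customer-managed KMS key ARNs that
    policy allows. Compliant Workspaces are omitted from the result.
    """
    findings = {}
    for ws in describe_response.get("Workspaces", []):
        issues = []
        if not ws.get("RootVolumeEncryptionEnabled"):
            issues.append("root volume not encrypted")
        if not ws.get("UserVolumeEncryptionEnabled"):
            issues.append("user volume not encrypted")
        key = ws.get("VolumeEncryptionKey")
        if key and key not in approved_keys:
            issues.append("encryption key not in approved list: %s" % key)
        mode = ws.get("WorkspaceProperties", {}).get("RunningMode")
        if require_autostop and mode != AUTO_STOP:
            issues.append("running mode is %s, not AUTO_STOP" % mode)
        if issues:
            findings[ws.get("WorkspaceId", "<unknown>")] = issues
    return findings


# Constructed sample fleet listing (not from a real account): one compliant
# Workspace and one launched with the console defaults left alone.
SAMPLE_DESCRIBE = {
    "Workspaces": [
        {"WorkspaceId": "ws-example0001", "DirectoryId": "d-example1234", "UserName": "alice",
         "State": "AVAILABLE", "BundleId": "wsb-example123",
         "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True,
         "VolumeEncryptionKey": CMK_ARN,
         "WorkspaceProperties": {"RunningMode": AUTO_STOP, "RunningModeAutoStopTimeoutInMinutes": 60,
                                 "RootVolumeSizeGib": 80, "UserVolumeSizeGib": 10,
                                 "ComputeTypeName": "VALUE"}},
        {"WorkspaceId": "ws-example0002", "DirectoryId": "d-example1234", "UserName": "bob",
         "State": "AVAILABLE", "BundleId": "wsb-example123",
         "RootVolumeEncryptionEnabled": False, "UserVolumeEncryptionEnabled": False,
         "WorkspaceProperties": {"RunningMode": ALWAYS_ON, "RootVolumeSizeGib": 80,
                                 "UserVolumeSizeGib": 10, "ComputeTypeName": "VALUE"}},
    ]
}

if __name__ == "__main__":
    req = build_create_request("d-example1234", "alice", "wsb-example123",
                               kms_key=CMK_ARN, autostop_minutes=120, tags={"Owner": "alice"})
    print(json.dumps(req, indent=2))          # save and pass via --cli-input-json
    for ws_id, issues in audit_workspaces(SAMPLE_DESCRIBE, {CMK_ARN}).items():
        print(ws_id, "->", "; ".join(issues))
```

Feeding the real `describe-workspaces` output into `audit_workspaces` (for example `aws workspaces describe-workspaces --directory-id <id> > fleet.json` and `json.load`) gives a quick check that every desktop in a directory was launched with the encryption and running-mode settings the wizard asked about, which is worth running after any bulk launch because those settings cannot be changed once the Workspace exists.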
Once the launch process for the workspace is complete the user receives an email with the information they need to access the workspace from the Workspaces Client.
The user will need this information once they get the client download to their device of choice.
I have already provided a list of the client environments supported by Amazon Workspaces.
Getting the Amazon Workspaces Client for the appropriate local device is as simple as downloading the client from https://clients.amazonworkspaces.com.
Depending upon which local device you are using, a different action will occur. Microsoft Windows and Apple macOS devices can download the client directly, Apple iOS devices are directed to the Apple App Store, Android devices are directed to the Google Play Store, Fire Tablets are directed to the Amazon store, and Linux devices are given a set of instructions to download the client.
For this example, I am going to demonstrate downloading the client for an iPad. Using the link in the email received about your Workspace, access the client download page.
As seen here, there are clients available for:
- Microsoft Windows;
- Apple macOS;
- iPad (iPadOS);
- Google Android;
- Amazon Fire Tablets;
- Linux; and,
- Web Access.
Click on the appropriate device to download the client. The iPad, Android, and Amazon Fire devices will access their respective app stores, while Microsoft Windows and Apple macOS will download the clients from the site. If you select Linux, then a set of instructions to download and install the client is presented.
Web Access is only supported on Microsoft Windows, Apple macOS, and Linux platforms using either Google Chrome or Firefox v48 (or later), and it must be enabled by the administrator in the directory's access control settings before users can sign in from a browser.
Before we start the Workspaces client, we need to set a password. Using the link in the email you received about the workspace, the directory service page is presented with your name, email address, and fields to provide a password.
Once the password is set, and you have your workspaces Client, we are ready to launch Workspaces. Upon launching the client, you are presented the login screen, where you enter your Workspaces username, password and if prompted, the registration code provided in the email.
Depending upon the client, you may be presented with instructions on interacting with the Workspace using your specific device. For example, on the iPad, we see
- how to left-click;
- how to right-click;
- how to extend the keyboard;
- how to retract the keyboard;
- how to extend the radial menu;
- how to use a corner of the screen as a touchpad;
- how to return to normal mouse mode;
- how to turn off your Workspace;
- how to check the connection quality to your workspace;
- how to move a window on the screen;
- how to zoom in and out; and,
- how to pan the screen when zoomed in.
After going through the instructions specific to your device, you are ready to use your Workspace.
Using the Virtual Desktop
Once you are logged in to your Workspace, the desktop for the specific operating system is displayed.
You can interact with the workspace as you would normally. There are idiosyncrasies when using the iPad as the client due to the different input methods associated with the touch display.
The governing factor of the quality of the experience is your internet connection. For example, I tried playing some YouTube videos in a Workspaces session. Some of the video was jumpy, owing to my connection going from Texas to North Virginia (and we have 25 Mbps download). Overall though, the experience with both Windows and Linux was very positive.
Accessing Local Devices
With today’s work environment, we need to be able to access web cameras, computer-based audio for web conferencing, etc. Amazon Workspaces has support for these devices enabled by default. For Microsoft Windows users, USB headsets should be visible in the Windows sound mixer. Peripheral redirection, audio-in and clipboard behaviour remain administrator-controlled policies, so review the Workspaces group policy settings if your data handling rules require any of them turned off.
Bring Your Own Device
I mentioned the possibility of Bring Your Own Device (BYOD). Many organizations fear this approach because they have no control over the actual device being used and the security of their information on that device. By adding capabilities like Apple Business Manager or similar capabilities for other devices, organizations can create a segregated environment for their applications and data on the client device.
By using a BYOD approach, the organization can take advantage of the equipment the employee already has, lowering their capital expenses.
Consider this example:
A corporate user has a 2020 12.9 inch Apple iPad Pro, with a Magic Keyboard and external monitor. Their employer provides that user with a laptop and the majority of applications they use are either text or code editors, a git client for connecting with the source code repository, or web-based applications like Google G-Suite. Periodically the user needs a command line, which can be served through an EC2 instance.
In this case, the user doesn’t need that corporate laptop. Using their own device, they can access all of the services they need directly from their Workspace. Security is improved because the information stays in the Workspace and is never saved to the local device.
The pricing model of Amazon Workspaces makes it hard to beat. Most employees have a personal computing device, and even if you wanted to provide a low-cost Chromebook for corporate use, the cost model still works.
At the time of publication, up to 50 Amazon Workspaces are available under the free tier for first-time Amazon Workspaces subscribers. Amazon Web Services made this offer to help organizations with the rapid deployment of remote workers. The current end of this promotion is June 30, 2020, although Amazon could choose to extend the offer period.
The pricing model is monthly or hourly. With monthly billing, a fixed fee is charged based upon the operating system and performance bundle. This provides unlimited usage of the workspace over the month. The alternative is hourly billing, where a small monthly fee is charged, and there is a charge for each hour the Workspace is used.
If the Workspace is going to be the primary desktop for a user, then the monthly fee makes the most sense. For those users who will make use of it for less than a full workday and only a few days a month, then the hourly rate is more appropriate.
The rate can vary from region to region, so check out the pricing before making any decisions about the bundle and billing option. Let’s consider an example.
The purchase price for a 2020 Apple MacBook Pro with a 2.3 GHz 8-core i9 CPU, 16 GB of RAM, and 1 TB of SSD storage is $3,199. Let’s assume the machine will be used for 3 years (36 months), for an average monthly price of $88/month. This is also a capital expense, which has depreciation to track and, unlike an operating expense, cannot be deducted in full against revenue in the year it is incurred.
A similar Workspaces bundle (there is no exact match) is a 4 vCPU, 16 GB RAM with a 175 GB root volume, and a 100 GB user volume. This Workspace in North Virginia (us-east-1) is $78 per month. There is no capital expense, no depreciation to track and because it is an operational expense, it can be used to lower your tax burden. If you want 8 vCPUs, then you get 32 GB of RAM and the cost is $123 per month.
The Zero Client
Amazon Workspaces is implemented using PCoIP (PC over IP), developed by Teradici. With PCoIP, only the display, audio, and input streams are transmitted between the client and the desktop, so the organization’s business information remains in the cloud and is not downloaded to the client. The technology supports multiple displays, full frame-rate 3D graphics, and USB peripherals. On the network side, the client needs outbound TCP 443 for registration and authentication and TCP and UDP 4172 for the PCoIP session itself; a firewall that allows 443 but blocks 4172 lets the user log in but never shows a desktop.
With PCoIP and Amazon Workspaces, not only can you support users on one of the more common personal devices, you can also purchase a zero client: a hardware device providing display, input device and USB support with no local operating system to patch or lose data from. They are available from a number of different hardware vendors. As long as the zero client uses the Teradici Tera2 chipset, it is supported by Amazon Workspaces, although zero clients also require the PCoIP Connection Manager for Amazon Workspaces to broker their sessions.
There are several methods available to provide a remote desktop experience depending upon the sophistication of your users and your specific use case. Developers could be granted access to the AWS web console and the ability to use the Cloud9 Integrated Development Environment, which provides an EC2 as part of the IDE for performing their development work.
Cloud9 can integrate with the other AWS development services like CodeCommit, CodeBuild, CodeDeploy, CodePipeline, and Lambda. This is a web interface, which sometimes doesn’t perform so well on iOS-based platforms.
You could also just provide an EC2 instance with a virtual desktop for each developer or group of developers. However, you would then want some form of VPN service to keep the connection secure between the local device and the remote desktop.
Both of these situations will require more effort to deploy, manage, and certainly a higher level of knowledge on the part of the user. Amazon Workspaces simplifies the virtual desktop and provides significant controls for desktop management, application deployment controls, and more.
While I didn’t address it in this article, Amazon Workspaces users can also access Amazon WorkDocs, for secure document storage.
With all of the attention on remote work right now, Amazon Workspaces provides a great solution to enable business operations to continue when the workplace is unavailable. However, it is also a good solution for people working in an office. Just as we can reduce the cost associated with hardware for remote workers, using a zero client in the office means any user can sit anywhere, log in on the zero client and instantly have access to their virtual desktop.
Amazon Workspaces simplifies the process, provides secure communication between the client device and the virtual desktop, and reduces the knowledge level needed by the user. Instead of having to learn an interface or application set they are unfamiliar with, users are presented with an interface familiar to them and can start using it right away.
Whether your users are in the office or remote, Amazon Workspaces provides the secure, reliable and easily managed desktop solution.
About the Author
Chris is a highly-skilled Information Technology, AWS Cloud, Training and Security Professional bringing cloud, security, training, and process engineering leadership to simplify and deliver high-quality products. He is the co-author of seven books and author of more than 70 articles and book chapters in technical, management, and information security publications. His extensive technology, information security, and training experience make him a key resource who can help companies through technical challenges.
This article is Copyright © 2020, Chris Hare.