As a continuation of the AWS WorkSpaces series, I’ll detail the steps to deploy a WorkSpace into an Active Directory domain using a customized WorkSpace bundle in this post.
Creating a WorkSpace Using an AD Connector
- Within the AWS console, click WorkSpaces under the Desktop & App Streaming heading.
- On the WorkSpaces page, click WorkSpaces | Launch WorkSpaces
- On the Select Directory page, select the Directory in which you wish to launch WorkSpaces and click Next Step.
- On the Identify Users page, you can search the directory for specific users or click Show All Users to list all of the users within a directory. Select the user(s) you wish to create WorkSpaces for and then click Add Selected | Next Step.
- On the Select Bundles page, select the previously created custom bundle and click Next Step.
- On the WorkSpaces Configuration page, begin by selecting AlwaysOn or AutoStop as the Running Mode.
AWS WorkSpaces can be billed by the month or by the hour. The obvious question is, of course, “Which one should I choose?” Naturally, as in most things IT, the answer is “It depends.” As an easy example, if you use the AWS Simple Monthly Calculator you will see that the monthly cost of a standard WorkSpace with the license included is $35.
If you change the Billing Option to hourly and then specify 80 Hours (for example, a WorkSpace accessed 20 hrs./wk.), the monthly cost estimate is $33.75. So, if a user will access a WorkSpace for a total of 80 hours per month, it would be cheaper to pay by the hour. If you change the hours to 100, the monthly cost estimate is $39.75. You could even have a scenario where both billing types make sense: perhaps you have full-time employee WorkSpaces that use monthly billing and part-time employee WorkSpaces that use the hourly billing option. This is a simple example, but I believe it illustrates why the choice between monthly and/or hourly billing for WorkSpaces ‘depends’.
For the WorkSpace you are currently creating, set the running mode to AlwaysOn to be billed monthly and AutoStop to be billed according to the hourly model. For this WorkSpace, I chose AutoStop and set the AutoStop Time (Idle time disconnect to me) to 2 hours.
Once the Running Mode has been selected, configure volume Encryption. AWS WorkSpaces integrates with AWS Key Management Service (KMS) which enables the encryption of the Root and/or User volumes to ensure that “data stored at rest, disk I/O to the volume, and snapshots created from the volumes are all encrypted.” (from the AWS WorkSpaces Administrator Guide)
To enable encryption, you will need an AWS KMS customer master key (CMK). You can use an existing key or use the default Encryption Key that is created for you automatically the first time you launch a WorkSpace.
Finally, under the Manage Tags heading, you can assign a WorkSpace appropriate tags, which is simply metadata used to easily organize and manage WorkSpaces. If tags are not added when the WorkSpace is deployed, they can be added later. Specify any tags appropriate for your WorkSpace use case and click Next Step.
- On the Review page, review the WorkSpace settings and click Launch WorkSpaces to deploy it. Because encryption was enabled, it could take up to 40 minutes for the WorkSpace to become available. The WorkSpace is accessible once the status reads AVAILABLE.
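The console choices above (AutoStop with a 2-hour timeout, encrypted root and user volumes, tags) map onto the fields of the WorkSpaces CreateWorkspaces and DescribeWorkspaces APIs. The following is an added example, not code from the original post: it builds the equivalent request entry and checks DescribeWorkspaces-shaped records for unencrypted volumes. The directory, bundle, WorkSpace and key identifiers, the user names and the function names are constructed placeholders.

```python
# Constructed placeholder, not a real key and not a value from the post.
KMS_KEY = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"

def build_workspace_request(directory_id, user_name, bundle_id, kms_key,
                            autostop_hours=2, tags=None):
    """One entry for the CreateWorkspaces `Workspaces` list, mirroring the
    console choices above: AutoStop, root and user volumes encrypted."""
    if not kms_key:
        raise ValueError("volume encryption needs a KMS key")
    if autostop_hours < 1 or autostop_hours != int(autostop_hours):
        raise ValueError("AutoStop timeout must be a whole number of hours")
    return {
        "DirectoryId": directory_id,
        "UserName": user_name,
        "BundleId": bundle_id,
        "VolumeEncryptionKey": kms_key,
        "RootVolumeEncryptionEnabled": True,
        "UserVolumeEncryptionEnabled": True,
        "WorkspaceProperties": {
            "RunningMode": "AUTO_STOP",
            # The API takes minutes; the console shows hours.
            "RunningModeAutoStopTimeoutInMinutes": int(autostop_hours) * 60,
        },
        "Tags": [{"Key": k, "Value": v} for k, v in (tags or {}).items()],
    }

def audit_encryption(workspaces):
    """Map WorkspaceId -> list of unencrypted volumes, for entries shaped
    like the `Workspaces` list of a DescribeWorkspaces response."""
    findings = {}
    for ws in workspaces:
        # A missing flag is treated the same as False (not encrypted).
        missing = [vol for vol in ("Root", "User")
                   if not ws.get(f"{vol}VolumeEncryptionEnabled", False)]
        if missing:
            findings[ws["WorkspaceId"]] = missing
    return findings

# Constructed sample records (hypothetical IDs and users).
SAMPLE = [
    {"WorkspaceId": "ws-example0001", "UserName": "alice", "VolumeEncryptionKey": KMS_KEY,
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True},
    {"WorkspaceId": "ws-example0002", "UserName": "bob", "VolumeEncryptionKey": KMS_KEY,
     "UserVolumeEncryptionEnabled": True},
    {"WorkspaceId": "ws-example0003", "UserName": "carol"},
]

if __name__ == "__main__":
    print(build_workspace_request("d-EXAMPLE", "alice", "wsb-EXAMPLE", KMS_KEY))
    print(audit_encryption(SAMPLE))
```

With boto3, the built entry can be passed as `create_workspaces(Workspaces=[entry])`, and the `Workspaces` list returned by `describe_workspaces()` can be fed to the audit function.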
Sending the Invitation Email
With the WorkSpace created and available, an email invitation to the WorkSpace can be sent to the user it was created for.
- Select the appropriate WorkSpace and then click Actions | Invite User
- On the Invite Users To Their WorkSpaces page, copy the contents of the email Body and paste them into an email for the user.
On the End-User Side: Connecting to the WorkSpace
- When the invitation email arrives, the user should click the https://clients.amazonworkspaces.com hyperlink to download the WorkSpace client suitable for their client device. If the user does not wish to install a WorkSpace client, they can access their WorkSpace in a browser using Web Access.
- Whether using a WorkSpace client or Web Access, the user will be prompted for their Registration Code included within the invitation email. Enter that code and then click Register.
- Once the registration code is accepted, the user will be prompted to log in with domain credentials. Enter the appropriate username/password and click Sign In.
- The WorkSpace is displayed and usable as shown below:
Conclusion and Next Steps
So at this point, I have a WorkSpace deployed with a custom bundle that includes a few built-in applications that I can access using my domain credentials…pretty cool. And to this point, the deployment of domain-based WorkSpaces has been relatively straightforward save for the bizarre “unsupported subnet” problem you can read about in an earlier post found here.
I’ll continue the AWS WorkSpaces series by detailing how I set up Liquidware ProfileUnity to store user profile/configuration data using AWS S3 buckets.