Transcript of [AWS Days Microsoft-LA 2015]: Amazon Workspaces-Running Microsoft Windows Desktops in the Cloud
© 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
December 9, 2015 | Los Angeles, CA
Microsoft Windows Desktops in the Cloud
What is WorkSpaces?
Desktop as a Service
Microsoft Windows desktops on AWS
• realizing the “virtual desktop dream”
The cloud replacement to VDI
• no-hassle performance, capacity
• improved accessibility, security
Decentralization meets consumerization
• “Corporate IT meets Consumer IT”
• device and location independence
Why WorkSpaces?
Ease of Deployment
On-demand, pay-as-you-go
Launch the number of WorkSpaces needed
Heavy lifting taken care of by AWS
Standard Windows Management
Treat like any other Microsoft Windows desktop environment!
• Policy: Active Directory, GPOs
• Patching: WSUS, SCCM
• Distribution: SCCM, App-V
• Automation: PowerShell
Template to Desktop
Create custom images
Map to hardware types
Launch from bundles
Simple to Provision
Keep Data Secure and Available
No data stored on end-user device
Only streaming protocol pixels delivered to users (Teradici PCoIP)
User volume backed by Amazon S3
Desktop, Laptop: PC, Mac
Tablets: iOS, Android, Kindle, Win
Zero, Thin Clients
Chrome OS
Support Multiple Devices
Integrate with Active Directory
IT: Control policies with familiar tools
Users: Use existing enterprise credentials
Protect with MFA
IT: Integrate with existing MFA solution
Users: Get to use existing one-time tokens
Automation Support
Manage and provision with CLI or API (PowerShell, .NET, and more)
WorkSpaces Monitoring
• Automatically respond to desktop health and connection issues
• Alert on custom metrics and events
Monthly Pay as You Go
All WorkSpaces Bundles provide the Windows 7 Experience to users (provided by Windows Server 2008 R2 with RDS).
Monthly Price in N. Virginia and Oregon AWS regions. More here: http://aws.amazon.com/workspaces/pricing/
Value: 1 vCPU, 2 GB memory, 10 GB storage; $25 (Value), $40 (Value Plus)
Performance: 2 vCPU, 7.5 GiB memory, 100 GB storage; $60 (Performance), $75 (Performance Plus)
Standard: 2 vCPU, 4 GB memory, 50 GB storage; $35 (Standard), $50 (Standard Plus)
The User Experience
A Typical User Journey with WorkSpaces
Discover > Corporate Pilot > Office Access > Home Access > Other Devices > No More Desktop
User Expectations for WorkSpaces
• Work Anywhere
• High Productivity
• Help, not Hinder
• Familiar
• Robust
• 100% Available
What Users Like
• It Just Works
• Transparent
• Single Environment
• Sense of Permanence
• Centralized Support
• Different Experience
Moving to WorkSpaces
Service Availability
6 Regions
• Oregon
• Northern Virginia
• Ireland
• Tokyo
• Singapore
• Sydney
http://aws.amazon.com/about-aws/global-infrastructure/
(as of December 2015)
Amazon WorkSpaces
Common Enterprise Deployment Model
• Regional proximity to users
• Tie into the global corporate network via DX
• Use existing IP space
• Restrict corporate network access when necessary
• Enable future expansion
[Diagram: Global Enterprise Corporate Network (10.0.0.0/8) with WorkSpaces address ranges 10.44.192.0/20, 10.44.208.0/20, 10.44.224.0/20, 10.44.240.0/20, and two further ranges still TBD]
This is EC2 at scale.
lots of worldwide users
Accessing Corporate WorkSpaces
[Diagram components: Users, Customer Corp Net, Direct Connect, Internet, Authentication Gateway, Session Gateway, Customer Streaming Gateway, WorkSpaces Service Broker, WorkSpaces VGW, Active Directory, corp servers, MFA. Gateway options: A) AWS-managed (public); B) customer-managed (public and/or private).]
Secure protocols, analogous to VPN (SSL, and PCoIP with IPsec AES-256):
1. Client authenticates (AD and MFA) via Authentication Gateway (SSL)
2. Client brokers desktop session with Session Gateway (SSL)
3. Client accesses desktop through Streaming Gateway (PCoIP w/ IPsec AES-256)
How Client Traffic Flows
From the Enterprise Corporate Network
access from Corp (wired, wireless, VPN), customer-provided hardware
[Diagram: Zero Client; gateway options A and B; Customer VPC; Sophos source filtering by IP; Transit; InfoSec Logging; US East Employees; us-east-1]
all corporate network access untrusted prior to filtering
• regional proximity
• tie into corp via DX (redundant private VIFs)
• use existing IP space (10.44.208.0/20, 10.x.x.x/8)
• restrict corp network access
KEY POINT
Kerb/TGT ticket
Streaming Gateway IP
How Client Traffic Flows
From ANY Network Outside of the Enterprise
access from ANY network BUT customer corporate, customer-provided hardware
[Diagram: Zero Client on a Standalone Network; gateway options A and B; Amazon.com VPC; Sophos source filtering by IP; Transit; InfoSec Logging]
all corporate network access untrusted prior to filtering
• BYOD: use ANY device, not just corporate hardware
• BYON: more than just BYOD … bring your own network -or- BYOD
• NEXT-GEN: the new corporate network
The Evolution of Automation
CLI Tools on A-Linux
#!/usr/bin/ruby
#!/usr/bin/perl
#!/bin/bash
• fast and easy start – “just go”
• many operations need data (dir-id, wsb, region): CSV files over API calls
• as data increases, fast and easy not so fast and easy anymore
• oh, right … no AWS SDK support for Perl
• object notation, AWS SDK support
Web-Based UI
Self-Service Portal for End-Users
Admin Portal for Helpdesk
(Python)
(Ruby)
API Gateway, Lambda, DynamoDB
create-workspaces
describe-workspaces
reboot-workspaces
terminate-workspaces
Public APIs
JSON transport: { "key1": "val1", "key2": "val2" }
Common API Development
Event Handling
API events: create-workspace, terminate-workspace
• delete object from Active Directory
• email users
• post-install hooks for other activities
[Diagram: API events reach your code either by polling the API with cron, or through CloudTrail, CloudWatch Logs, Kinesis and Lambda]
create-workspace ENI: 25-30 minutes; IP ready only at end
terminate-workspace
Implement workflow-driven behavior.
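As an added example (not code from this deck or from AWS), here is a small Python sketch of the two patterns on this slide: dispatching WorkSpaces CloudTrail records by API event name (CreateWorkspaces / TerminateWorkspaces, the API names behind the create-/terminate-workspaces CLI calls) to a cleanup hook, and a cron-style poll over describe-workspaces output that fires post-install hooks only once a WorkSpace is AVAILABLE and has its IP. The CloudTrail record, the describe-workspaces responses and the requestParameters layout are constructed for the demo; `describe`, `on_ready`, `on_terminate` and `run_demo` are stand-ins of my own, not a WorkSpaces API.

```python
# Terminal describe-workspaces states after which a WorkSpace will never become usable.
TERMINAL_STATES = {"TERMINATED", "ERROR"}

def workspace_ready(ws):
    """True once describe-workspaces shows AVAILABLE and an IpAddress (IP arrives only at the end)."""
    return ws.get("State") == "AVAILABLE" and bool(ws.get("IpAddress"))

def poll_pending(describe, pending_ids, on_ready):
    """One cron tick. describe() stands in for describe-workspaces (boto3 or the CLI).
    Fires on_ready for usable WorkSpaces; returns ids still worth polling next tick."""
    still_pending = []
    for ws in describe(pending_ids)["Workspaces"]:
        if workspace_ready(ws):
            on_ready(ws)  # post-install hooks run here
        elif ws.get("State") not in TERMINAL_STATES:
            still_pending.append(ws["WorkspaceId"])
    return still_pending

def handle_cloudtrail(record, hooks):
    """Dispatch one CloudTrail record by API eventName to a hook; anything else is ignored."""
    name = record.get("eventName")
    if record.get("eventSource") != "workspaces.amazonaws.com" or name not in hooks:
        return None
    return hooks[name](record.get("requestParameters") or {}, record.get("responseElements") or {})

def on_terminate(req, _resp):
    """Stand-in for the AD cleanup hook: returns the WorkSpace ids whose objects should be deleted.
    The requestParameters layout is an assumption modelled on the API request shape."""
    return [r["workspaceId"] for r in req.get("terminateWorkspaceRequests", [])]

HOOKS = {"TerminateWorkspaces": on_terminate}  # CreateWorkspaces would map to an enqueue-for-polling hook

# Constructed sample CloudTrail record, not a real capture.
SAMPLE_TERMINATE = {"eventSource": "workspaces.amazonaws.com", "eventName": "TerminateWorkspaces",
                    "requestParameters": {"terminateWorkspaceRequests": [{"workspaceId": "ws-example1"}]}}

# Constructed describe-workspaces responses for two successive cron ticks.
TICKS = [
    {"Workspaces": [{"WorkspaceId": "ws-a", "State": "PENDING", "IpAddress": None},
                    {"WorkspaceId": "ws-b", "State": "ERROR", "IpAddress": None}]},
    {"Workspaces": [{"WorkspaceId": "ws-a", "State": "AVAILABLE", "IpAddress": "10.44.208.17"}]},
]

def run_demo():
    """Drive both patterns on the constructed data; returns (ids to clean up, IPs ready, ids left)."""
    ticks, ready, pending = iter(TICKS), [], ["ws-a", "ws-b"]
    while pending:  # the stub describe() ignores the ids and replays the next canned tick
        pending = poll_pending(lambda ids: next(ticks), pending, lambda ws: ready.append(ws["IpAddress"]))
    return handle_cloudtrail(SAMPLE_TERMINATE, HOOKS), ready, pending
```

Checking eventSource before dispatching keeps the handler from acting on records for other services that happen to share an event name.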
User Migration Efforts
WorkDocs
DFS File Share
cloud-based Sync Storage
• install WorkDocs sync agent on existing desktops and WorkSpace
• data stored securely in S3, synced across all devices
Zero Clients, Tablets,
Chromebooks
• initial access from existing desktops, laptops
• Chromebooks solve a lot of problems
• customer explores tablets, zero clients
• Amazon does not support full desktop migrations today
• excitement around thin client solutions
Thank You!
• Questions?
• Comments?
• Feedback and thoughts?