Post on 08-Jan-2017
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Steve Mueller
Lead WorkSpaces Specialist, AWS
Technical Lead, Corporate WorkSpaces, Amazon.com
July 2016
Moving your Desktops to the Cloud
with Amazon WorkSpaces
End-User Computing in AWS
WorkDocs
Secure enterprise
document collaboration
WorkSpaces
Virtual desktops
Secure access from anywhere
Monthly pricing
Central sync, document feedback
Secure access from anywhere
S3
WorkSpaces Application
Manager
Virtual applications
Centralized application deployment
Monthly subscription options
March 2014 September 2014 April 2015
WorkMail
Secure email and
calendaring
Strong security controls
Existing desktop, mobile support
January 2015
Directory Service
Managed directories
Simple AD, AD Connector,
Managed AD
October 2014
What is WorkSpaces?
Managed Cloud Desktops
Highly interactive and secure desktops your users will love
Secure
Pay-as-you-go
Simple to deploy and manage
Scale & consistent performance
Desktop as a Service
Microsoft Windows desktops on AWS
• realizing the “virtual desktop dream”
The cloud replacement for traditional VDI
• no-hassle infrastructure, capacity, perf
• anywhere-access, industry-standard security
Decentralization meets consumerization
• “Corporate IT embraces Consumer IT”
• device and location independence
Why WorkSpaces?
Why DaaS?
Admins want to
• Secure resources
• Lower cost structure
• Deliver high quality user experience
• Simplify administration
• Scale on-demand
Users want to
• Get instant access to apps and data
• Go between devices
• Get work done from anywhere
Popular Use Cases
Call centers
Temporary workers
Dev/Test
Mergers and acquisitions
Securing data
Compliance requirements
Mobile workers
BYOD
Training and labs
Demos
Simplify Desktop Deployments
Logistics Storage Networking Monitoring
Amazon WorkSpaces simplifies physical and virtual desktop deployments
Global Scale
On-demand,
pay-as-you-go
Launch the number of
WorkSpaces needed
Heavy lifting taken
care of by AWS
Feels Familiar
Treat like any other Microsoft Windows desktop
environment
• Auth and Policy: Active Directory, GPOs
• Patching: WSUS, SCCM, 3rd-party
• Distribution: SCCM, App Layering, App Virt
• Profile Management: 3rd-party
• Automation: PowerShell, .NET, and more
Standard Windows Management
Use the technologies you know.
Simple to Provision
Zero to desktop in ~30 minutes.
• custom-image the way you want
• install-all or inject
• map to desired hardware configuration
• 1 vCPU, 2GB RAM
• 2 vCPU, 4GB RAM
• 2 vCPU, 8GB RAM
• provision thousands in minutes *
* limits permitting
Enforce MFA with RADIUS-based solutions
• Gemalto, Entrust, RSA, Duo Security … just to
name a few
Keep Data Highly Secure
• no data stored locally on end-user device
• utilizes Teradici PCoIP for streaming protocol
• supports storage volume encryption with
customer-owned keys
Supports Multiple Devices
Desktop, Laptop: PC, Mac
Tablets: iOS, Android, Kindle, Surface
Zero Clients
Thin Clients *
Chrome OS, Chromium
Reuse your existing devices, or acquire to fit your needs.
* OEM-specific, OS-specific
Monitoring Support
• Consume custom metrics and events
• Take action on key conditions as they occur
• Become more proactive, not reactive
Tie in with other AWS services to …
• open trouble tickets
• email users
• archive data for reporting and analysis
6 Regions
• Americas
• Oregon
• Northern Virginia
• EMEA
• Ireland
• APAC
• Tokyo
• Singapore
• Sydney
http://aws.amazon.com/about-aws/global-infrastructure/
(as of July 2016)
Amazon WorkSpaces
General Availability
Why are Multiple Regions Important?
Keep your desktops close
to your users ...
Keep your desktops
close to your apps.
or …
You decide.
Putting It All Together
Accessing Corporate WorkSpaces
[Diagram labels: Users; Corporate; Corp Net; Internet; Direct Connect; VGW; Authentication Gateway; Session Gateway; Streaming Gateway; MFA; Active Directory; corp servers; WorkSpaces]
WorkSpaces Service Broker
A) AWS-managed (public)
B) customer-managed (public and/or private)
secure protocols, analogous to VPN (SSL and PCoIP w/ IPSec AES-256)
1. Client authenticates (AD and MFA) via Authentication Gateway (SSL)
2. Client brokers desktop session with Session Gateway (SSL)
3. Client accesses desktop through Streaming Gateway (PCoIP w/ IPSec AES-256)
How Client Traffic Flows
access from Corp (wired, wireless, VPN)
corporate-provided hardware
From the Amazon Corporate Network
[Diagram labels: Zero Client; Gateway; A; B; Customer VPC; Transit; L3-L7 source filtering by IP; InfoSec Logging; all corporate network access untrusted prior to filtering]
US East
us-east-1
• regional proximity
• tie into corp
redundant
connectivity
• use existing IP space
10.44.208.0/20
10.x.x.x/8
• restrict corp network access
KEY POINT
Kerb/TGT ticket
Streaming Gateway IP
How Client Traffic Flows
access from ANY network BUT corporate
corporate-provided hardware
From ANY Network Outside of Amazon Corporate
[Diagram labels: Zero Client; Gateway; A; B; Customer VPC; Transit; L3-L7 source filtering by IP; InfoSec Logging; all corporate network access untrusted prior to filtering]
Standalone
Network
• BYOD: use ANY device, not just corporate hardware
• BYON: more than just BYOD … bring your own network
-or- BYOD
• NEXT-GEN: the new corporate network
Managing Apps with WorkSpaces
• Dynamic delivery – deploy, track, and update apps on
users’ WorkSpaces
• Bring your own apps or subscribe apps from AWS
Marketplace
• Available in Virginia, Oregon, Ireland, Singapore, and
Sydney AWS regions
Amazon WAM
Amazon WAM Benefits
Amazon
WorkSpaces
Amazon
WAM
catalog Deploy
apps
Manage Apps at Scale
for Desktop Apps
Applications where you
already own the license
Line of business
applications
Build Your App Catalog
Your application
Virtualize your app using Amazon WAM Studio
Validate using Amazon WAM Player
Upload to the application catalog using the WorkSpaces console
Your application catalog on the Amazon WAM console
Select applications
Search for users in your directory and assign applications
Use Amazon WAM desktop app on WorkSpace to access applications
Assign Apps from Catalog to Users
• Use a zero image with a WorkSpace, and deploy all your apps via WAM
• Deliver multiple versions of the same application.
• Example - Microsoft Internet Explorer (IE8 and IE11) to
WorkSpaces users
• Improve business continuity by locking dependencies on frameworks
such as Java and .NET
• Virtualize applications together to manage dependencies between apps
• Configure app settings for activation and customization
• Easily test app versions, manage their deployments, and track usage
Use Cases for Amazon WAM
Parting Thoughts
• Provides fast, secure desktops with consistent performance that users will love
• Simplifies desktop management
• Scales globally within minutes
• Plays well with existing tools
• Provides flexibility and agility
• Lowers complexity and cost
Thank You!
Be sure to let us know your thoughts by completing an
evaluation survey.
And before we forget …
Thank you for your time and attendance.