Amazon WorkSpaces is a cloud-based desktop service that lets enterprises avoid most of the management and infrastructure overhead of traditional desktops. While it's reasonable to think of Amazon WorkSpaces as a type of software as a service, there's still a fair amount of management work that goes into an enterprise-wide deployment.
Cloud admins work with these five Amazon WorkSpaces management tasks:
- Synchronizing data
- Applying patches
- End-user authentication and authorization
- Resolving performance issues
- Removing Amazon WorkSpaces
Synchronizing data across devices
Amazon WorkSpaces implements synchronization in a few ways. Provisioned desktops have C: and D: drives. The D: drive is backed up every 12 hours. Amazon Web Services (AWS) can restore the D: drive if there is a problem and that drive is lost. This feature is a course-grade form of synchronization suitable for data protection; more granular synchronization operations require WorkSpaces Sync.
WorkSpaces Sync is an application you can install into a WorkSpaces device; it's also compatible with Windows or Mac clients. The application continuously backs up WorkSpaces files to Amazon Simple Storage Service (S3).
Workspace Sync is configured at the directory-level, so you can't configure it on a per-user basis. You can configure synchronization on a per-client device level, but that requires you to install the WorkSpaces Sync client, and then configure folders on the client you want to sync.
Patching Amazon WorkSpaces software
There are two categories of software patches in AWS WorkSpaces: operating system patches and application and WorkSpaces patches. AWS manages WorkSpaces patches by pushing them to the service during the regularly scheduled maintenance windows (currently between midnight and 4:00 a.m. on Sundays). AWS will also push out emergency patches at any time. Users and desktop admins have no control over WorkSpaces' patching.
Desktop administrators must perform OS and application patching. Windows desktops are automatically configured to update the OS and Microsoft Office on a regular basis (currently 2 a.m. on Sunday mornings). You have full control over the desktop and installed applications, so you can change patching configurations if needed. Test patching procedures for any additional software you install on the desktop.
Authenticating and authorizing users
Once you set up Amazon WorkSpaces and provision desktops, users can log in and start using the service. Authentication is available with or without an Active Directory configuration. If WorkSpaces is configured to use Active Directory, users can log in with those credentials, otherwise users must create a password when first using the desktop.
Amazon WorkSpaces authorizes users as local administrators by default. You would not want a user with local administrator privileges accidently disabling antimalware, so you can alter this setting for users who aren't familiar with Windows operations. Use group policies to further lock down the desktop if you do not want users to change wallpaper, create shortcuts or customize the desktop in any way. In the current version of Amazon WorkSpaces, a user can have only a single workspace.
Resolving performance issues
If virtual desktop infrastructures (VDI) have an Achilles Heel, it's performance.
Virtualized desktop performance can be a step down for those accustomed to working with desktops and laptops outfitted with multicore processors, large amounts of RAM and flash drives. And though you can't configure hardware in a desktop service like Amazon WorkSpaces, there are some infrastructure parameters and design guidelines.
Test network latency between the Amazon data centers and end-user locations. AWS recommends no more than a 100 milliseconds (ms) of latency for optimal performance, but up to 250 ms is acceptable. If you are experiencing latency longer than 250 ms, try a different AWS region. WorkSpaces is currently available in U.S.-East (Virginia), U.S.-West (Oregon), EU (Ireland) and Asia Pacific (Sydney) AWS Availability Zones.
Finally, if your network supports quality-of-service controls, Amazon recommends prioritizing user datagram protocol traffic on Port 4172.
Removing Amazon WorkSpaces
You can delete VDIs when they are no longer needed. All data on the volume attached to the virtual desktop also will be deleted. Make sure data that should persist after the workspace has been removed and is copied to S3, synched to a client device or backed up.
About the author:
Dan Sullivan holds a Master of Science degree and is an author, systems architect and consultant with more than 20 years of IT experience. He has had engagements in advanced analytics, systems architecture, database design, enterprise security and business intelligence. He has worked in a broad range of industries, including financial services, manufacturing, pharmaceuticals, software development, government, retail and education. Dan has written extensively about topics that range from data warehousing, cloud computing and advanced analytics to security management, collaboration and text mining.