Category: Amazon WorkSpaces


New – CloudWatch Metrics for Amazon WorkSpaces

AWS customers are deploying Amazon WorkSpaces at scale in medium and large organizations. For example, health care company Johnson & Johnson is using WorkSpaces to realize the long-promised security and efficacy benefits of virtual desktops, in a world populated by a diverse workforce that would like to use their own computing devices if possible (also known as BYOD – Bring Your Own Device). You can view their new video (Deploying Amazon WorkSpaces at Scale with Johnson & Johnson) to learn more about what they did and how they now support BYOD for 16,000 contractors and employees, along with zero clients for another 8,000 users. You can also take a look at the SlideShare presentation, Deploying Amazon WorkSpaces at Scale.

New Metrics
To help our customers monitor their WorkSpaces deployments, we recently added additional Amazon CloudWatch metrics for WorkSpaces. These metrics are designed to provide administrators with additional insight into the overall health and connection status of individual WorkSpaces and of all of the WorkSpaces that belong to a particular directory.

Like all CloudWatch metrics, these metrics can be viewed in the AWS Management Console, accessed via the CloudWatch APIs, and monitored by CloudWatch Alarms and third-party tools.

The new metrics are enabled by default and are available to you at no extra charge. Here’s what you get:

  • Available – WorkSpaces that respond to a status check are counted in this metric.
  • Unhealthy – WorkSpaces that do not respond to the same status check are counted in this metric.
  • ConnectionAttempt – The number of connection attempts made to a WorkSpace.
  • ConnectionSuccess – The number of successful connection attempts.
  • ConnectionFailure – The number of unsuccessful connection attempts.
  • SessionLaunchTime – The amount of time taken to initiate a session, as measured by the WorkSpaces client.
  • InSessionLatency – The round trip time between the WorkSpaces client and WorkSpaces, as measured and reported by the client.
  • SessionDisconnect – The number of user initiated and automatically closed sessions.

Here’s how you create an alarm that will fire if a user cannot connect to their WorkSpace:
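The following Python sketch is an added example, not taken from the original post or from AWS code. It builds a CloudWatch alarm definition on the ConnectionFailure metric for one WorkSpace and replays the rule offline against constructed datapoints. The WorkSpace ID, SNS topic ARN, datapoints, and the assumption that idle periods report no datapoint are all illustrative.

```python
from datetime import datetime, timedelta, timezone

NAMESPACE = "AWS/WorkSpaces"  # CloudWatch namespace that carries the WorkSpaces metrics


def connection_failure_alarm(workspace_id, topic_arn, periods=1, datapoints=1):
    """Keyword arguments for cloudwatch.put_metric_alarm() on one WorkSpace."""
    return {
        "AlarmName": f"workspaces-connection-failure-{workspace_id}",
        "Namespace": NAMESPACE,
        "MetricName": "ConnectionFailure",
        "Dimensions": [{"Name": "WorkspaceId", "Value": workspace_id}],
        "Statistic": "Sum",               # count of failures inside each period
        "Period": 300,                    # seconds
        "EvaluationPeriods": periods,     # N: how many recent periods to look at
        "DatapointsToAlarm": datapoints,  # M: how many of them must breach
        "Threshold": 1.0,
        "ComparisonOperator": "GreaterThanOrEqualToThreshold",
        # Assumption: a period with no connection attempts has no datapoint,
        # so missing data is treated as healthy rather than as a failure.
        "TreatMissingData": "notBreaching",
        "AlarmActions": [topic_arn],
    }


def replay(alarm, datapoints, now):
    """Simplified offline model of M-out-of-N evaluation; returns 'ALARM' or 'OK'."""
    period = timedelta(seconds=alarm["Period"])
    breaching = 0
    for i in range(1, alarm["EvaluationPeriods"] + 1):
        value = datapoints.get(now - i * period)  # keyed by period start time
        if value is None:
            breaching += alarm["TreatMissingData"] == "breaching"
        else:
            breaching += value >= alarm["Threshold"]
    return "ALARM" if breaching >= alarm["DatapointsToAlarm"] else "OK"


def create(alarm):
    """Send the definition to CloudWatch (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the offline replay runs without the SDK
    boto3.client("cloudwatch").put_metric_alarm(**alarm)


# Constructed sample data: placeholder identifiers and invented datapoints.
WORKSPACE_ID = "ws-EXAMPLE0001"
TOPIC_ARN = "arn:aws:sns:us-east-1:111122223333:example-workspaces-alerts"
NOW = datetime(2015, 5, 1, 9, 15, tzinfo=timezone.utc)
ONE_FAILURE = {NOW - timedelta(minutes=5): 1.0}
REPEATED_FAILURES = {NOW - timedelta(minutes=15): 2.0, NOW - timedelta(minutes=5): 3.0}

if __name__ == "__main__":
    any_failure = connection_failure_alarm(WORKSPACE_ID, TOPIC_ARN)
    two_of_three = connection_failure_alarm(WORKSPACE_ID, TOPIC_ARN, periods=3, datapoints=2)
    for name, data in (("one failure", ONE_FAILURE), ("repeated", REPEATED_FAILURES)):
        print(name, replay(any_failure, data, NOW), replay(two_of_three, data, NOW))
```

The default definition fires on any failed connection in the last period; the 2-of-3 variant stays quiet on a single failure and fires only when failures recur.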

Available Now
The new metrics are available now and you can start monitoring them today!

To learn more, read about Monitoring Amazon WorkSpaces.

Jeff;

 

Now Available – Amazon WorkSpaces API & CLI

I’m a big fan of Amazon WorkSpaces and currently spend most of my day using a single WorkSpace that I can access from multiple locations, devices, and device types (I can’t wait to share even more details about this use case with you).

Up until now, all actions on a WorkSpace had to be initiated through the AWS Management Console. This access method offered point-and-click convenience, but did not lend itself to integration with existing business processes and workflows. There was, for example, no way to automatically create a WorkSpace for a new employee.

API & CLI
Today we are making WorkSpaces even more useful by adding API and CLI (Command-Line Interface) support. You can now describe available directories and bundles, create and describe WorkSpaces, and perform maintenance operations (rebuild, reboot, and terminate WorkSpaces) from your own code. For example, you could build an internal administrative tool or a self-service “give me a desktop” portal. The actions that are performed on a WorkSpace via the AWS SDK and the CLI can be recorded via AWS CloudTrail. Also, permissions for these actions and the WorkSpaces resources can be controlled via an IAM policy.

Let’s walk through the provisioning process using the CLI, taking on the role of the WorkSpaces Administrator (the same steps apply to the AWS Tools for Windows PowerShell or to code that calls the WorkSpaces API):

The first step is to list (describe) the directories:

As you can see from the output, there’s one directory (internal.exampleco.com). The next step is to describe the WorkSpace bundles that can be used to create a WorkSpace:

And now we have all of the information needed to create a WorkSpace for a new user (in this example the user is named olivia in the directory listed above):

Then we can describe the WorkSpace to check on its creation status:

We can also describe all of the WorkSpaces associated with the AWS account in the current Region:


We can reboot a single WorkSpace by referencing the user’s name:

And we can check on the status of the reboot:
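The same describe, create, describe, and reboot sequence expressed as code that calls the WorkSpaces API, as an added example that is not part of the original post. The functions accept any object with the boto3 WorkSpaces client methods; the `FakeWorkSpaces` class, the bundle name "Standard", and every ID and error code are constructed placeholders so the example runs offline.

```python
def find_directory(ws, name):
    """Directory ID for a directory name (single page; real code follows NextToken)."""
    for d in ws.describe_workspace_directories()["Directories"]:
        if d["DirectoryName"] == name:
            return d["DirectoryId"]
    raise LookupError(f"directory {name!r} is not registered with WorkSpaces")


def find_bundle(ws, name, owner="AMAZON"):
    """Bundle ID for a bundle name among the bundles of the given owner."""
    for b in ws.describe_workspace_bundles(Owner=owner)["Bundles"]:
        if b["Name"] == name:
            return b["BundleId"]
    raise LookupError(f"no bundle named {name!r} for owner {owner}")


def provision(ws, directory_name, user, bundle_name):
    """Create a WorkSpace for user unless one exists; returns (workspace_id, state)."""
    directory_id = find_directory(ws, directory_name)
    existing = ws.describe_workspaces(DirectoryId=directory_id, UserName=user)["Workspaces"]
    if existing:  # idempotent: re-running a workflow must not create a second desktop
        return existing[0]["WorkspaceId"], existing[0]["State"]
    resp = ws.create_workspaces(Workspaces=[{
        "DirectoryId": directory_id, "UserName": user,
        "BundleId": find_bundle(ws, bundle_name)}])
    # The call succeeds even when an individual request is rejected, so the
    # per-request FailedRequests list has to be checked explicitly.
    if resp["FailedRequests"]:
        f = resp["FailedRequests"][0]
        raise RuntimeError(f"create failed for {user}: {f['ErrorCode']}: {f['ErrorMessage']}")
    return resp["PendingRequests"][0]["WorkspaceId"], resp["PendingRequests"][0]["State"]


def reboot_for_user(ws, directory_name, user):
    """Look up the user's WorkSpace and reboot it; returns the WorkSpace ID."""
    directory_id = find_directory(ws, directory_name)
    found = ws.describe_workspaces(DirectoryId=directory_id, UserName=user)["Workspaces"]
    if not found:
        raise LookupError(f"{user} has no WorkSpace in {directory_name}")
    workspace_id = found[0]["WorkspaceId"]
    failed = ws.reboot_workspaces(
        RebootWorkspaceRequests=[{"WorkspaceId": workspace_id}])["FailedRequests"]
    if failed:
        raise RuntimeError(f"reboot failed: {failed[0]['ErrorCode']}")
    return workspace_id


class FakeWorkSpaces:
    """Constructed stand-in for boto3.client("workspaces"); every ID is a placeholder."""

    def __init__(self):
        self.workspaces, self.rebooted = [], []

    def describe_workspace_directories(self):
        return {"Directories": [{"DirectoryId": "d-EXAMPLE001",
                                 "DirectoryName": "internal.exampleco.com"}]}

    def describe_workspace_bundles(self, Owner):
        return {"Bundles": [{"BundleId": "wsb-EXAMPLE01", "Name": "Standard", "Owner": Owner}]}

    def describe_workspaces(self, DirectoryId, UserName):
        return {"Workspaces": [w for w in self.workspaces
                               if (w["DirectoryId"], w["UserName"]) == (DirectoryId, UserName)]}

    def create_workspaces(self, Workspaces):
        pending, failed = [], []
        for req in Workspaces:
            if req["UserName"] == "nobody":  # constructed failure case
                failed.append({"WorkspaceRequest": req, "ErrorCode": "ExampleUserNotFound",
                               "ErrorMessage": "constructed error: user not in directory"})
                continue
            w = dict(req, WorkspaceId=f"ws-EXAMPLE{len(self.workspaces) + 1:04d}",
                     State="PENDING")
            self.workspaces.append(w)
            pending.append(w)
        return {"PendingRequests": pending, "FailedRequests": failed}

    def reboot_workspaces(self, RebootWorkspaceRequests):
        self.rebooted += [r["WorkspaceId"] for r in RebootWorkspaceRequests]
        return {"FailedRequests": []}


if __name__ == "__main__":
    ws = FakeWorkSpaces()  # against AWS: import boto3; ws = boto3.client("workspaces")
    print(provision(ws, "internal.exampleco.com", "olivia", "Standard"))
    print(reboot_for_user(ws, "internal.exampleco.com", "olivia"))
```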

As usual, this new functionality is available now. You can start using it today in all of the regions where you can use WorkSpaces (currently US East (Northern Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Singapore), Asia Pacific (Tokyo), and Asia Pacific (Sydney)).

Jeff;

PS – If you are in the process of evaluating WorkSpaces to see how it could work for you, be sure to check out our new WorkSpaces Application Manager.

New Amazon WorkSpaces Application Manager (WAM)

Over the last month or two I have become a devoted user of Amazon WorkSpaces. I am able to maintain a single, consistent working environment that I can access from my home, my office, an airport gate, a hotel room, and so forth. Regardless of where I am sitting, I have access to the same applications, files, browser tabs, and inbox. My PuTTY sessions remain open and I no longer have to waste any time or mental energy in context-switching between environments. Later this month I plan to start using a Zero Client device at the office (see my post, Amazon WorkSpaces Supports PCoIP Zero Clients for more information).

Application Delivery Made Easy
Today we are making WorkSpaces even more useful by adding a new WorkSpaces Application Manager (WAM). This new service gives you on-demand access to centrally managed desktop applications. Delivery is secure, scalable, and streamlined; you can choose your applications from a catalog (built by your IT Manager) and start using them within seconds, with an economical user-based pricing model.

If you are an IT Manager, you can use WAM to provide your users with access to a curated collection of commercial (licensed), open source, and in-house applications using a simple and straightforward distribution model that will allow you to maintain control and accountability. You can also reduce the operational costs that are traditionally associated with installing, patching, and retiring applications, even as your user base scales to thousands or tens of thousands of WorkSpaces desktops.

Apps are deployed to Amazon WorkSpaces using application virtualization technology, which allows Amazon WAM to safely encapsulate and isolate applications in dedicated containers that run using resources provided by Amazon WorkSpaces. The application virtualization technology transforms Windows applications into centrally managed virtual applications. Apps are never installed, which streamlines application life-cycle management for IT admins.

There are two different subscription levels for Amazon WAM:

  • WAM Basic provides you with access to the AWS Marketplace for Desktop Apps, along with a limited set of administrative controls. It is available to all users of Amazon WorkSpaces at no extra charge.
  • WAM Standard adds fine-grained controls for provisioning and policies for users and groups, including controlling access, managing versions and updating. It also supports auditing of application usage. This level costs $5 / user / month, but is available at no charge until July 1, 2015.

In this post I will look at the WorkSpaces Application Marketplace from two very distinct points of view: the WorkSpaces users and the IT Manager / WorkSpaces Administrator.

The User View
My IT Manager can designate certain apps as “Required” for me. Apps that have been flagged in this way will be deployed to my WorkSpace automatically.

The Amazon WAM desktop app runs within my WorkSpace and allows me to browse the apps that my IT Manager has made available to me for optional installation. I can click on All Apps to see what’s available:

After I find the desired application I simply click on Install and it will be delivered to my WorkSpace and ready to use within seconds. Once installed, the application can be launched from the Windows Start menu, a desktop shortcut, or from within the Amazon WAM client. Perhaps I’d like to run Visual Studio (as you can see from the screen shot, my IT Manager designated Visio Standard as required and I don’t need to install it):

I can find all of the applications that are ready to run:

The IT Manager View
Let’s switch hats and become the IT Manager with responsibility for maintaining an application catalog for my users. I can use the WAM Console to take care of the following tasks:

  • Manage the application catalog
  • Control access by users
  • Track usage

My catalog can contain any desired combination of applications that I already own and applications that I find in the AWS Marketplace for Desktop Apps and then subscribe to in the WAM Console.

Any 32-bit or 64-bit application that is compatible with Microsoft Windows 7, Microsoft Windows 8, Microsoft Windows Server 2008 R2, and Microsoft Windows Server 2012 can be delivered to a WorkSpace using WAM.

I can also use Amazon WAM to deliver my own line-of-business applications or applications that I have already licensed. In this case I would use the Amazon WAM packaging tools to prepare my applications via these steps:

  1. Package / Capture – In this step I launch an EC2 instance that has been equipped with the requisite packaging utility, formally known as the Amazon WAM Admin Studio. I simply install the application in the desired fashion and Admin Studio will capture all of the changes made to the file system, registry, and environment. Then I finalize my application package and upload it to WAM. At this point it will be marked as Pending.
  2. Validate – In this step I install the pending application on a fresh EC2 instance, use the Amazon WAM Admin Player to launch it as if I were a normal user, and then verify that it works as expected. Once I am satisfied that all is well, I approve the package to mark it as completed.
  3. Publish – In this step I create a new application from the application package and make it available for use within my organization’s application catalog, all from within the WAM Console.

Here is the WAM Admin Studio:

And here is the WAM Admin Player:

I can also subscribe to applications in the AWS Marketplace for Desktop Apps (a new category within the AWS Marketplace) using a monthly subscription. Here is how I would add an application to my catalog via the Marketplace:

A subscription is activated and charged the first time a user in my organization launches an application and will renew monthly until access to the application is removed for that user, with a prorated charge for the first month. I can purchase licenses for my organization from within the WorkSpaces console instead of negotiating with individual vendors. All of the software charges will appear on my organization’s AWS bill.

In the Marketplace
We are launching the AWS Marketplace for Desktop Apps with an initial set of over 100 applications in the following categories:

  • Accounting
  • Business Intelligence
  • Collaboration & Productivity
  • CRM
  • ERP
  • GIS
  • Illustration & Design
  • Programming & Web Development
  • Security
  • Utilities

We are planning to add more categories and more applications in the coming weeks and months. If you are an ISV and you would like to talk to us about getting your products into the AWS Marketplace for Desktop Apps, please email us at aws-marketplace-sellers@amazon.com.

Available Now
WAM is available today to use with your WorkSpaces in the US East (Northern Virginia) and US West (Oregon) regions.

Jeff;

 

Amazon WorkSpaces Update – New Features for Users and Admins

Amazon WorkSpaces is a managed desktop computing service that runs in the AWS cloud. Administrators can easily provision cloud-based desktops that users can access using the desktop or mobile device of their choice.

Today I would like to recap a series of updates and improvements that we have made to WorkSpaces over the last couple of months. All of these features are in production and available for use today. The features naturally fall into two groups: features for administrators and features for users. Let’s start with the users!


New WorkSpaces features for users include Single Sign-On (SSO), local printing from Macs, network health checks, and support for the Asia Pacific (Singapore) region.

Single Sign-On
If you use Amazon WorkDocs in conjunction with WorkSpaces, you can now benefit from Single Sign-On (SSO). After your administrator enables this feature and you do your part by signing in to the WorkDocs sync client for the first time, your WorkDocs sync client will automatically sign in and start to sync as part of the WorkSpaces login procedure. If you are connecting from a device that is on the same domain as your Amazon WorkDocs subscription, you will be automatically signed in to your WorkDocs sync client, and you will not be required to provide credentials separately when you access the web collaboration client from that device.

Your administrator can enable SSO by visiting the AWS Directory Service area of the AWS console, clicking the directory ID link for your directory and selecting the Apps & Services tab. For more information and detailed setup see our documentation.

This is the newest feature; it launched today!

Local Printing from Macs
Mac users can now print from within their WorkSpace to their local printer:

To learn more, read the documentation for Printing From a WorkSpace.

Network Health Checks
The WorkSpaces client now includes a network health check feature. It verifies that the network and Internet connections are working, checks that WorkSpaces and the associated registration service are accessible, and also verifies that port 4172 is open for UDP and TCP access. It also reports on the round trip ping time between the client and WorkSpaces. Here’s what the health check looks like:

Client Reconnect
The WorkSpaces client now allows users to seamlessly gain access to their WorkSpace without having to re-enter their credentials every time they disconnect from their WorkSpace. The client application saves an access token in a secure store on the local device and uses it to authenticate the user.

Users simply have to click on the Reconnect button on the client in order to gain access to their WorkSpace:

For security reasons, users can reconnect for up to 12 hours without having to re-enter their credentials. Users will be prompted once to enable this feature, and can disable it at any time using the Advanced Settings menu.

Auto Session Resume
The WorkSpaces client will now attempt to resume a session that was disconnected due to a transient drop in network connectivity. The default time for resuming a session is 20 minutes; this can be extended (all the way up to a maximum of four hours) or disabled via a group policy. For more information, read about Using Group Policy to Manage WorkSpaces and Users.

Support for the Singapore Region
You can now launch WorkSpaces in the Asia Pacific (Singapore) region.


New WorkSpaces features for administrators include a stand-alone client installer and some important updates to the console.

Stand-Alone Client Installer
Administrators can now download the WorkSpaces installers for Windows and Mac and then make them available to their users. This can be helpful in managed situations where Internet downloads are prohibited. Here are the Amazon WorkSpaces Clients:

Console – Enable Internet by Default
We have made it easier for administrators to enable Internet access (including assignment of a public IP address) to allow outbound network access through an Internet Gateway in the VPC that contains the WorkSpaces. The setting applies to newly launched WorkSpaces, as well as those that are rebuilt after Internet access has been enabled:


Console – Search
Administrators can now search for WorkSpaces by username, bundle type, or directory via the Console:

Console – Bulk Actions
Administrators can now select and then reboot or remove multiple WorkSpaces:

PCoIP Connection Manager Improvements
The PCoIP Connection Manager authentication appliance brokers the authentication process and enables the creation of a streaming session from WorkSpaces to PCoIP zero clients. The appliance was initially designed to run only on m3.medium and larger instance types. Now, the appliance can be configured for t2.micro, t2.small and t2.medium instance types, helping reduce costs while maintaining good baseline performance. We have also updated the appliance to support Elastic Load Balancing (ELB) so that you are not limited to a single appliance and can scale to support more simultaneous authentication requests than before.

Available Now
Once again, these features are available now and you can start using them today. The session resume feature will be available in all regions by April 8th, 2015.

Jeff;

AWS Expansion – WorkSpaces, Directory Service, ElastiCache, GovCloud, Kinesis, Traditional Chinese, More

We’ve increased the geographic footprint and international relevance of several AWS services this past month. Here’s a summary:

For more information on service availability, please take a look at our Products and Services by Region page.

Jeff;

 

Amazon WorkSpaces Update – Value Bundle, Hardware Upgrade, and Office 2013

I’ve got some good news for Amazon WorkSpaces administrators and users. We are introducing new Value bundles, upgrading the existing Standard bundles, and making Office 2013 available in the Plus bundles. This is the most recent in a series of feature releases for WorkSpaces that includes Multi-Factor Authentication (MFA), zero client support, and the ability to create golden images.

Value Bundle
The new Value bundle was designed to meet the needs of casual users, including those who run a browser and a productivity program or two. The Value bundle includes 1 vCPU, 2 GB of memory, and 10 GB of user storage and costs $25 per month per user. The Value Plus bundle has the same hardware specs and also includes Microsoft Office Professional; it costs $40 per month per user (these prices are for the US East (Northern Virginia) and US West (Oregon) Regions; see the WorkSpaces Pricing page for pricing in other Regions).

Standard Bundle Upgrade
We are upgrading the Standard bundle with additional hardware resources at no extra charge. All existing WorkSpaces that are running this bundle will be upgraded from 1 vCPU to 2 and from 3.75 to 4 GB of memory before the end of 2014. The upgrade will take place during the defined maintenance window for the AWS Region in which the WorkSpace is located (you’ll be notified 5 days ahead of time). The doubled CPU capacity and the extra memory should result in a meaningful and perceptible performance improvement.

The update will not affect any user data on the C: or D: drives of the WorkSpace. Users will sign in on the Monday morning following the maintenance window for this desktop to find that their WorkSpace has been rebooted and now delivers better performance.

Office 2013
All three of the “Plus” bundles (Value, Standard, and Performance) include Microsoft Office. You can now choose either Office 2010 or Office 2013 when you create a new WorkSpace.

Availability
The new bundles are available today in the US East (Northern Virginia), US West (Oregon), EU (Ireland), Asia Pacific (Tokyo), and Asia Pacific (Sydney) Regions.

Jeff;

New – Create Amazon WorkSpaces Golden Images

Amazon WorkSpaces is a managed desktop service in the Cloud. It allows administrators to provision cloud-based desktops that can be accessed from laptops (PC and Mac), tablets (Kindle Fire, Android, and iPad), and zero client devices.

Today we are making WorkSpaces even more flexible with the addition of a new image creation feature. Administrators can now create customized golden images for use within their organization. They can add additional applications, remove existing applications, and set configurations in order to provide their users with an environment that is appropriate for their needs.

Creating a Custom Image
Let’s create a custom WorkSpaces image. I’ll start by launching one of the built-in bundles. Wait for it to launch:

Then I connect as usual, configure it as desired, and then disconnect. I used the Kindle client for WorkSpaces, and chose to install PuTTY to illustrate this post:

Next, I return to the WorkSpaces Console and find the WorkSpace that was launched and customized. I select it and choose Create Image from the Instance Actions menu:

Now I fill in the name and description, click Create Image, and wait for the image creation process to finish (this can take up to 45 minutes):

I can check the WorkSpace Images tab to see when my image is ready. Behind the scenes, WorkSpaces will make a copy of the source WorkSpace, copy the user profile to the default profile, prepare the image for use (Sysprep), validate the custom image with a test launch, and publish the image to your account. The Status will change to Available when the image is ready:

Once the image is ready I am ready to create a bundle from it by selecting the image and choosing Create Bundle from the menu:

I simply fill in the name and description and choose the hardware:

When the bundle is ready I can launch WorkSpaces for my users. As you can see, I now have the opportunity to give them one of the standard bundles or my newly created custom one:

Things to Know
Here are a couple of things to keep in mind:

  • Existing WorkSpaces that were launched weeks or months ago must first be rebooted in order to be used as the basis for a custom image.
  • If you want to keep your bundle updated with new applications or patches, simply create a new image and update the bundle from the console. You can use the updated bundle to launch new WorkSpaces, or rebuild existing WorkSpaces to move all of your users to the latest image.
  • You can create up to 5 custom images for each AWS account. If you need to create more, simply Contact Us.
  • Our new custom images tutorial contains additional information about the process described above.

This new feature is available now and you can start using it today. There are no charges for image creation or storage.

Jeff;

New AWS Directory Service

Virtually every organization uses a directory service such as Active Directory to allow computers to join domains, list and authenticate users, and to locate and connect to printers, and other network services including SQL Server databases. A centralized directory reduces the amount of administrative work that must be done when an employee joins the organization, changes roles, or leaves.

With the advent of cloud-based services, an interesting challenge has arisen. By design, the directory is intended to be a central source of truth with regard to user identity. Administrators should not have to maintain one directory service for on-premises users and services, and a separate, parallel one for the cloud. Ideally, on-premises and cloud-based services could share and make use of a single, unified directory service.

Perhaps you want to run Microsoft Windows on EC2 or centrally control access to AWS applications such as Amazon WorkSpaces or Amazon Zocalo. Setting up and then running a directory can be a fairly ambitious undertaking once you take into account the need to procure and run hardware, install, configure, and patch the operating system and the directory, and so forth. This might be overkill if you have a user base of modest size and just want to use the AWS applications and exercise centralized control over users and permissions.

The New AWS Directory Service
Today we are introducing the AWS Directory Service to address these challenges! This managed service provides two types of directories. You can connect to an existing on-premises directory or you can set up and run a new, Samba-based directory in the Cloud.

If your organization already has a directory, you can now make use of it from within the cloud using the AD Connector directory type. This is a gateway technology that serves as a cloud proxy to your existing directory, without the need for complex synchronization technology or federated sign-on. All communication between the AWS Cloud and your on-premises directory takes place over AWS Direct Connect or a secure VPN connection within an Amazon Virtual Private Cloud. The AD Connector is easy to set up (just a few parameters) and needs very little in the way of operational care and feeding. Once configured, your users can use their existing credentials (user name and password, with optional RADIUS authentication) to log in to WorkSpaces, Zocalo, EC2 instances running Microsoft Windows, and the AWS Management Console. The AD Connector is available in Small (up to 10,000 users, computers, groups, and other directory objects) and Large (up to 100,000 users, computers, groups, and other directory objects).

If you don’t currently have a directory and don’t want to be bothered with all of the care and feeding that’s traditionally been required, you can quickly and easily provision and run a Samba-based directory in the cloud using the Simple AD directory type. This directory supports most of the common Active Directory features including joins to Windows domains, management of Group Policies, and single sign-on to directory-powered apps. EC2 instances that run Windows can join domains and can be administered en masse using Group Policies for consistency. Amazon WorkSpaces and Amazon Zocalo can make use of the directory. Developers and system administrators can use their directory credentials to sign in to the AWS Management Console in order to manage AWS resources such as EC2 instances or S3 buckets.

Getting Started
Regardless of the directory type that you choose, getting started is quick and easy. Keep in mind, of course, that you are setting up an important piece of infrastructure and choose your names and passwords accordingly. Let’s walk through the process of setting up each type of directory.

I can create an AD Connector as a cloud-based proxy to an existing Active Directory running within my organization. I’ll have to create a VPN connection from my Virtual Private Cloud to my on-premises network, making use of AWS Direct Connect if necessary. Then I will need to create an account with sufficient privileges to allow it to handle lookup, authentication, and domain join requests. I’ll also need the DNS name of the existing directory. With that information in hand, creating the AD Connector is a simple matter of filling in a form:

I also have to provide it with information about my VPC, including the subnets where I’d like the directory servers to be hosted:

The AD Connector will be up & running and ready to use within minutes!

Creating a Simple AD in the cloud is also very simple and straightforward. Again, I need to choose one of my VPCs and then pick a pair of subnets within it for my directory servers:

Again, the Simple AD will be up, running, and ready for use within minutes.

Managing Directories
Let’s take a look at the management features that are available for the AD Connector and Simple AD. The Console shows me a list of all of my directories:

I can dive into the details with a click. As you can see at the bottom of this screen, I can also create a public endpoint for my directory. This will allow it to be used for sign-in to AWS applications such as Zocalo and WorkSpaces, and to the AWS Management Console:

I can also configure the AWS applications and the Console to use the directory:

I can also create, restore, and manage snapshot backups of my Simple AD (backups are done automatically every 24 hours; I can also initiate a manual backup at any desired time):

Get Started Today
Both types of directory are available now and you can start creating and using them today in the US East (Northern Virginia), US West (Oregon), Asia Pacific (Sydney), Asia Pacific (Tokyo), and EU (Ireland) Regions. Prices start at $0.05 per hour for Small directories of either type and $0.15 per hour for Large directories of either type in the US East (Northern Virginia) Region. See the AWS Directory Service page for pricing information in the other AWS Regions.

Jeff;

Amazon WorkSpaces Supports PCoIP Zero Clients

Amazon WorkSpaces provides a persistent, cloud-based desktop experience that can be accessed from a variety of devices including PC and Mac desktops and laptops, iPads, Kindle Fires, and Android tablets.

Support for PCoIP Zero Clients
Today we are making WorkSpaces even more flexible by adding support for PCoIP zero clients. WorkSpaces desktops are rendered on the server and then transmitted to the endpoint as a highly compressed bitmap via the PCoIP protocol.

Zero clients are simple, secure, single-purpose clients that are equipped with a monitor, keyboard, mouse, and other peripherals. The clients use a dedicated PCoIP chipset for bitmap decompression and decoding and require very little in the way of local software maintenance (there is no operating system running on the device), making them a great match for Amazon WorkSpaces.

You can use any zero client device that contains the Teradici Tera 2 zero client chipset. Currently, over 30 hardware manufacturers provide such devices; check Teradici’s supported devices list for more information.

Getting Started
In order to connect your existing zero clients to Amazon WorkSpaces, first verify that they are running version 4.6.0 (or newer) of the PCoIP firmware.

You will need to run the PCoIP Connection Manager authentication appliance in a Virtual Private Cloud. The Connection Manager is built on Ubuntu 12.04 LTS and is available as an HVM AMI. It brokers the authentication process and enables the creation of streaming sessions from WorkSpaces to the clients, thereby offloading all non-streaming work from the clients. The Connection Manager must be run in the VPC that hosts your Amazon WorkSpaces endpoint.

To learn more about this important new AWS feature, read the PCoIP Zero Client Admin Guide.

Jeff;

Multi-Factor Authentication for Amazon WorkSpaces

Amazon WorkSpaces is a fully managed desktop computing service in the cloud. You can easily provision and manage cloud-based desktops that can be accessed from laptops, iPads, Kindle Fire, and Android tablets.

Today we are enhancing WorkSpaces with support for multi-factor authentication using an on-premises RADIUS server. In plain English, your WorkSpaces users will now be able to authenticate themselves using the same mechanism that they already use for other forms of remote access to your organization’s resources.

Once this new feature has been enabled and configured, WorkSpaces users will log in by entering their Active Directory user name and password followed by an OTP (One-Time Passcode) supplied by a hardware or a software token.

Important Details
This feature should work with any security provider that supports RADIUS authentication (we have verified our implementation against the Symantec VIP and Microsoft Radius Server products). We currently support the PAP, CHAP, MS-CHAP1, and MS-CHAP2 protocols, along with RADIUS proxies.

As a WorkSpaces administrator, you can configure this feature for your users by entering the connection information (IP addresses, shared secret, protocol, timeout, and retry count) for your RADIUS server fleet in the Directories section of the WorkSpaces console. You can provision multiple RADIUS servers to increase availability if you’d like. In this case you can enter the IP addresses of all of the servers or you can enter the same information for a load balancer in front of the fleet.

On the Roadmap
As is the case with every part of AWS, we plan to enhance this feature over time. Although I’ll stick to our usual policy of not spilling any beans before their time, I can say that we expect to add support for additional authentication options such as smart cards and certificates. We are always interested in your feature requests; please feel free to post a note to the Amazon WorkSpaces Forum to make sure that we see them. You can also consult the Amazon WorkSpaces documentation for more information about Amazon WorkSpaces and this new feature.

Price & Availability
This feature is available now at no extra charge to Amazon WorkSpaces and you can start using it today.

Jeff;

PS – Last month we made a couple of enhancements to WorkSpaces that will improve integration with your on-premises Active Directory. You can now search for and select the desired Organizational Unit (OU) from your Active Directory. You can now use separate domains for your users and your resources; this improves both security and manageability. You can also add a security group that is effective within the VPC associated with your WorkSpaces desktops; this allows you to control network access from WorkSpaces to other resources in your VPC and on-premises network. To learn more, read this forum post.