AWS EUC @re:Invent: What is Amazon WorkSpaces Core?
Amazon WorkSpaces Core enables customers and the AWS Partner Network to build customized VDI solutions using purpose-built compute instances optimized for virtual desktops. In this blog I cover why Amazon WorkSpaces Core is important, how to architect VDI solutions with Amazon WorkSpaces Core, and how to get started!
Every organization is at a different place in its journey to the cloud. Some need to get out of a data center quickly and lift and shift their environment, which is fast but can be costly. There are many places where the cloud can help reduce cost and improve security, operations, reliability, performance, and sustainability.
In the virtual desktop world, solutions have been evolving to meet the needs of customers at every step of their journey. Our AWS partner solutions include ones that offer isolated features, such as brokering users to desktop resources or providing a pixel streaming (visualization) protocol. Some include automation, and some are manual. Some are monolithic architectures that follow design patterns from on-premises hypervisors, and some are modern serverless architectures designed for the cloud. Additionally, consulting partners and managed service providers can provide an even higher level of managed service, with help desk, user, and application onboarding support. You can find examples of these solutions in the AWS Partner Network Digital Workplace Competency program.
Amazon WorkSpaces is built on a modern serverless architecture designed for the cloud. Provision Windows or Linux persistent desktops to users anytime, anywhere, and from any supported device. Strengthen security by keeping data on AWS instead of on endpoint devices that can be lost or compromised. Pay only for what you use and scale quickly to thousands of desktops across the globe.
While Amazon WorkSpaces is ideal in many ways, many customers are still on their journey to AWS. Amazon WorkSpaces Core gives customers and partners a path to migrate to the cloud while meeting many of the requirements they are familiar with from their existing VDI/DaaS solutions.
Extending solutions with Amazon WorkSpaces Core
Here are some features that VDI/DaaS partner solutions can offer to extend Amazon WorkSpaces use cases by integrating with Amazon WorkSpaces Core.
You may ask, “Why not just deploy my VDI/DaaS solution on Amazon EC2?” Here are examples of how Amazon WorkSpaces Core moves up the stack to provide more managed services focused on VDI / DaaS.
*While 275 instance types provide choice, you must validate which are suited for VDI use cases.
Amazon WorkSpaces Core responsibilities
In this section, I review examples of how Amazon WorkSpaces Core customer and partner responsibilities differ from those of customers deploying Amazon WorkSpaces.
In terms of what the service is responsible for, Amazon WorkSpaces and WorkSpaces Core are similar. As an example, AWS provides the following features, which customers and partners can enable and implement as they see fit. Some of these items are shared responsibilities, following the AWS shared responsibility model: AWS is responsible for security “of the cloud”, and the customer or partner for security “in the cloud”.
- Encryption at rest
- Resilience in Amazon WorkSpaces Core across Availability Zones (cross-Region failover is not included; it is a customer or partner responsibility)
- Compliance validation (shared)
- Infrastructure security within Amazon WorkSpaces (Core); this does not include the customer or partner solution, endpoints, VPC, etc.
- Amazon WorkSpaces APIs, CLI, SDK, CDK, and console
- Amazon WorkSpaces monitoring infrastructure, excluding CloudWatch Events, metrics, and any connection, session, or trusted device metrics. The healthy state of an Amazon WorkSpaces Core desktop is also defined differently, because the service does not control the protocol connection or session.
- Amazon WorkSpaces image import (shared)
- Dedicated tenancy (WorkSpaces running on dedicated hardware) to help meet compliance standards
- Identity and access management for WorkSpaces (shared)
Customer or partner responsibilities
As Amazon WorkSpaces is opened up to customer and partner solutions, it is important to understand the responsibilities those solutions take on. Here are some examples.
- First, the control plane, which can include brokering users to desktop resources, authentication, and the pixel streaming (visualization) protocol.
- The control plane can be based on a monolithic or a serverless architecture. Operational Excellence, Security, Reliability, Performance Efficiency, Cost Optimization, and Sustainability (the AWS Well-Architected pillars) are the responsibility of the customer or partner operating the solution.
- Compliance validation (shared)
- Identity and access management to the WorkSpaces Core desktop
- Amazon WorkSpaces image import (shared)
- Provisioning (creation) of desktop resources via the Amazon WorkSpaces APIs, including hourly management via the running mode (start/stop)
- Registration of WorkSpaces Core desktops as available resources within the customer or partner solution
- Brokering Active Directory users to WorkSpaces Core desktop resources within the customer or partner solution
- Gateway services for securely accessing the solution, including user interfaces and pixel streaming or remote visualization, within the customer or partner solution (encryption in transit, client endpoints)
- Cross-Region failover: routing policies that redirect users to alternative WorkSpaces Core desktops in another AWS Region when their primary Region is unavailable
- Any additional monitoring, security, analytics, or similar solutions, which are the responsibility of the customer or partner operating the solution
Partner VDI solutions with Amazon WorkSpaces Core
The control plane and gateway services are deployed in your account. Each Amazon WorkSpaces Core desktop has two Elastic Network Interfaces (ENIs): a management network interface (eth0) and a primary network interface (eth1). AWS uses the management network interface to manage the WorkSpace and assigns it an address from a private IP address range reserved for that purpose. For routing to work properly, you cannot use that private address space on any network that can communicate with your WorkSpaces VPC; an overlapping range would shadow the management path. Check your VPC, peered VPC, VPN, and Direct Connect CIDRs against the documented management ranges for your Region before you deploy. For more information, review the best practices for VPCs and networking in the Amazon WorkSpaces deployment whitepaper.
How to get started!
VMware Horizon 8
Check out how customers are expanding the VMware and AWS collaboration with VMware Horizon and Amazon WorkSpaces Core.
Check out this blog for details on getting started with Amazon WorkSpaces Core and VMware Horizon 8. Also review the VMware TechZone article on deploying VMware Horizon with native Amazon EC2 and Amazon WorkSpaces.
For customer solutions or other partner solutions
First, you must enable the Bring Your Own License (BYOL) and Bring Your Own Protocol (BYOP) features in your AWS account. Make sure you understand the BYOL eligibility requirements before you begin.
If you are a partner accessing customer environments, use cross-account IAM roles with AssumeRole rather than long-lived credentials stored in the customer account. To find out more, review how to securely access customer AWS accounts with cross-account IAM roles.
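The cross-account pattern above, as an added example (not code from the original post or from any partner product): the customer creates a role that only the partner's AWS account can assume, and only when the AssumeRole call carries an agreed ExternalId, which is the standard guard against the confused-deputy problem. The partner then exchanges that role for short-lived STS credentials instead of holding long-lived keys in the customer account. The account IDs, role name, ExternalId, and policy name are placeholders; the permissions policy lists only the WorkSpaces lifecycle calls a control plane needs and should be narrowed further for production.

```shell
#!/bin/sh
# Added example (not from the original post): cross-account access for a
# partner control plane. Account IDs, role name and ExternalId are
# placeholders. The script prints the commands each side runs.
set -eu

# Trust policy attached to the CUSTOMER's role. The Condition makes the role
# unusable unless the caller supplies the ExternalId agreed with the partner.
trust_policy() {               # $1 partner account id, $2 external id
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::$1:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "$2"}}
  }]
}
EOF
}

# Permissions policy: only the WorkSpaces calls a control plane needs for
# provisioning, start/stop and teardown. Narrow "Resource" to the directory
# and WorkSpace ARNs (or add tag conditions) before using this in production.
permissions_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "workspaces:DescribeWorkspaces",
      "workspaces:DescribeWorkspaceBundles",
      "workspaces:CreateWorkspaces",
      "workspaces:StartWorkspaces",
      "workspaces:StopWorkspaces",
      "workspaces:TerminateWorkspaces"
    ],
    "Resource": "*"
  }]
}
EOF
}

# Commands the CUSTOMER runs once in their own account to create the role.
create_role_cmds() {           # $1 role name, $2 partner account id, $3 external id
  printf '%s\n' "aws iam create-role --role-name $1 --assume-role-policy-document '$(trust_policy "$2" "$3")'"
  printf '%s\n' "aws iam put-role-policy --role-name $1 --policy-name WorkSpacesCoreControlPlane --policy-document '$(permissions_policy)'"
}

# Command the PARTNER runs from its own account: 1-hour credentials scoped to
# the role, presented with the ExternalId. No customer access keys involved.
assume_role_cmd() {            # $1 customer account id, $2 role name, $3 external id
  printf '%s\n' "aws sts assume-role --role-arn arn:aws:iam::$1:role/$2 --role-session-name workspaces-core-control-plane --external-id $3 --duration-seconds 3600 --query Credentials --output json"
}

# Worked run with placeholder values (111122223333 = partner, 444455556666 = customer).
create_role_cmds WorkSpacesCorePartnerRole 111122223333 a1b2c3d4-example-external-id
assume_role_cmd 444455556666 WorkSpacesCorePartnerRole a1b2c3d4-example-external-id
```

The ExternalId is not a secret in the cryptographic sense, but it must be unique per customer and generated by the partner, so that a customer cannot name another customer's ExternalId and have the partner's control plane act on the wrong account.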
If your AWS account is new, I recommend using the AWS Quick Starts. The Active Directory Domain Services on AWS Quick Start provides the foundational services to get started with your AWS account and Amazon WorkSpaces Core. Use Scenario 3 to deploy AWS Managed Microsoft AD for isolated environments, or create a trust with an existing Active Directory environment.
You must register your directory with Amazon WorkSpaces, via the console or the API. This enables WorkSpaces to manage desktop and Active Directory resources. The directory must be configured for DEDICATED tenancy. Tenancy indicates whether your WorkSpaces directory is dedicated or shared; to use Bring Your Own License (BYOL) images, this value must be set to DEDICATED and your AWS account must be enabled for BYOL.
Next, import your image, using Windows 10, Windows Server 2016, or Windows Server 2019. You can find more details on how to import your image in the Amazon WorkSpaces documentation. Something new with Amazon WorkSpaces Core is the ability to import the image without having WorkSpaces install its default protocols. When using the CLI, use the BYOL_REGULAR_BYOP or BYOL_GRAPHICS_G4DN_BYOP ingestion process.
Once the image is imported, you can deploy your Amazon WorkSpaces Core desktops. Desktops created from an image imported with a BYOP ingestion process have a lower price than Amazon WorkSpaces desktops; you can compare the two on the Amazon WorkSpaces pricing pages.
To deploy Amazon WorkSpaces Core instances, create a bundle via the console (step 3), API, or CLI. A bundle combines the custom image with the underlying compute and storage configuration. Then create a new WorkSpaces Core desktop from that bundle.
From there, use your partner solution to register the desktop with its control plane and complete any other configuration requirements.
For managing the lifecycle of the desktop, Amazon WorkSpaces provides the ability to change running modes, storage, and compute types to optimize cost, as well as rebuild and restore features to repair the desktop. When you are finished with a desktop, terminate it. All of these features are available via the Amazon WorkSpaces console, API, or CLI.
For customer or partner solutions using hourly billing, use the MANUAL running mode. In this mode WorkSpaces never starts or stops the desktop on its own, so the control plane decides when it runs and can stop it to optimize costs. Here is an example of creating a WorkSpaces Core instance using this running mode.
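The whole getting-started procedure above (register the directory with DEDICATED tenancy, import the image with a BYOP ingestion process, build a bundle, create the desktop in MANUAL running mode, and drive its lifecycle) as one AWS CLI script. This is an added example, not code from the original post or from any partner solution. Every ID in it is a placeholder (directory d-..., subnet-..., ami-..., wsi-..., wsb-..., ws-...) that you replace with your own, and the BYOL and BYOP features are assumed to be already enabled on the account. The commands are printed and only executed when WS_EXECUTE=1, so the sequence can be reviewed before it touches an account.

```shell
#!/bin/sh
# Added example (not from the original post): WorkSpaces Core provisioning
# with the AWS CLI. All IDs are placeholders. Commands are printed, and run
# only when WS_EXECUTE=1.
set -eu

run() {                        # print the command; execute only on request
  printf '%s\n' "$*"
  if [ "${WS_EXECUTE:-0}" = "1" ]; then "$@"; fi
}

# 1. Register the directory with DEDICATED tenancy. BYOL images can only be
#    used with a DEDICATED directory, and the account must be BYOL-enabled.
register_directory() {         # $1 directory id; remaining args: subnet ids
  dir="$1"; shift
  run aws workspaces register-workspace-directory \
    --directory-id "$dir" --subnet-ids "$@" \
    --no-enable-work-docs --tenancy DEDICATED
}

# 2. Import the BYOL AMI with a BYOP ingestion process, so WorkSpaces does not
#    install its own protocols. Pass BYOL_GRAPHICS_G4DN_BYOP for GPU desktops.
import_image() {               # $1 AMI id, $2 image name, [$3 ingestion process]
  run aws workspaces import-workspace-image \
    --ec2-image-id "$1" --ingestion-process "${3:-BYOL_REGULAR_BYOP}" \
    --image-name "$2" --image-description "WorkSpaces Core BYOP image"
}

# Import is asynchronous: poll this until it reports AVAILABLE (not PENDING
# or ERROR) before creating a bundle from the image.
image_state() {                # $1 image id (wsi-...)
  run aws workspaces describe-workspace-images --image-ids "$1" \
    --query 'Images[0].State' --output text
}

# 3. A bundle = custom image + compute type + root/user volume sizes.
create_bundle() {              # $1 image id, $2 bundle name
  run aws workspaces create-workspace-bundle \
    --bundle-name "$2" --bundle-description "WorkSpaces Core bundle" \
    --image-id "$1" --compute-type Name=STANDARD \
    --root-storage Capacity=80 --user-storage Capacity=50
}

# 4. Create the desktop in MANUAL running mode: WorkSpaces never starts or
#    stops it on its own, so the partner control plane owns the hourly
#    start/stop decisions (and the cost).
create_desktop() {             # $1 directory id, $2 AD user name, $3 bundle id
  run aws workspaces create-workspaces --workspaces \
    "DirectoryId=$1,UserName=$2,BundleId=$3,WorkspaceProperties={RunningMode=MANUAL}"
}

# Lifecycle calls the control plane issues later.
start_desktop()     { run aws workspaces start-workspaces --start-workspace-requests "WorkspaceId=$1"; }
stop_desktop()      { run aws workspaces stop-workspaces --stop-workspace-requests "WorkspaceId=$1"; }
terminate_desktop() { run aws workspaces terminate-workspaces --terminate-workspace-requests "WorkspaceId=$1"; }

# Worked sequence with placeholder IDs (printed only unless WS_EXECUTE=1).
register_directory d-1234567890 subnet-0a1b2c3d4e5f6a7b8 subnet-1b2c3d4e5f6a7b8c9
import_image ami-0123456789abcdef0 win10-core-byop
image_state wsi-0123456789
create_bundle wsi-0123456789 core-standard-80-50
create_desktop d-1234567890 jdoe wsb-0123456789
stop_desktop ws-0123456789
terminate_desktop ws-0123456789
```

When running for real, capture the image ID from the import-workspace-image output and the bundle ID from create-workspace-bundle, and wait for image_state to report AVAILABLE before the bundle step; the script keeps each step as a separate function so the control plane can call them at the right points in its own workflow.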
Amazon WorkSpaces Core enables customers and the AWS Partner Network to build customized VDI solutions using purpose-built compute instances optimized for virtual desktops. In this blog I covered why Amazon WorkSpaces Core is important, how to architect VDI solutions with Amazon WorkSpaces Core, and how to get started.
If you are going to AWS re:Invent, come check out our Amazon WorkSpaces sessions!
To learn more about Amazon WorkSpaces Core, check out EUC203 at re:Invent this Wednesday from 10AM to 11AM: EUC203, Creating flexibility and choice for VDI management with Amazon WorkSpaces.
I look forward to seeing you there!
Global Technology Lead, Digital Workplace Partners – Partner Solutions Architect at Amazon Web Services