Business continuity across multiple AWS Regions with Amazon WorkSpaces and AWS Directory Services
Amazon WorkSpaces delivers fully managed, secure and reliable virtual desktops for every workload. In my earlier post, Building for Business Continuity with Amazon WorkSpaces and AWS Directory Services, I presented a highly available solution for Amazon WorkSpaces. The setup can be supported by AWS Managed Microsoft AD or your self-managed Active Directory. Today, I present a follow-up showing how to scale-out the same solution across multiple AWS Regions to support more users dispersed around the world.
Following the walkthrough in Building for Business Continuity with Amazon WorkSpaces and AWS Directory Services, you deploy a WorkSpaces solution across a Primary and a Standby AWS Region. Yet many organizations have WorkSpaces deployments spanning multiple AWS Regions to support an equally dispersed workforce. To expand the solution to match the spread of your workforce, scale out the number of AD Connectors per Region. Create a separate DNS record to relate each AD Connector with its partner deployed in the Standby Region.
Business continuity across regions
In any AWS Region where Amazon WorkSpaces is available, launch an AD Connector to support WorkSpaces for users physically located close to that Region. Create a second AD Connector in a Standby Region and launch a second set of WorkSpaces for the same users. These second WorkSpaces are configured in AutoStop running mode. A DNS record of type TXT is associated with the Connection Alias of both AD Connectors. The configuration differs depending on your DNS solution of choice; for example, in Amazon Route 53 you can follow the steps in the Amazon Route 53 Developer Guide to create a Simple record of type TXT. Users are routed to the second WorkSpaces in case of a service disruption affecting the Primary Region.
If both Regions support Standby WorkSpaces, you can launch the secondary (Standby) WorkSpaces from the actions menu of the Primary WorkSpace. If either or both Regions do not support the Standby WorkSpaces feature, you have to create each WorkSpace individually.
One identity spans multiple regions
Both AD Connectors point to the same user database. This can be an Enterprise Edition AWS Managed Microsoft AD replicated across both Regions, or your self-managed Active Directory. Because the user database is common to both AD Connectors, the username and password of every user remain synchronized automatically. Repeat this configuration to cover more Regions, as long as the AWS Managed AD has been replicated to the intended Regions. For each pair of AD Connectors, create one TXT DNS record responsible for redirecting traffic from one Region to the other. Out of each pair of AD Connectors, one acts as Primary to support your users' WorkSpaces. The other takes the role of Standby and becomes active in case of an issue affecting availability in the Primary Region.
Prerequisites
- An AWS Account.
- An Identity and Access Management (IAM) user with permissions to create AWS Managed AD, AD Connectors, Amazon WorkSpaces, and Route 53 DNS records.
- Two or more AWS Regions.
- A Virtual Private Cloud (VPC) configured in each Region.
- Two private subnets in each VPC in each Region.
- A self-managed Active Directory or an AWS Managed Microsoft AD configured to replicate to your Standby Region(s).
Follow the walkthrough provided in Building for Business Continuity with Amazon WorkSpaces and AWS Directory Services. Then repeat the steps to create another pair of AD Connectors and a new TXT DNS record associated with their Connection Alias. In this second case, invert the Primary and Standby roles of the AWS Regions.
For example, take two AWS Regions: eu-west-1 (Ireland) and eu-central-1 (Frankfurt). Users are distributed between Ireland and Germany. Create an AWS Managed AD in one of these Regions and replicate it to the other. Alternatively, make sure your self-managed Active Directory has domain controllers deployed in both Regions. Create two AD Connectors, one in eu-west-1 and one in eu-central-1, both pointing to the AWS Managed AD. To provision WorkSpaces for the users physically located in or closer to Ireland, create a TXT DNS record. Route the traffic to the AD Connector located in eu-west-1 (Ireland) as the Primary option. In case of a localized issue affecting eu-west-1, update the value of the TXT DNS record to redirect users to their Standby WorkSpaces in eu-central-1.
Next, create a second pair of AD Connectors, one in each Region. Create a new TXT DNS record to route the traffic to eu-central-1 by default and redirect it to eu-west-1 in case of failure. Now provision WorkSpaces for the users located in Germany on this latter pair, as illustrated in the following diagram (figure 1).
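The failover step described above, turned into a small runbook script. This is an added example, not code from the original post or from AWS: it UPSERTs the Cross-Region Redirection TXT record of one user group (Ireland or Germany) to carry either the Primary or the Standby AD Connector's connection identifier. The hosted zone id, the record names and all `wsc-…` identifiers are constructed placeholders, and the `_amzn_wsp.` record prefix is assumed; take the real names from the WorkSpaces Cross-Region Redirection documentation.

```shell
#!/bin/sh
# Added example: flip a WorkSpaces Cross-Region Redirection TXT record
# between the Primary and the Standby AD Connector of one user group.
set -eu

HOSTED_ZONE_ID="${HOSTED_ZONE_ID:-ZPLACEHOLDER}"   # placeholder, not a real zone id

# One line per user group: TXT record name, Primary id, Standby id.
# Ireland users: Primary eu-west-1, Standby eu-central-1; Germany users inverted.
# All identifiers are constructed placeholders (connection alias ids look like wsc-...).
group_config() {
  case "$1" in
    ireland) echo "_amzn_wsp.ireland.example.com wsc-irl-primary wsc-irl-standby" ;;
    germany) echo "_amzn_wsp.germany.example.com wsc-de-primary wsc-de-standby" ;;
    *) echo "unknown group: $1" >&2; return 2 ;;
  esac
}

# Which connection identifier the record must carry: failover -> Standby, failback -> Primary.
target_id() {  # args: group, failover|failback
  set -- $(group_config "$1") "$2"   # now $1=name $2=primary $3=standby $4=mode
  case "$4" in
    failover) printf '%s' "$3" ;;
    failback) printf '%s' "$2" ;;
    *) echo "mode must be failover or failback" >&2; return 2 ;;
  esac
}

# Route 53 change batch that UPSERTs the TXT record. TXT values must be quoted,
# and a short TTL keeps the redirect well inside the 5-minute recovery target.
build_change_batch() {  # args: record name, value
  printf '{"Comment":"WorkSpaces failover","Changes":[{"Action":"UPSERT","ResourceRecordSet":{"Name":"%s","Type":"TXT","TTL":60,"ResourceRecords":[{"Value":"\\"%s\\""}]}}]}' "$1" "$2"
}

# Apply the change with the AWS CLI and print the change id so it can be polled
# with "aws route53 get-change"; confirm afterwards with: dig +short TXT <record name>
apply_redirect() {  # args: group, failover|failback
  name="$(group_config "$1" | cut -d' ' -f1)"
  target="$(target_id "$1" "$2")"
  aws route53 change-resource-record-sets --hosted-zone-id "$HOSTED_ZONE_ID" \
    --change-batch "$(build_change_batch "$name" "$target")" \
    --output text --query 'ChangeInfo.Id'
}

# Usage: ./redirect.sh ireland failover   (run once per affected user group)
if [ "${2:-}" ]; then apply_redirect "$1" "$2"; fi
```

Run it once per AD Connector pair whose Primary Region is affected; the Germany pair is untouched by an Ireland failover because each pair has its own record.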
This model is highly scalable. Continue to build on top of this solution to accompany the growth of your organization across multiple Regions.
To scale-out this solution:
- Replicate your AWS Managed AD or self-managed Active Directory to any other Region where WorkSpaces is available.
- Deploy another pair of AD Connector directories.
- Create the corresponding TXT DNS records in your DNS service.
The next diagram (figure 2) presents the same solution spanning three different AWS Regions. Two of these are the Primary Region for a subset of users each. Both have their corresponding Standby configuration in the remaining Region.
Cleaning up resources
In this blog, you created several components that generate costs. Please ensure you clean up these services when no longer required. Follow these steps to remove the components that make up this solution.
- Delete the TXT DNS records
- Remove the Amazon WorkSpaces
- Deregister the WorkSpaces service from each AD Connector
- Delete each AD Connector
- Delete the AWS Managed AD
In this blog, I illustrate how you can deploy a WorkSpaces solution to support a dispersed workforce across different AWS Regions. The solution uses the WorkSpaces features Cross-Region Redirection and Standby WorkSpaces to achieve high availability and a recovery time under 5 minutes. The last few years have seen a rapid increase in the adoption of decentralized and dispersed workforce models. Many organizations have found that this model benefits their business. Furthermore, many have thrived thanks to a remote and decentralized work environment that would not be possible with a classic, office-centric approach.
By building on top of AD Connector, organizations can deploy WorkSpaces to support their workforce across multiple AWS Regions. Thanks to Cross-Region Redirection and Standby WorkSpaces, users located in one Region can be redirected to alternative WorkSpaces in a Standby Region. In the event of a localized issue affecting the Primary Region, users are redirected to the Standby with less than 5 minutes of downtime.
To learn more about Multi-Region Resilience and Standby WorkSpaces, visit:
- Advancing business continuity with Amazon WorkSpaces Multi-Region Resilience
- Business continuity for Amazon WorkSpaces
To dive deeper into the benefits of having a remote workforce and how Amazon WorkSpaces helps support them, visit:
- Three Ways the Cloud Empowers Today’s Transition to Hybrid Work for Small and Medium Businesses
- How Small and Medium Businesses Can Use Remote Work Technology to Recruit and Retain the Best Talent
- Amazon WorkSpaces Customers
Nahuel is a Sr. CSE in AWS Support Engineering who specializes in AWS Directory Services and Microsoft Technologies. He enjoys teaming up with customers to discover new and exciting ways to make use of AWS services.
Outside the office, Nahuel loves to spoil his niece and goddaughters above all else. Also anything Dungeons and Dragons (before it was popular); Crossfit; hiking & trekking; and sharing a pint with friends, but “just one”.