Desktop and Application Streaming

Deploy the Cost Optimizer for Amazon WorkSpaces in a highly-regulated environment.

The Cost Optimizer for Amazon WorkSpaces is a tool that analyzes your Amazon WorkSpaces usage data and automatically converts the WorkSpace to the most cost-effective billing option depending on the individual usage. You can use the Cost Optimizer with a single account or with AWS Organizations across multiple accounts.

Customers in highly-regulated environments often have limited or nopublic internet access from their AWS infrastructure. These restrictions have posed challenges for implementing the Cost Optimizer. With the release of version 2.7 of the Cost Optimizer for Amazon WorkSpaces, customers have the option to implement the solution with an Amazon Elastic Container Registry (ECR) image in their own private repository and Amazon VPC endpoints, eliminating the need for public internet access.

In this blog we will walk through the configuration of the Cost Optimizer with private ECR images and Amazon VPC Endpoint configurations to eliminate the need for public internet access.

Prerequisites

  • An AWS Account with necessary AWS Identity and Access Management (IAM) permissions to perform the tasks listed.
  • An active Amazon WorkSpaces Personal deployment.
  • Cost Optimizer for Amazon WorkSpaces 2.7 or later deployed into a separate VPC from your WorkSpaces VPC.
  • Inter-VPC pairing either with Transit Gateway Attachments or VPC Peering between the Cost Optimizer VPC and the VPC(s) hosting your Amazon WorkSpaces.
    • If you are deploying the Cost Optimizer in a Hub and Spoke design, the spoke VPCs will also need to be paired with the Hub VPC by either Transit Gateway Attachment or VPC Peering.
  • Docker Desktop and Docker CLI installed on a physical computer.

Create private ECR repository

  1. Open the Amazon Elastic Container Registry console.
  2. On the left menu, choose Repositories then select Create repository.
  3. Provide a namespace and repository name and select Create.
  4. Note the Repository URI as you will need it for the next section.

Copy the Image

The Amazon ECR Public Gallery contains the official Docker image for the Cost Optimizer. Follow the guide for Pulling an image to your local environment from an Amazon ECR private repository and Pushing a Docker image to an Amazon ECR private repository 

Create VPC Endpoints

  1. Open the Amazon VPC console. On the left menu, choose Endpoints.
  2. Select Create endpoint. 
  3. In the Service category section select AWS services. 
  4. Select com.amazonaws.<region>.sts in the services selection field. Where <region> is the region where your Cost Optimizer is deployed.
  5. For VPC, select your Cost Optimizer VPC.
  6. Under Subnets, select both private subnets in your Cost Optimizer VPC.
  7. Under Security groups select the cost optimizer IntraVPCSecurityGroup that was created when you deployed the Cost Optimizer using the CloudFormation script. The name will be similar to <stack_name>-IntraVPCSecurityGroup-<hash> where <stack_name> is the name of your CloudFormation stack.
  8. Select Create endpoint.
  9. Repeat steps 1-8 to create the following interface endpoints.
    • com.amazonaws.us-east-1.ecr.api
    • com.amazonaws.us-east-1.ecr-dkr
    • com.amazonaws.us-east-1.ecs-agent
    • com.amazonaws.us-east-1.secretsmanager
    • com.amazonaws.us-east-1.ecs-telemetry
    • com.amazonaws.us-east-1.logs
    • com.amazonaws.us-east-1.monitoring
    • com.amazonaws.us-east-1.workspaces

If you have deployed the Cost Optimizer in a single region (no hub & spoke design) you will need to create a DynamoDB gateway endpoint as well.

  1. Open the Amazon mVPC console. From the left menu, choose Endpoints.
  2. Select Create endpoint. 
  3. In the Service category section select AWS services. 
  4. Select com.amazonaws.<region>.dynamodb where <region> is the region where your Cost Optimizer is deployed. Make sure you select the Gateway endpoint type.
  5. For VPC, select your Cost Optimizer VPC.
  6. Under Route Tables, select the route table with. your 2 private subnets associated.
  7. Select Create endpoint.

Update IAM Policies

Since you are using a private ECR image, your gateway endpoint and IAM role must have permissions to access the repository as well as the starport layer bucket; an S3 bucket containing the layers for each Docker image. Additionally, you will need to add some policy statements for the IAM role that is assumed when the task is run.

S3 endpoint policy

  1. From the VPC Console select Endpoints from the left menu. Select the S3 gateway endpoint.
  2. Select the Policy tab and select Edit Policy. Add the following policy statement to the existing statement block and select Save. Replace <region> in the Resource block to the Region where you are deploying.
{
 "Sid": "Access-to-starport-layer-bucket",
 "Principal": {
    "AWS": "*"
  },
 "Action": [ "s3:GetObject" ],
 "Effect": "Allow",
 "Resource":[
      "arn:aws:s3:::prod-<region>-starport-layer-bucket/*"
 ]
}

IAM policy

  1. From the IAM console select Roles from the left menu.
  2. Find the IAM role created with the cost optimizer deployment. The naming pattern will be Workspaces-Cost-Optimizer-<region> where <region> is the AWS Region where the solution was deployed.
  3. Select the role. Under the Permission tab select the CostOptimizerAdminPolicy. Add the following statements to the policy and select Next, followed by Save.

Replace <region> with your AWS region in the below statement.

{
   "Effect": "Allow",
   "Action": [
       "ecr:GetAuthorizationToken",
       "ecr:BatchCheckLayerAvailability",
       "ecr:GetDownloadUrlForLayer",
       "ecr:GetRepositoryPolicy",
       "ecr:DescribeRepositories",
       "ecr:ListImages",
       "ecr:DescribeImages",
       "ecr:BatchGetImage",
       "ecr:GetLifecyclePolicy",
       "ecr:GetLifecyclePolicyPreview",
       "ecr:ListTagsForResource",
       "ecr:DescribeImageScanFindings"
    ],
    "Resource": ["*"]
},
{
    "Effect": "Allow"
    "Action": [
       "s3:GetObject"
     ],
    "Resource": ["arn:aws:s3:::prod-<region>-starport-layer-bucket/*"],
}

Security Group

  1. Open the VPC console. From the left menu, choose Security Groups.
  2. Find the security group that was created with the deployment of the Cost Optimizer and select that. The name will look similar to <stack_name>-IntraVPCSecurityGroup-<hash> where the <stack_name> is the name of your CloudFormation stack that was created when you deployed the Cost Optimizer.
  3. Select the Inbound rules tab and select Edit Inbound rules.
  4. Add the following inbound rules then click Save.
Type Source CIDR
DNS (UDP) Custom CIDR of your Cost Optimizer VPC
DNS (TCP) Custom CIDR of your Cost optimizer VPC
HTTPS Custom CIDR of your Cost Optimizer VPC

Update the ECS Task

  1. Open the Amazon ECS console. From the left menu, choose Task definitions, then select the wco-task.
  2. Select the checkbox for latest task definition and select Create new revision.
  3. Scroll to the Container-1 section. In the Image URI field, paste the URI to your private ECR image.
  4. In the Environment variables – optional field, make the following changes/additions then select Create.
Type Key Old Value New Value
Change SendAnonymousData True False
Add AWS_STS_REGIONAL_ENDPOINTS regional

Update the EventBridge Rule

  1. Open the Amazon EventBridge console. From the left menu, choose Rules .
  2. Find the rule that was created when the Cost Optimizer was deployed. It will follow a format like <stack_name>-ScheduleRule-<hash> where <stack_name> is the name of your CloudFormation stack that was created when you deployed the Cost Optimizer.
  3. Select the rule. In the Targets tab select Edit.
  4. In the Task definition field, select the Revision radio button and select the latest revision you created in the last section.
  5. Select Next, Next then Update rule.

When your scheduled task runs, it will now use the latest revision of the task which is pointing to your private repository.

Testing

Manually run the ECS task to test the functionality of the new design.

  1. From the ECS console, select Task definitions from the left menu.
  2. Select the wco-task and select the check box next to the latest revision.
  3. Select Deploy → Run Task.
  4. Expand the Networking section. Select the Cost Optimizer VPC and select the 2 private subnets.
  5. Under Security group name select the <stack_name>-IntraVPCSecurityGroup-<hash> group where <stack_name> is the name of your CloudFormation stack.
  6. Set the Public IP option to Turned off.
  7. Select Create.

Your task will now execute. This will take a few minutes to complete. When completed you can see the results in the S3 bucket created when the solution was deployed.

Cleanup

To avoid unwanted AWS charges, you must remove the infrastructure created in this blog:

  1. Delete the VPC endpoints.
    1. Open the Amazon VPC console. On the left menu, choose Endpoints.
    2. Select the checkbox next to each endpoint you created in this blog.
    3. Select Actions then Delete Endpoints.
    4. Type delete into the confirmation field and select Delete.
  2. Deregister the ECS task revision.
    1. Open the Elastic Container Service console. From the left menu, select Task definitions.
    2. Select the wco-task definition.
    3. Select the checkbox next to the task revision you created in this blog.
    4. Select Actions, then Deregister.
  3. Delete the ECR image and repository.

At this point, you have deleted all resources created in this blog. If you would also like to remove the Cost Optimizer for Amazon WorkSpaces that was defined as a prerequisite, continue with steps 4-6.

  1. Delete the CloudFormation template you created to deploy the Cost Optimizer.
  2. Delete the S3 bucket and contents that was deployed in the CloudFormation Script.
  3. Delete the CloudWatch log groups that was deployed in the CloudFormation Script.

Conclusion

In this blog you modified the Cost Optimizer for Amazon WorkSpaces to run in an environment without internet connectivity by utilizing a private ECR image and VPC endpoints. To see a video of this solution check out our YouTube video and our YouTube playlist for other EUC videos.

Robert Fountain is a Sr. EUC Specialist Solutions Architect based out of Pennsylvania. Robert has been with AWS since 2020 and currently holds six AWS Certifications. Outside of the office, Robert is a member of the National Ski Patrol and enjoys spending time with his wife, 2 boys, and his dog, Daisy.
Dave Jaskie Dave Jaskie brings 15 years of experience in the End User Computing space. Outside of Work, Dave enjoys traveling and hiking with his wife and 4 kids.