Desktop and Application Streaming

Secure workloads with Amazon WorkSpaces Core

Since launching Amazon WorkSpaces Core, customers have asked us numerous questions related to maximizing workload security with this new service. In this blog, we’ll dive deep into the 3 most frequently asked security-related questions.

As a refresher, WorkSpaces Core provides cloud-based, fully managed virtual desktop infrastructure (VDI) designed to work with third-party VDI management solutions. This new service is part of the Amazon WorkSpaces Family services, which share a common infrastructure stack giving customers and partners the ability to choose the best-fit solution for their specific use case or workload. By integrating with third-party VDI solutions, WorkSpaces Core offers customers many unique features necessary to secure their workloads.

How do I control my network traffic?

WorkSpaces is a fully managed desktop virtualization service. This includes setup, deployment, and management of streaming and authentication gateways. These gateways are public services (see our AWS IP Ranges for details). This level of management is ideal for some customers. However, customers with strict regulations on network traffic flow may need more control over their network architecture.

Customers using WorkSpaces Core and a third-party VDI solution can choose where to deploy their streaming and authentication gateways. They can keep them in on-premises locations or deploy them within specific AWS Regions, like our GovCloud Regions. This gives customers complete control over whether traffic flows over the internet or stays within their network using dedicated network connections like AWS Direct Connect.

How can I use my own Transport Layer Security (TLS) certifications?

Let’s first define some common TLS certificate architectures. Certificates help secure communication between two systems based on a trust. A hierarchical trust model has a single Certificate Authority (CA), which creates and manages the certificates, and the consumers of the certificates. A distributed trust model uses intermediate certificate authorities. This model limits the blast radius of a compromised certificate to only the certificates under the intermediate certificate authority.

Hierarchical and distributed trust models can be private or public. Public certificates are used when the identity of the end user is unknown. For example, end users typically trust a set of public root CAs and their intermediates CAs on their web browser. Alternatively, private certificates are for known end users, where the private CA is configured on the endpoint device to be trusted.

Amazon WorkSpaces streaming gateways use a public trust model, with root and intermediate certificates for communication of the desktop streaming protocols. While this strong security model is common for most organizations, some organizations require the use of their own certificates. This is common for government organizations, or in highly regulated environments. Not trusting public CAs or requiring control of the certificate chain for communication is common practice in these organizations.

WorkSpaces Core supports self-managed, third-party streaming gateways. This allows customers to use their own certificate trust model, and supports the use of private or public CAs created by the customer, instead of a WorkSpaces created certificate.

Can I integrate with my application firewall?

An application firewall controls input/output or system calls for an application or service. The application firewall communicates at the application layer of the Open Systems Interconnection Model (OSI) model. As we mentioned above, customers using a third-party VDI solution can choose where to deploy their streaming and authentication gateways. During deployment, customers can place their application firewall in front of a third-party gateway, whether on-premises or in the Cloud. This allows control of traffic using custom security rules. If the gateways are deployed in AWS behind an Application Load Balancer, customers can also take advantage of AWS WAF. A web application firewall (WAF) helps protect against common web exploits and bots that can affect availability, compromise security, and consume excessive resources.


In this blog we reviewed 3 of the most commonly asked questions about features supporting secure workloads on WorkSpaces Core including; controlling network traffic, managing TLS certificates, and application firewall support. Customers using WorkSpaces Core and third-party VDI solutions can take advantage of these features today. If you are interested in getting started on your end-user computing cloud journey, please contact your AWS account team or the EUC Specialist team.

Andrew Kloman Andrew is a Global Technology Lead, Digital Workplace Partners – Partner Solutions Architect at Amazon Web Services
Ivan O'Mahony Ivan O’Mahony is a Senior Product Manager for AWS End User Computing services, specifically Amazon WorkSpaces Core. He helps partners build and scale their cloud solutions for end customers using AWS services.