Streaming from interface VPC endpoints for Regulated environments with AppStream 2.0

Customers with strict compliance requirements such as financial industries, healthcare, and government sectors use End User Compute (EUC) solutions to regulate access and centralize tooling. For these organizations, users are often required to connect to a Virtual Private Network (VPN) to access the private corporate network. In this blog, I explain how users with such a constraints can stream a remote desktop session through the browser while facilitating the streaming traffic remain within the customer’s private network, including their virtual private cloud (VPC) and VPN connection.

Solution Overview

AppStream 2.0 is a non-persistent desktop and application streaming solution. It can be accessed without traffic traversing the internet through an interface VPC endpoint in a Private Subnet within a VPC. With this configuration, a user connected to the network using a Client VPN can stream traffic across the VPN, rather than the internet.

You can also build an image for a desktop or application by streaming the AppStream 2.0 image builder using a VPC endpoint. You can use Amazon S3 to store and load in application packages, and download them from AppStream 2.0 image builder through an Amazon S3 VPC endpoint.

However, note that user authentication traffic still must traverse the internet. The Client VPN must use split tunnels for the authentication traffic to go through the internet while the streaming traffic remains within the VPC. With this, AppStream 2.0 sessions connect to AWS Identity and Access Management (IAM) and internet-based identity providers for user authentication.

In this blog, you walk through how this solution can be deployed. You use AWS Client VPN, AWS IAM Identity Center for authentication and Amazon Managed Active Directory for the user identity store. Additionally, Amazon FSx for Windows File Server can be mapped as a network drive for users to store files persistently. Applications on the customer private network that are connected to the VPC can also be accessed from AppStream 2.0 instances.

Note: to meet strict compliance requirements, where the traffic has to remain within the private corporate network, deploying AppStream 2.0 to a private subnet and using VPC endpoints for streaming can result in a performance trade-off compared to streaming AppStream 2.0 via the public internet, and this trade-off is dependent on the VPN used.

Architecture Diagram for AppStream 2.0 streaming through a VPN connection

Solution Walkthrough

Set up the VPC and VPC Endpoints:

Create a VPC with private and public subnets in at least two Availability Zones. The private subnets do not require a route to an internet gateway or NAT gateway.
Create AppStream 2.0 interface VPC streaming endpoints in the private subnets using this guide.
Create an Amazon S3 interface VPC endpoint in the private subnets. Refer to this documentation for more information about how to use Amazon S3 interface VPC endpoints.

Set up an Amazon Managed Active Directory in Directory Service:

Create an Amazon Managed Active Directory with “directory type” as “Microsoft AD” with domain controller endpoints in the two private subnets within the selected VPC. Refer to this guide for more details.
Create an administrator and some test users in the directory.

Configure DNS settings:

For the selected VPC, verify that “Enable DNS resolution” and “Enable DNS hostnames” are both checked
Create a new DHCP options set with the domain name servers being the private IP addresses of your Active Directory domain controllers. Configure your VPC to use this DHCP options set. Refer to this guide for more details.
Using a Windows-based domain-joined EC2 instance deployed in the public subnet, configure the DNS settings for the domain such that it uses the VPC Amazon DNS server (the reserved IP address at the base of the VPC IPv4 network range, plus two). This is instead of the public Amazon DNS server (169.254.169.253). In doing so, DNS resolution to IP addresses within the VPC are prioritized, and the AppStream 2.0 DNS names resolve to the AppStream 2.0 ENIs. Refer to DNS attributes for your VPC for more information.

Set up AWS Client VPN:

Add the VPC IP range to the ingress configuration.
Configure the Client VPN to use split tunnel.
Verify that the VPN endpoint security group allows inbound traffic from the VPC IP range and allows all outbound traffic.

Create an AppStream 2.0 Image:

Upload application packages using the AWS Management Console, or CLI, to an S3 bucket. Ensure that the AppStream 2.0 role used by the image builder has the permissions to access the S3 bucket. Use PowerShell for AWS to download the files to the image builder instance.
Create an AppStream 2.0 image builder instance in a private subnet and ensure it uses a VPC endpoint by selecting the AppStream 2.0 streaming VPC endpoint in the Availability Zone that the instance is deployed in. Configure the instance to use the domain created.
Create a streaming URL using the AWS Management Console or CLI to generate a streaming URL that can be used to connect to the image builder instance.
Connect to the VPN and use the streaming URL to connect to the AppStream 2.0 Image Builder. Perform application or desktop configuration and test the applications using the required users.
Once testing is complete, publish the image. Publishing the image will disconnect you from the instance.

Set up AppStream 2.0:

Create a Directory Config in AppStream 2.0 to join instances in a fleet to the domain.
Create a new fleet using the image that was created. Select the private subnets to deploy the instances to and set Default Internet Access to Disabled.
Create a stack, and associate it with the fleet.
Configure AppStream 2.0 as a SAML application for AWS IAM Identity Center. For more information review, enable federation with AWS single sign-on and Amazon AppStream 2.0.

Summary of your connection work flow

You connect to the VPN using a VPN client. Note that this blog post uses AWS Client VPN, other Client VPN solutions can also work.
You launch a browser window to the authentication page for AWS IAM Identity Center and completes authentication with their AD credentials. The authentication must access IAM, and also your identity provider. This is why the split tunnel configuration on the VPN for internet access is required.
You select the AppStream 2.0 SAML application configured. This launches a new browser tab for AppStream 2.0.
Once the instance has started, you can be prompted to enter your Microsoft Active Directory password again before the application or desktop launches. To remove the prompt, use Certificate-Based Authentication. For more information, review seamless Active Directory domain logon architecture with Amazon AppStream 2.0 .

Clean up

Delete the AWS Client VPN endpoints.
Stop and terminate the AppStream 2.0 image builder, stack, and fleet..
Delete the AppStream 2.0 image.
Delete any package files uploaded to Amazon S3.
Delete the AWS IAM Identity Center configuration
Delete Managed Windows Active Directory, Amazon FSx for Windows File Server and VPC Endpoints.
Delete DHCP option, security groups, subnets, VPC, and IAM roles.

Conclusion

This blog post describes how you can use a non-persistent application or desktop streaming solution to streaming traffic within the Amazon VPC and customer private networks to meet compliance requirements. AppStream 2.0 images can be created using internet-free access and users will use AWS Client VPN and AWS Identity Center SAML federation to authenticate with the streaming instance via the internet.

Julia is a Solutions Architect based in Singapore. She has worked with customers in a range of fields, from health and public sector to digital native businesses, to adopt solutions according to their business needs. She has also been supporting customers in Southeast Asia and beyond to use AI & ML in their businesses. Outside of work, she enjoys learning about the world through traveling and engaging in creative pursuits.

Desktop and Application Streaming