AWS for M&E Blog

Enterprise scale, security, and cost savings for creative workstations on AWS

In our second installment of Edit in the Cloud series, we covered getting started with virtual workstations powered by Amazon Elastic Compute Cloud (Amazon EC2)—a web service that provides secure, resizable compute capacity in the cloud—to meet the needs of creative workloads (for example, Blackmagic Design’s DaVinci Resolve) for media and entertainment (M&E).

In this post, you will learn how to take that initial deployment from test to production by introducing scaling automation, security, and cost management techniques. To do this, we will add two components to the environment—a connection broker to manage and control access to virtual workstations and a gateway to securely provide access to private workstations from the public internet (Figure 2).

Connection Broker

A connection broker is a control plane that provides remote access to your virtual workstation environment and management of the workstations, the users who access them, and the connection methods. A broker can have policies or rules that do the following:

  • Enforce the automatic provisioning and termination of workstations as demand changes
  • Assign users or groups of users to specific workstations or groups of workstations to limit access
  • Power workstations on and off automatically to save on running costs
  • Support multiple connection protocols to suit user preference or use case

Leostream Connection Broker

The Leostream Connection Broker is software that runs on Amazon EC2 T3 Instances—low-cost, general-purpose Amazon EC2 instances—for Linux. In a production deployment, following the AWS Well-Architected Framework concept of resiliency, the Leostream Connection Broker software is deployed as a “broker cluster.”

A broker cluster is two or more Amazon EC2 instances that are load balanced through Elastic Load Balancing (ELB)—which distributes network traffic to improve application scalability—and that share an external PostgreSQL database.

Each broker in the Leostream cluster is deployed to separate Availability Zones so that workstation connections can continue to be made if there is an issue in a single Availability Zone (Figure 1). The cluster instances are deployed in an Auto Scaling group of Amazon EC2 Auto Scaling—which lets users add or remove compute capacity to meet changes in demand—so that should an instance fail, a new one will launch to replace it (Figure 1). The database, which is deployed as an Amazon Aurora for PostgreSQL database cluster, and the Application Load Balancer (ALB) span Availability Zones (Figure 1). Aurora is a MySQL- and PostgreSQL-compatible relational database built for the cloud, and ALB provides advanced request routing targeted at delivery of modern application architectures.

Leostream Connection Broker deployment on AWS in a single region with two availability zones.

Figure 1 – Leostream Connection Broker deployment on AWS in a single region with two availability zones.

Leostream Gateway

The Leostream Gateway lets remote users securely access private workstations. These private workstations are deployed to private subnets and have no route to the internet. The Leostream Gateway supports NICE DCV (a high-performance remote display protocol), Remote Desktop Protocol, Virtual Network Computing protocol, and SSH (Secure Shell). For accessing workstations through the Teradici PCoIP protocol, a Teradici Connection Manager and Security Gateway is used instead of the Leostream Gateway.

The Leostream Gateway is software that runs on Amazon EC2 instances. In a well-architected production deployment, the gateway instances are deployed in a load-balanced, multi-AZ, and automatically scaled configuration (Figure 2). The gateway provides access to remote users connecting from the public internet, and it is deployed to public subnets, which have a route to the internet (Figure 2).

Leostream and Teradici gateway deployment on AWS using Elastic Load Balancing in the public subnet to forward connections to Leostream Connection Broker and workstations in the private subnet

Figure 2 – Production Leostream Gateway deployment

Scaling Automation

When you launch tens to hundreds (or more) Amazon EC2 instances manually—whether you do so in the AWS Management Console or using infrastructure-as-code (IAC) tools like AWS CloudFormation (which lets you model, provision, and manage AWS and third-party resources by treating infrastructure as code), you’ll find that this process does not scale well for user workstations that must be dynamically deployed based on demand.

Leostream solves this issue with “pool” configurations that let the Leostream Connection Broker automatically provision workstations. With this configuration option, if the number of available workstations (those not in use) drops below a user-defined threshold, Leostream Connection Broker launches workstations to meet the user-defined number of available workstations in the pool.

AWS Identity and Access Management (AWS IAM) lets you securely manage access to AWS services and resources. Leostream uses AWS IAM user credentials to access the Amazon EC2 API and launch instances from user-provided Amazon Machine Images (AMIs), which provide the information required to launch the instances (Figure 3). Leostream pools further reduce the management of deploying workstations by automating the process of naming workstations, joining them to an Active Directory domain, attaching user-defined security groups and AWS IAM instance profiles, and launching them to user-defined subnets.

Security design with AWS Identity and Access Management (IAM) and Leostream Connection Broker

Figure 3 – Leostream Connection Broker’s Amazon EC2 API access for provisioning workstations


The first step to securing virtual workstations is removing them from direct access to the public internet and deploying them to private subnets. Placing workstations in a public subnet is convenient for testing and proofs of concept, but this configuration presents a potential security risk. If security groups are not managed properly, workstations can be accessed by bad actors. Although deploying workstations in a private subnet removes them from direct inbound internet access, internet access for tasks such as web browsing and checking email is provided using a public Network Address Translation (NAT) gateway (Figure 4).

Deploying workstations to a private subnet reduces the potential attack surface of the environment to the gateway load balancer. Workstations are further protected by a security group that only permits protocol traffic that originates from the gateways.

The gateway only accepts connections from users that the broker has authenticated and authorized. Authentication is provided by the Leostream Connection Broker through local user creation or integration with Active Directory. Active Directory integration lets users log in to their workstations with the same familiar and centrally managed credentials that they use to access other enterprise resources. Leostream Connection Broker can integrate with existing Active Directory deployments or work alongside AWS Directory Service for Microsoft Active Directory (AWS Managed Microsoft AD), which lets directory-aware workloads and AWS resources use managed Active Directory on AWS (Figure 4).

For an added layer of security, Leostream Connection Broker integrates with Remote Authentication Dial-In User Service (RADIUS) servers (for example, the Okta RADIUS Server agent) to add multi-factor authentication (MFA) to the user authentication process.

Leostream and Teradici deployment on AWS with a public subnet for remote streaming connections via a gateway, and outbound NAT connections; and a private subnet for broker and workstation infrastructure.

Figure 4 – Leostream virtual workstation environment security and authentication integration

The Leostream Connection Broker user interface lets administrators manage what workstations authenticated users are authorized to use. For example, editors might be given access to high-powered GPU-based Amazon EC2 G4 instances (cost-effective GPU instances for machine learning inference and graphics-intensive applications) with assistant editors only given access to lower-powered, lower-cost instances to perform their less-graphics-intensive work.

Cost Savings

By making sure that Amazon EC2 instances are not left running when not in use, you can save money on your AWS bill, particularly when the instances are larger Amazon EC2 G4 Instance types. Leostream Connection Broker provides the ability to automate power control of your workstations by letting users define granular power control plans that determine what action should be taken after users log out of their workstations or are inactive for defined periods of time. For example, a power control plan can be configured to wait 1 hour after a user logs out of a workstation and then shut the workstation off. Additional Leostream configurations let users automatically start stopped workstations and launch new workstations on login as needed.

Getting Started

For users who are comfortable with deploying their own infrastructure, Leostream has both Leostream Connection Broker and Leostream Gateway AMIs available from the AWS Marketplace, a sales channel where you can find, buy, deploy, and manage software solutions. If you are using Teradici PCoIP, the Teradici Connection Manager and Security Gateway must be installed on an Amazon EC2 instance as described in Teradici’s installation guide.

AWS CloudFormation templates for quickly deploying the infrastructure discussed in this article will be released in a subsequent post.


In this post, we described how to add enterprise scale, security, and cost savings to Amazon EC2 workstations using a broker and gateway. Although many customers might be comfortable deploying infrastructure on their own, we realize some might be new to the cloud. Dedicated M&E experts at AWS can provide prescriptive guidance and necessary resources to optimize your cloud production. Click here to connect to our team.

Ryan McKeague

Ryan McKeague

Ryan McKeague is a Media and Entertainment Specialist Solutions Architect focused on Media Supply Chain at AWS. He has over 10 years of experience in various industry roles ranging from the set to the studio, and has a passion for optimizing media workflows, particularly in post-production and non-linear delivery. Prior to AWS, he held Director, Architect, and Post Supervisor roles at companies like Panavision, Amazon Studios, and The Walt Disney Studios.

Matt Herson

Matt Herson

Matt Herson is a Sr. Solution Architect Leader in Content Production enabling global media customers to successfully run production workflows on AWS. With over 15 years of experience, Matt as a passion of innovation in the post production space. Prior to AWS, he held roles as the Director of Technology, Post IT Manager, DIT, and Chief Architect roles managing a large number of teams around the word.