AWS Messaging – Desktop & App Streaming



Desktop & App Streaming

  • AWS offers two managed end user computing services running on the AWS cloud – Amazon WorkSpaces and Amazon AppStream 2.0.
  • With these services, you can move your desktops and applications to AWS, and get enhanced security, low cost pay-as-you-go pricing, on-demand scaling, and global availability.


Amazon WorkSpaces

  • Enables you to provision cloud-based virtual desktops for your users, known as WorkSpaces.
  • Eliminates the need to procure and deploy hardware or install complex software.

  • Features

○Select from a range of hardware configurations, software configurations, and AWS regions.

○Connect to your WorkSpace and pick up from right where you left off.

○Amazon WorkSpaces provides the flexibility of either monthly or hourly billing for WorkSpaces.

○Deploy and manage applications for your WorkSpaces using Amazon WorkSpaces Application Manager.

○Use the same tools to manage WorkSpaces that you use to manage on-premises desktops.

○Use multi-factor authentication (MFA) for additional security (WorkSpaces MFA is delivered through a RADIUS server configured on the directory in AWS Directory Service).

○Use AWS Key Management Service (AWS KMS) to encrypt data at rest, disk I/O, and volume snapshots.

  • Architecture

○Each WorkSpace is associated with a virtual private cloud (VPC) and with a directory.

○Directories are managed through the AWS Directory Service.

○Amazon WorkSpaces authenticates users against that directory: an AWS Directory Service directory (Simple AD or AWS Managed Microsoft AD) or your existing Microsoft AD reached through AD Connector or a trust relationship.

○Users access their WorkSpaces using a client application from a supported device or a web browser and log in with their directory credentials.


  • The following devices are supported:

○Windows computers

○Mac computers

○Android tablets

○Fire tablets

○Zero client devices

Configure a VPC for Amazon WorkSpaces

  • Amazon WorkSpaces launches your WorkSpaces in a virtual private cloud (VPC).
  • Configure your directory to launch your WorkSpaces in the private subnets.
  • To give WorkSpaces in a private subnet outbound internet access, place a NAT gateway in a public subnet and route 0.0.0.0/0 from the private subnets to it.
  • Users reach their WorkSpaces through the managed WorkSpaces streaming gateways, not by connecting to the instances directly, so the WorkSpaces need no public IP addresses and the NAT gateway provides outbound access only.


Port Requirements for Amazon WorkSpaces

  • To connect to your WorkSpaces, the network that your Amazon WorkSpaces clients are connected to must allow outbound traffic on certain ports to the IP address ranges of the relevant AWS services.
  • These address ranges vary by AWS region (AWS publishes them in ip-ranges.json).
  • The same ports must also be open on any firewall running on the client device.
    • Ports for Client Applications

    ○Port 443 (TCP): client registration, authentication and updates

    ○Port 4172 (UDP and TCP): PCoIP streaming of the desktop session

    • Ports for Web Access

    ○Port 53 (UDP)

    ○Port 80 (UDP and TCP)

    ○Port 443 (UDP and TCP)
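The port list above only becomes an enforceable firewall policy once it is paired with the per-region address ranges. The following is an added example (not code from the page or from AWS) that turns the client-application ports and a region into an explicit egress allow-list. It assumes the layout of the public ip-ranges.json file (a "prefixes" list whose entries carry "ip_prefix", "region" and "service", with the WorkSpaces gateways published under the service name WORKSPACES_GATEWAYS); the prefixes embedded below are constructed placeholders, not real AWS ranges. The same filter with service AMAZON and region us-east-1 yields the ranges the CloudWatch metrics requirement mentioned later on this page refers to.

```python
import ipaddress
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json.
# The CIDRs are documentation/placeholder prefixes, NOT real AWS ranges;
# fetch the real file in practice.
SAMPLE_IP_RANGES_JSON = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "WORKSPACES_GATEWAYS"},
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "WORKSPACES_GATEWAYS"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})

# Ports from the list above: 443/TCP carries registration, authentication and
# client updates; 4172 is the PCoIP streaming port and needs both protocols.
CLIENT_PORTS = (("tcp", 443), ("tcp", 4172), ("udp", 4172))


def load_sample() -> dict:
    """Parse the constructed ip-ranges document."""
    return json.loads(SAMPLE_IP_RANGES_JSON)


def prefixes_for(ip_ranges: dict, service: str, region: str) -> list:
    """Unique, sorted CIDRs published for one service in one region."""
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in ip_ranges["prefixes"]
        if p["service"] == service and p["region"] == region
    }
    return [str(n) for n in sorted(nets)]


def egress_rules(ip_ranges: dict, region: str, ports=CLIENT_PORTS) -> list:
    """(proto, port, cidr) triples a client-side firewall must allow outbound."""
    cidrs = prefixes_for(ip_ranges, "WORKSPACES_GATEWAYS", region)
    return [(proto, port, cidr) for proto, port in ports for cidr in cidrs]


def iptables_lines(rules) -> list:
    """Render the triples as iptables OUTPUT rules for a Linux client."""
    return [
        f"iptables -A OUTPUT -p {proto} -d {cidr} --dport {port} -j ACCEPT"
        for proto, port, cidr in rules
    ]


def is_allowed(rules, proto: str, port: int, dest_ip: str) -> bool:
    """Troubleshooting helper: would this destination be permitted by the rules?"""
    addr = ipaddress.ip_address(dest_ip)
    return any(
        p == proto and pt == port and addr in ipaddress.ip_network(cidr)
        for p, pt, cidr in rules
    )


if __name__ == "__main__":
    data = load_sample()
    for line in iptables_lines(egress_rules(data, "us-east-1")):
        print(line)
    # CloudWatch metrics additionally need 443/TCP to the AMAZON entries in us-east-1.
    print(prefixes_for(data, "AMAZON", "us-east-1"))
```

Because the allow-list is scoped to one region, a client that is pointed at a WorkSpace in a different region fails the is_allowed check rather than silently succeeding, which is the symptom to look for when a connection hangs on port 4172.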

Manage Directories for Amazon WorkSpaces

  • Amazon WorkSpaces uses a directory to store and manage information for your WorkSpaces and users.
  • You can use one of the following options:

○AD Connector (proxies authentication to your existing on-premises Microsoft AD)

○Microsoft AD (AWS Managed Microsoft AD, a managed directory hosted in your VPC)

○Simple AD (a standalone, Samba-based directory)

○Cross trust (a trust relationship between AWS Managed Microsoft AD and your on-premises domain)

Launch a Virtual Desktop Using Amazon WorkSpaces

  • With Amazon WorkSpaces, you can provision cloud-based virtual desktops for your users, known as WorkSpaces, in the AWS cloud.
  • Amazon WorkSpaces uses a directory to store and manage information for your WorkSpaces and users.
  • AWS Directory Service creates two directory servers, one in each of two private subnets of your VPC; the two subnets must be in different Availability Zones.
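The VPC guidance earlier on this page (launch WorkSpaces in private subnets, NAT gateway in a public subnet) and the two-subnet directory layout above are easy to get wrong in one specific way: a subnet with no explicit route-table association inherits the VPC main table, and if that table carries an Internet-gateway default route the "private" subnet is in fact public. The following is an added example (not the page's or AWS's code) that checks a pair of candidate subnets before they are handed to Directory Service. It assumes the response shapes of the EC2 DescribeSubnets and DescribeRouteTables APIs (Subnets[].SubnetId/AvailabilityZone, RouteTables[].Routes[]/Associations[]); every identifier in the sample data is a constructed placeholder.

```python
# Constructed sample in the shape of EC2 DescribeSubnets / DescribeRouteTables
# responses; every ID below is a placeholder, not a real AWS resource.
SAMPLE_SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0pub1a", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-0sample"},
    {"SubnetId": "subnet-0priv1a", "AvailabilityZone": "us-east-1a", "VpcId": "vpc-0sample"},
    {"SubnetId": "subnet-0priv1b", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-0sample"},
    # No explicit route-table association: falls back to the VPC main table.
    {"SubnetId": "subnet-0orphan", "AvailabilityZone": "us-east-1b", "VpcId": "vpc-0sample"},
]}

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0main", "VpcId": "vpc-0sample",
     "Associations": [{"Main": True, "RouteTableId": "rtb-0main"}],
     # A main table with an IGW default route silently makes any unassociated subnet public.
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0sample"}]},
    {"RouteTableId": "rtb-0public", "VpcId": "vpc-0sample",
     "Associations": [{"Main": False, "SubnetId": "subnet-0pub1a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0sample"}]},
    {"RouteTableId": "rtb-0private", "VpcId": "vpc-0sample",
     "Associations": [{"Main": False, "SubnetId": "subnet-0priv1a"},
                      {"Main": False, "SubnetId": "subnet-0priv1b"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0sample"}]},
]}


def route_table_for(route_tables: dict, subnet_id: str) -> dict:
    """Explicit association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError("no main route table in response")
    return main


def classify_subnet(route_tables: dict, subnet_id: str) -> str:
    """'public' (IGW default route), 'private' (NAT default route) or 'isolated'."""
    for route in route_table_for(route_tables, subnet_id).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
        if route.get("NatGatewayId"):
            return "private"
    return "isolated"


def validate_directory_subnets(subnets: dict, route_tables: dict, chosen: list) -> list:
    """Problems with the subnets you are about to hand to Directory Service."""
    problems = []
    by_id = {s["SubnetId"]: s for s in subnets["Subnets"]}
    if len(chosen) != 2:
        problems.append(f"Directory Service needs exactly two subnets, got {len(chosen)}")
    for sid in chosen:
        if sid not in by_id:
            problems.append(f"{sid}: not found in the VPC")
            continue
        kind = classify_subnet(route_tables, sid)
        if kind == "public":
            problems.append(f"{sid}: default route goes to an Internet gateway; "
                            "WorkSpaces should launch in private subnets")
        elif kind == "isolated":
            problems.append(f"{sid}: no default route, so WorkSpaces there will have "
                            "no Internet access (add a NAT gateway route if needed)")
    azs = {by_id[s]["AvailabilityZone"] for s in chosen if s in by_id}
    if len(chosen) == 2 and len(azs) < 2:
        problems.append("both subnets are in the same Availability Zone; the two "
                        "directory servers must be in different AZs")
    return problems


if __name__ == "__main__":
    for pick in (["subnet-0priv1a", "subnet-0priv1b"],
                 ["subnet-0priv1a", "subnet-0orphan"],
                 ["subnet-0pub1a", "subnet-0priv1a"]):
        print(pick, validate_directory_subnets(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, pick) or "OK")
```

The second sample pick is the interesting one: subnet-0orphan sits in a second AZ and looks private on a diagram, but the check reports it as public because nothing but the main route table governs it.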

Administer Your WorkSpaces

  • Each WorkSpace is assigned to a single user and cannot be shared by multiple users.
  • Whenever you launch a WorkSpace, you must assign it to a user that does not already have a WorkSpace.
  • The running mode of a WorkSpace determines its immediate availability and how you pay for it.
  • You can choose between the following running modes when you create the WorkSpace:

○AlwaysOn: the WorkSpace is always running and is billed monthly.

○AutoStop: the WorkSpace stops after a configurable period of disconnection and is started again when the user reconnects; it is billed hourly.

  • You can organize and manage your WorkSpaces by assigning your own metadata to each WorkSpace in the form of tags.
  • You specify a key and a value for each tag.
  • You can apply tags to a WorkSpace when you launch it or apply them to the WorkSpace later on.
  • Each tag automatically applies to all Amazon WorkSpaces Application Manager (WAM) applications and WAM-related service charges for the WorkSpace.
    • When you launch a WorkSpace, you have the option to encrypt the root volume (C: drive) and the user volume (D: drive) using AWS KMS customer master keys (CMKs).
    • This ensures that the data stored at rest, disk I/O to the volume, and snapshots created from the volumes are all encrypted.
    • Encryption can only be chosen at launch; an existing unencrypted WorkSpace cannot be encrypted afterwards, so a non-compliant WorkSpace has to be replaced with a newly launched encrypted one.
    • Reboot a WorkSpace

    ○Rebooting a WorkSpace performs a shutdown and restart of the WorkSpace.

    ○The user data, operating system, and system settings are not affected.

    • Rebuild a WorkSpace

    ○Rebuilding a WorkSpace causes the following to occur:

    ■The system is restored to the most recent image of the bundle that the WorkSpace is created from, so any applications or settings installed on the root volume after launch are lost.

    ■The data drive (D drive) is recreated from the last automatic snapshot taken of the data drive, so changes made to it since that snapshot are lost.

    • Delete a WorkSpace

    ○When you are finished with a WorkSpace, you can delete it.

    ○You can also delete related resources.
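Because volume encryption cannot be added to a WorkSpace after launch and the running mode decides the billing model, both are worth auditing across a fleet rather than checking one WorkSpace at a time. The following is an added example (not code from the page or from AWS) that evaluates a DescribeWorkspaces response against a simple policy: both volumes encrypted, the expected KMS key in use, and AutoStop timeouts within a limit. It assumes the response shape of the WorkSpaces DescribeWorkspaces API (Workspaces[].RootVolumeEncryptionEnabled, UserVolumeEncryptionEnabled, VolumeEncryptionKey and WorkspaceProperties.RunningMode / RunningModeAutoStopTimeoutInMinutes); the sample response, its IDs, user names and key ARN are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed sample in the shape of a WorkSpaces DescribeWorkspaces response;
# IDs, user names, account number and key ARNs are placeholders.
EXPECTED_KEY = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"
OTHER_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-1111-1111-1111-111111111111"
SAMPLE_RESPONSE = {"Workspaces": [
    {"WorkspaceId": "ws-0aaaaaaaa", "DirectoryId": "d-0000000001", "UserName": "alice",
     "State": "AVAILABLE", "RootVolumeEncryptionEnabled": True,
     "UserVolumeEncryptionEnabled": True, "VolumeEncryptionKey": EXPECTED_KEY,
     "WorkspaceProperties": {"RunningMode": "AUTO_STOP",
                             "RunningModeAutoStopTimeoutInMinutes": 60}},
    {"WorkspaceId": "ws-0bbbbbbbb", "DirectoryId": "d-0000000001", "UserName": "bob",
     "State": "AVAILABLE", "RootVolumeEncryptionEnabled": False,
     "UserVolumeEncryptionEnabled": True, "VolumeEncryptionKey": EXPECTED_KEY,
     "WorkspaceProperties": {"RunningMode": "ALWAYS_ON"}},
    {"WorkspaceId": "ws-0ccccccccc", "DirectoryId": "d-0000000001", "UserName": "carol",
     "State": "STOPPED", "RootVolumeEncryptionEnabled": True,
     "UserVolumeEncryptionEnabled": False, "VolumeEncryptionKey": OTHER_KEY,
     "WorkspaceProperties": {"RunningMode": "AUTO_STOP",
                             "RunningModeAutoStopTimeoutInMinutes": 600}},
]}


@dataclass
class Finding:
    workspace_id: str
    user: str
    issues: list


def billing_model(running_mode: str) -> str:
    """AlwaysOn WorkSpaces are billed monthly, AutoStop WorkSpaces hourly."""
    return {"ALWAYS_ON": "monthly", "AUTO_STOP": "hourly"}[running_mode]


def audit_workspaces(response: dict, expected_key: str = None,
                     max_autostop_minutes: int = 60) -> list:
    """One Finding per WorkSpace that violates the encryption or running-mode policy."""
    findings = []
    for ws in response["Workspaces"]:
        issues = []
        # Encryption is launch-time only, so the remediation is replacement, not a rebuild.
        if not ws.get("RootVolumeEncryptionEnabled"):
            issues.append("root volume (C:) not encrypted; replace with a newly launched encrypted WorkSpace")
        if not ws.get("UserVolumeEncryptionEnabled"):
            issues.append("user volume (D:) not encrypted; replace with a newly launched encrypted WorkSpace")
        key = ws.get("VolumeEncryptionKey")
        if expected_key and key and key != expected_key:
            issues.append(f"volumes use unexpected KMS key {key}")
        props = ws.get("WorkspaceProperties", {})
        mode = props.get("RunningMode")
        if mode not in ("ALWAYS_ON", "AUTO_STOP"):
            issues.append(f"unknown running mode {mode!r}")
        elif mode == "AUTO_STOP":
            timeout = props.get("RunningModeAutoStopTimeoutInMinutes", 0)
            if timeout > max_autostop_minutes:
                issues.append(f"AutoStop timeout {timeout} min exceeds policy maximum {max_autostop_minutes}")
        if issues:
            findings.append(Finding(ws["WorkspaceId"], ws.get("UserName", "?"), issues))
    return findings


def summarize(response: dict) -> dict:
    """Count WorkSpaces per billing model, the other thing the running mode determines."""
    counts = {"monthly": 0, "hourly": 0}
    for ws in response["Workspaces"]:
        counts[billing_model(ws["WorkspaceProperties"]["RunningMode"])] += 1
    return counts


if __name__ == "__main__":
    for f in audit_workspaces(SAMPLE_RESPONSE, expected_key=EXPECTED_KEY):
        print(f.workspace_id, f.user)
        for issue in f.issues:
            print("   -", issue)
    print(summarize(SAMPLE_RESPONSE))
```

Against real data the response would come from the DescribeWorkspaces API (paginated with NextToken), but the policy logic is the same; the expected key ARN is the one parameter a practitioner must fill in for their own account.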

WorkSpace Bundles and Images

  • A WorkSpace bundle is a combination of an operating system, and storage, compute, and software resources.
  • When you launch a WorkSpace, you select the bundle that meets your needs.
  • You can create an image from a WorkSpace that you’ve customized, create a custom WorkSpace bundle from the image, and launch WorkSpaces from your custom bundle.
  • By creating a custom bundle, you can ensure that the WorkSpaces for your users have everything that they need already installed.

Monitoring Amazon WorkSpaces

  • Amazon WorkSpaces and Amazon CloudWatch are integrated, so you can gather and analyze performance metrics for your WorkSpaces.
  • CloudWatch also allows you to set alarms that fire when a metric crosses a specified threshold.
  • To get CloudWatch metrics, enable outbound access on port 443 from your WorkSpaces to the address ranges listed for the AMAZON service in the us-east-1 region (the AMAZON subset of ip-ranges.json).
  • Dimensions for Amazon WorkSpaces Metrics

    Dimension     Description
    DirectoryId   Limits the data you receive to the WorkSpaces in the specified directory. The DirectoryId value is in the form d-XXXXXXXXXX.
    WorkspaceId   Limits the data you receive to the specified WorkSpace. The WorkspaceId value is in the form ws-XXXXXXXXXX.

