Extending corporate and government software services – Workspaces Backed By SimpleAD

Extending corporate and government software services – Workspaces Backed By SimpleAD

Here at PolarSeven we have worked with various corporate and government customers to get services that once ran on desktops into the AWS Cloud so more internal and external workers can utilize the services. The technology we use to accomplish the task is AWS Workspaces. Where applications and databases already reside in the AWS Cloud, working with the corporate IT to establish connectivity to access such services can be time consuming and sometimes are strictly not allowed where the connection is encrypted.

 

In a recent project we were tasked to architect and provision an active directory backed AWS Workspaces environment leveraging AWS SimpleAD. Provisioning separate credentials to the corporate credentials was not of concern for this customer, as users of this solution would be internal and external customers. To provision users in SimpleAD, you may use traditional active directory user management tools, or you may create a user in the same workflow when creating AWS Workspaces in the AWS console.

 

Other components of this solution requires AWS RDS MSSQL cluster in a highly-available configuration and a number of EC2 instances running the server software connected to the client software installed on the AWS Workspaces.

PolarSeven leveraged the ‘CloudBerry Drive’ software which is available for free with AWS Workspaces. ‘Cloudberry Drive’ will allow for an AWS S3 Bucket to be presented as a windows file share. At PolarSeven leveraging AWS S3 in this manner is often avoided for high volume data transfers. The project had very low amounts of data transfer and storage requirements which led to the decision to use Cloudberry Drive.

 

In order to provide a common file share between AWS Workspaces and the AWS EC2 instances, PolarSeven also installed the CloudBerry Drive service on the AWS EC2, licensed through the AWS MarketPlace. Providing software licenses through AWS Marketplace allowed for allocation of such software package without requiring further approval by the customers finance and IT team.

 

At PolarSeven we provision all resources with AWS CloudFormation. CloudFormation was used to create the AWS Workspaces instances, SimpleAD, EC2 and RDS instances so we could easily create the environment again if necessary.

 

The customer requirements dictated the software to install onto the AWS Workspaces. The software was installed by hand due to the complexity of the software. To facilitate this, an ‘image builder’ AWS Workspace instance has been provisioned with a user from SimpleAD of the same name.

 

Some important notes PolarSeven discovered when provisioning an AWS Workspace for image building purposes:

– The Workspaces instance must NOT be encrypted.

– The userprofile directory ‘D drive’ must be less than 10GB in size.

There are other conditions checked which are mentioned further here:

https://docs.aws.amazon.com/workspaces/latest/adminguide/create-custom-bundle.html

 

When attempting to take an image of the AWS Workspace, these items are checked and will error if any of the above is discovered.

 

Some other activities should always be completed before creating an image:

  • Execute a Windows Update to the latest available patches
  • Run ‘Disk Cleanup’ on C and D drive. This may allow you to reduce the D drive size for meeting the above requirements
  • Setup the current user profile with any shortcuts, registry keys or any other configuration, as this same user profile will be used as the end-users profile when provisioning a new AWS Workspace from this image.

 

AWS Workspace Custom Bundles is used to bundle the image into a ready-to-launch Workspace instance.

When creating a custom bundle, you select the AWS Workspace resources available and the size of the C and D drives.

 

When provisioning end-user AWS Workspaces, only then encryption can applied. When enabling encryption, select the desired KMS key to encrypt the Workspace.

 

AWS Workspaces provides two costing models for the AWS Workspace instances.

Monthly and Hourly.

 

An important note: if your workspaces environment runs for longer than 8 hours a day, everyday, it may be more cost effective to use the monthly costing model. The pricing model can be changed at any time on running AWS Workspace instances. The hourly pricing model does allow for an ‘auto-stop’ option which can be configured from 1 hour to 48 hours. This setting indicates that the end-user AWS Workspace will be automatically ‘stopped’ if no activity for the ‘auto-stop’ time. If the AWS Workspace instance is stopped, no data is lost.

 

AWS will automatically backup each end-users Workspaces instance every 12 hours, in the event of a failure, AWS will re-provision the end users Workspace from the latest snapshot. Some data loss may be experienced if there are changes within the 12 hours window. In the same way, when an AWS Workspace is ‘rebuilt’, the latest snapshot will be used. If the AWS Workspace is ever terminated, any data stored on the user AWS Workspace and related snapshots will also be terminated.

 

For more Amazon type explanation you can read the docs here:

https://docs.aws.amazon.com/workspaces/latest/adminguide/amazon-workspaces.html

 

If you’re looking to get this solution implemented for you PolarSeven are accredited to sell to the public sector and already have great clients like NSW DoJ, NSW DFSI and NSW OEH.

2019-01-25T05:16:48+00:00