This is the second blog in our Remote Working series. The first, Remote Working with AWS, is at https://polarseven.com/remote-working/remote-working-with-aws.
A quick overview of WorkSpaces…
Amazon WorkSpaces is a scalable Desktop-as-a-Service (DaaS) solution provided by AWS. It is a secure and managed cloud desktop that allows users to leverage a Windows or Linux desktop, giving them the option to access it from any supported device.
We believe these are the top five features of WorkSpaces for an Australian enterprise looking to enable remote working:
Security
One of the most crucial elements of Amazon WorkSpaces is cloud security. When users become AWS customers, they gain the advantage of a data centre and network architecture built to meet the demands of the most security-sensitive environments.
Cloud security and compliance are shared between AWS and the customer under the shared responsibility model, which distinguishes security of the cloud from security in the cloud. Security of the cloud is AWS’s job: AWS protects the infrastructure that runs its services, and third-party auditors regularly test and verify the effectiveness of that protection. Security in the cloud is the customer’s job, and its scope depends on the AWS services the customer uses, the sensitivity of their data, their company requirements, and applicable laws and regulations. The model relieves customers of operational burden because AWS operates, manages and controls the components from the host operating system and virtualisation layer down to the physical security of its facilities, while customers assume management of the guest operating system and application software. Customer responsibilities therefore vary with the services and configuration chosen, and that choice lets you configure Amazon WorkSpaces in a way that meets your security and compliance objectives.
Protecting your AWS account credentials and creating individual accounts with AWS Identity and Access Management (IAM) is imperative for data protection in Amazon WorkSpaces. Grant each user only the permissions required to do their job.
You should secure your data in the following ways:
- Require multi-factor authentication (MFA) on every account.
- Use TLS for all communication with AWS.
- Set up API and user activity logging with AWS CloudTrail.
- Use the AWS encryption solutions available within the AWS services you use.
- Use Amazon Macie, a managed security service that helps discover and protect personal data.
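The MFA and CloudTrail points above translate directly into a detection rule. The following Python is an added example, not code from PolarSeven or AWS: it scans CloudTrail records for sensitive WorkSpaces API calls made without MFA or from outside trusted network ranges. The sample records, account id, ARNs, trusted IP range and the set of actions treated as sensitive are constructed assumptions for the example.

```python
"""
Detection logic for Amazon WorkSpaces API activity recorded by AWS CloudTrail.

Added example; not code from PolarSeven or AWS. The records below are constructed
samples shaped like entries in a CloudTrail log file's "Records" array; the
account id, ARNs and IP addresses are placeholders.
"""
import ipaddress

# Assumed: WorkSpaces API actions that change who can reach the fleet or destroy desktops.
SENSITIVE_ACTIONS = {
    "AuthorizeIpRules", "RevokeIpRules", "DisassociateIpGroups", "DeleteIpGroup",
    "ModifyWorkspaceAccessProperties", "TerminateWorkspaces",
}

# Constructed: the corporate egress range administrators are expected to work from.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def mfa_authenticated(record: dict) -> bool:
    """True only when CloudTrail marks the calling session as MFA-authenticated.
    Calls signed with long-term access keys carry no sessionContext, so they count as no-MFA."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def from_trusted_network(record: dict) -> bool:
    """True when sourceIPAddress falls inside one of TRUSTED_NETWORKS."""
    try:
        ip = ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        # Service-initiated calls carry a DNS name here rather than an address.
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def findings(records):
    """One finding per sensitive WorkSpaces call made without MFA or from an untrusted source."""
    out = []
    for r in records:
        if r.get("eventSource") != "workspaces.amazonaws.com":
            continue
        if r.get("eventName") not in SENSITIVE_ACTIONS:
            continue
        reasons = []
        if not mfa_authenticated(r):
            reasons.append("no-mfa")
        if not from_trusted_network(r):
            reasons.append("untrusted-source-ip")
        if reasons:
            out.append({
                "eventTime": r.get("eventTime"),
                "eventName": r["eventName"],
                "principal": r.get("userIdentity", {}).get("arn"),
                "sourceIPAddress": r.get("sourceIPAddress"),
                "reasons": reasons,
            })
    return out


# Constructed sample records (placeholder account 123456789012, documentation IP ranges).
SAMPLE_RECORDS = [
    {   # Expected: allowed. MFA-backed role session from the office range.
        "eventTime": "2020-04-01T01:00:00Z", "eventSource": "workspaces.amazonaws.com",
        "eventName": "AuthorizeIpRules", "sourceIPAddress": "203.0.113.10",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/WsAdmin/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
    {   # Expected: flagged twice. Long-term access key (no session context), unknown IP.
        "eventTime": "2020-04-01T01:05:00Z", "eventSource": "workspaces.amazonaws.com",
        "eventName": "DisassociateIpGroups", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
    },
    {   # Expected: ignored. Read-only action.
        "eventTime": "2020-04-01T01:06:00Z", "eventSource": "workspaces.amazonaws.com",
        "eventName": "DescribeWorkspaces", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"},
    },
    {   # Expected: flagged once. MFA present, but the source is outside trusted ranges.
        "eventTime": "2020-04-01T01:10:00Z", "eventSource": "workspaces.amazonaws.com",
        "eventName": "TerminateWorkspaces", "sourceIPAddress": "198.51.100.7",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/WsAdmin/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
    },
]


def demo():
    """Run the detector over the constructed sample records."""
    return findings(SAMPLE_RECORDS)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the `records` argument would come from the `Records` array of each CloudTrail log object delivered to S3 (or from a CloudWatch Logs subscription); the logic is unchanged. Treating a missing session context as "no MFA" is deliberate: it surfaces long-term access keys being used for fleet-affecting changes, which the data-protection advice above is meant to prevent.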
AD Integration
With Amazon WorkSpaces, you can integrate your on-premises Microsoft Active Directory through a forest trust with AWS Directory Service for Microsoft Active Directory (also called AWS Managed Microsoft AD). Establishing the trust relationship lets you assign WorkSpaces to users in any on-premises domain.
Users sign in to their WorkSpaces with their existing Microsoft AD credentials; AWS Managed Microsoft AD routes each authentication request to the correct domain controller. AD Connector is the alternative: it validates users against an on-premises AD so they can access Amazon WorkSpaces. A separate AD Connector is needed for each AD domain that holds user accounts, so AD Connector suits environments with a single on-premises domain.
AWS Managed Microsoft AD is built on Microsoft Active Directory and does not require you to replicate data from your existing Active Directory to the cloud. It also makes it easy to join Amazon EC2 instances and Amazon RDS for SQL Server instances to your domain.
Many benefits come with AD Integration. These include:
- The option to migrate Active Directory-dependent applications to the AWS Cloud.
- Leveraging Microsoft Active Directory to manage users, groups and devices.
- A single directory for Active Directory-aware Amazon EC2 instances and AWS Enterprise IT applications.
- Extending existing domains to the AWS Cloud, so users keep their existing on-premises credentials.
- Centrally managing devices and applications in the AWS Cloud.
Easy, self-service provisioning
The self-service provisioning portal streamlines the process of provisioning WorkSpaces at any scale. WorkSpaces requests can be fulfilled without IT intervention, which reduces IT operational costs and gets end users set up quickly.
Furthermore, the built-in approval workflow makes the desktop approval process easier for franchises. The portal combines WorkSpaces with AWS application services to give you automated tools for provisioning Windows or Linux cloud desktops. Using a self-service portal with Amazon WorkSpaces limits the operational burden on IT and opens the door to automation and customisation, which simplifies WorkSpaces administration and delivers a better experience for end users.
IP Access Control Groups
IP access control groups act as virtual firewalls that control which IP addresses can reach your WorkSpaces. An IP access control group is associated with one or more directories, and you can create up to 100 IP access control groups per AWS account. Each directory has a default IP access control group, and you can associate up to twenty-five IP access control groups with a single directory.
The default group allows all traffic. When you associate your own IP access control group with a directory, the default group is disassociated automatically.
Add rules to your IP access control groups to specify the public IP addresses and ranges of your trusted networks. If users connect through a NAT gateway or VPN, add rules that allow traffic from the public IP addresses of that NAT gateway or VPN. Note that IP access control groups cannot be used with dynamic IP addresses on a NAT gateway; the NAT gateway must have a static public address.
It is simple to create an IP access control group:
- Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
- In the navigation pane, select IP Access Controls.
- Select ‘Create IP Group’.
- In the Create IP Group dialogue box, enter a name and description for the group, then create it.
- Select the group, then select ‘Edit’.
- Select ‘Add Rule’ once for each IP address or range you want to allow.
- For ‘Source’, enter the IP address or CIDR range.
- For ‘Description’, enter a description (this field is required).
- After adding your rules, save them.
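The same rules can be validated and applied from the AWS CLI rather than the console. The Python below is an added example, not code from PolarSeven or AWS: it checks a proposed rule set against the constraints described above (public addresses only, valid CIDR notation, a description on every rule, no catch-all range) and emits the `aws workspaces create-ip-group` and `aws workspaces associate-ip-groups` commands. The group name, directory id and CIDR ranges are constructed placeholders, and the /16 breadth threshold is an assumed local policy, not an AWS limit.

```python
"""
Pre-flight validation of Amazon WorkSpaces IP access control group rules,
followed by generation of the equivalent AWS CLI commands.

Added example; not code from PolarSeven or AWS. Group name, description,
directory id and CIDR ranges are constructed placeholders.
"""
import ipaddress
import json
import shlex
from typing import Optional

# Assumed local policy (not an AWS limit): a range broader than /16 is treated as a mistake.
MIN_PREFIX_LEN = 16

# Ranges that are never valid as public trusted-network rules.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]


def normalise(cidr: str) -> Optional[str]:
    """Return the rule in canonical IPv4 CIDR form, or None if it is not a valid network.
    strict=True rejects host bits set (e.g. 203.0.113.5/24); a bare address becomes /32."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:
        return None
    return net.with_prefixlen if net.version == 4 else None


def validate_rules(rules):
    """Return (rule index, problem) pairs; an empty list means the rules are safe to apply."""
    problems = []
    seen = set()
    for i, rule in enumerate(rules):
        cidr, desc = rule.get("ipRule", ""), rule.get("ruleDesc", "")
        net_str = normalise(cidr)
        if net_str is None:
            problems.append((i, f"{cidr!r} is not a valid IPv4 CIDR (host bits must be zero)"))
            continue
        net = ipaddress.ip_network(net_str)
        if net.prefixlen == 0:
            problems.append((i, "0.0.0.0/0 would allow every IP address and defeats the group"))
        elif any(net.overlaps(p) for p in NON_PUBLIC):
            problems.append((i, f"{net_str} is not a public range; rules must name public addresses"))
        elif net.prefixlen < MIN_PREFIX_LEN:
            problems.append((i, f"{net_str} is broader than /{MIN_PREFIX_LEN}; confirm this is intended"))
        if not desc.strip():
            problems.append((i, "a description is required for every rule"))
        if net_str in seen:
            problems.append((i, f"{net_str} is listed more than once"))
        seen.add(net_str)
    return problems


def cli_commands(group_name, group_desc, directory_id, rules):
    """Build the AWS CLI calls that create the group and attach it to a directory.
    Raises ValueError instead of emitting commands if any rule fails validation."""
    problems = validate_rules(rules)
    if problems:
        raise ValueError("; ".join(f"rule {i}: {msg}" for i, msg in problems))
    user_rules = [{"ipRule": normalise(r["ipRule"]), "ruleDesc": r["ruleDesc"]} for r in rules]
    create = (
        "GROUP_ID=$(aws workspaces create-ip-group"
        f" --group-name {shlex.quote(group_name)}"
        f" --group-desc {shlex.quote(group_desc)}"
        f" --user-rules {shlex.quote(json.dumps(user_rules))}"
        " --query GroupId --output text)"
    )
    associate = (
        f"aws workspaces associate-ip-groups --directory-id {shlex.quote(directory_id)}"
        ' --group-ids "$GROUP_ID"'
    )
    return [create, associate]


# Constructed sample input: an office egress range and a VPN concentrator's static public IP.
SAMPLE_RULES = [
    {"ipRule": "203.0.113.0/24", "ruleDesc": "Sydney office egress"},
    {"ipRule": "198.51.100.10/32", "ruleDesc": "VPN concentrator public IP"},
]
# Constructed sample input: rules that must be rejected before they reach AWS.
BAD_RULES = [
    {"ipRule": "10.0.0.0/8", "ruleDesc": "internal"},
    {"ipRule": "0.0.0.0/0", "ruleDesc": "everyone"},
    {"ipRule": "203.0.113.5/24", "ruleDesc": "host bits set"},
    {"ipRule": "198.51.100.10", "ruleDesc": ""},
]

if __name__ == "__main__":
    for cmd in cli_commands("corp-trusted", "Office and VPN egress", "d-EXAMPLE123", SAMPLE_RULES):
        print(cmd)
    for i, msg in validate_rules(BAD_RULES):
        print(f"rule {i}: {msg}")
```

The first emitted command captures the new group's id with `--query GroupId --output text` so the second can associate it with the directory; replace the placeholder directory id with your own. Passing `--user-rules` as JSON rather than shorthand syntax keeps descriptions containing commas intact.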
Business Continuity and DR
Business continuity planning (BCP) and disaster recovery (DR) are closely related disciplines that ensure a business keeps functioning after an adverse event. When working with Amazon WorkSpaces, business continuity and disaster recovery (BCDR) becomes a high priority: if end users rely on Amazon WorkSpaces as their primary desktop, your WorkSpaces fleet must be able to withstand a disaster.
You must understand what your business requires from a DR plan and what the timeframe is to execute the plan.
AWS’ cloud infrastructure is built on Regions and Availability Zones. Availability Zones are physically separate yet connected by low-latency, high-throughput links, which makes applications built across them highly available and fault-tolerant. Each WorkSpace is tied to the specific Amazon Virtual Private Cloud (VPC) and AWS Directory Service construct it was created from. Because every AWS Directory Service option requires two subnets to function, it is crucial to place each subnet in a different Availability Zone. Each directory is deployed across multiple Availability Zones, and monitoring detects failed domain controllers automatically.
AWS Directory Service offers three options for holding WorkSpaces users: Simple AD, AWS Managed Microsoft AD, or AD Connector.
Each deployed WorkSpace has two Amazon EBS volumes, so the failure of a single component does not lose data. This matters for DR because WorkSpaces and the services around it support teams at many levels of the organisation, letting them build scalable and secure cloud-based desktops. Teams that run domain controllers and other infrastructure on-premises and connect to their private VPCs through AWS Direct Connect should pay close attention to their network configuration and eliminate any single points of failure in the network paths they use. AWS has considered these aspects and established architecture patterns that provide a flexible working environment. One recommendation is a failover IPsec VPN, or a second, redundant Direct Connect connection that terminates at a different AWS Direct Connect point of presence. For further resiliency, customers can use multiple Direct Connect connections that terminate in different data centres on the customer side.
Amazon WorkSpaces optimises workflows and business processes. Its security features protect your sensitive business data. AD Integration provides flexible login options for your entire team. Self-service provisioning reduces IT operational burden and cost. Furthermore, you can manage access to WorkSpaces by controlling which IP addresses can reach them. Business continuity and DR should remain top of mind, and Amazon WorkSpaces provides numerous options for establishing your continuity strategy.
PolarSeven configure and manage Amazon WorkSpaces
Please visit https://polarseven.com/services/remoteworking/amazon-workspaces/ to learn more about our WorkSpaces offering, or go to https://polarseven.com/lets-chat/ to book a complimentary workshop with one of our engineers.