Provision Desktops in the Cloud
Learn how to provision, manage, and access Amazon WorkSpaces
Welcome
In this project, you’ll learn how to deploy cloud desktops using Amazon WorkSpaces and the AWS Directory Service. Amazon WorkSpaces is a fully managed, secure desktop computing service which runs on the AWS cloud. Amazon WorkSpaces allows you to easily provision cloud-based virtual desktops and provide your users access to the documents, applications, and resources they need. The AWS Directory Service makes it easy to set up and run Microsoft Active Directory (AD) in the AWS cloud, or to connect your AWS resources with an existing on-premises Microsoft Active Directory.
What you’ll accomplish:
- Provision Cloud Desktops using Amazon WorkSpaces, and access them using the Amazon WorkSpaces client application, available for Windows and Mac computers, Chromebooks, iPads, Fire tablets, and Android
- Create a new directory using Microsoft AD and add As part of the project, you’ll learn how to assign Amazon WorkSpaces to users in your Microsoft AD.
- Perform basic administrative tasks using the AWS Management Console. You’ll learn how to reboot and rebuild Amazon WorkSpaces, create your own custom image which you can use for provisioning new Amazon WorkSpaces, and remove Amazon
What you’ll need before starting:
- An AWS Account: You will need an AWS account to begin provisioning Amazon Sign-up for AWS.
- Skill level: A basic understanding of desktop computing and Microsoft AD is helpful but not
- AWS Experience: No prior experience with AWS is required to complete this
Step 1. Prepare an AWS Account
- If you don’t already have an AWS account, create one at http://aws.amazon.com by following the on-screen Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.
- Navigate to the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.
- Select a valid region from the drop-down list in the upper
Amazon Web Services currently hosts services in twelve regions in various geographic areas. Amazon WorkSpaces are available in six of the current regions (see figure 1 below).
Figure 1: Choosing a region for WorkSpaces
Note
For help selecting the closest region, we provide a health check page with Round Trip Time to all service regions at http://health.amazonworkspaces.com.
Step 2: Create VPC and Subnets
For WorkSpaces to function correctly, you will need to have one public subnet and two private subnets. The easiest way to do this is to use the VPC Wizard, which creates one public subnet, one private subnet, a NAT gateway, and an Internet Gateway (IGW) for you. If you use the VPC Wizard, you will not have to manually create the routing tables between the subnets. Before we create the VPC, we’ll need to allocate an Elastic IP address.
First, allocate an Elastic IP (EIP) address in your preferred region. To do this, in the navigation pane of the Amazon EC2 console (https://console.aws.amazon.com/ec2), choose Elastic IPs under the Network & Security section, and choose Allocate New Address, then Yes, Allocate. Take note of the resulting EIP address. (See figure 3 below)
Figure 3: Allocating an Elastic IP address
To create your VPC using the VPC wizard
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose VPC Dashboard, Start VPC Wizard. If you do not already have any VPC resources, locate the Your Virtual Private Cloud area of the dashboard and choose Get started creating a VPC.
3. Choose VPC with Public and Private Subnets, Select (see figure 4 below).
Figure 4: Creating VPCs with the VPC wizard
4. Enter the following information into the wizard and choose Create VPC.
VPC wizard fields
- IP CIDR block: 10.0.0.0/16
- VPC Name: WorkSpaces VPC
- Public subnet: 10.0.0.0/24
- Availability Zone: No Preference
- Public subnet name: WorkSpaces Public Subnet
- Private subnet: 10.0.1.0/24
- Availability Zone: No Preference
- Private subnet name: WorkSpaces Private Subnet 1
- Elastic IP Allocation ID: Select the Elastic IP Allocation ID that corresponds with the address you created in the prior section. This will be assigned to the NAT gateway.
- Add endpoints for S3 to your subnets: Leave as none
- Enable DNS hostnames: Leave default selection
- Hardware tenancy: Default
5. It takes several minutes for the VPC to be created. After the VPC is created, proceed to the following section.
Notes
i. VPC names and subnet names are for identification purposes only; you may use any descriptors that are meaningful to you.
ii. Take note of the Availability Zone in which the wizard creates the private subnet. You will need to create an additional private subnet in the following step, and it must be in a different Availability Zone than the one created via the wizard.
Add a Second Private Subnet
Create the second private subnet by performing the following steps:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Subnets, select the subnet with the name WorkSpaces Private Subnet 1, and choose the Summary tab at the bottom of the page. Make a note of the Availability Zone of this subnet (see figure 5 below).
Figure 5: Identifying the Availability Zone for WorkSpaces Private Subnet 1
3. Choose Create Subnet, enter the following information in the Create Subnet dialog box, and choose Yes, Create.
Subnet 2 Settings
- Name tag: WorkSpaces Private Subnet 2
- VPC: Select your VPC. This is the VPC with the name WorkSpaces VPC.
- Availability Zone: Select any Availability Zone other than the one noted in step 2. The two subnets used by Amazon WorkSpaces must reside in different Availability Zones.
- CIDR Block: 10.0.2.0/24
Modify the Route Tables
Modify the route tables for your subnets by performing the following steps:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Subnets and select the subnet with the name WorkSpaces Public Subnet. At the bottom of the page, choose the Route Table tab and make a note of the Route Table identifier for the subnet. The route table identifier will be similar to rtb-XXXXXXXX.
3. In the navigation pane, choose Route Tables, select the route table identified in the previous step, and change the name to WorkSpaces Public Route Table.
4. At the bottom of the page, choose the Routes tab and verify that the following entries are in the WorkSpaces Public Route Table. Modify the route table if needed by choosing Edit.
NAT Subnet Route Table
- Destination 10.0.0.0/16, Target local
- Destination 0.0.0.0/0, Target igw-XXXXXXXX
This routes all traffic destined for the VPC locally, and traffic destined to all other IP addresses to the Internet Gateway (IGW) that was created with the Amazon VPC wizard. igw-XXXXXXXX identifies the Internet Gateway.
5. In the navigation pane, choose Subnets and select the subnet with the name WorkSpaces Private Subnet 1. At the bottom of the page, choose the Route Table tab and make a note of the Route Table identifier for the subnet. The route table identifier will be similar to rtb-XXXXXXXX.
6. Select the subnet with the name WorkSpaces Private Subnet 2 and choose the Route Table tab at the bottom of the page. The route table identifier should be the same for WorkSpaces Private Subnet 1 and WorkSpaces Private Subnet 2. If the route table for WorkSpaces Private Subnet 2 is different, edit the entry to make them the same.
7. In the navigation pane, choose Route Tables, select the WorkSpaces route table identified previously, and change the name to WorkSpaces Private Route Table.
8. At the bottom of the page, choose the Routes tab and verify a local route for the VPC range, and a NAT route for 0.0.0.0/0 as shown below.
WorkSpaces Subnets Route Table
- Destination 10.0.0.0/16, Target local
- Destination 0.0.0.0/0, Target nat-XXXXXXXXXXXXXXXXX
This routes all traffic destined for the VPC locally, and traffic destined to all other IP addresses to the NAT gateway. nat-XXXXXXXXXXXXXXXXX identifies the NAT gateway.
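The route-table layout of Step 2 can be verified after the fact against the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` return, rather than by eyeballing the console. The script below is an added example written for this page; it is not part of the tutorial or of any AWS tooling. It runs over constructed sample data shaped like that JSON (every subnet, route table, igw- and nat- identifier is a placeholder) and reports any subnet whose default route, shared route table or Availability Zone departs from the layout described above. The check that matters most for the directory controllers placed in the private subnets is that their only path to the Internet is the NAT gateway, never a direct Internet Gateway route.

```python
# Constructed sample data, shaped like the output of
# `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` for the VPC
# built in Step 2. All identifiers are placeholders, not real resources.
SUBNETS = {
    "Subnets": [
        {"SubnetId": "subnet-0pub00000", "CidrBlock": "10.0.0.0/24",
         "AvailabilityZone": "us-east-1a",
         "Tags": [{"Key": "Name", "Value": "WorkSpaces Public Subnet"}]},
        {"SubnetId": "subnet-0priv0001", "CidrBlock": "10.0.1.0/24",
         "AvailabilityZone": "us-east-1a",
         "Tags": [{"Key": "Name", "Value": "WorkSpaces Private Subnet 1"}]},
        {"SubnetId": "subnet-0priv0002", "CidrBlock": "10.0.2.0/24",
         "AvailabilityZone": "us-east-1b",
         "Tags": [{"Key": "Name", "Value": "WorkSpaces Private Subnet 2"}]},
    ]
}

ROUTE_TABLES = {
    "RouteTables": [
        {"RouteTableId": "rtb-0pub000000",
         "Associations": [{"SubnetId": "subnet-0pub00000"}],
         "Routes": [
             {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-XXXXXXXX"}]},
        {"RouteTableId": "rtb-0priv00000",
         "Associations": [{"SubnetId": "subnet-0priv0001"},
                          {"SubnetId": "subnet-0priv0002"}],
         "Routes": [
             {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0",
              "NatGatewayId": "nat-XXXXXXXXXXXXXXXXX"}]},
    ]
}


def subnet_name(subnet: dict) -> str:
    """Name tag of a subnet, falling back to its id."""
    for tag in subnet.get("Tags", []):
        if tag["Key"] == "Name":
            return tag["Value"]
    return subnet["SubnetId"]


def route_table_for(route_tables: dict, subnet_id: str):
    """Route table explicitly associated with a subnet, or None."""
    for table in route_tables["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in table.get("Associations", [])):
            return table
    return None


def default_route_target(table: dict) -> str:
    """Target of the 0.0.0.0/0 route (igw-*, nat-*, ...), or '' if absent."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId") or ""
    return ""


def check_workspaces_vpc(subnets: dict, route_tables: dict,
                         vpc_cidr: str = "10.0.0.0/16") -> list:
    """Return findings describing where the layout departs from Step 2.

    Checks: one public subnet whose default route is an Internet Gateway, two
    private subnets sharing one route table whose default route is a NAT
    gateway, a local route for the VPC range in every table, and the two
    private subnets in different Availability Zones. Subnets are classified
    by the words 'Public'/'Private' in their Name tag.
    """
    findings = []
    public = [s for s in subnets["Subnets"] if "Public" in subnet_name(s)]
    private = [s for s in subnets["Subnets"] if "Private" in subnet_name(s)]
    if len(public) != 1 or len(private) != 2:
        findings.append(f"expected 1 public and 2 private subnets, "
                        f"found {len(public)} and {len(private)}")

    tables = {}
    for subnet in public + private:
        name = subnet_name(subnet)
        table = route_table_for(route_tables, subnet["SubnetId"])
        tables[subnet["SubnetId"]] = table
        if table is None:
            findings.append(f"{name}: no route table is associated with it")
            continue
        if not any(r.get("DestinationCidrBlock") == vpc_cidr
                   and r.get("GatewayId") == "local" for r in table["Routes"]):
            findings.append(f"{name}: missing local route for {vpc_cidr}")
        # A private subnet must reach the Internet only through the NAT gateway;
        # a direct igw- default route would expose the directory controllers.
        expected = "igw-" if subnet in public else "nat-"
        target = default_route_target(table)
        if not target.startswith(expected):
            findings.append(f"{name}: default route target is "
                            f"'{target or 'missing'}', expected {expected}*")

    private_ids = {tables[s["SubnetId"]]["RouteTableId"]
                   for s in private if tables[s["SubnetId"]] is not None}
    if len(private_ids) > 1:
        findings.append("private subnets use different route tables: "
                        + ", ".join(sorted(private_ids)))

    zones = {s["AvailabilityZone"] for s in private}
    if len(private) == 2 and len(zones) < 2:
        findings.append("both private subnets are in the same Availability Zone "
                        + zones.pop())
    return findings


if __name__ == "__main__":
    for line in check_workspaces_vpc(SUBNETS, ROUTE_TABLES) or ["layout matches Step 2"]:
        print(line)
```

To use it against a live account, replace the two constructed dictionaries with the parsed output of the two describe commands for the VPC; an empty findings list means the public subnet, the shared private route table and the Availability Zone split are as the wizard and the manual steps above produce them.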
Step 3: Create an Amazon WorkSpaces Directory in the Cloud
Amazon WorkSpaces uses a directory to store and manage WorkSpace and user information, and you can have Amazon WorkSpaces create this directory in the cloud for you using Simple AD or Microsoft AD. Additionally, you can connect to an existing Active Directory using the Active Directory Connector.
Creating a Microsoft AD Directory
For this walkthrough, we’ll create a Microsoft AD Directory using the Amazon Directory Services console.
To create the Microsoft AD directory
1. Open the Amazon Directory Services console at https://console.aws.amazon.com/directoryservice/.
2. Choose Get Started Now.
3. Choose Create Microsoft AD.
4. Provide the following information:
- Directory DNS: The fully qualified name for the directory, such as workspaces.demo.com
- NetBIOS name: The short name for the directory, such as workspaces
- Administrator password: The password for the directory administrator. The directory creation process creates an administrator account with the user name Admin and this password. Note password requirements below.
- Confirm password: Retype the administrator password.
- Description: An optional description for the directory.
Administrator password requirements
The password for the directory administrator. The directory creation process creates an administrator account with the user name Admin and this password.
The password cannot include the word “admin.”
The directory administrator password is case-sensitive and must be between 8 and 64 characters in length. It must also contain at least one character from three of the following four categories:
• Lowercase letters (a-z)
• Uppercase letters (A-Z)
• Numbers (0-9)
• Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
5. Provide the following information in the VPC Details section and choose Next Step.
- VPC: The VPC for the directory (WorkSpaces VPC, or the VPC with IP range 10.0.0.0/16).
- Subnets: Select the two private subnets, WorkSpaces Private Subnet 1 and WorkSpaces Private Subnet 2, for the directory servers (IP ranges 10.0.1.0/24 and 10.0.2.0/24).
6. Review the directory information and make any necessary changes. When the information is correct, choose Create Microsoft AD.
It takes several minutes for the directory to be created. When it has been successfully created, the Status value changes to “ACTIVE”.
Step 4: Launch WorkSpaces
Once the directory is set up, WorkSpaces can be launched from the console.
1. Navigate to https://console.aws.amazon.com/workspaces/. Choose Launch WorkSpaces (see figure 6 below).
2. Select the directory you created in the previous section and choose Next Step. WorkSpaces will register your directory with the WorkSpaces service; this could take up to five minutes.
3. You can now either add users to your directory or select from existing users. Since we just created this directory, you’ll need to create at least one user. Enter all of the appropriate information for the new user, and choose Create. The user accounts you created will automatically be added to the WorkSpaces list. See figure 7 below.
Figure 7: Creating and selecting a user
Notes
i. The first WorkSpace you provision in this walkthrough will be used to create a master image for subsequent deployments, so you may wish to indicate that by naming the first account “ImageBuilder”.
ii. It’s important to use a valid email address where you can receive email so that you can receive the one-time activation link. In order for this user account to become active, you need to set a password by following the instructions on the activation page. If you don’t use a valid email address, you’ll need to retrieve the registration link from the console.
4. Next you will assign a WorkSpaces Bundle to the user you just created. For this walkthrough, select the Performance bundle and assign it to the user you created in the prior step (see figure 8 below).
Figure 8: Selecting a WorkSpaces Bundle, and assigning it to a user
5. You are now presented with the WorkSpaces Configuration options (see figure 9 below). On this screen, you can select the AlwaysOn or AutoStop running mode, enable encrypted drives, and specify tags. Note that the AlwaysOn running mode is used for monthly billing, and AutoStop for hourly billing. Configure this WorkSpace for AutoStop, choose an option for Encryption, and click Next. Note that encrypting the Root Volume will increase the time required to provision a WorkSpace, but there is no operational performance impact once provisioned.
Figure 9: WorkSpaces Configuration
6. On the next screen you will verify the details, then choose Launch WorkSpaces, which will start the process and will take around 60 minutes to complete (20 minutes if you did not select the option to encrypt the root volume). During this process, your WorkSpace will show a status of “PENDING”. Once completed, the user will receive an email containing the Registration Code with instructions on downloading the client (https://clients.amazonworkspaces.com/).
If you do not receive the email, you can see the content of this message by selecting the user’s WorkSpace and selecting Actions, Invite User (see figure 10 below).
Figure 10: Retrieving the activation link for a user
7. Follow the link in the Invitation email to complete your user profile, download the WorkSpaces Client, and connect to the WorkSpace.
Step 5: Customise the Initial WorkSpace
By this point, you should be logged in to your first Amazon WorkSpace. Now, let’s update the WorkSpace and add some applications.
1. Run Windows Update and apply any updates to bring your client up to date. Reboot when prompted; it takes around 5 minutes to reboot a WorkSpace, and note that some Windows Updates will cause the restart to take longer. Once all Windows Updates have been applied, we’ll continue customising this WorkSpace.
2. Change the Wallpaper.
3. Install the Chrome browser from http://www.google.com/chrome.
4. Download and install the latest version of Notepad++ from https://notepad-plusplus.org/download.
5. Choose Start, Run, and type “Server Manager” (Amazon WorkSpaces runs Windows Server 2008 R2 with the Windows 7 Experience Pack). Start Server Manager.
6. In Server Manager, choose Features. After Server Manager finishes collecting data, choose Add Features from the Action menu (see figure 11 below).
Figure 11: Adding features using Server Manager
7. Under Remote Server Administration Tools, Role Administration Tools, select AD DS and AD LDS Tools and choose Next (see figure 12 below).
Figure 12: Adding Active Directory administrator capabilities
8. The Add Features Wizard will prompt you to restart the WorkSpace after adding this role. Go ahead and restart. After about 5 minutes, reconnect to your WorkSpace.
9. The Server Manager Wizard will automatically resume. Close it once it completes.
10. Choose Start, Run, and type “Users and Computers.” You should see the Active Directory Users and Computers administrative tool. Hold Ctrl+Shift, right-click Active Directory Users and Computers, and choose “Run as different user”.
11. When prompted, enter Admin as the username, and the password you used when creating the directory in Step 3 (see figure 13 below).
Figure 13: Run as Admin
12. This is your Microsoft AD directory. Go to the workspaces.demo.com domain, expand the workspaces Organizational Unit (OU), and select the Users OU (see figure 14 below).
Figure 14: Active Directory view
13. From the Action menu, select New, then User, and create a new Test User in your directory (see figure 15 below).
Figure 15: Adding a new user to your Active Directory
We’ll use this user later when deploying an additional WorkSpace, so on the next screen, set a password you’ll remember, and deselect “User must change password at next logon.” After creating the user account, right-click Test User, select Properties, and specify an email address. Without an email address, you won’t be able to provision a WorkSpace in later steps.
14. Close the Active Directory Users and Computers console, and restart the WorkSpace.
Step 6: Create a Custom Image and Bundle.
Now that you’ve customised your WorkSpace, it’s time to create an image that you can use for subsequent deployments.
1. Go to the WorkSpaces console at https://console.aws.amazon.com/workspaces.
2. Ensure the status of the WorkSpace assigned to ImageBuilder is “AVAILABLE”.
3. Select the ImageBuilder WorkSpace, choose Actions, Create Image (see figure 16 below).
Figure 16: Creating a new image for future WorkSpaces
4. Give the image a Name and Description, then choose Create Image. This process takes approximately 45 minutes to complete. The ImageBuilder WorkSpace will be unavailable during this time (see figure 17 below).
Figure 17: Naming your new image
You can monitor the progress from the Images section of the WorkSpaces console. Once the Image Status changes to “AVAILABLE”, your ImageBuilder WorkSpace will reboot and be available for use.
5. Once the image is complete, we need to create a bundle based on this Image. On the Images page, select the new image, choose Actions, and Create Bundle (see figure 18 below).
Figure 18: Creating a bundle with your new image
6. Give the bundle a name, description, and select the Performance hardware type, then choose Create Bundle (see figure 19 below).
Figure 19: Creating your new bundle
Note
The Hardware Type does not have to match the hardware type you used when creating the initial WorkSpace.
7. Back on the main WorkSpaces console, choose Launch WorkSpace.
8. Select the workspaces.demo.com directory and choose Next Step.
9. Choose “Show All Users” and check the Test User account you previously created, then choose Add Selected, and Next Step.
10. Assign your custom bundle to the testuser account and choose Next Step (see figure 20 below).
Figure 20: Using your new bundle to create a new WorkSpace
11. Choose AutoStop for Running Mode on the WorkSpaces Configuration screen, then click Next Step.
12. Click Launch WorkSpaces on the Review & Launch screen. It will take approximately 60 minutes for your WorkSpace to complete, if you selected the option to encrypt the root volume.
13. Once the WorkSpace for Test User is complete, connect to the WorkSpace using the WorkSpaces client. Note, registration codes are unique per directory, so the registration code will be the same as it was for your initial WorkSpace.
14. Once you’re at the desktop for the Test User WorkSpace, you should see:
• The Wallpaper is the same as for your ImageBuilder WorkSpace.
• Chrome and Notepad++ are installed.
• The Active Directory Remote Server Administration Tools are already available.
• The WorkSpace has all Windows Updates available up to the point where you created the Image.
Step 7: Reboot and Rebuild
The two primary actions you’ll use when troubleshooting a WorkSpace are Reboot and Rebuild. If you’re connected to the WorkSpace, you can always restart the WorkSpace as with any other Windows client, from the Start menu. For this example, we’re going to connect to the WorkSpace, then force an administrative reboot from the WorkSpaces console.
Rebooting
1. After confirming the state of the Test User WorkSpace, connect to the WorkSpace, then go back to the main screen of the WorkSpaces console. While still logged in and connected to the Test User WorkSpace, select the Test User WorkSpace in the console, choose Actions, and then Reboot WorkSpaces (see figure 21 below).
Figure 21: Rebooting your WorkSpace
Rebuilding
Rebuilding a WorkSpace is a more destructive action. The system volume (Drive C) will be rebuilt from the image used to provision the WorkSpace, and the User Data volume (Drive D) will be restored to the last snapshot. Any new applications installed to the System volume will not be restored. Snapshots of the Data volume are taken every 12 hours, but the exact time varies. For this lab, if you wish to see the snapshot recovery in action, you may wish to write some data files to the D: drive, then come back 12 hours later to try the rebuild operation.
Let’s see how a Rebuild works.
1. Connect to the Test User WorkSpace.
2. Go to Add or Remove Programs
3. Uninstall Notepad++
4. Go to https://www.sublimetext.com/3 and download the installer for Windows 64 bit. Save the downloaded file on the D drive.
5. Run the install with the default install directory of c:\Program Files\Sublime Text 3. Now, your Test User WorkSpace has Sublime Text 3 installed, but you’ve removed Notepad++. If you rebuild right now, you’ll revert to the prior state, but since this WorkSpace is less than 12 hours old, you will not get an updated snapshot of the D volume. To see the data volume snapshot restore at work, you’ll have to pause the lab and come back tomorrow. If you wish, go ahead and copy some additional files to the D: volume.
...12 hours later
Welcome back! Let’s continue with the Rebuild operation.
6. Log back in to the WorkSpaces console.
7. Select the Test User WorkSpace.
8. Choose Actions, Rebuild WorkSpace. You’ll be prompted to confirm (see figure 22 below).
Figure 22: Rebuilding a WorkSpace
The rebuild operation takes about half an hour to complete. Once the process is complete, reconnect to the Test User WorkSpace. You should notice the following:
• SublimeText is gone.
• Notepad++ is back.
• Assuming you waited at least 12 hours, any files you created on the D drive are still present.
This would include the SublimeText installer you previously downloaded and saved to the D volume.
Step 8: Modify Running Mode Properties
Amazon WorkSpaces provides the flexibility to pay monthly or hourly. With monthly billing, you pay a fixed monthly fee for unlimited usage during the month. With hourly billing you pay a small fixed monthly fee per WorkSpace to cover infrastructure costs and storage, and a low hourly rate for each hour the WorkSpace is used during the month. To pay monthly, your Amazon WorkSpace needs to be configured to run in the AlwaysOn running mode. To pay hourly, your Amazon WorkSpace needs to be configured to run in the AutoStop running mode. You can mix monthly and hourly billing within your AWS account, and you can also switch between billing options at any time during a billing period to optimize your AWS bill. You can learn more about billing options and pricing here.
To change the running mode for one of your WorkSpaces:
1. Log back in to the WorkSpaces console.
2. Select the Test User WorkSpace (previously configured to run in the AutoStop running mode).
3. Click Actions, and select Modify Running Mode Properties as shown in Figure 23.
Figure 23: Changing the Running Mode Properties
4. Select the new running mode for your WorkSpace as shown in Figure 24.
Figure 24: Changing the Running Mode Properties
5. You’ll see the Running Mode reflected in the console. For AutoStop instances, there are additional options under the Actions menu to start or stop the WorkSpace.
Step 9: Cleanup
Congratulations! You’ve successfully provisioned a WorkSpace, created an Image of the initial WorkSpace, created a Bundle from the Image, deployed a new WorkSpace from a custom Bundle, rebooted and rebuilt a WorkSpace, and switched Running Modes. If you’re ready to clean up the environment, you’ll have to delete components in the right order.
Go to the WorkSpaces console. Under Bundles, select your custom bundle, choose Actions, and Delete Bundle. The action will not succeed, because all WorkSpaces built from that bundle must be deleted first. The same is true if you attempt to delete the Image while a Bundle is still attached to the Image.
To unwind what we’ve done:
1. Go to the WorkSpace page, select the Test User WorkSpace, choose Actions, Remove WorkSpaces, and confirm by choosing Remove WorkSpaces.
2. After the WorkSpace terminates, go to Bundles, select the custom bundle, choose Actions, Delete Bundle.
3. Now go to Images. Select the custom image, Actions, Delete Image.
4. If you want to delete the directory, you’ll need to remove the ImageBuilder WorkSpace as well. Go back to the WorkSpaces page, select the ImageBuilder WorkSpace, choose Actions, Remove WorkSpaces, and confirm.
5. Before deleting the directory, we have to de-register from the WorkSpace service.
6. Go to the Directories tab of the WorkSpaces console. Select the directory, choose Actions, Deregister (see figure 25 below).
Figure 25: Deregistering Amazon WorkSpaces from your Microsoft AD service
7. Select the Directory again, but this time, choose Actions, then Delete, and confirm (see figure 26 below).
Figure 26: Deleting your Microsoft AD
It will take a few minutes for the directory to delete. Wait for the process to complete.
8. You can now go to the VPC console and delete the WorkSpaces VPC (see figure 27 below).
Figure 27: Deleting your WorkSpaces VPC
9. Delete the Elastic IP address from the