Amazon WorkSpaces Rollout


In the Media and Entertainment industry, the demand for high-performance, scalable, and secure workspaces is more critical than ever. Processing large media files, which often calls for dedicated graphics processors (GPUs), requires an infrastructure that delivers on efficiency and reliability. This guide is tailored to our client OmniCorp (a pseudonym), a major player in the Media and Entertainment industry, as it rolls out Amazon WorkSpaces. The following sections cover the technical and implementation details needed to roll out Amazon WorkSpaces smoothly, with an environment suited to heavy processing tasks, security, and productivity.

Amazon WorkSpaces offers considerable business value, including:

  • True on-demand desktop as a service with no upfront investment in infrastructure (hardware, software, or licenses)
  • Cost-effective billing, either hourly on-demand usage charges or a flat monthly rate for dedicated use
  • Global availability and a wide range of hardware, from everyday laptop equivalents to powerful engineering workstations, which adds a great deal of productivity
  • Reduced exposure from lost or stolen end-user devices, since data stays in AWS rather than on the endpoint, plus a recovery path from ransomware or corruption: WorkSpaces automatically takes snapshots of the root and user volumes every 12 hours, and a WorkSpace can be restored to its last healthy snapshot

Understanding Amazon WorkSpaces

Amazon WorkSpaces redefines how organizations provide desktop computing services to remote and contingent workers. This cloud-based solution offers a versatile range of cloud desktops, catering to various computing needs. From standard 2 vCPU / 8 GB configurations to robust engineering workstations equipped with dedicated GPUs and substantial CPU and memory capacity, Amazon WorkSpaces ensures a tailored experience for each user.

Traditional on-premises virtualization-based desktop services require more compute power and additional hosts as the number of virtual desktop users grows. Amazon WorkSpaces offers scalability on demand. It can swiftly accommodate increasing users, ensuring your workforce can grow seamlessly with your organization’s requirements.

The end-user experience is simple and user-friendly. Users install the Amazon WorkSpaces client, which is available for Windows, macOS, Linux, mobile devices, and the web browser, and connect remotely to their assigned cloud desktop. The desktop is streamed over AWS's global infrastructure using the PCoIP or Amazon DCV (formerly WorkSpaces Streaming Protocol) streaming protocol, giving a responsive experience close to that of a local machine.

Security is paramount with Amazon WorkSpaces. Centralizing data storage within the AWS ecosystem mitigates the security risks associated with endpoint devices. Additionally, the pay-as-you-go pricing model enhances flexibility and significantly reduces costs for managing a contingent workforce. Amazon WorkSpaces empowers organizations to provide secure, scalable, and cost-efficient desktop computing services, making it an indispensable solution in today’s remote and dynamic work environment.

Amazon WorkSpaces Components

Amazon WorkSpaces will be launched within the VPCs associated with the OmniCorp AWS accounts listed below.

Account | Purpose | Region(s)
--- | --- | ---
Non-Production | Test and evaluation | us-east-1
Production | WorkSpaces for various teams | us-east-1 for EPICOR (ERP) and AutoCAD users; ap-south-1 for MENA users
Shared services | AD domain controller only | 

Directory Service

OmniCorp chose to authenticate all WorkSpaces users against its existing Active Directory domain, so the same identity also provides single sign-on to the applications integrated with Okta or Windows AD.

The WorkSpaces directory was created using AWS AD Connector, pointed at a Windows domain controller in the shared-services account. That domain controller is part of the AD forest set up on-premises. AD Connector proxies authentication requests to the domain controllers and caches nothing in the cloud, so the on-prem AD remains the single source of identity. The following diagram illustrates this architecture.

Three separate AWS accounts provided the required isolation and control for the WorkSpaces setup. Test and validation WorkSpaces were created in the non-prod account, and the prod account was used to launch production WorkSpaces for end users. The shared-services account held the connectivity to on-prem and the Windows domain controllers joined to the on-prem AD forest. An AWS Transit Gateway provided connectivity between the VPCs of all three accounts and with gateways such as Direct Connect for on-prem connectivity.

IT control of Amazon WorkSpaces through the directory service

Self-service options that would let OmniCorp end users incur additional cost have been disabled. This covers the ability of end users to change their WorkSpace's compute type (machine type) or its running mode. Self-service permissions are set per directory and apply to every WorkSpace registered to it.

If a WorkSpace is corrupted by unauthorized activity, such as installing adware-bundled applications, IT support must be engaged for remediation.
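As an added example (not OmniCorp's or AWS's code), the following boto3-style script audits every WorkSpaces directory for self-service permissions that let users raise their own bill and applies a locked-down baseline where it finds drift. It uses the real WorkSpaces API calls DescribeWorkspaceDirectories and ModifySelfservicePermissions; the client is injected so the logic can be exercised offline with a fake. Disabling volume-size increases and self-service rebuild, in addition to compute type and running mode, is an assumption made here for a stricter baseline than the page states.

```python
"""Audit and lock down WorkSpaces self-service permissions on every directory.

Added example (not OmniCorp's or AWS's code). Directory ids seen at run time
come from the account; the test injects a fake client with constructed data.
"""

# Self-service options that let a user change their own bill or wipe their own
# WorkSpace. The page names compute type and running mode; adding volume size
# and rebuild to the deny list is an assumption made here for a stricter baseline.
COST_OR_RISK_PERMISSIONS = (
    "ChangeComputeType",
    "SwitchRunningMode",
    "IncreaseVolumeSize",
    "RebuildWorkspace",
)

# Desired per-directory state: restart stays enabled so users can recover a
# hung session themselves; everything else goes through IT support.
DESIRED_PERMISSIONS = {
    "RestartWorkspace": "ENABLED",
    "IncreaseVolumeSize": "DISABLED",
    "ChangeComputeType": "DISABLED",
    "SwitchRunningMode": "DISABLED",
    "RebuildWorkspace": "DISABLED",
}


def find_drift(client):
    """Return {directory_id: [enabled risky permission, ...]} across all
    directories registered with WorkSpaces, following NextToken paging."""
    drift = {}
    kwargs = {}
    while True:
        resp = client.describe_workspace_directories(**kwargs)
        for directory in resp.get("Directories", []):
            perms = directory.get("SelfservicePermissions", {})
            enabled = [p for p in COST_OR_RISK_PERMISSIONS if perms.get(p) == "ENABLED"]
            if enabled:
                drift[directory["DirectoryId"]] = enabled
        token = resp.get("NextToken")
        if not token:
            return drift
        kwargs = {"NextToken": token}


def remediate(client, drift, dry_run=True):
    """Apply DESIRED_PERMISSIONS to each drifted directory.
    Returns the directory ids that were (or, in dry-run mode, would be) changed."""
    changed = []
    for directory_id in sorted(drift):
        if not dry_run:
            client.modify_selfservice_permissions(
                ResourceId=directory_id,
                SelfservicePermissions=DESIRED_PERMISSIONS,
            )
        changed.append(directory_id)
    return changed


if __name__ == "__main__":
    import boto3  # real run only; the offline test injects a fake client instead

    ws = boto3.client("workspaces", region_name="us-east-1")
    found = find_drift(ws)
    for directory_id, perms in found.items():
        print(f"{directory_id}: users may {', '.join(perms)}")
    print("would change:", remediate(ws, found, dry_run=True))
```

Because the permissions are a property of the directory rather than of individual WorkSpaces, one call per directory covers every WorkSpace registered to it. Run with dry_run=True first and review the list before applying; the script needs workspaces:DescribeWorkspaceDirectories and workspaces:ModifySelfservicePermissions on the account it audits.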

OmniCorp WorkSpaces Images

A custom image can be generated from a WorkSpace once its Windows or Linux installation has been customized. The image captures only the operating system, installed software, and configuration of that WorkSpace; data on the user volume is not part of it. The OmniCorp IT team created the following images:

  • A foundational Windows 10 image for interns featuring Box, Zoom, Office 365, and a few other applications.
  • An ERPApp user image with the ERP application client and Office 365.
  • A specialized AutoCAD image for CAD users.

OmniCorp Bundles

A WorkSpaces bundle combines a hardware configuration (compute, memory, and storage) with an image (operating system and software). When launching a WorkSpace, choose the bundle that matches the user's requirements. The diagram below illustrates a standard bundle.

The default configurations AWS makes available to every customer are called "public bundles." In addition, the OmniCorp IT team has built custom bundles for specific user groups and their compute needs.

These are:

Bundle Name | Hardware | Image
--- | --- | ---
ERPAppDevBaseBundle | 2 vCPU, 8.0 GB Memory, 50 GB Storage | erp-app-base-image-dev
AWSInterns | 2 vCPU, 8.0 GB Memory, 100 GB Storage | OmniCorp Intern-1
OmniCorpGraphicsProBundle | 16 vCPU, 64.0 GB Memory, 300 GB Storage, G4dn base bundle with T4 GPU | AWS base image with pre-installed AutoCAD

WorkSpaces operation modes

Amazon WorkSpaces offers two running modes:

  1. AlwaysOn WorkSpaces, billed at a flat monthly rate regardless of usage.
  2. AutoStop (on-demand) WorkSpaces, billed for actual usage: a fixed monthly fee per WorkSpace plus an hourly rate while it is running. The WorkSpace stops automatically after a configurable period of inactivity (one hour by default) and starts again when the user connects.

During testing and evaluation, the team spent considerable time observing usage so that the right running mode could be chosen for each group. For occasional users such as interns, AutoStop mode made sense, as the WorkSpace is billed only for the hours actually used. For AutoCAD users on the expensive GPU-enabled bundle, however, more than about 100 hours of use a month costs more in AutoStop mode than the flat AlwaysOn charge for the whole month, so AlwaysOn mode was selected for these power users.

Patching and updates

For AlwaysOn WorkSpaces, updates are applied in a predefined maintenance window (by default 00:00 to 04:00 every Sunday, in the WorkSpace's time zone); AutoStop WorkSpaces are started automatically about once a month to install important updates. By default, Windows WorkSpaces are configured to receive updates from the Microsoft Windows Update service. This was found satisfactory, so no WSUS (Windows Server Update Services) customization was done.

Deployment Architecture

The following diagram shows how the AWS VPC was laid out to deploy WorkSpaces for ERP app users.

Amazon WorkSpaces are launched in two regions. ERPApp and AutoCAD WorkSpaces were initially launched in us-east-1, because the application servers and the FSx file systems holding critical application data are located in us-east-1. Performance and latency testing showed no noticeable lag for Wakefield or Southern California users accessing WorkSpaces in us-east-1.

For MENA users, the nearest available region, ap-south-1 (Mumbai), was chosen as it offered the lowest latency.

To give ap-south-1 connectivity to on-prem services, a second Transit Gateway was launched in that region and a peering relationship was established between the two Transit Gateways.

AutoCAD work is done as a team, and to ensure the whole team has access to every file in a project folder, an AWS Storage Gateway (File Gateway) was set up alongside an Amazon FSx for Windows File Server file system.

The File Gateway ensured on-prem users could still access project folders and work on AutoCAD projects. The FSx for Windows File Server file system provided high-performance, low-latency access to project files from the WorkSpaces. It was joined to the Windows domain, so the shared mount points mirroring the on-prem file shares were configured automatically for each user group.

Launch Process

The launch process was smooth. WorkSpaces for the target users were launched with a simple script that iterated over a list of users to provision and created a WorkSpace for each of them through the Boto (boto3) CreateWorkspaces API call, using the bundle assigned to that user.
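The following is an added example of such a provisioning script, written for this page rather than taken from OmniCorp's rollout. It also carries through the running-mode decision from the operation modes section: AutoStop for occasional users, AlwaysOn once a user's expected monthly hours pass the bundle's break-even point. The directory id, bundle ids, prices, team names and sample roster are hypothetical placeholders; the API calls (DescribeWorkspaces, CreateWorkspaces) and request field names are the real boto3 ones, and the client is injected so the logic runs offline against a fake.

```python
"""Bulk-provision Amazon WorkSpaces from a user list with the boto3 WorkSpaces API.

Added example, not the page's own script. The directory id, bundle ids,
prices, team names and sample users are hypothetical placeholders.
"""

DIRECTORY_ID = "d-0123456789"   # hypothetical AD Connector directory id
BATCH_SIZE = 25                  # CreateWorkspaces accepts at most 25 requests per call

# Team -> (bundle id, bundle name). Bundle names are the page's; ids are placeholders.
TEAM_BUNDLES = {
    "autocad": ("wsb-0000000aa", "OmniCorpGraphicsProBundle"),
    "erp":     ("wsb-0000000bb", "ERPAppDevBaseBundle"),
    "interns": ("wsb-0000000cc", "AWSInterns"),
}

# Illustrative USD prices only (real prices vary by region and bundle):
# (AlwaysOn monthly rate, AutoStop fixed monthly fee, AutoStop hourly rate).
# Chosen so the GPU bundle breaks even at 100 h/month, matching the observation in the text.
PRICING = {
    "OmniCorpGraphicsProBundle": (1000.0, 100.0, 9.0),
    "ERPAppDevBaseBundle":       (45.0, 9.0, 0.36),
    "AWSInterns":                (35.0, 7.0, 0.28),
}


def break_even_hours(bundle_name):
    """Monthly running hours above which AlwaysOn is cheaper than AutoStop."""
    always_on, fixed_fee, hourly = PRICING[bundle_name]
    return (always_on - fixed_fee) / hourly


def choose_running_mode(bundle_name, expected_hours_per_month):
    """AUTO_STOP for occasional users, ALWAYS_ON once usage passes the break-even point."""
    if expected_hours_per_month > break_even_hours(bundle_name):
        return "ALWAYS_ON"
    return "AUTO_STOP"


def existing_usernames(client, directory_id):
    """Lower-cased usernames that already own a WorkSpace in the directory (paged)."""
    names, kwargs = set(), {"DirectoryId": directory_id}
    while True:
        resp = client.describe_workspaces(**kwargs)
        names.update(w["UserName"].lower() for w in resp.get("Workspaces", []))
        if not resp.get("NextToken"):
            return names
        kwargs["NextToken"] = resp["NextToken"]


def build_requests(users, already_provisioned, directory_id=DIRECTORY_ID):
    """One CreateWorkspaces request per user, skipping users who already have one
    (CreateWorkspaces would reject those anyway; skipping keeps re-runs idempotent)."""
    requests = []
    for user in users:
        if user["username"].lower() in already_provisioned:
            continue
        bundle_id, bundle_name = TEAM_BUNDLES[user["team"]]
        mode = choose_running_mode(bundle_name, user["expected_hours"])
        props = {"RunningMode": mode}
        if mode == "AUTO_STOP":
            props["RunningModeAutoStopTimeoutInMinutes"] = 60  # stop after an idle hour, as on the page
        requests.append({
            "DirectoryId": directory_id,
            "UserName": user["username"],
            "BundleId": bundle_id,
            # Encrypt both volumes; with no VolumeEncryptionKey the AWS-managed WorkSpaces
            # key is used. This is hardening added in the example, not stated on the page.
            "RootVolumeEncryptionEnabled": True,
            "UserVolumeEncryptionEnabled": True,
            "WorkspaceProperties": props,
            "Tags": [{"Key": "Team", "Value": user["team"]}],
        })
    return requests


def create_in_batches(client, requests, batch_size=BATCH_SIZE):
    """Submit requests in batches and collect per-user outcomes. A rejected request
    does not fail the whole call, so FailedRequests must be read explicitly."""
    outcome = {"pending": [], "failed": []}
    for start in range(0, len(requests), batch_size):
        resp = client.create_workspaces(Workspaces=requests[start:start + batch_size])
        for pending in resp.get("PendingRequests", []):
            outcome["pending"].append(pending["UserName"])
        for failed in resp.get("FailedRequests", []):
            outcome["failed"].append((failed["WorkspaceRequest"]["UserName"], failed.get("ErrorCode", "")))
    return outcome


def provision(client, users, directory_id=DIRECTORY_ID):
    """End-to-end: find existing WorkSpaces, build the missing requests, submit them."""
    requests = build_requests(users, existing_usernames(client, directory_id), directory_id)
    return create_in_batches(client, requests)


if __name__ == "__main__":
    import boto3  # real run only; the offline test injects a fake client instead

    # Constructed sample roster (hypothetical usernames and expected monthly hours).
    roster = [
        {"username": "bob", "team": "autocad", "expected_hours": 160},
        {"username": "carol", "team": "interns", "expected_hours": 20},
    ]
    print(provision(boto3.client("workspaces", region_name="us-east-1"), roster))
```

Two details matter in practice: CreateWorkspaces returns per-request failures in FailedRequests rather than raising, so a script that only checks for an exception will silently miss users that were not provisioned; and the pre-check against DescribeWorkspaces lets the same roster be re-run safely after a partial failure. The usernames must already exist in the AD domain behind the AD Connector, since WorkSpaces does not create directory users.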

Project plan, rollout dates, and timelines

Planning for the rollout part of the project was fairly simple, as all the heavy lifting had been done during the testing and evaluation phase: the images and bundles had been created, the directory service set up, and IT control of the WorkSpaces life cycle pre-defined.

During the rollout phase, we defined a 15-day window to launch and hand over each group's WorkSpaces.

The following is a sample tracker used for the launch of WorkSpaces for each group.

(Estimated numbers)

Team | Start date | Go-Live Date | No. of WorkSpaces
--- | --- | --- | ---
AutoCAD | August 01 | August 15 | 20
Prod ERP App | August 16 | August 31 | 30
Interns | September 01 | September 30 | 500

The rollout support team was small: a WorkSpaces specialist and a DevOps engineer, part-time help from the project manager, and occasional help from AWS Support.
