One of the things I enjoy most about my job and role at Concorde is how every week if not every day I work with different technology or in some cases, a product I have not had much exposure to. In this blog, I will be giving some of my thoughts and findings around a recent AWS Workspace POC project I did for a new customer, a technology and platform that until recently I had very little exposure to.
As with most projects, the initial phase was around pre-sales, trying to find out as much information around the ‘the bigger picture’ as I like to call it. By this, I mean trying to understand not only where the customer’s infrastructure is now and what they wish to achieve, but also around what their actual business does and how they do it. This includes processes they follow to the applications they use day to day. With GDPR and compliance being such a huge thing at the moment and in the future, I feel when I am tasked with coming up with a solution for a customer that I need to understand all aspects of their business as well as their Infrastructure, and this is what I call ‘the bigger picture’.
For obvious reasons, I can’t go into too much detail around what this customer does, however they currently have a very standard on-premise infrastructure with a mixture of physical and virtual servers, and standard desktop machines running Windows 10. The customer's aim was not that they had an outdated infrastructure and wanted the latest and greatest; it was more about compliance. Due to the nature of the work they do, ISO and PCI compliance were vitally important to enable them to grow as a business in the future. They also wanted a solution with a uniform desktop experience for all staff, with standard applications on all machines, that would be easy to manage.
The last part of this requirement for me was easy enough to work out that some type of VDI solution was a good fit, however without the understanding of how the business worked and what their business requirements were I would have found it very difficult to come up with a solution that could easily, efficiently and cost-effectively meet their requirements. The key was compliance, which is why I started to look at AWS.
The list of compliance programs that AWS Cloud meets or is part of is extensive, and in my opinion, this is what sets it apart from other public cloud vendors. At the end of the day, most public cloud vendors offer customers the same: compute, storage, networking and services in a public cloud. What sets them apart is the compliance, and this is where AWS has the upper hand.
As with most technologies I am less familiar with, I started by setting up my own lab environment. The good thing about AWS is they offer a free 12-month trial which gives you access to the entire AWS cloud portfolio, including EC2 and S3. For now, I was mainly concerned with AWS Workspaces, and again the good thing about AWS is the amount of quality documentation available. I was easily able to find the relevant guide on how to set up the Workspaces instance. The tasks involved were as follows:
- Set up a new Directory: You have two Directory types you can set up: ‘Microsoft AD’ or ‘AD Connector’. The difference is that Microsoft AD gives you a full Active Directory feel with a new domain, whereas AD Connector extends the on-premise domain into AWS.
- Set up a VPC (Virtual Private Cloud) and subnets: This is the network side of the AWS platform that your entire infrastructure will sit within. A diagram at this point showed a new VPC with an IPv4 CIDR block and its route table.
The idea is you have a subnet in each Availability Zone which gives the network resilience.
- Launching the Workspace: Once the Directory and network are set up, you configure the Workspace instance, which involves 4 steps:
- Select your Directory
- Identify or create users within the Directory
- Select your bundle (within the free 12-month trial I only had access to 2 low spec bundles)
- Workspaces Configuration
The 1st step was to just select the Directory I created earlier. The 2nd step was to provision some new accounts within my directory for the Workspaces instances. By default in the London region, you only get a single Workspace instance; if you require more, you are required to log a support call and request more. The 3rd step was to select the bundle, the options being Standard, Value, Performance and Power. You can get each of the bundle types in either Windows 7 or Windows 10, and with or without Office (2010, 2013 and 2016). You can find more details of the different bundles on the AWS Workspaces page. The final step is to configure the Workspaces. Here you can choose the running mode: either ‘Always on’ or ‘Auto Stop’. With Auto Stop you can specify the number of hours a day the Workspace instance is active, and for me, this is a great way for customers to keep costs down. If you think about it, why is there a need to keep the instance online 24 hours a day when users will only be accessing it for 8-10 hours a day? You can also choose to encrypt the root volume and the user volume. Again, this is a great feature, which is ideal for customers who require encryption on user machines for compliance reasons.
One thing I found frustrating was the amount of time it took for the different aspects to provision. The directory services took around 1 hour, as did the Workspaces instance, even though the actual configuration only takes around 20 minutes. Another item to note is that once the Workspaces instances are provisioned there is a little more work needed to enable Internet access. You need to ensure your instances have a public IP address by provisioning an Elastic IP address, then ensure the routing is set up correctly. One thing I found when working on this proof of concept was that the AWS technical support was top class, not only in resolving any issues I had but also in their response times. When logging a ticket you get the option to log in via the web, or you can put in your phone number and it will initiate a call from AWS to your number and directly connect you to an engineer!
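As an added example (not code from the original post or from AWS), here is how the two compliance choices described above, Auto Stop and encrypted root and user volumes, look when expressed for the Workspaces API rather than the console, together with a small audit that flags Workspaces missing either setting in describe_workspaces-style records. The directory, bundle and KMS key identifiers are placeholders, and the sample records are constructed.

```python
from typing import Dict, List
# Constructed placeholder identifiers (not from the original post).
DIRECTORY_ID = "d-0123456789"
BUNDLE_ID = "wsb-placeholder"
KMS_KEY = "alias/workspaces-placeholder"  # KMS key used for volume encryption

def build_workspace_request(username: str, autostop_hours: int) -> Dict:
    """One entry for the 'Workspaces' list passed to boto3 create_workspaces().

    Encodes the two choices from the post: Auto Stop (the WorkSpace stops after
    an idle timeout instead of running 24 hours a day) and encrypted root and
    user volumes. The API takes the timeout in minutes, in whole-hour steps.
    """
    if autostop_hours < 1:
        raise ValueError("autostop_hours must be at least 1")
    return {
        "DirectoryId": DIRECTORY_ID,
        "UserName": username,
        "BundleId": BUNDLE_ID,
        "VolumeEncryptionKey": KMS_KEY,
        "RootVolumeEncryptionEnabled": True,
        "UserVolumeEncryptionEnabled": True,
        "WorkspaceProperties": {
            "RunningMode": "AUTO_STOP",
            "RunningModeAutoStopTimeoutInMinutes": autostop_hours * 60,
        },
    }

def audit_workspaces(workspaces: List[Dict]) -> Dict[str, List[str]]:
    """Map WorkspaceId -> findings for records shaped like describe_workspaces() output."""
    findings: Dict[str, List[str]] = {}
    for ws in workspaces:
        problems = []
        if not ws.get("RootVolumeEncryptionEnabled"):
            problems.append("root volume not encrypted")
        if not ws.get("UserVolumeEncryptionEnabled"):
            problems.append("user volume not encrypted")
        if ws.get("WorkspaceProperties", {}).get("RunningMode") != "AUTO_STOP":
            problems.append("running mode is not AUTO_STOP")
        if problems:
            findings[ws["WorkspaceId"]] = problems
    return findings

# Constructed sample: one compliant WorkSpace and one an auditor should flag.
SAMPLE_WORKSPACES = [
    {"WorkspaceId": "ws-aaaa1111", "RootVolumeEncryptionEnabled": True,
     "UserVolumeEncryptionEnabled": True, "WorkspaceProperties": {"RunningMode": "AUTO_STOP"}},
    {"WorkspaceId": "ws-bbbb2222", "RootVolumeEncryptionEnabled": False,
     "UserVolumeEncryptionEnabled": True, "WorkspaceProperties": {"RunningMode": "ALWAYS_ON"}},
]
```

Running `audit_workspaces` over the output of a real `describe_workspaces` call gives a quick check that no Workspace was provisioned without the encryption or running-mode settings the compliance requirement calls for.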
The final piece of this POC puzzle was to set up a site-to-site VPN between AWS and the on-premise firewall (WatchGuard). Luckily the WatchGuard range is a supported device with AWS, so once again the documentation and support around getting this set up were great!
My experience using AWS from a technical perspective has been really positive up to now. The documentation and amazing technical support from AWS have made learning about the product so much easier. I have been in situations where good documentation or vendor support has not been available, and it can be very frustrating. This will, in turn, create doubts about the product, which might actually be amazing; vendors need to make resources available to ensure customers understand its benefits. AWS has done this very well, and I am now looking forward to working my way through the rest of the AWS portfolio to see what else it has to offer.
You can see more updates around what I am working on via my Twitter handle @shabazdarr