• Next steps (p. 8)
Before you begin
Before you begin, make sure that you meet the following requirements:
• You must have an AWS account to create or administer a WorkSpace. Users do not need an AWS account to connect to and use their WorkSpaces.
• WorkSpaces is not available in every Region. Verify the supported Regions and select a Region for your WorkSpaces. For more information about the supported Regions, see WorkSpaces Pricing by AWS Region.
It's also helpful to review and understand the following concepts before you proceed:
• When you launch a WorkSpace, you must select a WorkSpace bundle. For more information, see Amazon WorkSpaces Bundles.
• When you launch a WorkSpace, you must select which protocol (PCoIP or WorkSpaces Streaming Protocol [WSP]) you want to use with your bundle. For more information, see Protocols for Amazon WorkSpaces (p. 9).
• When you launch a WorkSpace, you must specify profile information for the user, including a user name and email address. Users complete their profiles by specifying a password. Information about WorkSpaces and users is stored in a directory. For more information, see Directories (p. 59).
What Quick Setup does
Quick Setup completes the following tasks on your behalf:
• Creates an IAM role to allow the WorkSpaces service to create elastic network interfaces and list your WorkSpaces directories. This role has the name workspaces_DefaultRole.
• Creates a virtual private cloud (VPC). If you want to use an existing VPC instead, make sure it meets the requirements noted in Configure a VPC for WorkSpaces (p. 10), and then follow the steps in one of the tutorials listed in Launch a virtual desktop using WorkSpaces (p. 73). Choose the tutorial that corresponds to the type of Active Directory that you want to use.
• Sets up a Simple AD directory in the VPC. This Simple AD directory is used to store user and WorkSpace information. The directory has an administrator account and it is enabled for Amazon WorkDocs.
• Creates the specified user accounts and adds them to the directory.
• Creates WorkSpaces. Each WorkSpace receives a public IP address to provide internet access.
The running mode is AlwaysOn. For more information, see Manage the WorkSpace running mode (p. 117).
• Sends invitation emails to the specified users. If your users don't receive their invitation emails, see Send an invitation email (p. 88).
Note
The first user account created by Quick Setup is your Admin user account. You can't update this user account from the WorkSpaces Console. Don't share the information for this Admin account with anyone else. If you want to invite other users to use WorkSpaces, create new user accounts for them.
Step 1: Launch the WorkSpace
Using Quick Setup, you can launch your first WorkSpace in minutes.
To launch a WorkSpace
1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.
2. Choose Get Started Now. If you don't see this button, either you have already launched a WorkSpace in this Region, or you aren't using one of the Regions that support Quick Setup (p. 4). In this case, see Launch a virtual desktop using WorkSpaces (p. 73).
3. On the Get Started with WorkSpaces page, next to Quick Setup, choose Launch.
4. For Bundles, select a bundle (hardware and software) for the user with the appropriate protocol (PCoIP or WSP). For more information about the various public bundles available for Amazon WorkSpaces, see Amazon WorkSpaces Bundles.
5. For Enter User Details, complete Username, First Name, Last Name, and Email.
Note
If this is your first time using WorkSpaces, we recommend creating a user for yourself for testing purposes.
6. Choose Launch WorkSpaces.
7. On the confirmation page, choose View the WorkSpaces Console. It takes approximately 20 minutes for your WorkSpace to be launched. To monitor the progress, go to the left navigation pane and choose Directories. You will see a directory being created with an initial status of REQUESTED and then CREATING.
After the directory has been created and has a status of ACTIVE, you can choose WorkSpaces in the left navigation pane to monitor the progress of the WorkSpace launch process. The initial status of the WorkSpace is PENDING. When the launch is complete, the status is AVAILABLE and an invitation is sent to the email address that you specified for each user. If your users don't receive their invitation emails, see Send an invitation email (p. 88).
Step 2: Connect to the WorkSpace
After you receive the invitation email, you can connect to the WorkSpace using the client of your choice.
After you sign in, the client displays the WorkSpace desktop.
To connect to the WorkSpace
1. If you haven't set up credentials for the user already, open the link in the invitation email and follow the directions. Remember the password that you specify as you will need it to connect to your WorkSpace.
Note
Passwords are case-sensitive and must be between 8 and 64 characters in length, inclusive.
Passwords must contain at least one character from each of the following categories:
lowercase letters (a-z), uppercase letters (A-Z), numbers (0-9), and the set ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/.
2. Review WorkSpaces Clients in the Amazon WorkSpaces User Guide for more information about the requirements for each client, and then do one of the following:
• When prompted, download one of the client applications or launch Web Access.
• If you aren't prompted and you haven't installed a client application already, open https://clients.amazonworkspaces.com/ and download one of the client applications or launch Web Access.
Note
You cannot use a web browser (Web Access) to connect to Amazon Linux WorkSpaces.
3. Start the client, enter the registration code from the invitation email, and choose Register.
4. When prompted to sign in, enter the user name and password, and then choose Sign In.
5. (Optional) When prompted to save your credentials, choose Yes.
For more information about using the client applications, such as setting up multiple monitors or using peripheral devices, see WorkSpaces Clients and Peripheral Device Support in the Amazon WorkSpaces User Guide.
Step 3: Clean up (Optional)
If you are finished with the WorkSpace that you created for this tutorial, you can delete it. For more information, see the section called “Delete a WorkSpace” (p. 143).
Note
Simple AD is made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms. To delete empty directories, see Delete the directory for your WorkSpaces (p. 69). If you delete your Simple AD directory, you can always create a new one when you want to start using WorkSpaces again.
Next steps
You can continue to customize the WorkSpace that you just created. For example, you can install software and then create a custom bundle from your WorkSpace. You can also perform various administrative tasks for your WorkSpaces and your WorkSpaces directory. For more information, see the following documentation.
• Create a custom WorkSpaces image and bundle (p. 145)
• Administer your WorkSpaces (p. 95)
• Manage directories for WorkSpaces (p. 59)
To create additional WorkSpaces, do one of the following:
• If you want to continue using the VPC and the Simple AD directory that were created by Quick Setup, you can add WorkSpaces for additional users by following the steps in the Step 2: Create a WorkSpace (p. 79) section of the Launch a WorkSpace Using Simple AD tutorial.
• If you need to use another directory type or if you need to use an existing Active Directory, see the appropriate tutorial in Launch a virtual desktop using WorkSpaces (p. 73).
For more information about using the WorkSpaces client applications, such as setting up multiple monitors or using peripheral devices, see WorkSpaces Clients and Peripheral Device Support in the Amazon WorkSpaces User Guide.
Networking and access for WorkSpaces
As a WorkSpace administrator, you must understand the following about WorkSpaces networking and access.
Contents
• Protocols for Amazon WorkSpaces (p. 9)
• Configure a VPC for WorkSpaces (p. 10)
• Availability Zones for Amazon WorkSpaces (p. 17)
• IP address and port requirements for WorkSpaces (p. 18)
• Amazon WorkSpaces client network requirements (p. 34)
• Restrict WorkSpaces access to trusted devices (p. 35)
• Use smart cards for authentication (p. 37)
• Provide internet access from your WorkSpace (p. 44)
• Security groups for your WorkSpaces (p. 45)
• IP access control groups for your WorkSpaces (p. 46)
• Set up PCoIP zero clients for WorkSpaces (p. 48)
• Set up Android for Chromebooks (p. 49)
• Enable and configure Amazon WorkSpaces Web Access (p. 49)
• Set up Amazon WorkSpaces for FedRAMP authorization or DoD SRG compliance (p. 52)
• Enable SSH connections for your Linux WorkSpaces (p. 53)
• Required configuration and service components for WorkSpaces (p. 56)
Protocols for Amazon WorkSpaces
Amazon WorkSpaces supports two protocols: PCoIP and WorkSpaces Streaming Protocol (WSP).
The protocol that you choose depends on several factors, such as the type of devices your users will be accessing their WorkSpaces from, which operating system is on your WorkSpaces, what network conditions your users will be facing, and whether your users require bidirectional video support.
When to use PCoIP
• If you want to use the iPad, Android, or Linux clients.
• If you use Teradici zero client devices.
• If you need to use GPU-based bundles (Graphics or GraphicsPro).
• If you need to use a Linux bundle for non-smart card use cases.
• If you need to use WorkSpaces in the China (Ningxia) Region.
When to use WSP
• If you need higher loss/latency tolerance to support your end user network conditions. For example, you have users who are accessing their WorkSpaces across global distances or using unreliable networks.
• If you need your users to authenticate with smart cards or to use smart cards in-session.
• If you need webcam support capabilities in-session.
• If you need to use Web Access with the Windows Server 2019-powered WorkSpaces bundle.
Note
• A directory can have a mix of PCoIP and WSP WorkSpaces in it.
• A user can have both a PCoIP and a WSP WorkSpace as long as the two WorkSpaces are located in separate directories. The same user cannot have a PCoIP and a WSP WorkSpace in the same directory. For more information about creating multiple WorkSpaces for a user, see Create multiple WorkSpaces for a user (p. 88).
• You can migrate a WorkSpace between the two protocols by using the WorkSpaces migration feature, which requires a rebuild of the WorkSpace. For more information, see Migrate a WorkSpace (p. 139).
Configure a VPC for WorkSpaces
WorkSpaces launches your WorkSpaces in a virtual private cloud (VPC). Your WorkSpaces must have access to the internet so that you can install updates to the operating system and deploy applications using Amazon WorkSpaces Application Manager (Amazon WAM).
You can create a VPC with two private subnets for your WorkSpaces and a NAT gateway in a public subnet. Alternatively, you can create a VPC with two public subnets for your WorkSpaces and associate an Elastic IP address with each WorkSpace.
Tip
For a detailed exploration of directory and virtual private cloud (VPC) design considerations for various deployment scenarios, see the Best Practices for Deploying Amazon WorkSpaces whitepaper.
Contents
• Requirements (p. 10)
• Configure a VPC with private subnets and a NAT gateway (p. 10)
• Configure a VPC with public subnets (p. 14)
Requirements
Your VPC's subnets must reside in different Availability Zones in the Region where you're launching WorkSpaces. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. Each subnet must reside entirely within one Availability Zone and cannot span zones.
Note
Amazon WorkSpaces is available in a subset of the Availability Zones in each supported Region. To determine which Availability Zones you can use for the subnets of the VPC that you're using for WorkSpaces, see Availability Zones for Amazon WorkSpaces (p. 17).
Configure a VPC with private subnets and a NAT gateway
If you use AWS Directory Service to create an AWS Managed Microsoft or a Simple AD, we recommend that you configure the VPC with one public subnet and two private subnets. Configure your directory to launch your WorkSpaces in the private subnets. To provide internet access to WorkSpaces in a private subnet, configure a NAT gateway in the public subnet.
Prerequisites
If you aren't already familiar with working with VPCs and subnets, we recommend reading VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide before performing the following tasks.
Tasks
• Step 1: Allocate an Elastic IP address (p. 11)
• Step 2: Create a VPC (p. 12)
• Step 3: Add a second private subnet (p. 13)
• Step 4: Verify and name the route tables (p. 13)
• Step 5: Route your WorkSpaces to the subnets (p. 14)
Note
As an alternative to the following procedure for configuring a VPC with private subnets and a NAT gateway, you can follow the steps in the "Getting started project" tutorial, which details how to set up your VPC and your WorkSpaces directory. That tutorial also covers how to launch WorkSpaces, create custom images and bundles, and perform other tasks related to administering your WorkSpaces.
Step 1: Allocate an Elastic IP address
Allocate an Elastic IP address for your NAT gateway as follows. Note that if you are using an alternative method of providing internet access, you can skip this step.
To allocate an Elastic IP address
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Elastic IPs.
3. Choose Allocate Elastic IP address.
4. On the Allocate Elastic IP address page, for Public IPv4 address pool, choose Amazon's pool of IPv4 addresses, Public IPv4 address that you bring to your AWS account, or Customer owned pool of IPv4 addresses, and then choose Allocate.
5. Make a note of the Elastic IP address, then choose Close.
Step 2: Create a VPC
Create a VPC with one public subnet and two private subnets as follows.
To create the VPC
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose VPC Dashboard in the upper-left corner.
3. Choose Launch VPC Wizard.
4. Choose VPC with Public and Private Subnets and then choose Select.
5. Configure the VPC as follows:
a. For IPv4 CIDR block, enter the CIDR block for the VPC. We recommend that you use a CIDR block from the private (non-publicly routable) IP address ranges specified in RFC 1918. For example, 10.0.0.0/16. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.
b. For IPv6 CIDR Block, keep No IPv6 CIDR Block.
c. For VPC name, enter a name for the VPC.
6. Configure the public subnet as follows:
a. For IPv4 CIDR block, enter the CIDR block for the subnet. For example, 10.0.0.0/24. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.
b. For Availability Zone, keep No Preference.
c. For Public subnet name, enter a name for the subnet (for example, WorkSpaces Public Subnet).
7. Configure the first private subnet as follows:
a. For Private subnet's IPv4 CIDR, enter the CIDR block for the subnet. For example, 10.0.1.0/24.
b. To make an appropriate selection for Availability Zone, see Availability Zones for Amazon WorkSpaces (p. 17).
c. For Private subnet name, enter a name for the subnet (for example, WorkSpaces Private Subnet 1).
8. For Elastic IP Allocation ID, choose the Elastic IP address that you created. Note that if you are using an alternative method of providing internet access, you can skip this step.
9. For Service endpoints, do nothing.
10. For Enable DNS hostnames, keep Yes.
11. For Hardware tenancy, keep Default.
12. Choose Create VPC. Note that it takes several minutes to set up your VPC. After the VPC is created, choose OK.
Note
You can associate an IPv6 CIDR block with your VPC and subnets. However, if you configure your subnets to automatically assign IPv6 addresses to instances launched in the subnet, then you cannot use Graphics bundles. (You can use GraphicsPro bundles, however.) This restriction arises from a hardware limitation of previous-generation instance types that do not support IPv6. To work around this issue, you can temporarily disable the auto-assign IPv6 addresses setting on the WorkSpaces subnets before launching Graphics bundles, and then reenable this setting (if needed) after launching Graphics bundles so that any other bundles receive the desired IP addresses.
By default, the auto-assign IPv6 addresses setting is disabled. To check this setting from the Amazon VPC console, in the navigation pane, choose Subnets. Select the subnet, and choose Actions, Modify auto-assign IP settings.
For more information about working with IPv6 addresses, see IP Addressing in Your VPC in the Amazon VPC User Guide.
Step 3: Add a second private subnet
In the previous step, you created a VPC with one public subnet and one private subnet. Use the following procedure to add a second private subnet.
To add a private subnet
1. In the navigation pane, choose Subnets.
2. Choose Create Subnet.
3. For Name tag, enter a name for the private subnet (for example, WorkSpaces Private Subnet 2).
4. For VPC, select the VPC that you created.
5. To make an appropriate selection for Availability Zone, see Availability Zones for Amazon WorkSpaces (p. 17). Make sure you select a different Availability Zone from the one you selected for Step 7 (p. 12) earlier.
6. For IPv4 CIDR block, enter the CIDR block for the subnet. For example, 10.0.2.0/24.
7. Choose Create and Close.
Step 4: Verify and name the route tables
You can verify and name the route tables for each subnet.
To verify and name the route tables
1. In the navigation pane, choose Subnets, and select the public subnet that you created.
a. On the Route Table tab, choose the ID of the route table (for example, rtb-12345678).
b. Select the route table. Under Name, choose the edit icon (the pencil), and enter a name (for example, workspaces-public-routetable), and then choose the check mark to save the name.
c. On the Routes tab, verify that there is one route for local traffic and another route that sends all other traffic to the internet gateway for the VPC. For example, you should see entries similar to those in the following table.
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     igw-12345678
2. In the navigation pane, choose Subnets, and select the first private subnet that you created (for example, WorkSpaces Private Subnet 1).
a. On the Route Table tab, choose the ID of the route table.
b. Select the route table. Under Name, choose the edit icon (the pencil), and enter a name (for example, workspaces-private-routetable), and then choose the check mark to save the name.
c. On the Routes tab, verify that there is one route for local traffic and another route that sends all other traffic to the NAT gateway. For example, you should see entries similar to those in the following table.
Destination   Target
10.0.0.0/16   local
0.0.0.0/0     nat-12345678
Note
To provide internet access to your WorkSpaces in the private subnets, make sure your NAT gateway is configured in the public subnet.
3. In the navigation pane, choose Subnets, and select the second private subnet that you created (for example, WorkSpaces Private Subnet 2). On the Route Table tab, verify that the route table is the private route table (for example, workspaces-private-routetable). If the route table is different, choose Edit and select this route table.
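As an added check that is not part of the guide or of any AWS tooling, the following Python function verifies a VPC layout against the route-table expectations of Step 4, the different-Availability-Zone requirement from Requirements, and the IPv6 auto-assign note for Graphics bundles. The subnet, route-table and NAT gateway records are constructed inline, and identifiers such as subnet-pub, rtb-private and igw-12345678 are placeholders.

```python
import ipaddress

# Constructed sample data, not taken from the guide. The dict shapes mirror the
# EC2 DescribeSubnets / DescribeRouteTables / DescribeNatGateways responses, so
# the checks can be run on real API output. Private subnet 2 deliberately has
# IPv6 auto-assign enabled to trigger the Graphics-bundle finding.
SUBNETS = [
    {"SubnetId": "subnet-pub", "CidrBlock": "10.0.0.0/24",
     "AvailabilityZone": "us-east-1a", "AssignIpv6AddressOnCreation": False},
    {"SubnetId": "subnet-priv1", "CidrBlock": "10.0.1.0/24",
     "AvailabilityZone": "us-east-1a", "AssignIpv6AddressOnCreation": False},
    {"SubnetId": "subnet-priv2", "CidrBlock": "10.0.2.0/24",
     "AvailabilityZone": "us-east-1b", "AssignIpv6AddressOnCreation": True},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-12345678"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv1"}, {"SubnetId": "subnet-priv2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-12345678"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-12345678", "SubnetId": "subnet-pub"}]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def default_route_target(route_table):
    """Target of the 0.0.0.0/0 route (igw-*, nat-*, ...), or None if absent."""
    for route in (route_table or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def check_workspaces_vpc(vpc_cidr, public_id, private_ids, subnets, route_tables,
                         nat_gateways, graphics_bundles=False):
    """Return a list of findings; an empty list means the layout matches the guide."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc_cidr)
    if not any(vpc_net.subnet_of(rfc) for rfc in RFC1918):
        findings.append(f"VPC CIDR {vpc_cidr} is not an RFC 1918 range")
    by_id = {s["SubnetId"]: s for s in subnets}
    rt_of = {a["SubnetId"]: rt for rt in route_tables
             for a in rt["Associations"] if "SubnetId" in a}
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    # Public subnet: 0.0.0.0/0 must point at the internet gateway (Step 4, item 1c).
    target = default_route_target(rt_of.get(public_id))
    if not str(target).startswith("igw-"):
        findings.append(f"{public_id} default route is {target!r}, expected an igw-")
    # Private subnets: 0.0.0.0/0 to a NAT gateway in the public subnet (item 2c, note).
    for sid in private_ids:
        target = default_route_target(rt_of.get(sid))
        if not str(target).startswith("nat-"):
            findings.append(f"{sid} default route is {target!r}, expected a nat-")
        elif nat_subnet.get(target) != public_id:
            findings.append(f"{target} is not in the public subnet {public_id}")
        if graphics_bundles and by_id[sid]["AssignIpv6AddressOnCreation"]:
            findings.append(f"{sid} auto-assigns IPv6; Graphics bundles will not launch")
    if len({(rt_of.get(s) or {}).get("RouteTableId") for s in private_ids}) > 1:
        findings.append("private subnets use different route tables")  # item 3
    # Requirement: the WorkSpaces subnets must lie in different Availability Zones.
    zones = {by_id[s]["AvailabilityZone"] for s in private_ids}
    if len(zones) < len(private_ids):
        findings.append("private subnets share an Availability Zone")
    return findings
```

With the constructed data the only finding is the IPv6 auto-assign on the second private subnet, and it appears only when graphics_bundles=True.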
Step 5: Route your WorkSpaces to the subnets
To route your WorkSpaces to your VPC's subnets, make sure to select your VPC and subnets during the process of setting up your WorkSpaces directory.
To set up your WorkSpaces directory, see Launch a virtual desktop using WorkSpaces (p. 73), and select the tutorial for the type of directory you'd like to use (AWS Managed Microsoft AD, Simple AD,