Amazon AppStream 2.0 - Enterprise Customer Use Cases

Amazon AppStream 2.0 is a fully managed non-persistent application and desktop streaming service that provides users access to desktop applications from anywhere through HTML5 web clients. It sits in the AWS End User Computing (EUC) business unit. Other services in AWS EUC include Amazon WorkSpaces, Amazon WorkSpaces Web (not to be confused with WorkSpaces) and Amazon WorkDocs.

This blog is not a tutorial on AppStream 2.0. After all, each customer may find different use cases for this flexible yet powerful AWS service. In this piece, I discuss several scenarios that saw AppStream 2.0 help some of my enterprise customers with their specific needs.

The non-persistent admin desktops

People call AppStream 2.0 a non-persistent ‘virtual desktop’ service. These virtual end-user compute sessions, powered in the backend by an elastic AppStream fleet and in a presenting form of an application streaming service, are torn down once the user sessions are completed. This characteristic means:

What a user can access in an AppStream session is pre-defined, and The virtual desktops are deleted after each respective session Some enterprise customers have found this useful when used as some type of privileged admin desktop for application and infrastructure support - where lock downs have been implemented and exposure surface minimised.

Commonly seen applications through AppStream privileged admin sessions include, but are not limited to:

  • Client software (specialised)
  • Web browsers
  • Database client
  • Database admin tools
  • Remote Desktop

Such considerations can be particularly relevant in security compliance programs. Enterprise and government customers know too well the journey of going through those hundreds of line items with compliance assessors and the importance of proper interpretation of each control in the right context.

In the settings of some enterprise and government customers, AppStream 2.0 could provide decent and convincing arguments for many compliance line items. Though please do note, each organisation’s settings, posture and context may be different when going through a compliance program – the fit for purpose of AppStream 2.0 as privileged admin desktops, or the fit for purpose of any given service, is to be examined in that particular context.

AppStream 2.0 Desktop, an application in AppStream for example, is subject to further interpretation. This is a good example of when a capable cloud service provider, that has taken the time to understand a customer’s environment and their business requirements, would get the best outcomes for the customer.

There are also the aspects that the logs in non-persistent compute environments don’t persist either, which may raise questions when completing a compliance program. Again, there are answers to such questions and considerations should always be examined for each scenario.

The home folder and file transfer capability

In typical AppStream 2.0 setups, users like to operate a number of applications – they do not need a full-blown virtual desktop. But it is common to have user data generated or imported.

Even though AppStream 2.0 sessions are non-persistent, the users’ home folders are. If an AppStream user would like to keep some data/files permanently, their home folder is there for them to use.

One may wonder how a folder can survive when the environment itself is not there anymore after each session. This is because the contents in home folders are synced to an S3 bucket. The data is encrypted in transit (using S3 SSL endpoints) between the AppStream fleet and S3 and encrypted at rest in the bucket (using S3 managed encryption keys).

AppStream 2.0 can also have other persistent storage through:

  • Amazon WorkDocs
  • Google Drive for G Suite
  • OneDrive for Business

Besides the above, using Amazon FSx is another option, which actually comes with interesting benefits, one of them being file transfer.

Many enterprise and government customers find the file transfer capability a nice feature of AppStream 2.0, compared to, say, Workspaces.

Imagine a scenario in which a user would like to transfer a file from their local computer to a server/service located in their organisation’s AWS VPC. Of course, there are multiple ways to do this securely. And there are circumstances where users have found AppStream 2.0 handy.

AppStream 2.0 allows two-way file transfer between the user’s local computer and the home folder. Innovative ways are there, such as having Amazon FSx in the organisation’s VPC connecting to AppStream 2.0, to provide the persistent storage of the home folders. This way, files can be transferred securely to the FSx shared storage, with the governance of an AWS managed Microsoft AD Domain Services.

The flexibility in directory services

AppStream 2.0 offers rich directory service options.

SAML 2.0 federation is supported. This opens the door to many directory service providers, such as:

  • AWS IAM Identity Centre (previously known as AWS SSO)
  • Okta
  • Azure AD
  • Google
  • ADFS for Windows Server
  • A number of other directory service providers

AppStream 2.0 also supports built-in user directory. This provides access when no external directory service has been integrated yet (or purposely not so).

There were situations where enterprise customers had policies requiring the use case of AppStream to have different and separate user accounts from these users’ daily accounts. AppStream’s flexibility in directory services enables such applications.

Microsoft AD Domain Service is another distinct service (not to be confused with the above-mentioned directory services). Again, AppStream 2.0 shows flexibility in working with it:

  • AppStream can work without an AD Domain
  • AppStream can be domain joined when applications require

WorkSpaces, on the other hand, currently requires an AD Domain Service to function and does not support SAML integration (AWS had launched the preview for WorkSpaces Integration with SAML 2.0. Limitations apply.).

Basic comparisons between AppStream 2.0 and WorkSpaces are frequently asked by customers. I have included a summary table below.

An in-a-nutshell comparison to Amazon WorkSpaces

The table below provides a summary comparison, served as an FYI only.


                            *Table contents were abstracted from AWS documentation. 


As mentioned before, AppStream’s presentation front end is an application streaming service, which does not provide a full-blown virtual desktop user experience. If users prefer a dedicated desktop experience that they can customise all the time and as they like, then AppStream 2.0 may not be the right choice for them. But there are plenty of scenarios where AppStream 2.0 can help and is the best-suited solution. I encourage you to explore the use cases of AppStream based on your circumstances. From time to time, you may find yourself congratulating yourself on innovatively using AppStream to successfully deliver some business/workload objectives.

                                                                                                                                    --Simon Wang 

Comments

Popular posts from this blog

AWS Storage Gateway File Gateway with S3 and FSx For Lustre with S3

Fairness Evaluation and Model Explainability In AI

AWS and Generative AI