Amazon AppStream 2.0 - Enterprise Customer Use Cases

Amazon AppStream 2.0 is a fully managed non-persistent application and desktop streaming service that provides users access to desktop applications from anywhere through HTML5 web clients. It sits in the AWS End User Computing (EUC) business unit. Other services in AWS EUC include Amazon WorkSpaces, Amazon WorkSpaces Web (not to be confused with WorkSpaces) and Amazon WorkDocs.

This blog is not a tutorial on AppStream 2.0. After all, each customer may find different use cases for this flexible yet powerful AWS service. In this piece, I discuss several scenarios that saw AppStream 2.0 help some of my enterprise customers with their specific needs.

The non-persistent admin desktops

People call AppStream 2.0 a non-persistent ‘virtual desktop’ service. These virtual end-user compute sessions, powered in the backend by an elastic AppStream fleet and in a presenting form of an application streaming service, are torn down once the user sessions are completed. This characteristic means:

What a user can access in an AppStream session is pre-defined, and The virtual desktops are deleted after each respective session Some enterprise customers have found this useful when used as some type of privileged admin desktop for application and infrastructure support - where lock downs have been implemented and exposure surface minimised.

Commonly seen applications through AppStream privileged admin sessions include, but are not limited to:

  • Client software (specialised)
  • Web browsers
  • Database client
  • Database admin tools
  • Remote Desktop

Such considerations can be particularly relevant in security compliance programs. Enterprise and government customers know too well the journey of going through those hundreds of line items with compliance assessors and the importance of proper interpretation of each control in the right context.

In the settings of some enterprise and government customers, AppStream 2.0 could provide decent and convincing arguments for many compliance line items. Though please do note, each organisation’s settings, posture and context may be different when going through a compliance program – the fit for purpose of AppStream 2.0 as privileged admin desktops, or the fit for purpose of any given service, is to be examined in that particular context.

AppStream 2.0 Desktop, an application in AppStream for example, is subject to further interpretation. This is a good example of when a capable cloud service provider, that has taken the time to understand a customer’s environment and their business requirements, would get the best outcomes for the customer.

There are also the aspects that the logs in non-persistent compute environments don’t persist either, which may raise questions when completing a compliance program. Again, there are answers to such questions and considerations should always be examined for each scenario.

The home folder and file transfer capability

In typical AppStream 2.0 setups, users like to operate a number of applications – they do not need a full-blown virtual desktop. But it is common to have user data generated or imported.

Even though AppStream 2.0 sessions are non-persistent, the users’ home folders are. If an AppStream user would like to keep some data/files permanently, their home folder is there for them to use.

One may wonder how a folder can survive when the environment itself is not there anymore after each session. This is because the contents in home folders are synced to an S3 bucket. The data is encrypted in transit (using S3 SSL endpoints) between the AppStream fleet and S3 and encrypted at rest in the bucket (using S3 managed encryption keys).

AppStream 2.0 can also have other persistent storage through:

  • Amazon WorkDocs
  • Google Drive for G Suite
  • OneDrive for Business

Besides the above, using Amazon FSx is another option, which actually comes with interesting benefits, one of them being file transfer.

Many enterprise and government customers find the file transfer capability a nice feature of AppStream 2.0, compared to, say, Workspaces.

Imagine a scenario in which a user would like to transfer a file from their local computer to a server/service located in their organisation’s AWS VPC. Of course, there are multiple ways to do this securely. And there are circumstances where users have found AppStream 2.0 handy.

AppStream 2.0 allows two-way file transfer between the user’s local computer and the home folder. Innovative ways are there, such as having Amazon FSx in the organisation’s VPC connecting to AppStream 2.0, to provide the persistent storage of the home folders. This way, files can be transferred securely to the FSx shared storage, with the governance of an AWS managed Microsoft AD Domain Services.

The flexibility in directory services

AppStream 2.0 offers rich directory service options.

SAML 2.0 federation is supported. This opens the door to many directory service providers, such as:

  • AWS IAM Identity Centre (previously known as AWS SSO)
  • Okta
  • Azure AD
  • Google
  • ADFS for Windows Server
  • A number of other directory service providers

AppStream 2.0 also supports built-in user directory. This provides access when no external directory service has been integrated yet (or purposely not so).

There were situations where enterprise customers had policies requiring the use case of AppStream to have different and separate user accounts from these users’ daily accounts. AppStream’s flexibility in directory services enables such applications.

Microsoft AD Domain Service is another distinct service (not to be confused with the above-mentioned directory services). Again, AppStream 2.0 shows flexibility in working with it:

  • AppStream can work without an AD Domain
  • AppStream can be domain joined when applications require

WorkSpaces, on the other hand, currently requires an AD Domain Service to function and does not support SAML integration (AWS had launched the preview for WorkSpaces Integration with SAML 2.0. Limitations apply.).

Basic comparisons between AppStream 2.0 and WorkSpaces are frequently asked by customers. I have included a summary table below.

An in-a-nutshell comparison to Amazon WorkSpaces

The table below provides a summary comparison, served as an FYI only.


                            *Table contents were abstracted from AWS documentation. 


As mentioned before, AppStream’s presentation front end is an application streaming service, which does not provide a full-blown virtual desktop user experience. If users prefer a dedicated desktop experience that they can customise all the time and as they like, then AppStream 2.0 may not be the right choice for them. But there are plenty of scenarios where AppStream 2.0 can help and is the best-suited solution. I encourage you to explore the use cases of AppStream based on your circumstances. From time to time, you may find yourself congratulating yourself on innovatively using AppStream to successfully deliver some business/workload objectives.

                                                                                                                                    --Simon Wang 

Comments

Post a Comment

Popular posts from this blog

Fairness Evaluation and Model Explainability In AI

Image
Artificial Intelligence (AI) relies on machine learning and its modelling to provide outcomes. Imagine a credit card company receives hundreds of thousands of applications each year and would like to use AI to do the first round of application filtering. If it is not developed properly, the AI decisions will be skewed with unfairness – such as rejecting a lot more applications from a certain age group, from a certain gender, or from a certain employment history pattern – UNFAIRLY. Please note unfairness is the key issue here – in other words, AI and machine learning inference that is not reflecting the due course in actual situations. This is typically called bias in AI and machine learning. Biases can come from various stages of a machine learning life cycle: • Biases may exist in the pre-training data -  e.g., the dataset to be used in machine learning training has biases in it • Biases may be introduced by the machine learning exercise  Below is a machine learning lifecycle char
Read more

AWS and Generative AI

Image
 Generative Artificial Intelligence, or Generative AI, GenAI, is one of the hottest topics in the recent months. You would ‘have to be living under a rock to not notice this massive topic’.  ‘Generative AI is a branch of AI that focuses on creating new data. It is a subset of machine learning. The goal of generative AI is to create new data that is similar to the data that was used to train the model.’ – texts generated by an AI tool.  Recently I experimented a couple of random text-to-image GenAI tools to observe how generative AI can create contents and how the data generated by different GenAI tools trained by different models is different. My experiment was straightforward: text-to-image GenAI tools ask you to provide some texts as a prompt, and then use this input to generate an image. So that was what I did. The prompt I supplied was: ‘female student graduation photo in front of a white building with flowers in hand in Paris’. Both GenAI tools I tested could output an image withi
Read more

Amazon CloudFront and Its Primary and Secondary Origins

Nowadays most of the online contents are web service based. A user accesses a specific content, for example a web page, by connecting their client end application (like a web browser) running on their desktop or mobile computing device to the server that hosts the web page. There are billions of websites and webpages. DNS services, online search engines and links on well known ‘portal’ websites help people to find and locate the contents they would like to visit.  A user’s web client device and the server it visits can be worldly apart: for example, let’s think of a user in Tasmania, Australia that uses its smart phone to visit a website hosted on a server that locates in a data centre in Montreal, Canada, which is more than sixteen thousand kilometres away. They are connected by the Internet. The Internet comprises of millions of inter-connected networks. Traffic on the Internet is routed between the users and the servers through those inter-connected networks in-between. Using the ab
Read more