In this project, you’ll learn how to deploy cloud desktops using Amazon WorkSpaces and the AWS Directory Service. Amazon WorkSpaces is a fully managed, secure desktop computing service which runs on the AWS cloud. Amazon WorkSpaces allows you to easily provision cloud-based virtual desktops and provide your users access to the documents, applications, and resources they need. The AWS Directory Service makes it easy to set up and run Microsoft Active Directory (AD) in the AWS cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory.
What you’ll accomplish:

Provision Cloud Desktops using Amazon WorkSpaces, and access them using the Amazon WorkSpaces client application, available for Windows and Mac computers, Chromebooks, iPads, Fire tablets, and Android tablets.

Create a new directory using Microsoft AD and add users. As part of the project, you’ll learn how to assign Amazon WorkSpaces to users in your Microsoft AD.

Perform basic administrative tasks using the AWS Management Console. You’ll learn how to reboot and rebuild Amazon WorkSpaces, create your own custom image which you can use for provisioning new Amazon WorkSpaces, and remove Amazon WorkSpaces.
What you’ll need before starting:
An AWS Account: You will need an AWS account to begin provisioning Amazon WorkSpaces. Sign up for AWS.

Skill level: A basic understanding of desktop computing and Microsoft AD is helpful, but not required.

AWS Experience: Some prior experience with AWS is helpful to complete this project.
Monthly Billing Estimate:
The total cost of running cloud desktops using Amazon WorkSpaces will vary depending on your needs and configuration. If you use the resources described in the implementation guide for a full month, and choose the monthly billing option for your Amazon WorkSpaces, your cost will be about $412. This excludes the cost of bandwidth consumed accessing the public Internet from your Amazon WorkSpaces.

Architectural Diagram: Amazon WorkSpaces Architectural Diagram

Step 1. Prepare an AWS Account
1. If you don’t already have an AWS account, create one at by
following the on-screen instructions. Part of the sign-up process involves receiving a
phone call and entering a PIN using the phone keypad.
2. Navigate to the Amazon WorkSpaces console at
3. Select a valid region from the drop-down list in the upper right.
Amazon Web Services currently hosts services in twelve regions in various geographic
areas. Amazon WorkSpaces are available in six of the current regions (see figure 1).

For help selecting the closest region, we provide a health check page with Round Trip
Time to all service regions at

Step 2: Create VPC and Subnets
For WorkSpaces to function correctly, you will need to have one public subnet and two private
subnets. The easiest way to do this is to use the VPC Wizard, which creates one public subnet,
one private subnet, a NAT gateway, and an Internet Gateway (IGW) for you. If you use the VPC
Wizard, you will not have to manually create the routing tables between the subnets. Before we
create the VPC, we’ll need to allocate an Elastic IP address.
First, allocate an Elastic IP (EIP) address in your preferred region. To do this, in the navigation
pane of the Amazon EC2 console, choose Elastic IPs
under the Network & Security section, and choose Allocate New Address, then Yes, Allocate.
Take note of the resulting EIP address. (See figure 3 below)

To create your VPC using the VPC wizard
1. Open the Amazon VPC console at
2. In the navigation pane, choose VPC Dashboard, Start VPC Wizard. If you do not
already have any VPC resources, locate the Your Virtual Private Cloud area of the
dashboard and choose Get started creating a VPC.
3. Choose VPC with Public and Private Subnets, Select (See figure 4 below).

4. Enter the following information into the wizard and choose Create VPC.
VPC wizard fields
Option | Value
IP CIDR block |
VPC Name | WorkSpaces VPC
Public subnet |
Availability Zone | No Preference
Public subnet name | WorkSpaces Public Subnet
Private subnet |
Availability Zone | No Preference
Private subnet name | WorkSpaces Private Subnet 1
Elastic IP Allocation ID | Select the Elastic IP Allocation ID that corresponds with the address you created in the prior section. This will be assigned to the NAT gateway
Add endpoints for S3 to your | Leave as none
Enable DNS hostnames | Leave default selection
Hardware tenancy | Default

5. It takes several minutes for the VPC to be created. After the VPC is created, proceed to
the following section.
i. VPC names and subnet names are for identification purposes only; you may use
any descriptors that are meaningful to you.
ii. Take note of the region in which you create the private subnet. You will need to
create an additional private subnet in the following step, and it must be in a
different subnet than the one created via the wizard.

Add a Second Private Subnet
Create the second private subnet by performing the following steps:
1. Open the Amazon VPC console at
2. In the navigation pane, choose Subnets, select the subnet with the name WorkSpaces
Private Subnet 1, and choose the Summary tab at the bottom of the page. Make a note
of the Availability Zone of this subnet.
3. Choose Create Subnet, enter the following information in the Create Subnet dialog box,
and choose Yes, Create.
Subnet 2 Settings
Option | Value
Name tag | WorkSpaces Private Subnet 2
VPC | Select your VPC. This is the VPC with the name WorkSpaces VPC.
Availability Zone | Select any Availability Zone other than the one noted in step 2. The two subnets used by Amazon WorkSpaces must reside in different Availability Zones.
CIDR Block |

Modify the Route Tables
Modify the route tables for your subnets by performing the following steps:
1. Open the Amazon VPC console at
2. In the navigation pane, choose Subnets and select the subnet with the name WorkSpaces
Public subnet. At the bottom of the page, choose the Route Table tab and make a note
of the Route Table identifier for the subnet. The route table identifier will be similar
to rtb-XXXXXXXX.
3. In the navigation pane, choose Route Tables, select the route table identified in the
previous step, and change the name to Workspaces Public Route table.
4. At the bottom of the page, choose the Routes tab and verify that the following entries are
in the route table for WorkSpaces Public route table. Modify the route table if needed by
choosing Edit.
NAT Subnet Route Table
Destination Target local igw-XXXXXXXX
This routes all traffic destined for the VPC locally, and traffic destined to all other IP
addresses to the Internet Gateway (IGW) that was created with the Amazon VPC
wizard. igw-XXXXXXXX identifies the Internet.
5. In the navigation pane, choose Subnets and select the subnet with the name WorkSpaces
Private Subnet 1. At the bottom of the page, choose the Route Table tab and make a
note of the Route Table identifier for the subnet. The route table identifier will be similar
to rtb-XXXXXXXX.
6. Select the subnet with the name WorkSpaces Private Subnet 2 and choose the Route
Table tab at the bottom of the page. The route table identifier should be the same for WorkSpaces Private Subnet 1 and WorkSpaces Private Subnet 2. If the route table
for WorkSpaces Private Subnet 2 is different, edit the entry to make them the same.
7. In the navigation pane, choose Route Tables, select the WorkSpaces route table
identified previously, and change the name to WorkSpaces Private Route Table.
8. At the bottom of the page, choose the Routes tab and verify a local route for the VPC
range, and a NAT route for as shown below.
WorkSpaces Subnets Route Table
Destination Target local nat-XXXXXXXXXXXXXXXXX
This routes all traffic destined for the VPC locally, and traffic destined to all other IP
addresses to the NAT gateway. nat-XXXXXXXXXXXXXXXXX identifies the NAT gateway
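
The layout built in this step can be checked programmatically. The following Python is an added example, not part of the original guide: it inspects data shaped like the EC2 DescribeSubnets and DescribeRouteTables responses and reports private subnets that share an Availability Zone, use different route tables, or route directly to the Internet Gateway. All subnet IDs, zones and the 10.0.0.0/16 range are constructed sample values.

```python
# Added example: validate a VPC layout against the requirements in Step 2.
# Input mirrors EC2 DescribeSubnets / DescribeRouteTables output; sample data is constructed.
DEFAULT_ROUTE = "0.0.0.0/0"


def route_table_for(subnet_id, route_tables):
    """Return the table explicitly associated with the subnet, else the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_target(rt):
    """Classify where a table sends 0.0.0.0/0: 'igw', 'nat' or None."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        if route.get("NatGatewayId"):
            return "nat"
        if (route.get("GatewayId") or "").startswith("igw-"):
            return "igw"
    return None


def check_layout(subnets, route_tables, public_id, private_ids):
    """Return a list of findings; an empty list means the layout matches the guide."""
    findings = []
    zone = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    if len(private_ids) != 2 or len({zone[s] for s in private_ids}) != 2:
        findings.append("private subnets must be two subnets in different Availability Zones")
    pub_rt = route_table_for(public_id, route_tables)
    if pub_rt is None or default_target(pub_rt) != "igw":
        findings.append("public subnet has no default route to the Internet Gateway")
    priv_rts = [route_table_for(s, route_tables) for s in private_ids]
    if len({rt["RouteTableId"] if rt else None for rt in priv_rts}) != 1:
        findings.append("private subnets do not share one route table")
    for sid, rt in zip(private_ids, priv_rts):
        target = default_target(rt) if rt else None
        if target == "igw":  # a "private" subnet that is directly Internet-routable
            findings.append(f"{sid} routes directly to the Internet Gateway")
        elif target != "nat":
            findings.append(f"{sid} has no default route to the NAT gateway")
    return findings


SUBNETS = [
    {"SubnetId": "subnet-pub", "AvailabilityZone": "us-west-2a"},
    {"SubnetId": "subnet-priv1", "AvailabilityZone": "us-west-2a"},
    {"SubnetId": "subnet-priv2", "AvailabilityZone": "us-west-2b"},
]
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
TO_IGW = {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-XXXXXXXX"}
TO_NAT = {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-XXXXXXXXXXXXXXXXX"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub", "Main": False}],
     "Routes": [LOCAL, TO_IGW]},
    {"RouteTableId": "rtb-private",  # main table: subnet-priv2 uses it implicitly
     "Associations": [{"Main": True}, {"SubnetId": "subnet-priv1", "Main": False}],
     "Routes": [LOCAL, TO_NAT]},
]

if __name__ == "__main__":
    print(check_layout(SUBNETS, ROUTE_TABLES, "subnet-pub", ["subnet-priv1", "subnet-priv2"]))
```

With live data, the same function can be fed the "Subnets" and "RouteTables" lists returned for the WorkSpaces VPC.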

Step 3: Create an Amazon WorkSpaces Directory in the Cloud
Amazon WorkSpaces uses a directory to store and manage WorkSpace and user information,
and you can have Amazon WorkSpaces create this directory in the cloud for you using Simple
AD or Microsoft AD. Additionally, you can connect to an existing Active Directory using the
Active Directory Connector.
Creating a Microsoft AD Directory
For this walkthrough, we’ll create a Microsoft AD Directory using the Amazon Directory Services.
To create the Microsoft AD directory
1. Open the Amazon Directory Services console
2. Choose Get Started Now.
3. Choose Create Microsoft AD.
4. Provide the following information:
Option | Value
Directory DNS | The fully qualified name for the directory, such
NetBIOS name | The short name for the directory, such as workspaces
Administrator password | The password for the directory administrator. The directory creation process creates an administrator account with the user name Admin and this password. Note password requirements below.
Confirm password | Retype the administrator password.

Administrator password requirements
The password for the directory administrator. The directory creation process creates an
administrator account with the user name Admin and this password.
The password cannot include the word “admin.”
The directory administrator password is case-sensitive and must be between 8 and 64
characters in length. It must also contain at least one character from three of the following
four categories:
• Lowercase letters (a-z)
• Uppercase letters (A-Z)
• Numbers (0-9)
• Non-alphanumeric characters (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
5. Provide the following information in the VPC Details section and choose Next Step.
Option | Value
VPC | The VPC for the directory (WorkSpaces VPC, or the VPC with IP range
Subnets | Select the two private subnets, WorkSpaces Private subnet 1 and WorkSpaces Private Subnet 2 for the directory servers (IP ranges and
6. Review the directory information and make any necessary changes. When the
information is correct, choose Create Microsoft AD.
It takes several minutes for the directory to be created. When it has been successfully created,
the Status value changes to “ACTIVE”.
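
The administrator password rules from step 4 can be checked before the form is submitted. This Python function is an added example, not AWS's own validation code; it assumes the ban on the word “admin” applies regardless of letter case, which the guide does not specify.

```python
# Added example: pre-flight check of a directory administrator password
# against the requirements listed in step 4 of this section.
import string

# Non-alphanumeric characters the policy counts as its fourth category.
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def password_violations(password):
    """Return the list of rules the password breaks (empty list = acceptable)."""
    problems = []
    if not 8 <= len(password) <= 64:
        problems.append("length must be between 8 and 64 characters")
    # Assumption: the "admin" ban is applied case-insensitively (the stricter reading).
    if "admin" in password.lower():
        problems.append('must not include the word "admin"')
    categories = {
        "lowercase": any(c in string.ascii_lowercase for c in password),
        "uppercase": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    if sum(categories.values()) < 3:
        missing = [name for name, present in categories.items() if not present]
        problems.append("needs 3 of 4 character categories; missing: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    # Constructed candidates, for illustration only.
    for candidate in ["Wksp-Dir-2024", "short1A", "MyAdminPass1", "alllowercase"]:
        print(candidate, "->", password_violations(candidate) or "ok")
```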

Step 4: Launch WorkSpaces
Once the Directory is set up, WorkSpaces can be launched via the console.
1. Navigate to Choose Launch WorkSpaces
(see figure 6 below).

2. Select the directory you created in the previous section and choose Next Step. WorkSpaces
will register your directory with the WorkSpaces service; this could take up to five minutes.
3. You can now either add users to your directory or select from existing users. Since we just
created this directory, you’ll need to create at least one user. Enter all of the appropriate
information for the new user, and choose Create. The user accounts you created will
automatically be added to the WorkSpaces list.

i. The first WorkSpace you provision in this walkthrough will be used to create a
master image for subsequent deployments, so you may wish to indicate that by
naming the first account “ImageBuilder”
ii. It’s important to use a valid email address where you can receive email so that
you can receive the one-time activation link. In order for this user account to
become active, you need to set a password by following the instructions on the
activation page. If you don’t use a valid email address, you’ll need to retrieve
the registration link from the console.
4. Next you will assign a WorkSpaces Bundle to the user you just created. For this
walkthrough, select the Performance bundle and assign it to the user you created in the
prior step
5. You are now presented with the WorkSpaces Configuration options (see figure 9 below). On
this screen, you can select the AlwaysOn or AutoStop running mode, enable encrypted
drives, and specify tags. Note that the AlwaysOn running mode is used for monthly billing,
and AutoStop for hourly billing. Configure this WorkSpace for AutoStop, choose an option for
Encryption, and click Next. Note that encrypting the Root Volume will increase the time
required to provision a WorkSpace, but there is no operational performance impact once

6. On the next screen you will verify the details then choose Launch WorkSpaces which will
start the process and will take around 60 minutes to complete (20 minutes if you did not
select the option to encrypt the root volume). During this process, your WorkSpace will show
a status of “PENDING”. Once completed the user will receive an email containing the
Registration Code with instructions on downloading the client
If you do not receive the email, you can see the content of this message by selecting the
user’s WorkSpace and selecting Actions,
7. Follow the link in the Invitation email to complete your user profile, download the
WorkSpaces Client, and connect to the WorkSpace.

Step 5: Customize the Initial WorkSpace
By this point, you should be logged in to your first Amazon WorkSpace. Now, let’s update the
WorkSpace and add some applications.
1. Run Windows Update and apply any updates to bring your client up to date. Reboot when
prompted; it takes around 5 minutes to reboot a WorkSpace, and note that some Windows
Updates will cause the restart to take longer. Once all Windows Updates have been applied,
we’ll continue customizing this WorkSpace.
2. Change the Wallpaper.
3. Install the Chrome browser from //
4. Download and install the latest version of Notepad++ from
5. Choose Start, Run, and type “Server Manager” (Amazon WorkSpaces runs Windows Server
2008 R2 with the Windows 7 Experience Pack). Start Server Manager.
6. In Server Manager, choose Features. After Server Manager finishes collecting data, choose
Add Features from the Action menu

7. Under Remote Server Administration Tools, Role Administration Tools, select AD DS and
AD LDS Tools and choose Next
8. Under Remote Server Administration Tools, Role Administration Tools, select AD DS and
AD LDS Tools and choose Next
9. The Add Features Wizard will prompt you to restart the WorkSpace after adding this role. Go
ahead and restart. After about 5 minutes, reconnect to your WorkSpace.
10. The Server Manager Wizard will automatically resume. Close it once it completes.
11. Choose Start, Run, and type “Users and Computers.” You should see the Active Directory
Users and Computers administrative tool. Hold Ctrl+Shift, right-click Active Directory Users
and Computers, and choose “Run as different user”.
12. When prompted, enter Admin as the username, and the password you used when creating
the directory in Step 3.

13. This is your Microsoft AD directory. Go to the domain, expand the
workspaces Organization Unit (OU), and select the Users OU.

14. From the Action menu, select New, then User, and create a new Test User in your directory.
We’ll use this user later when deploying an additional WorkSpace, so on the next screen, set
a password you’ll remember, and deselect “User must change password at next logon.” After
creating the user account, right-click Test User, select Properties, and specify an email
address. Without an email address, you won’t be able to provision a WorkSpace in later
15. Close the Active Directory Users and Computers console, and restart the WorkSpace.

Step 6: Create a Custom Image and Bundle.
Now that you’ve customized your WorkSpace, it’s time to create an image that you can use for
subsequent deployments.
1. Go to the WorkSpaces console at
2. Ensure the status of the WorkSpace assigned to ImageBuilder is “AVAILABLE”.
3. Select the ImageBuilder WorkSpace, choose Actions, Create Image

You can monitor the progress from the Images section of the WorkSpaces console. Once
the Image Status changes to “AVAILABLE”, your ImageBuilder WorkSpace will reboot and
be available for use.
5. Once the image is complete, we need to create a bundle based on this Image. On the
Images page, select the new image, choose Actions, and Create Bundle
6. Give the bundle a name, description, and select the Performance hardware type, then
choose Create Bundle
The Hardware Type does not have to match the hardware type you used when creating the initial
7. Back on the main WorkSpaces console, choose Launch WorkSpace.
8. Select the directory and choose Next Step.
9. Choose “Show All Users” and check the Test User account you previously created, then
choose Add Selected, and Next Step.
10. Assign your custom bundle to the testuser account and choose Next Step.
11. Choose AutoStop for Running Mode on the WorkSpaces Configuration screen, then click
Next Step.
12. Click Launch WorkSpaces on the Review & Launch screen. It will take approximately 60
minutes for your WorkSpace to complete, if you selected the option to encrypt the root
13. Once the WorkSpace for Test User is complete, connect to the WorkSpace using the
WorkSpaces client. Note, registration codes are unique per directory, so the registration
code will be the same as it was for your initial WorkSpace.
14. Once you’re at the desktop for the Test User WorkSpace, you should see:
• The Wallpaper is the same as for your ImageBuilder WorkSpace.
• Chrome and Notepad++ are installed.
• The Active Directory Remote Server Administration Tools are already available.
• The WorkSpace has all Windows Updates available up to the point where you created the

Step 7: Reboot and Rebuild
The two primary actions you’ll use when troubleshooting a WorkSpace are Reboot and Rebuild.
If you’re connected to the WorkSpace, you can always restart the WorkSpace as with any other
Windows client, from the start menu. For this example, we’re going to connect to the
WorkSpace, then force an administrative reboot from the WorkSpaces console.
1. After confirming the state of the Test User WorkSpace, connect to the WorkSpace, then go
back to the main screen of the WorkSpaces console. While still logged in and connected to
the Test User WorkSpace, select the Test User WorkSpace in the console, choose Actions,
and then Reboot Workspaces
You’ll be disconnected from the WorkSpace while it reboots.
2. Wait around five minutes for the workspace to transition states from AVAILABLE, to
REBOOTING, and back to AVAILABLE, then reconnect.
Rebuilding a WorkSpace is a more destructive action. The system volume (Drive C) will be
rebuilt from the image used to provision the WorkSpace, and the User Data volume (Drive D)
will be restored to the last snapshot. Any new applications installed to the System volume will
not be restored. Snapshots of the Data volume are taken every 12 hours, but the exact time
varies. For this lab, if you wish to see the snapshot recovery in action, you may wish to write
some data files to the D: drive, then come back 12 hours later to try the rebuild operation.
Let’s see how a Rebuild works.
1. Connect to the Test User WorkSpace.
2. Go to Add or Remove Programs
3. Uninstall Notepad++
4. Go to and download the installer for Windows 64 bit. Save
the downloaded file on the D drive.
5. Run the install with the default install directory of c:\Program Files\Sublime Text 3.
Now, your Test User WorkSpace has Sublime Text 3 installed, but you’ve removed Notepad++.
If you rebuild right now, you’ll revert to the prior state, but since this WorkSpace is less than 12
hours old, you will not get an updated snapshot of the D volume. To see the data volume
snapshot restore at work, you’ll have to pause the lab and come back tomorrow. If you wish, go
ahead and copy some additional files to the D: volume.
….12 hours later
Welcome back! Let’s continue with the Rebuild operation.
6. Log back in to the WorkSpaces console.
7. Select the Test User WorkSpace.
8. Choose Actions, Rebuild WorkSpace. You’ll be prompted to confirm
The rebuild operation takes about half an hour to complete. Once the process is complete,
reconnect to the Test User WorkSpace. You should notice the following:
• SublimeText is gone.
• Notepad++ is back.
• Assuming you waited at least 12 hours, any files you created on the D drive are still present.
This would include the SublimeText installer you previously downloaded and saved to the D

Step 8: Modify Running Mode Properties
Amazon WorkSpaces provides the flexibility to pay monthly or hourly. With monthly billing, you
pay a fixed monthly fee for unlimited usage during the month. With hourly billing you pay a small
fixed monthly fee per WorkSpace to cover infrastructure costs and storage, and a low hourly
rate for each hour the WorkSpace is used during the month. To pay monthly, your Amazon
WorkSpaces needs to be configured to run in the AlwaysOn running mode. To pay hourly, your
Amazon WorkSpace needs to be configured to run in the AutoStop running mode. You can mix
monthly and hourly billing within your AWS account, and you can also switch between billing
options at any time during a billing period to optimize your AWS bill. You can learn more about
billing options and pricing here.
To change the running mode for one of your WorkSpaces:
1. Log back in to the WorkSpaces console.
2. Select the Test User WorkSpace (previously configured to run in the AutoStop running
3. Click Actions, and select Modify Running Mode Properties
4. Select the new running mode for your WorkSpace
5. You’ll see the Running Mode reflected in the console. For AutoStop instances, there are
additional options under the Actions menu to start or stop the WorkSpace.
Step 9: Cleanup
Congratulations! You’ve successfully provisioned a WorkSpace, created an Image of the initial
WorkSpace, created a Bundle from the Image, deployed a new WorkSpace from a custom
Bundle, rebooted and rebuilt a WorkSpace, and switched Running Modes.
If you’re ready to clean up the environment, you’ll have to delete components in the right order.
Go to the WorkSpaces console. Under Bundles, select your custom bundle, choose Actions,
and Delete Bundle. The action will not succeed, because all WorkSpaces built from that bundle
must be deleted first. The same is true if you attempt to delete the Image while a Bundle is still
attached to the Image.
To unwind what we’ve done:
1. Go to the WorkSpace page, select the Test User WorkSpace, choose Actions, Remove
WorkSpaces, and confirm by choosing Remove WorkSpaces.
2. After the WorkSpace terminates, go to Bundles, select the custom bundle, choose Actions,
Delete Bundle.
3. Now go to Images. Select the custom image, Actions, Delete Image.
4. If you want to delete the directory, you’ll need to remove the ImageBuilder WorkSpace as
well. Go back to the WorkSpaces page, select the ImageBuilder WorkSpace, choose
Actions, Remove WorkSpaces, and confirm.
5. Before deleting the directory, we have to de-register from the WorkSpace service.
6. Go to the Directories tab of the WorkSpaces console. Select the directory, choose Actions,
7. Select the Directory again, but this time, choose Actions, then Delete, and confirm
It will take a few minutes for the directory to delete. Wait for the process to complete.
8. You can now go to the VPC console and delete the WorkSpaces VPC
9. Delete the Elastic IP address from the EC2 Console

Informational Links – List of downloadable clients – Global health check for WorkSpaces
Service – FAQs on WorkSpaces – WorkSpaces
