This is the third blog in our Remote Working series. Please see our first blog on Remote Working here and the second blog discussing Amazon WorkSpaces – here.
A quick overview of AppStream…
Amazon AppStream 2.0 is a fully-managed application management and streaming service. It combines remote desktop and web app solutions to stream apps directly to any device. For those familiar with the AWS remote working product set: AppStream only streams the application window, unlike Amazon WorkSpaces which streams an entire desktop.
How Amazon AppStream 2.0 supports your business
With Amazon AppStream 2.0, you can stream and manage your desktop apps to users outside your corporate firewall. Users have the flexibility of secure, on-demand access without restriction of network or location. You can run Amazon AppStream 2.0 desktop applications on any device, including Windows, Linux, Macs, and Chromebooks.
AppStream offers multiple streaming options, including General Purpose, Compute Optimised, and Memory Optimised. AppStream boasts robust security features including network and web application firewalls, a protected streaming gateway, and encryption in transit across all services. Additionally, you can enhance secure delivery by isolating your applications. Amazon stores your data on their cloud infrastructure, minimising the risk of compromising confidential data if your device is lost or stolen.
Accessing AppStream in a web browser does not require browser extensions or plugins. You can access fleet streaming sessions with Chrome or Safari on an iPad (iOS 11 or later), Android 8 or later, and Microsoft Surface Pro.
AppStream supports dual monitors for browser-based streaming sessions, in addition to administrative connections and image builders. The maximum display resolution is 2560×1440 pixels per monitor, but if you require more than two monitors or a higher display resolution, the AppStream 2.0 client is available.
You can also use familiar touch gestures on touch-enabled devices. Gestures such as swipe to scroll, pinch to zoom, and two-finger rotation are passed through to the streaming session and handled according to Windows conventions.
Amazon AppStream 2.0 adheres to the data protection guidelines and regulations in the AWS shared responsibility model. It is AWS’ responsibility to protect the global infrastructure that runs the AWS services. AWS is responsible for the security of the cloud, and the users are responsible for security in the cloud.
Ensure you protect your AWS account credentials and set up individual user accounts by leveraging AWS Identity and Access Management (IAM). You can securely manage access to AWS services and resources by creating and managing AWS users and groups. By implementing permissions, you can allow and deny users access to AWS resources, so they only get the permissions they need to carry out their specific roles.
You can add additional security with:
Multi-factor authentication (MFA) – users must input their username and password (the first factor), in addition to a second factor which is an authentication code from their AWS MFA device.
Communicating with AWS resources using Transport Layer Security (TLS) – TLS improves security for data in transit by authenticating the other party in a connection and checking the integrity of data. TLS also encrypts the data in transit.
Setting up API and user activity logging with AWS CloudTrail – monitor, log and retain account activity related to actions across your AWS infrastructure. You can examine the history of your AWS account activity and detect unusual activity in your AWS accounts.
AWS encryption solutions – encrypt data at rest with AWS encryption solutions.
Amazon Macie, which helps you find and secure personal data in Amazon S3.
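The MFA and CloudTrail items above can be combined into a simple detection. The following is an added example, not code from this post or from AWS: it scans CloudTrail records for AppStream 2.0 configuration changes made from a session that was not MFA-authenticated. The sample records are constructed, and the list of watched actions is an assumption to adapt to your own environment.

```python
import json

# Constructed sample CloudTrail records (illustrative, not real account data).
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2020-04-01T09:15:00Z", "eventSource": "appstream.amazonaws.com",
  "eventName": "UpdateStack", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}}},
 {"eventTime": "2020-04-01T22:41:00Z", "eventSource": "appstream.amazonaws.com",
  "eventName": "UpdateFleet", "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/bob",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}}},
 {"eventTime": "2020-04-02T03:02:00Z", "eventSource": "appstream.amazonaws.com",
  "eventName": "DeleteStack", "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}},
 {"eventTime": "2020-04-02T03:05:00Z", "eventSource": "appstream.amazonaws.com",
  "eventName": "DescribeStacks", "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}},
 {"eventTime": "2020-04-02T03:06:00Z", "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteBucket", "sourceIPAddress": "203.0.113.50",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/carol"}}
]""")

# Assumption: the AppStream 2.0 API actions this team treats as sensitive changes.
WATCHED_ACTIONS = {"CreateStack", "UpdateStack", "DeleteStack",
                   "CreateFleet", "UpdateFleet", "DeleteFleet"}

def flag_changes_without_mfa(records, watched=WATCHED_ACTIONS):
    """Return (time, action, caller ARN, source IP) for watched AppStream
    changes whose CloudTrail record does not show an MFA-authenticated session."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "appstream.amazonaws.com":
            continue  # other services are out of scope for this check
        if rec.get("eventName") not in watched:
            continue  # read-only or unwatched call
        identity = rec.get("userIdentity", {})
        attrs = identity.get("sessionContext", {}).get("attributes", {})
        # A missing sessionContext (e.g. long-lived access keys) counts as no MFA.
        if attrs.get("mfaAuthenticated") != "true":
            findings.append((rec["eventTime"], rec["eventName"],
                             identity.get("arn", "unknown"),
                             rec.get("sourceIPAddress", "unknown")))
    return findings

if __name__ == "__main__":
    for finding in flag_changes_without_mfa(SAMPLE_RECORDS):
        print(*finding, sep="  ")
```

In practice the records would come from the CloudTrail log files delivered to your S3 bucket rather than an inline string.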
Ensure that you never enter sensitive information, such as your customers’ account numbers, into free-form fields or metadata, as this could get included in diagnostic logs. Do not include credentials in a URL to validate your request to that server.
AppStream 2.0 has short-lived fleet instances. When your streaming session ends, AppStream deletes your fleet instances and the associated Amazon Elastic Block Store (EBS) volume. If you enable application settings persistence or home folders, the data generated and stored in Amazon Simple Storage Service (Amazon S3) buckets is encrypted at rest.
Application Settings Persistence
Users' persistent application settings are saved to a Virtual Hard Disk (VHD) file. The file is created automatically the first time a user streams an application from a stack that has application settings persistence enabled. If the fleets associated with the stack are based on an image containing default application and Windows settings, the user’s first session will include those default settings.
When the streaming session ends, the VHD is unmounted and uploaded to an Amazon S3 bucket within your account. The bucket is created the first time persistent application settings are enabled for a stack. Buckets are unique to each AWS account and Region. The VHD is encrypted in transit through Amazon S3 SSL endpoints and at rest using Amazon S3-managed encryption keys.
One drawback of application settings persistence is that it does not work across different operating system versions. Admins who enable application settings persistence on a stack associated with a fleet that uses a Windows Server 2012 R2 image will find that settings from previous streaming sessions are not saved if they update the fleet to use an image that runs a different operating system. Updating the fleet to use the new image creates a new Windows user profile. Settings from users’ streaming sessions are only kept if the update stays on the same operating system on the image. In that case, the same Windows user profile is used when launching streaming sessions from the fleet instance.
AppStream 2.0 enables you to scale to unlimited users around the globe without the need to obtain additional operating hardware or infrastructure. The service allows software vendors to stream GPU-intensive 3D design and other applications, such as engineering apps. Enterprises are leveraging AppStream 2.0 to replace their application streaming technologies as well as for an array of graphic applications.
Many administrators are in favour of the AppStream 2.0 pricing model of only paying for streaming resources that you provision. To estimate your AppStream 2.0 price, you must provide the following:
The total number of users.
Concurrent usage per hour.
With the information provided above, the pricing tool estimates your per-user price using an On-Demand fleet and compares it to the costs of an Always-On fleet. The tool only provides you with an estimate of AWS fees relating to the AppStream 2.0 usage.
The AppStream 2.0 Pricing Tool lets you enter the necessary information about your usage into a Microsoft Excel spreadsheet, and provides an AppStream 2.0 environment cost estimate. There is a Price Estimator worksheet and a Usage Pattern worksheet. Cells are colour-coded, with those requiring information having a light blue background. Grey backgrounds are informational or aggregations, and green backgrounds are cost estimates.
PolarSeven configure and manage Amazon AppStream 2.0
We can help you leverage the full range of AWS remote working solutions to enable user productivity and secure your applications.
Please visit our remote working page to learn more about our AppStream offering, or book a complimentary workshop with a PolarSeven engineer.