Amazon WorkSpaces migration best practice essentials
Migrating to Amazon WorkSpaces requires planning and team collaboration to ensure security, network, VPC, and interfaces for device access are configured properly and function as expected. The first step must be creating a strategic plan. Strategic planning is critical for any technology migration project with significant impact on a business network.
Strategic planning helps identify problem areas and possible risks while enabling collaboration between stakeholders to ensure work is completed accurately and the system functions as expected. Without a strategic plan for a WorkSpaces migration, businesses quickly get lost in the technology setup details, options, and contractual requirements. The strategic plan doesn’t need to be a long, formal document but it does need to contain the project goal, risks, decisions made, and the project leaders’ names and contact information.
Migrating to AWS WorkSpaces from another system starts with strategic planning. After the planning, what’s next? What are the common best practices for a successful migration? How long does it take? Where can a user find troubleshooting tips for the WorkSpaces console?
This resource guide provides an overview of the best practices for managing a successful migration to AWS WorkSpaces including how to create a working system.
Best practices for a successful WorkSpaces migration
The first step after developing a strategic plan is to confirm the technology system meets AWS WorkSpaces system requirements. Ensure the system components function with WorkSpaces before attempting the migration.
WorkSpaces system requirements include:
- A WorkSpaces-supported client device, or PCoIP Zero Clients, to connect to WorkSpaces
- A directory service for user authentication and user account access
- An Amazon Virtual Private Cloud (VPC) configured with two subnets for managing the AWS Directory Service construct
Next, review the network considerations required for a WorkSpaces migration. Network considerations include:
- Associating each WorkSpace with the specific VPC and Directory Service construct used. The subnets created will map to different availability zones and are permanently affiliated with the Directory Service once configured. When doing so you’ll need to:
  - Remember to size each subnet appropriately before creating the Directory Service construct
  - Determine how many WorkSpaces are needed over time
  - Determine the expected growth in users and what types of users there will be
  - Decide how many AD domains need to be connected
  - Decide where enterprise user accounts are controlled on the system, and by whom
- Creating user personas that assist in segmenting users into roles and controlling network access control lists, routing tables, and VPC security groupings.
Once the network considerations are addressed, move to VPC design. The VPC design controls the sizing of the VPC, subnets, traffic flow, and directory services design. A solid VPC design enables a responsive, secure, and scalable WorkSpaces environment. VPC Design for migrating to WorkSpaces includes:
- Defining security groups
- Creating routing policies
- Configuring network access control lists (ACLs)
- Separating the VPC into a single entity to ensure governance and security guardrails
- Designing the Directory Service constructs for the VPC
- Defining a default security group for the Directory Service chosen
Remember to design the VPC with future needs in mind. For example, one may need to add an antivirus server, patch management, or a RADIUS MFA server to better manage network growth impacts.
Then, move on to network interface setup. Considerations for this step include:
- Ensuring each WorkSpace contains two elastic network interfaces (ENIs): a management network interface (eth0) and a primary network interface (eth1)
- Not connecting anything else to these private IP address ranges so that network routing will function
- Reviewing this list of private IP ranges used per region to ensure interfaces are not mapped to IP ranges already in use
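The subnet sizing and IP range checks above can be run against a draft design before the Directory Service construct is created. The following is an added example, not code from the original article or from AWS. The function names, the per-subnet directory allowance, the even spread of WorkSpaces across both subnets, and the management range value are assumptions; the management range is a constructed placeholder and must be replaced with the ranges published for the region in use.

```python
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # AWS reserves 5 addresses in every VPC subnet

# Constructed placeholder, NOT real AWS data: replace with the management
# interface ranges published for the region being deployed.
MGMT_RANGES_PLACEHOLDER = ["198.51.100.0/24"]


def projected_workspaces(now, yearly_growth_pct, years):
    """Compound growth in whole WorkSpaces, rounded up each year."""
    total = now
    for _ in range(years):
        total = (total * (100 + yearly_growth_pct) + 99) // 100
    return total


def check_subnet_plan(subnets, target, directory_ips=2,
                      mgmt_ranges=MGMT_RANGES_PLACEHOLDER):
    """subnets: list of (cidr, availability_zone). Returns a list of findings.

    Assumes WorkSpaces spread across both subnets and that the directory
    needs `directory_ips` addresses per subnet (both are assumptions).
    """
    findings = []
    if len(subnets) != 2:
        findings.append(f"expected 2 subnets, got {len(subnets)}")
    if len({az for _, az in subnets}) != len(subnets):
        findings.append("subnets must map to different availability zones")
    nets = [ipaddress.ip_network(cidr) for cidr, _ in subnets]
    usable = sum(max(n.num_addresses - AWS_RESERVED_PER_SUBNET - directory_ips, 0)
                 for n in nets)
    if usable < target:
        findings.append(f"{usable} usable addresses for {target} planned WorkSpaces")
    for n in nets:
        for r in mgmt_ranges:
            if n.overlaps(ipaddress.ip_network(r)):
                findings.append(f"{n} overlaps management range {r}")
    return findings
```

An empty result means the draft passes these three checks only; it does not validate routing tables, security groups, or ACLs.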
Finally, traffic flow consists of two components: the traffic between a client device and the WorkSpaces service, and the traffic between the WorkSpaces service and the customer network.
The first component involves setting the client device to the same ports for connectivity to the WorkSpaces service using:
- Port 443 for all authentication and session information
- Port 4172 with both TCP and UDP
Ensure traffic on both ports is encrypted (it is encrypted by default). Also, limit outbound traffic on port 4172 to specific regions used in the WorkSpaces service.
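One way to review a client-side outbound rule set against this guidance, as an added example that is not part of the original article: it confirms that TCP 443, TCP 4172, and UDP 4172 are each allowed, and flags any port 4172 rule whose destination is wider than the regions in use. The rule tuple format, the function name, and the region range are assumptions; the range is a constructed placeholder.

```python
import ipaddress

# Flows the client needs, per the port list above.
REQUIRED_FLOWS = [("tcp", 443), ("tcp", 4172), ("udp", 4172)]

# Constructed placeholder standing in for the address ranges of the
# WorkSpaces regions actually in use. Replace with real values.
REGION_RANGES_PLACEHOLDER = ["203.0.113.0/24"]


def audit_client_egress(rules, region_ranges=REGION_RANGES_PLACEHOLDER):
    """rules: list of (protocol, port, destination_cidr) outbound allow rules.

    Returns a sorted list of findings; an empty list means every required
    flow is present and port 4172 is limited to the given regions.
    """
    allowed = [ipaddress.ip_network(c) for c in region_ranges]
    findings = set()
    seen = set()
    for proto, port, dest in rules:
        proto = proto.lower()
        seen.add((proto, port))
        if port == 4172:
            net = ipaddress.ip_network(dest)
            # The destination must sit entirely inside an allowed range.
            if not any(net.subnet_of(a) for a in allowed):
                findings.add(
                    f"{proto}/4172 to {dest} is wider than the regions in use")
    for proto, port in REQUIRED_FLOWS:
        if (proto, port) not in seen:
            findings.add(f"missing outbound allow for {proto}/{port}")
    return sorted(findings)
```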
Then, move on to the second component. Configure traffic flow from the WorkSpaces service to the VPC:
- Authenticate a connection from a client and set it to display a Windows or Linux desktop
- Verify the client connects to the VPC and the WorkSpaces system
- Set firewall limits on the WorkSpaces system to limit network access to resources within the VPC
Timing for a WorkSpaces migration
The time it takes for a migration depends on how many WorkSpaces are created. The migration process takes around one hour per WorkSpace when no errors are encountered. For planning purposes, expect some errors and plan for two hours per WorkSpace. Approximately three days should be added to allow for the time to develop a strategic plan and make WorkSpace migration network decisions.
Migration time also varies based on the size of the WorkSpace created, and the experience level of the users configuring the network and security requirements setup.
Testing the WorkSpaces migration
Test the migrated WorkSpaces system before communicating access details to the entire user group. Testing that users can successfully access their WorkSpace allows administrators to verify the connection details within the WorkSpaces console. Testing ensures the migration is properly configured and the interfaces are connecting and secured as expected.
Here are a few tips for testing a WorkSpaces system:
- Test with a small group of trial users first. Using a trial group limits the number of defects or communication necessary to test the system.
- Allow trial users to log in and perform basic job functions that test the VPC and application access.
- Make any necessary configuration corrections after the trial group testing is complete, then retest.
- Release access to all users once testing has ensured the system works as expected.
Troubleshooting tips for WorkSpaces console
Regardless of the experience level of the resources performing the migration to WorkSpaces, there will be adjustments needed. Understanding how to meet the setup requirements and configuration options needed is a complex process. Plan time to address configuration issues or system issues. Troubleshooting information for common errors is available with detailed resolution steps for guidance.
WorkSpaces offers an effective, secure, and managed method of providing access to remote employees and enabling a flexible workforce. Make sure the system is secured within the AWS infrastructure and meets all relevant compliance requirements based on where the business is active.
Need help migrating to a WorkSpaces network? CloudHesive provides support and deep expertise in using the Amazon Web Services cloud for the best business advantage. As an Amazon Managed Services Partner, and Amazon Premier Partner, CloudHesive helps businesses take full advantage of the features AWS offers including Amazon WorkSpaces implementation and management. See what other customers have to say in case studies available from CloudHesive.