ARCHIVED: Best Practices for Deploying Amazon AppStream 2.0


Best Practices for Deploying Amazon AppStream 2.0

VPC design, image creation and management, fleet customization, fleet auto scaling, authentication, security, monitoring, and cost optimization

June 8, 2021

This version has been archived. For the latest version, refer to the current edition of Best Practices for Deploying Amazon AppStream 2.0.

Notices

Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current AWS product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from AWS and its affiliates, suppliers or licensors. AWS products or services are provided "as is" without warranties, representations, or conditions of any kind, whether express or implied. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

© 2021 Amazon Web Services, Inc. or its affiliates. All rights reserved.

Contents

Introduction
Key concepts
VPC design
Design guidelines
Availability Zones
VPC endpoints
Image creation and management
Building an AppStream 2.0 image
Managing users' streaming experience
Image updates
Fleet customization
Fleet type
Fleet sizing
Choosing Desktop View or Application View
Identity and Access Management role configuration
Fleet auto scaling strategies
Understanding AppStream 2.0 instances
Scaling policies
Best practices for scaling policy design
Connection methods
Summary feature and device support
Web browser access
AppStream 2.0 client for Windows
Authentication
Determining optimized method
Configuring your identity provider
Integration with Microsoft Active Directory
Service options
Deployment scenarios
Active Directory Service Site Topology
Active Directory computer object cleanup
Security
Securing persistent data
Antivirus software
Network exclusions
Securing an AppStream session
Firewalls and routing
Controlling data ingress and egress
Using AWS services
Monitoring
Using dashboards
Anticipating growth
Monitoring user usage
Persisting application and Windows event logs
Auditing network and administrative activity
Custom domains
Cost optimization
Designing cost efficient AppStream 2.0 deployments
Optimizing costs with choice of instance type
Optimizing costs with fleet type choice
User fees
Image Builder usage
Conclusion
Contributors
Further reading
Document revisions

Abstract

This whitepaper outlines a set of best practices for the deployment of Amazon AppStream 2.0. The paper covers Virtual Private Cloud (VPC) design, image creation and management, fleet customization, and fleet auto scaling strategies. It includes user connection methods, authentication, and integration with Microsoft Active Directory. The paper also includes recommendations for designing AppStream 2.0 security, monitoring, and cost optimization.

This whitepaper was written to enable quick access to relevant information. It is intended for network engineers, application delivery specialists, directory engineers, or security engineers.

Amazon Web Services: Best Practices for Deploying Amazon AppStream 2.0

Introduction

Amazon AppStream 2.0 is a fully managed application streaming service that provides users with instant access to their desktop applications from anywhere. AppStream 2.0 manages the AWS resources required to host and run your applications. It scales automatically and provides access to your users on demand. AppStream 2.0 provides end users access to the applications they need on the device of their choice, with a responsive user experience, indistinguishable from natively installed applications.

The following sections provide details about Amazon AppStream 2.0, explain how the service works, describe what you need to launch the service, and tell you what options and features are available for you to use. When deploying AppStream 2.0 for end users, it is important to implement best practices to provide an outstanding user experience. Additionally, companies of all sizes benefit from cost optimization that reduces monthly operational costs.

Key concepts

To get the most out of AppStream 2.0, be familiar with the following concepts:

- Image — An image is a pre-configured instance template. An image contains applications that you can stream to your users, and default Windows and application settings that enable your users to get started with their applications quickly. AWS provides base images that you can use to create images that include your own applications. After you create an image, you can't change it. To add other applications, update existing applications, or change image settings, you must create a new image. You can copy your images to other AWS Regions or share them with other AWS accounts in the same Region.

- Image builder — An image builder is a virtual machine that you use to create an image. You can launch and connect to an image builder using the AppStream 2.0 console. After you connect to an image builder, you can install, add, and test your applications, and then use the image builder to create an image. You can launch new image builders by using private images that you own.

- Fleet — A fleet consists of fleet instances (also known as streaming instances) that run the image that you specify. You can set the desired number of streaming instances for your fleet, and configure policies to scale your fleet automatically based on demand. Note that each user requires one instance.

- Stack — A stack consists of an associated fleet, user access policies, and storage configurations. You set up a stack to start streaming applications to users.

- Streaming instance — A streaming instance (also known as a fleet instance) is an Amazon Elastic Compute Cloud (Amazon EC2) instance that is made available to a single user for application streaming. After the user's session completes, the instance is terminated by EC2.

VPC design

Design guidelines

Deploy AppStream 2.0 into a dedicated VPC. When designing the AppStream 2.0 VPC, size for forecasted growth. Reserve IP address capacity for new use cases, and for additional Availability Zones (AZs) that may be added at a later time. A fundamental design point of AppStream 2.0 is that only one user can consume an AppStream 2.0 instance. When allocating IP space, think of one user as one IP address per AppStream 2.0 instance. With AppStream 2.0, it is possible for a user to consume multiple AppStream 2.0 instances. Therefore, planning IP space must also account for use cases that require additional AppStream 2.0 instances.

Although the maximum size of a VPC Classless Inter-Domain Routing (CIDR) block is /16, AWS recommends not over-allocating private IP addresses. It is possible to extend the size of the VPC through additional CIDRs, but there is a limit to this; therefore, allocate what is needed from the onset.

If the AppStream 2.0 deployment is joined to an Active Directory domain, the DHCP options set for the VPC must have the domain DNS configured. The domain name server option should specify the DNS IP addresses that are either authoritative for the Active Directory domain, or DNS servers that forward requests to the authoritative DNS instances for the Active Directory domain. Also, the VPC must have enableDnsHostnames and enableDnsSupport configured.

Availability Zones

An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. AZs are more highly available, fault tolerant, and scalable than traditional single or multiple data center infrastructures.

Amazon AppStream 2.0 requires only one subnet for a fleet to launch in. The best practice is to configure a minimum of two Availability Zones, one subnet per unique Availability Zone. To optimize fleet auto scaling, use more than two Availability Zones. Scaling horizontally has the added benefit of adding IP space in subnets for growth, which is covered in the following Subnet sizing section of this document. The AWS Management Console provides for only two subnets to be specified during the creation of a fleet. Use the AWS Command Line Interface (AWS CLI) or AWS CloudFormation to specify more than two subnet IDs.

Subnet sizing

Dedicate subnets to AppStream 2.0 fleets to allow for flexibility in routing policies and Network Access Control Lists. Stacks will likely have separate resource requirements. For example, AppStream 2.0 stacks can have isolation requirements that call for separate rule sets. When several Amazon AppStream 2.0 fleets use the same subnets, ensure the sum of all fleets' Maximum Capacity doesn't exceed the total number of IP addresses available.

If the maximum capacity for all fleets in the same subnet could exceed, or has exceeded, the total number of IP addresses available, migrate fleets to dedicated subnets. This prevents automatic scaling events from exhausting allocated IP space. If the total capacity for a fleet exceeds the allocated IP space of the subnets assigned, use the UpdateFleet API or the AWS CLI update-fleet command to assign more subnets. You can review current Amazon VPC quotas, and how to increase them.

It is a best practice to scale out the number of subnets, sizing subnets accordingly while reserving capacity to grow in your VPC. Additionally, ensure that AppStream 2.0 fleet maximums do not exceed the total IP space allocated by subnets. For every subnet in AWS, five IP addresses are reserved; subtract them when calculating the total amount of IP space. Using more than two subnets and scaling horizontally offers several benefits, such as:

- Greater resilience from an Availability Zone failure
- Greater throughput when automatically scaling fleet instances
- More efficient usage of private IP addresses, avoiding IP burn

When sizing subnets for Amazon AppStream 2.0, consider the total number of subnets, and the expected peak concurrency during peak utilization. This can be monitored using the fleet's in-use capacity (InUseCapacity) plus its reserved capacity (AvailableCapacity). In Amazon AppStream 2.0, the sum of consumed and available-to-be-consumed fleet instances is labeled ActualCapacity. To properly size total IP space, forecast the required ActualCapacity, and divide by the number of subnets assigned to the fleet, minus one subnet for resilience.

For example, if the anticipated maximum number of fleet instances at peak is 1000, and the business requirement is to be resilient to one Availability Zone failure, 3 x /23 subnets satisfy the technical and business requirements:

/23 = 512 hosts; 512 - 5 reserved = 507 fleet instances per subnet
3 subnets - 1 subnet = 2 subnets
2 subnets x 507 fleet instances per subnet = 1,014 fleet instances at peak

Figure: Subnet sizing example
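The subnet arithmetic above, and the earlier check that the sum of all fleets' Maximum Capacity must not exceed the IP addresses available, can be carried out for any prefix length and subnet count. The following Python is an added example, not code from the whitepaper or from AWS; it only assumes the rules stated on this page (one user per instance per IP address, five addresses reserved per subnet, one subnet held back per tolerated AZ failure) and the AWS subnet range of /28 to /16. The fleet Maximum Capacity values passed to fleets_fit are constructed sample inputs.

```python
"""Subnet capacity planning for AppStream 2.0 fleets (added example)."""
import ipaddress
import math

AWS_RESERVED_PER_SUBNET = 5   # addresses AWS reserves in every subnet
SMALLEST_SUBNET_PREFIX = 28   # AWS subnets range from /28 to /16
LARGEST_SUBNET_PREFIX = 16


def usable_instances(prefix_len: int) -> int:
    """Fleet instances a single subnet of this prefix length can hold."""
    subnet = ipaddress.ip_network(f"10.0.0.0/{prefix_len}")  # any aligned base works
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def resilient_capacity(prefix_len: int, subnets: int, az_failures: int = 1) -> int:
    """Peak fleet capacity when `az_failures` subnets are assumed unavailable."""
    if subnets <= az_failures:
        raise ValueError("need more subnets than tolerated AZ failures")
    return (subnets - az_failures) * usable_instances(prefix_len)


def reserved_addresses(prefix_len: int, subnets: int) -> int:
    """Total VPC address space consumed by the subnets, reserved IPs included."""
    return subnets * 2 ** (32 - prefix_len)


def smallest_prefix(required_capacity: int, subnets: int, az_failures: int = 1) -> int:
    """Longest prefix (smallest subnet) that still meets the required
    ActualCapacity after losing `az_failures` subnets."""
    if subnets <= az_failures:
        raise ValueError("need more subnets than tolerated AZ failures")
    per_subnet = math.ceil(required_capacity / (subnets - az_failures))
    needed = per_subnet + AWS_RESERVED_PER_SUBNET
    for prefix_len in range(SMALLEST_SUBNET_PREFIX, LARGEST_SUBNET_PREFIX - 1, -1):
        if 2 ** (32 - prefix_len) >= needed:
            return prefix_len
    raise ValueError("requirement exceeds a /16 per subnet")


def fleets_fit(fleet_max_capacities, prefix_len: int, subnets: int) -> bool:
    """Check for fleets sharing subnets: the sum of every fleet's Maximum
    Capacity must not exceed the usable IP addresses of those subnets."""
    return sum(fleet_max_capacities) <= subnets * usable_instances(prefix_len)


if __name__ == "__main__":
    # The page's example: 1000 users at peak, resilient to one AZ failure.
    for prefix_len, subnets in ((23, 3), (22, 2)):
        print(f"{subnets} x /{prefix_len}: {resilient_capacity(prefix_len, subnets)} "
              f"instances with one AZ down, {reserved_addresses(prefix_len, subnets)} "
              "addresses reserved")
    print(f"smallest subnet for 1000 users across 3 AZs: /{smallest_prefix(1000, 3)}")
    # Two fleets with constructed Maximum Capacity values sharing the subnets.
    print("fleets 600 + 500 fit in 3 x /23:", fleets_fit([600, 500], 23, 3))
```

Running the script reproduces the page's numbers (507 usable per /23, 1,014 at peak with one AZ lost, 1,536 addresses reserved) and contrasts them with 2 x /22 (1,019 at peak but 2,048 addresses reserved). smallest_prefix is the inverse question a capacity planner usually asks: given the forecast ActualCapacity and the number of AZs, what is the smallest subnet that still satisfies the resilience requirement.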

While 2 x /22 subnets would also satisfy resiliency, consider the following:

- Instead of 1,536 IP addresses being reserved, using two AZs results in 2,048 IP addresses being reserved, wasting IP addresses that could go to other functions.
- If one AZ becomes inaccessible, the ability to scale out fleet instances is limited by the throughput of a single AZ. This can extend the duration of PendingCapacity.

Subnet routing

It is a best practice to create private subnets for AppStream 2.0 instances, routing to the public internet through a centralized VPC for outbound traffic. Inbound traffic for AppStream 2.0 session streaming is handled by the Amazon AppStream 2.0 service via Streaming Gateways: you do not need to configure public subnets for this.

Intra-Region connectivity

For AppStream 2.0 fleet instances joined to an Active Directory domain, configure Active Directory Domain Controllers in a Shared Services VPC in each AWS Region. Sources for Active Directory can be either Amazon EC2-based Domain Controllers or AWS Managed Microsoft AD. Routing between the shared services and AppStream 2.0 VPCs can be either through a VPC peering connection or a transit gateway. Although transit gateways solve the complexity of routing at scale, there are a number of reasons why VPC peering is preferable in most settings:

- VPC peering is a direct connection between the two VPCs (no extra hop).
- There is no hourly charge, just the standard data transfer rate between Availability Zones.
- There is no limit on bandwidth.
- Security groups can be referenced across the peered VPCs.

This is especially true if AppStream 2.0 instances connect to application infrastructure and/or file servers with large datasets in a shared services VPC. By optimizing the path to these commonly accessed resources, a VPC peering connection is preferred, even in designs where all other VPC and internet routing is performed via a transit gateway.

Outbound internet traffic

While routing directly to shared services is mostly optimized through a peering connection, outbound traffic for AppStream 2.0 can be designed by creating a single internet exit point from multiple VPCs using AWS Transit Gateway. In a multi-VPC design, it is a standard practice to have a dedicated VPC that controls all outgoing internet traffic. With this configuration, transit gateways have greater flexibility and control of routing than standard route tables attached to subnets. This design also supports transitive routing without additional complexity, and removes the need for redundant network address translation (NAT) gateways or NAT instances in each VPC.

Once all outbound internet traffic is centralized into a single VPC, NAT gateways or NAT instances are a common design choice. To determine which is best for your organization, see the administration guide for comparing NAT gateways and NAT instances. AWS Network Firewall can extend protection beyond the security group and network access control list levels by protecting at the route level and offering stateless and stateful rules from layers 3 through 7 of the OSI model. See Deployment models for AWS Network Firewall for more information. If your organization has chosen a third-party product that performs advanced features such as URL filtering, deploy the service into your outbound internet VPC. This can replace NAT gateways or NAT instances. Follow the guidelines provided by the third-party vendor.

On-premises

When connectivity to on-premises resources is required, especially for AppStream 2.0 instances joined to Active Directory, establish a highly resilient connection through AWS Direct Connect.

VPC endpoints

Amazon S3 VPC endpoint

Many Amazon AppStream 2.0 deployments require user state persistence through home folders and application settings. Enable private communication to these Amazon Simple Storage Service (Amazon S3) locations, as this avoids using the public internet. You can achieve this through a VPC endpoint gateway. A VPC endpoint gateway is preferred over AWS PrivateLink for Amazon S3 because:

- It is cost optimized for AppStream 2.0 network access requirements
- Amazon S3 bucket access is not required from on-premises resources
- A custom policy document can be used to restrict access only from the AppStream 2.0 instances

Once you create the VPC endpoint gateway, it is a best practice to secure the privatized connection by creating a custom policy. The custom policy starts with the Amazon Resource Name (ARN) of the AppStream 2.0 service Identity and Access Management (IAM) role. Explicitly specify the S3 actions required for user state persistence. Note in the following example that the Resource section specifies the home folder path first and the application settings path second.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "…ion-settings",
      "Effect": "Allow",
      "Principal": {"AWS": "…"},
      "Action": ["…", "…ectVersion"],
      "Resource": ["…", "arn:aws:s3:::appstream-app-settings-*"]
    }
  ]
}

Amazon AppStream 2.0 API interface VPC endpoint

In design scenarios where API and CLI commands to Amazon AppStream 2.0 originate in your VPC, privatize these programmatic calls through an interface VPC endpoint.
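A practical way to keep the S3 gateway endpoint policy described above in the shape the whitepaper recommends (one scoped principal, only the persistence actions, only the home folder and application settings paths) is to generate it and to audit any policy document against those three rules before it is attached. The following Python is an added example and is not code from the whitepaper or from AWS. The service role ARN, the home folder bucket prefix and the exact action list are placeholders and assumptions; only the appstream-app-settings-* prefix comes from the page. loosened_policy constructs a deliberately over-permissive variant so the audit has something to flag.

```python
"""Build and audit an S3 gateway endpoint policy for AppStream 2.0 user-state
persistence (added example; ARNs and action list are assumptions)."""
import copy
import json

# Placeholder for the ARN of the AppStream 2.0 service IAM role (assumption).
APPSTREAM_ROLE_ARN = "arn:aws:iam::111122223333:role/AppStream-service-role-PLACEHOLDER"
# The home folder bucket name is account specific: placeholder value.
HOME_FOLDER_ARN = "arn:aws:s3:::appstream2-home-folders-PLACEHOLDER-*"
# Application settings bucket prefix as quoted in the whitepaper's example.
APP_SETTINGS_ARN = "arn:aws:s3:::appstream-app-settings-*"
# S3 actions assumed to be needed for home folders and application settings.
PERSISTENCE_ACTIONS = [
    "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
]


def build_endpoint_policy(role_arn=APPSTREAM_ROLE_ARN, home_arn=HOME_FOLDER_ARN,
                          settings_arn=APP_SETTINGS_ARN, actions=PERSISTENCE_ACTIONS):
    """Endpoint policy limited to the AppStream role, the persistence actions,
    and the home folder (first) and application settings (second) paths."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Allow-AppStream-user-state-persistence",
            "Effect": "Allow",
            "Principal": {"AWS": role_arn},
            "Action": list(actions),
            "Resource": [home_arn, settings_arn],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt):
    principal = stmt.get("Principal", [])
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return _as_list(principal)


def _resource_allowed(resource, allowed_prefixes):
    # "prefix-*" allows that bucket prefix and any object path beneath it.
    return any(resource.startswith(p.rstrip("*")) for p in allowed_prefixes)


def policy_findings(policy, role_arn=APPSTREAM_ROLE_ARN,
                    allowed_prefixes=(HOME_FOLDER_ARN, APP_SETTINGS_ARN),
                    allowed_actions=PERSISTENCE_ACTIONS):
    """Return human-readable findings; an empty list means every Allow
    statement is scoped to the service role, the explicit action list, and
    the two persistence paths."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        for p in _principals(stmt):
            if p != role_arn:
                findings.append(f"{sid}: principal {p!r} is not the AppStream service role")
        for action in _as_list(stmt.get("Action", [])):
            if action not in allowed_actions:
                findings.append(f"{sid}: action {action!r} is not required for user state persistence")
        for resource in _as_list(stmt.get("Resource", [])):
            if not _resource_allowed(resource, allowed_prefixes):
                findings.append(f"{sid}: resource {resource!r} is outside the home folder and "
                                "application settings paths")
    return findings


def loosened_policy(policy):
    """Deliberately over-permissive variant, constructed for the demonstration."""
    loose = copy.deepcopy(policy)
    loose["Statement"][0]["Principal"] = "*"
    loose["Statement"][0]["Action"] = "s3:*"
    loose["Statement"][0]["Resource"] = "arn:aws:s3:::*"
    return loose


if __name__ == "__main__":
    scoped = build_endpoint_policy()
    print(json.dumps(scoped, indent=2))
    print("findings for scoped policy:", policy_findings(scoped))
    for finding in policy_findings(loosened_policy(scoped)):
        print("finding:", finding)
```

The audit treats a wildcard principal, a wildcard action such as s3:*, and a resource such as arn:aws:s3:::* as separate findings, which is the difference between a gateway endpoint that only lets fleet instances reach their own persistence buckets and one that silently becomes a private path to every bucket in the account.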

Amazon AppStream 2.0 streaming interface VPC endpoint

While it is possible to route Amazon AppStream 2.0 streaming traffic through an interface VPC endpoint, use this configuration with caution. The default streaming behavior through the public internet is the most efficient and performant delivery method for Amazon AppStream 2.0 streaming traffic.

Figure: Amazon AppStream 2.0 streaming interface VPC endpoint

As shown in the preceding figure, the public internet is the most efficient path to Amazon AppStream 2.0 Streaming Gateways. Routing through the customer-managed VPC and networking adds complexity and latency. It also adds data transfer fees over AWS Direct Connect.

Note: Only streaming is supported by the VPC endpoint, and authentication must still take place over the public internet. Prerequisite access such as the SAML Single Sign-On (SSO) Identity Provider (IdP) remains a requirement, and is accessible only through the public internet.

Image creation and management

When launching a fleet or image builder in AppStream 2.0, you must select one of the AppStream 2.0 base images. Administrators can then build on the base image to add their own applications and configuration settings.

There are key considerations when building an image to ensure applications work correctly and securely. In addition, there are design considerations for how that image will be maintained.

Building an AppStream 2.0 image

When building a new image, it is important to consider the following:

- Applications
- User profile
- Security
- Performance
- Agent version
- Image Assistant CLI

Applications

Prior to installing applications, it is important to review application requirements such as application dependencies and hardware requirements. After successfully installing applications on image builder instances, make sure to switch users and test applications under the test user context.

If you would like to modify the catalog of applications your users can access in real time, the dynamic application framework provides API operations. The applications managed by dynamic app providers can be within the image, or they can be off-instance, such as from a Windows file share or an application virtualization technology. This feature requires an AppStream 2.0 fleet that is joined to a Microsoft Active Directory domain. For more information, see Using Active Directory with AppStream 2.0.

User profile customization

Amazon AppStream 2.0 is by design a non-persistent application and desktop solution. When a user session is terminated, both system and user changes are discarded as well. Enable application settings persistence only when required. It adds overhead to the logon process, and cost considerations for the required S3 storage. In situations where application settings persistence is required, AWS recommends securing that connection through a custom policy and an S3 VPC gateway endpoint. Evaluate the overall application settings size, and minimize the settings saved in application settings persistence to optimize cost and performance.

User profile customization can be configured on an AppStream 2.0 Image Builder instance. This includes adding and modifying registry keys, adding files, and other user-specific configurations. From the AppStream 2.0 Image Assistant, there is an option to create a user profile. This copies the template user profile to the default user profile. After the image is deployed to a fleet, end users who stream sessions from the fleet will have their user profile created from the default user profile. It is important to minimize the user profile size, especially when Application Settings Persistence is enabled. By default, the maximum VHDx size for a user profile is 1 GB. Each time a streaming session starts, a user profile VHDx file is downloaded from an S3 bucket. This increases the streaming session preparation time and introduces a risk of exceeding the limit, which will cause the user profile mount using the VHDx file to fail.

For use cases which require a user profile larger than 1 GB, AWS recommends using alternative methods to store profiles, for example Roaming profiles or FSLogix Profile Containers on shared storage such as Amazon FSx for Windows File Server. For more information, see Use Amazon FSx for Windows File Server and FSLogix to Optimize Application Settings Persistence on Amazon AppStream 2.0.

Security

There are several security measures to consider. AppStream administrators are responsible for installing and maintaining the updates for the Windows operating system, your applications, and their dependencies. See Keep Your AppStream 2.0 Image Up-to-Date for additional guidance on keeping base images up to date.

By default, AppStream 2.0 allows users or applications to start any program on the instance, beyond what is specified in the image application catalog. This is useful when

your application relies on another application as part of a workflow, but you don't want the user to be able to start that dependent application directly. For example, your application starts the browser to provide help instructions from the application vendor's website, but you don't want the user to start the browser directly. In some situations, you may want to control which applications can be launched on the streaming instances. Microsoft AppLocker is application control software that uses explicit control policies to enable or disable which applications a user can run.

Antivirus software can adversely affect streaming sessions and image builder instances. AWS recommends that you do not enable automatic updates for the antivirus software. For Windows Defender, see Antivirus Software for more information.

Performance

Before creating a new image, it is important to test applications as a test user. Testing as a test user enables you to ensure that applications can run under a non-administrator user context. Additionally, check application performance and user experience using built-in tools such as Task Manager and Performance Monitor. It is a best practice to monitor resource utilization such as CPU, memory, and GPU memory. If there is a CPU, memory, or GPU memory resource constraint, consider upgrading the instance type. To enhance performance:

- Disable browser pop-up windows
- Disable Enhanced IE Security

AppStream 2.0 agent version selection

When creating a new image, you can opt to use the latest AppStream 2.0 agent software, or not update. Each version of the AppStream 2.0 agent software includes bug fixes and feature enhancements. Keep your image with the most up-to-date software. Review mechanisms for this in the Image updates section of this document. You can choose the Use latest agent option. This option ensures that on start, the latest AppStream 2.0 agent is always installed. However, unexpected changes may affect user experiences, and an agent update can increase the time to start an instance. Updating a base image requires recreating the image. It is also important that you perform testing before rolling out the updated image to production, to minimize startup time.

Image Assistant Command Line Interface (CLI)

For developers who want to automate or programmatically create AppStream 2.0 images, use the Image Assistant CLI. This is available on image builders with the AppStream 2.0 agent software released on or after July 26, 2019. The following high-level overview describes the process for programmatically creating an AppStream 2.0 image:

1. Use your application ins
