Virtual Desktop Strategy with Amazon WorkSpaces - VDI Migration Criteria and Cost Design

Covers Amazon WorkSpaces pricing models, protocol selection, directory integration, and security design, along with migration criteria from on-premises VDI and practical cost optimization techniques.

Structural Problems with On-Premises VDI

On-premises VDI (Virtual Desktop Infrastructure) centered on Citrix and VMware Horizon has been in operation at many enterprises for over a decade, but structural problems have become apparent. First, hardware lifecycle management: VDI servers require refresh every 3-5 years, and at a scale of several hundred units, a refresh project alone requires investments of hundreds of millions of yen and over six months. Second, escalating licensing costs: Citrix Virtual Apps and Desktops licenses cost tens of thousands of yen per user per year, and at a 1,000-user scale, annual licensing fees reach tens of millions of yen. Third, limitations in remote work support: on-premises VDI depends on data center network bandwidth, so performance degrades when all employees access remotely at once. Many enterprises faced this problem during the COVID-19 pandemic. Amazon WorkSpaces solves these problems as a managed VDI service running on AWS's global infrastructure.

WorkSpaces Pricing Models and Break-Even Point

WorkSpaces offers two pricing models, and they correspond to the two running modes of a WorkSpace: AlwaysOn, billed at a monthly flat rate, and AutoStop, billed hourly. The monthly rate for a Standard bundle (2 vCPU, 4 GB memory, 50 GB user volume) is $35 per desktop per month in us-east-1 at the prices quoted here; prices vary by region, operating system and bundle generation, so check the current price list before modeling costs. Hourly billing for the same Standard bundle is a base fee of $9.75 per month plus $0.30 per connected hour. The break-even point is approximately 84 hours per month ((35 - 9.75) / 0.30 ≈ 84.2). This means users who work more than about 4 hours per day (80+ hours over 20 business days) are cheaper on the monthly rate, while those below that threshold are cheaper on hourly billing. In practice, full-time employees typically use the monthly rate while part-time and contract workers use hourly billing. In AutoStop mode the WorkSpace is stopped automatically after a configurable idle period (1 to 48 hours) and started again on the next connection, so hourly charges stop while the desktop is idle. Note that the $9.75 base fee covers storage and infrastructure and is charged even for an AutoStop WorkSpace that is never connected to during the month; hourly billing reduces idle cost, it does not eliminate it. At a 1,000-user scale, appropriately mixing monthly and hourly billing can achieve 20-30% cost savings compared to putting everyone on the monthly rate.
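The following is an added example, not code from the original article or from AWS: it picks the cheaper running mode per WorkSpace from last month's connected hours, computes the fleet-level saving against an all-monthly fleet, and emits the WorkspaceProperties payload that boto3's modify_workspace_properties() accepts. The prices are the us-east-1 Standard-bundle figures quoted above, the per-user hours are constructed, and the 60-minute AutoStop timeout is an assumed value (the API requires a multiple of 60).

```python
# Added example (not from the article): choose the cheaper WorkSpaces running
# mode per user from connected hours and emit the exact WorkspaceProperties
# payload that boto3's modify_workspace_properties() takes.
# Prices are the us-east-1 Standard-bundle figures quoted in the text; replace
# them with the current price list for your region and bundle.
from dataclasses import dataclass

MONTHLY_RATE = 35.00        # AlwaysOn (monthly) Standard bundle, USD per month
HOURLY_BASE = 9.75          # AutoStop (hourly) base fee, charged even at zero use
HOURLY_RATE = 0.30          # AutoStop price per connected hour
AUTOSTOP_TIMEOUT_MIN = 60   # assumed idle timeout; the API requires multiples of 60


@dataclass
class WorkSpaceUsage:
    workspace_id: str
    user: str
    connected_hours: float  # connected hours in the billing month


def break_even_hours() -> float:
    """Hours per month at which hourly billing costs the same as monthly."""
    return (MONTHLY_RATE - HOURLY_BASE) / HOURLY_RATE  # about 84.2 h


def hourly_cost(hours: float) -> float:
    """Monthly cost of an AutoStop WorkSpace for the given connected hours."""
    return HOURLY_BASE + HOURLY_RATE * hours


def recommend(usage: WorkSpaceUsage) -> dict:
    """Cheaper mode for one WorkSpace plus the API payload to apply it."""
    cost_hourly = hourly_cost(usage.connected_hours)
    if cost_hourly < MONTHLY_RATE:
        mode, cost = "AUTO_STOP", cost_hourly
        props = {"RunningMode": "AUTO_STOP",
                 "RunningModeAutoStopTimeoutInMinutes": AUTOSTOP_TIMEOUT_MIN}
    else:
        mode, cost = "ALWAYS_ON", MONTHLY_RATE
        props = {"RunningMode": "ALWAYS_ON"}
    return {"WorkspaceId": usage.workspace_id, "user": usage.user,
            "mode": mode, "monthly_cost": round(cost, 2),
            "WorkspaceProperties": props}


def plan_fleet(usages) -> dict:
    """Per-WorkSpace recommendations and the saving versus an all-monthly fleet."""
    recs = [recommend(u) for u in usages]
    mixed = round(sum(r["monthly_cost"] for r in recs), 2)
    all_monthly = round(MONTHLY_RATE * len(recs), 2)
    savings_pct = round(100 * (all_monthly - mixed) / all_monthly, 1) if recs else 0.0
    return {"recommendations": recs, "mixed_total": mixed,
            "all_monthly_total": all_monthly, "savings_pct": savings_pct}


# Constructed sample fleet; real hours would come from the CloudWatch
# "UserConnected" metric or the WorkSpaces cost and usage report.
SAMPLE_USAGE = [
    WorkSpaceUsage("ws-fulltime01", "alice", 160),  # full-time: monthly wins
    WorkSpaceUsage("ws-parttime01", "bob", 40),     # part-time: hourly wins
    WorkSpaceUsage("ws-contract01", "carol", 20),   # contractor: hourly wins
    WorkSpaceUsage("ws-edge01", "dave", 84),        # just under break-even
    WorkSpaceUsage("ws-edge02", "erin", 90),        # just over break-even
]

if __name__ == "__main__":
    plan = plan_fleet(SAMPLE_USAGE)
    for r in plan["recommendations"]:
        print(r["WorkspaceId"], r["mode"], r["monthly_cost"], r["WorkspaceProperties"])
    print("mixed:", plan["mixed_total"], "all monthly:", plan["all_monthly_total"],
          "savings %:", plan["savings_pct"])
    # To apply a recommendation (real boto3 call, shown as a comment so the
    # script runs offline):
    # boto3.client("workspaces").modify_workspace_properties(
    #     WorkspaceId=r["WorkspaceId"], WorkspaceProperties=r["WorkspaceProperties"])
```

Run the decision on a full month of data rather than a week: users just under the break-even line (the 84-hour case above) flip to the monthly rate with a few extra hours, and switching running modes repeatedly is churn for no saving.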

Protocol Selection - PCoIP vs. WSP

WorkSpaces supports two streaming protocols: PCoIP (PC over IP) and WSP (WorkSpaces Streaming Protocol). PCoIP was developed by Teradici and has been available since WorkSpaces launched in 2014. It delivers stable image quality, particularly for graphics-intensive workloads (CAD, image editing). WSP is a protocol developed in-house by AWS, available since 2020. WSP's greatest advantage is network adaptability: it adjusts bitrate dynamically in environments with fluctuating bandwidth (mobile connections, overseas access) to maintain a stable user experience. WSP also supports webcam redirection, smart card redirection, and multi-monitor setups of up to four displays, giving it a feature advantage over PCoIP. Since 2024, AWS has positioned WSP, which it now markets under the Amazon DCV name, as the recommended protocol, with new features landing on WSP first. The protocol is tied to the bundle chosen when the WorkSpace is created, so it is a deployment-time decision: for new deployments choose WSP, and use PCoIP only for backward compatibility with existing environments or clients that cannot be updated.

Directory Integration and Security Design

WorkSpaces authenticates users against Active Directory (AD) through AWS Directory Service, and two integration patterns are common. With AD Connector, WorkSpaces join your on-premises domain directly, so existing user accounts and group policy objects apply as they are. With AWS Managed Microsoft AD, WorkSpaces join the managed domain and a forest trust to the on-premises AD lets on-premises users sign in; group policies for the WorkSpaces themselves are then managed in the managed domain, where the WorkSpaces group policy administrative template is installed. Either way, password policy, screen lock, USB device control and clipboard restrictions are managed centrally with the same group policy tooling used on premises. Both directory types also support multi-factor authentication through a RADIUS server, which should be enabled for any desktop that is reachable from the internet. Data loss prevention is particularly critical in security design. WorkSpaces allows clipboard copy/paste, file upload/download, and printing by default, but all of these can be restricted through group policies or WorkSpaces management settings. In environments requiring strict data governance, such as financial institutions and healthcare organizations, common configurations include disabling the clipboard, prohibiting local drive redirection, and restricting printing to specific network printers. Because these redirection settings are applied to the WorkSpace by group policy, verify them from a client after the policy refreshes by attempting a paste and a file transfer, rather than trusting the console alone. Finally, WorkSpaces IP access control groups restrict the source IP addresses from which WorkSpaces can be accessed: a group holds CIDR rules, is associated with the directory, and clients whose address matches no rule are refused at the streaming gateway. The address checked is the client's public egress address, so remote users must route through the corporate network or a VPN whose egress address is on the allow list, and a group that is not associated with the directory enforces nothing.
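The following is an added example, not code from the original article or from AWS: it lints a WorkSpaces IP access control group rule set before the group is created, catching the mistakes that silently defeat the control (a 0.0.0.0/0 "temporary" rule, an internal subnet pasted instead of the NAT egress address, a CIDR with host bits set, duplicates), and checks which client addresses the set would admit. The rule dictionaries use the shape the WorkSpaces API takes in create_ip_group() and authorize_ip_rules(); the addresses are constructed placeholders from the RFC 5737 documentation ranges, and the directory ID in the closing comment is a placeholder.

```python
# Added example (not from the article): lint a WorkSpaces IP access control
# group rule set and evaluate it against client addresses. Rule dicts use the
# API's UserRules shape: [{"ipRule": <CIDR>, "ruleDesc": <text>}].
import ipaddress

# A client can never present one of these as its source address to the
# WorkSpaces streaming gateways; a rule inside them almost always means an
# internal subnet was listed instead of the NAT or VPN egress address.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample rules (RFC 5737 documentation addresses).
CORPORATE_RULES = [
    {"ipRule": "203.0.113.0/24", "ruleDesc": "HQ internet egress (NAT)"},
    {"ipRule": "198.51.100.10/32", "ruleDesc": "Remote-access VPN egress"},
]

# A deliberately broken set for comparison.
BAD_RULES = [
    {"ipRule": "0.0.0.0/0", "ruleDesc": "temporary, remove later"},
    {"ipRule": "10.0.0.0/8", "ruleDesc": "office LAN"},
    {"ipRule": "203.0.113.5/24", "ruleDesc": "typo: host bits set"},
    {"ipRule": "203.0.113.0/24", "ruleDesc": "HQ"},
    {"ipRule": "203.0.113.0/24", "ruleDesc": "HQ again"},
]


def lint_rules(rules) -> list:
    """Return a list of findings; an empty list means the rule set is sane."""
    findings = []
    seen = set()
    for r in rules:
        cidr = r["ipRule"]
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits
        except ValueError as e:
            findings.append(f"{cidr}: not a valid CIDR ({e})")
            continue
        if net.prefixlen == 0:
            findings.append(f"{cidr}: allows every source address and defeats the control")
        if net.version == 4 and any(net.overlaps(i) for i in INTERNAL_RANGES):
            findings.append(f"{cidr}: internal range; clients are seen by their public egress address")
        if str(net) in seen:
            findings.append(f"{cidr}: duplicate rule")
        seen.add(str(net))
    return findings


def is_allowed(client_ip: str, rules) -> bool:
    """True if client_ip matches any rule in the group (any-match allow list)."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r["ipRule"], strict=False) for r in rules)


def ip_group_payload(group_name: str, rules, desc="Allowed corporate egress") -> dict:
    """Keyword arguments for boto3 workspaces.create_ip_group(); refuses bad sets."""
    problems = lint_rules(rules)
    if problems:
        raise ValueError("refusing to build group: " + "; ".join(problems))
    return {"GroupName": group_name, "GroupDesc": desc, "UserRules": list(rules)}


if __name__ == "__main__":
    print("corporate rules:", lint_rules(CORPORATE_RULES) or "OK")
    for f in lint_rules(BAD_RULES):
        print("BAD_RULES:", f)
    for ip in ("203.0.113.77", "198.51.100.10", "198.51.100.11"):
        print(ip, "allowed" if is_allowed(ip, CORPORATE_RULES) else "blocked")
    print(ip_group_payload("corp-egress-only", CORPORATE_RULES))
    # To apply (real boto3 calls, left as a comment so the script runs offline;
    # "d-xxxxxxxxxx" is a placeholder directory ID):
    # ws = boto3.client("workspaces")
    # gid = ws.create_ip_group(**ip_group_payload("corp-egress-only", CORPORATE_RULES))["GroupId"]
    # ws.associate_ip_groups(DirectoryId="d-xxxxxxxxxx", GroupIds=[gid])
    # Until associate_ip_groups() runs, the group restricts nothing.
```

The internal-range check is the one that matters most in practice: the group is evaluated against the address the streaming gateway sees, so the office LAN prefix never matches a real client and the rule only creates a false sense of coverage, while the real egress address is left unlisted and users get locked out.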

Migration Decision Framework and Phased Approach

A phased approach rather than a single cut-over increases the success rate when moving from on-premises VDI to WorkSpaces. Start with a pilot phase that migrates 50-100 users to WorkSpaces to validate performance, user experience, and operational processes. Good pilot candidates are the IT department or departments with a high remote work ratio, because they surface technical issues early and give useful feedback. Key items to validate during the pilot are network round-trip latency to the WorkSpaces region (under 100 ms recommended), application compatibility (especially internally developed applications), and peripheral device operation (printers, scanners, USB tokens). Based on pilot results, the expansion phase migrates departments sequentially. A rational priority order is: departments whose VDI hardware is approaching end of life, departments with high remote work ratios, and departments with strict security requirements (no data exfiltration). Departments with remaining on-premises VDI license contracts should time their migration to contract expiration to minimize the period of paying for both environments.