Infrastructure Design

Building Cloud Desktops with Amazon WorkSpaces - DaaS Design and Cost Optimization

Optimize costs based on usage patterns with AlwaysOn and AutoStop pricing models. Strengthen security with Active Directory integration, MFA, and IP access controls.

約 3 分で読めます

WorkSpaces Overview

WorkSpaces is a service that provides cloud-based virtual desktops (DaaS), starting at $21 per month, with desktop environments ready in minutes. It eliminates the need for physical PC procurement, setup, and management, and lets you build remote work environments in minutes. Since data is stored in the cloud, it reduces the risk of data leakage from lost or stolen devices.

Bundle Selection and Cost Optimization

Bundles are combinations of vCPU, memory, and storage, available in Value (development/testing), Standard (general business), Performance (CAD/data analysis), and Power (video editing/3D rendering) tiers. AutoStop mode automatically stops the desktop after a configurable period of inactivity (1-48 hours) and auto-starts on the next access. When monthly usage is under 80 hours, AutoStop is more cost-effective than AlwaysOn. WorkSpaces Web provides browser-based access, offering a lightweight virtual desktop specialized for SaaS application usage.

Directory Integration and Security

WorkSpaces integrates with on-premises Active Directory via AWS Managed Microsoft AD or AD Connector. Users log in to WorkSpaces with their existing AD credentials, and group policies centrally manage desktop settings. Enable MFA (multi-factor authentication) by integrating with a RADIUS server to strengthen authentication security. IP access control groups restrict connection source IP addresses, allowing access only from the corporate network or via VPN. Control clipboard, file transfer, and print redirection through group policies to prevent data exfiltration. WorkSpaces root and user volumes can be encrypted and managed with KMS keys. For a comprehensive understanding of WorkSpaces architecture, technical books (Amazon) are a useful reference.

WorkSpaces Pricing Models

WorkSpaces offers two pricing models: monthly flat rate (AlwaysOn) and hourly billing (AutoStop). AlwaysOn starts at $21 per month (Value bundle) and is suited for full-time users who work 8+ hours per day. AutoStop adds a monthly base fee (approximately $7.25) plus hourly charges (approximately $0.22/hour), making it ideal for part-time users who only use it a few hours per week. When monthly usage exceeds approximately 80 hours, AlwaysOn becomes more cost-effective. WorkSpaces Pool (formerly WorkSpaces Core) is a session-based virtual desktop billed by concurrent connections, making it cost-efficient for shift-work or call center environments where users rotate. Regularly audit unused WorkSpaces and optimize costs by switching to AutoStop or deleting them.

Summary

WorkSpaces is a cloud virtual desktop service that frees you from physical PC management. AlwaysOn and AutoStop pricing models enable cost optimization based on usage patterns, and Active Directory integration leverages your existing identity infrastructure. Strengthen security with MFA and IP access controls, and prevent data exfiltration by controlling clipboard and file transfer redirection through group policies.

Related Services

Amazon WorkSpacesA managed service providing cloud-based virtual desktops (VDI)AWS Directory ServiceA service that provides managed Active Directory on AWSAmazon VPCBuild a logically isolated virtual network on AWS

Related Articles

Building Managed Active Directory with AWS Directory Service - Identity Management for Hybrid EnvironmentsSet up AWS Managed Microsoft AD and design trust relationships with on-premises AD. This article covers hybrid identity management through integration with WorkSpaces, RDS, and FSx.The Fastest Container Deployment with AWS App Runner - From Source Code to Production in MinutesJust specify source code or a container image to get an HTTPS endpoint up and running. Learn the differences from ECS/Fargate and how to connect to private resources using VPC connectors.Achieving Microsecond Latency with Amazon DynamoDB Accelerator (DAX) - In-Memory Cache DesignLearn about read acceleration for DynamoDB with DAX, cache strategies, and cluster design.

More on This Topic

Why Auto Scaling Scales Out Fast but Scales In Cautiously - The Design Intent Behind Asymmetric Decision LogicThis article explains why EC2 Auto Scaling executes scale-out immediately while applying a cooldown period for scale-in, the flapping prevention mechanism, and the internal logic of target tracking scaling.Demand-Driven Infrastructure with AWS Auto Scaling - Designing and Optimizing Scaling PoliciesLearn how to use target tracking, predictive, and scheduled scaling policies effectively, and optimize costs with mixed instances policies that leverage Spot Instances.AWS Fault Domain Design - How the Three-Layer Structure of AZs, Regions, and Partitions Protects AvailabilityLearn why AWS infrastructure is designed with three layers of fault domains - AZs (fault isolation), Regions (geographic separation), and Partitions (political separation) - and how far failures propagate at each layer, with real-world examples.Distributed Systems Principles Learned from AWS Outages - How Past Major Incidents Reshaped ArchitectureUsing AWS's published incident reports as case studies - including the S3 outage (2017), Kinesis outage (2020), and the unique nature of us-east-1 - this article explains design principles such as Shuffle Sharding, Static Stability, and Cell-based Architecture.Why AWS Builds Regions Where It Does - The Hidden Criteria Behind Data Center Site SelectionWe explain the criteria AWS considers when deciding region locations, including power supply, geopolitical risk, data sovereignty legislation, network connectivity, and natural disaster risk, with concrete examples from specific regions.Why AWS Availability Zone IDs Differ Per Account - The Design Intent Behind AZ MappingExplains how us-east-1a maps to different physical AZs per account, why AZ IDs (use1-az1) were introduced, the design intent of even capacity distribution, and considerations for cross-account AZ specification.Batch Computing Infrastructure - Large-Scale Parallel Processing with AWS BatchLearn how to build large-scale batch processing with AWS Batch. Covers job queue design, auto-scaling compute environments, cost optimization with Spot Instances, and building batch infrastructure ideal for scientific computing and large-scale data processing.Automating Batch Computing with AWS Batch - Designing Job Queues and Compute EnvironmentsLearn about job scheduling with AWS Batch, choosing between Fargate and EC2 compute environments, and leveraging Spot Instances for cost optimization.

Similar Articles and Services

Amazon WorkSpacesA cloud DaaS (Desktop as a Service) that provides fully managed Windows or Linux virtual desktops accessible securely from any deviceVirtual Desktop Strategy with Amazon WorkSpaces - VDI Migration Criteria and Cost DesignCovers Amazon WorkSpaces pricing models, protocol selection, directory integration, and security design, along with migration criteria from on-premises VDI and practical cost optimization techniques.Building Managed Active Directory with AWS Directory Service - Identity Management for Hybrid EnvironmentsSet up AWS Managed Microsoft AD and design trust relationships with on-premises AD. This article covers hybrid identity management through integration with WorkSpaces, RDS, and FSx.Active Directory Integration - Extending Your On-Premises Identity Infrastructure to the Cloud with AWS Directory ServiceLearn how to integrate Active Directory with the cloud using AWS Directory Service. This article covers how to choose between AWS Managed Microsoft AD, AD Connector, and Simple AD, and how to integrate with WorkSpaces, RDS, and FSx.