Customers with strict compliance requirements, such as the financial, healthcare, and government sectors, use End User Compute (EUC) solutions to regulate access and centralize tooling. For these organizations, users are often required to connect to a Virtual Private Network (VPN) to access the private corporate network. In this blog, I explain how users under such constraints can stream a remote desktop session through the browser while keeping the streaming traffic within the customer's private network, including their virtual private cloud (VPC) and VPN connection.

Solution Overview

AppStream 2.0 is a non-persistent desktop and application streaming solution. It can be accessed without traffic traversing the internet through an interface VPC endpoint in a private subnet within a VPC. With this configuration, a user connected to the network using a Client VPN streams traffic across the VPN rather than the internet. You can also build an image for a desktop or application by streaming the AppStream 2.0 image builder through a VPC endpoint. You can use Amazon S3 to store application packages and download them to the AppStream 2.0 image builder through an Amazon S3 VPC endpoint.

However, note that user authentication traffic still must traverse the internet. The Client VPN must use split tunnels so that the authentication traffic goes through the internet while the streaming traffic remains within the VPC. With this, AppStream 2.0 sessions connect to AWS Identity and Access Management (IAM) and internet-based identity providers for user authentication.

In this blog, you walk through how this solution can be deployed. You use AWS Client VPN, AWS IAM Identity Center for authentication, and Amazon Managed Active Directory for the user identity store. Additionally, Amazon FSx for Windows File Server can be mapped as a network drive for users to store files persistently. Applications on the customer private network that are connected to the VPC can also be accessed from AppStream 2.0 instances.

Note: to meet strict compliance requirements where the traffic has to remain within the private corporate network, deploying AppStream 2.0 to a private subnet and using VPC endpoints for streaming can result in a performance trade-off compared to streaming AppStream 2.0 over the public internet; the size of this trade-off depends on the VPN used.

Solution Walkthrough

Set up the VPC and VPC Endpoints:

Create a VPC with private and public subnets in at least two Availability Zones. The private subnets do not require a route to an internet gateway or NAT gateway.
Create AppStream 2.0 interface VPC streaming endpoints in the private subnets using this guide.
Create an Amazon S3 interface VPC endpoint in the private subnets. Refer to this documentation for more information about how to use Amazon S3 interface VPC endpoints.

Set up an Amazon Managed Active Directory in Directory Service:

Create an Amazon Managed Active Directory with "directory type" as "Microsoft AD" with domain controller endpoints in the two private subnets within the selected VPC.
Create an administrator and some test users in the directory.
For the selected VPC, verify that "Enable DNS resolution" and "Enable DNS hostnames" are both checked.
Create a new DHCP options set with the domain name servers being the private IP addresses of your Active Directory domain controllers. Configure your VPC to use this DHCP options set.
Using a Windows-based domain-joined EC2 instance deployed in the public subnet, configure the DNS settings for the domain so that it uses the VPC Amazon DNS server (the reserved IP address at the base of the VPC IPv4 network range, plus two) instead of the public Amazon DNS server (169.254.169.253). In doing so, DNS resolution to IP addresses within the VPC is prioritized, and the AppStream 2.0 DNS names resolve to the AppStream 2.0 ENIs. Refer to DNS attributes for your VPC for more information.

Set up the Client VPN:

Add the VPC IP range to the ingress configuration.
Configure the Client VPN to use split tunnel.
Verify that the VPN endpoint security group allows inbound traffic from the VPC IP range and allows all outbound traffic.

Set up the image builder:

Upload application packages using the AWS Management Console or CLI to an S3 bucket. Ensure that the AppStream 2.0 role used by the image builder has the permissions to access the S3 bucket. Use PowerShell for AWS to download the files to the image builder instance.
Create an AppStream 2.0 image builder instance in a private subnet and ensure it uses a VPC endpoint by selecting the AppStream 2.0 streaming VPC endpoint in the Availability Zone that the instance is deployed in.
Configure the instance to use the domain created.
Create a streaming URL using the AWS Management Console or CLI that can be used to connect to the image builder instance.
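The walkthrough above asks you to verify several settings by hand: the two VPC DNS attributes, the DHCP options set pointing at the domain controllers, the VPC resolver address (base of the range plus two), the Client VPN security group rules, and a streaming endpoint in the image builder's Availability Zone. The script below is an added example, not code from the original post or from AWS; it encodes those checks as functions over the dict shapes that boto3's EC2 client returns for describe_vpc_attribute, describe_dhcp_options, describe_security_groups and describe_vpc_endpoints. All IDs, CIDRs and IP addresses in it are constructed placeholders so that it runs offline; in practice you would feed it the live responses.

```python
"""Offline checks for the VPC, DNS and Client VPN settings in the walkthrough.

Added example, not from the original post or from AWS. Each function takes the
dict shape that boto3's EC2 client returns for the named call; the sample data
at the bottom is constructed by hand (placeholder IDs and addresses) so the
script runs with no AWS credentials.
"""
import ipaddress


def vpc_resolver_address(vpc_cidr):
    """Amazon-provided DNS resolver for a VPC: base of the IPv4 range plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def dns_attributes_enabled(dns_support_resp, dns_hostnames_resp):
    """Shapes of describe_vpc_attribute for 'enableDnsSupport' and 'enableDnsHostnames'.
    Both 'Enable DNS resolution' and 'Enable DNS hostnames' must be on."""
    return bool(dns_support_resp["EnableDnsSupport"]["Value"]
                and dns_hostnames_resp["EnableDnsHostnames"]["Value"])


def dhcp_name_servers(dhcp_resp):
    """Domain name servers listed in a describe_dhcp_options response."""
    servers = []
    for opts in dhcp_resp["DhcpOptions"]:
        for cfg in opts["DhcpConfigurations"]:
            if cfg["Key"] == "domain-name-servers":
                servers.extend(v["Value"] for v in cfg["Values"])
    return servers


def dhcp_points_at_domain_controllers(dhcp_resp, dc_ips):
    """The options set must hand out exactly the domain controllers' private IPs."""
    return set(dhcp_name_servers(dhcp_resp)) == set(dc_ips)


def _permissions_cover(permissions, cidr, all_protocols):
    """True if some rule's CIDR contains `cidr` (optionally requiring protocol -1)."""
    wanted = ipaddress.ip_network(cidr)
    for perm in permissions:
        if all_protocols and perm["IpProtocol"] != "-1":
            continue
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"]).supernet_of(wanted):
                return True
    return False


def vpn_security_group_ok(sg_resp, vpc_cidr):
    """Shape of describe_security_groups: inbound must cover the VPC range,
    outbound must allow all traffic (protocol -1 to 0.0.0.0/0)."""
    group = sg_resp["SecurityGroups"][0]
    inbound_ok = _permissions_cover(group["IpPermissions"], vpc_cidr, False)
    outbound_ok = _permissions_cover(group["IpPermissionsEgress"], "0.0.0.0/0", True)
    return inbound_ok and outbound_ok


def streaming_endpoint_in_az(endpoints_resp, subnet_to_az, builder_az):
    """Shape of describe_vpc_endpoints: an AppStream streaming interface endpoint
    must have a subnet (and so an ENI) in the image builder's Availability Zone."""
    for ep in endpoints_resp["VpcEndpoints"]:
        if ep["VpcEndpointType"] != "Interface":
            continue
        if not ep["ServiceName"].endswith(".appstream.streaming"):
            continue
        if any(subnet_to_az.get(s) == builder_az for s in ep["SubnetIds"]):
            return True
    return False


# ---- Constructed sample data (placeholders, not a real account) ----
VPC_CIDR = "10.0.0.0/16"
DC_IPS = ["10.0.10.10", "10.0.11.10"]
BUILDER_AZ = "us-east-1a"
SUBNET_TO_AZ = {"subnet-private-a": "us-east-1a", "subnet-private-b": "us-east-1b"}
DNS_SUPPORT = {"VpcId": "vpc-example", "EnableDnsSupport": {"Value": True}}
DNS_HOSTNAMES = {"VpcId": "vpc-example", "EnableDnsHostnames": {"Value": True}}
DHCP = {"DhcpOptions": [{"DhcpOptionsId": "dopt-example", "DhcpConfigurations": [
    {"Key": "domain-name", "Values": [{"Value": "corp.example.com"}]},
    {"Key": "domain-name-servers", "Values": [{"Value": ip} for ip in DC_IPS]}]}]}
VPN_SG = {"SecurityGroups": [{"GroupId": "sg-example",
    "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": VPC_CIDR}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}
ENDPOINTS = {"VpcEndpoints": [{"VpcEndpointId": "vpce-example", "VpcEndpointType": "Interface",
    "ServiceName": "com.amazonaws.us-east-1.appstream.streaming",
    "SubnetIds": ["subnet-private-a", "subnet-private-b"]}]}


def run_checks():
    """Return each walkthrough check with its pass/fail result."""
    return {
        "vpc_resolver": vpc_resolver_address(VPC_CIDR) == "10.0.0.2",
        "dns_attributes": dns_attributes_enabled(DNS_SUPPORT, DNS_HOSTNAMES),
        "dhcp_options": dhcp_points_at_domain_controllers(DHCP, DC_IPS),
        "vpn_security_group": vpn_security_group_ok(VPN_SG, VPC_CIDR),
        "streaming_endpoint_az": streaming_endpoint_in_az(ENDPOINTS, SUBNET_TO_AZ, BUILDER_AZ),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:24s} {'PASS' if ok else 'FAIL'}")
```

The security group check deliberately accepts any protocol on the inbound side (the post only requires that the VPC range be allowed in) but insists on protocol -1 to 0.0.0.0/0 for egress, matching the "allows all outbound traffic" wording; tighten either rule to suit your own policy. The endpoint check matches on the `.appstream.streaming` service name suffix so that it works in any Region.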