VDI Migration to Amazon Workspaces

Arizona Department of Transportation

Customer Details

The Arizona Department of Transportation (ADOT) is a multimodal transportation agency serving one of the fastest-growing areas of the country. ADOT is responsible for planning, building and operating a complex highway system in addition to building and maintaining bridges and the Grand Canyon Airport. A major component of the organization is the Motor Vehicle Division, which provides title, registration and driver-license services to the general public throughout the state of Arizona.

Arizona Department of Transportation (ADOT) operates hundreds of remote offices with thousands of agents and supports hundreds of Authorized Third Party locations through their on-premises VDI infrastructure. The Reliability, Availability and Security of this infrastructure is critical to serving the residents of the State of Arizona in an efficient and timely manner for their motor vehicle title, registration and driver-license services.

Problem Statement

ADOT's existing on-premises VDI was old and prone to outages, and at the same time costly to manage. For this reason, the executive leadership at ADOT decided to migrate from their on-premises VDI to Amazon Web Services to eliminate the need to manage the compute and storage infrastructure and significantly reduce operating costs while improving reliability and security. The migration set out to:

  • Use managed services where possible to reduce the burden of patching and managing endpoint devices, in addition to reducing the attack surface.
  • Provide consistent, low-latency connectivity between the cloud and the on-premises network, resulting in a better experience for end users running apps on their edge devices.
  • Scale to hundreds of devices without affecting the end-user experience.
  • Automate the provisioning of virtual desktops to improve service levels by eliminating human error and reducing operating costs. This would also enable ADOT to shut down their infrastructure during non-business hours, driving costs down further.

High Level Requirements:

  • Migrate the VDI infrastructure from on-premises to AWS.
  • Improve the security posture for the virtual desktops by protecting network communications, using encryption at rest and in transit and limiting the blast radius.
  • Reduce capital expenditure by switching to pay-as-you-go model and increase return on investment.
  • Improve the reliability of the system by incorporating managed services where possible into the solution.
  • Ease the management of resources and operations through automation.
  • Determine and implement opportunities for cost savings.
  • Collect and monitor logs and metrics from various AWS services.

Proposed Solution & Architecture

The proposed solution was to:

  1. Utilize the Amazon WorkSpaces Desktop-as-a-Service (DaaS) solution to manage virtual desktops in the cloud.
  2. Provision AWS Direct Connect to establish a dedicated network connection between ADOT's on-premises and cloud environments. This provides a consistent network experience for virtual desktop end users.
  3. Set up redundant Site-to-Site VPN tunnels over AWS Direct Connect to establish a secure, private, encrypted connection to AWS from ADOT networks.
  4. Integrate with ADOT's corporate Active Directory using AWS Directory Service for domain joins, GPOs, and centrally managing users and permissions.
  5. Procure Teradici Zero Clients, which greatly reduce endpoint management, further reduce capital and operational expenditure, and improve network security.
  6. Set up AWS Systems Manager to patch and maintain EC2 instances on AWS.
  7. Use Amazon AppStream 2.0 for application streaming, to centrally manage desktop applications on AppStream 2.0 and securely deliver them to any client.
  8. Set up CloudWatch Logs, alarms, monitoring, and notifications.
  9. Set up backup and recovery of files and folders using the MSP360 (formerly CloudBerry Lab) Backup and Recovery solution.

Below is the architecture diagram for the overall solution in AWS and a list of AWS services used along with their definitions.

[Architecture diagram: ADOT VPC Architecture (ADOT-WorkSpace)]

List of AWS Services Used

The following AWS Services were implemented as part of the solution:

  • AWS Directory Service: Also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.
  • AWS Systems Manager: AWS Systems Manager helps maintain security and compliance by scanning your instances against your patch, configuration, and custom policies. You can define patch baselines, maintain up-to-date anti-virus definitions, and enforce firewall policies. You can also remotely manage your servers at scale without manually logging in to each server.
  • Amazon Workspaces: Amazon WorkSpaces is a managed, secure Desktop-as-a-Service (DaaS) solution. You can use Amazon WorkSpaces to provision either Windows or Linux desktops in just a few minutes and quickly scale to provide thousands of desktops to workers across the globe. Amazon WorkSpaces helps you eliminate the complexity in managing hardware inventory, OS versions and patches, and Virtual Desktop Infrastructure (VDI), which helps simplify your desktop delivery strategy. With Amazon WorkSpaces, your users get a fast, responsive desktop of their choice that they can access anywhere, anytime, from any supported device.
  • Amazon EC2: Amazon Elastic Compute Cloud (Amazon EC2) is a web service that provides secure, resizable compute capacity in the cloud. It is designed to make web-scale cloud computing easier for developers. Amazon EC2’s simple web service interface allows you to obtain and configure capacity with minimal friction. It provides you with complete control of your computing resources and lets you run on Amazon’s proven computing environment.
  • Amazon EBS: Amazon Elastic Block Store (EBS) is an easy to use, high performance block storage service designed for use with Amazon Elastic Compute Cloud (EC2) for both throughput and transaction intensive workloads at any scale.
  • AWS Direct Connect: AWS Direct Connect lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using industry standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources such as objects stored in Amazon S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using private IP space, while maintaining network separation between the public and private environments.
  • AWS VPN: AWS Virtual Private Network (AWS VPN) lets you establish a secure and private tunnel from your network or device to the AWS global network. AWS VPN is comprised of two services: AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.
  • Amazon AppStream 2.0: Amazon AppStream 2.0 is a fully managed application streaming service. You centrally manage your desktop applications on AppStream 2.0 and securely deliver them to any computer. You can easily scale to any number of users across the globe without acquiring, provisioning, and operating hardware or infrastructure.
  • Amazon WorkDocs: Amazon WorkDocs is a fully managed, secure content creation, storage, and collaboration service. With Amazon WorkDocs, you can easily create, edit, and share content, and because it’s stored centrally on AWS, access it from anywhere on any device. Amazon WorkDocs makes it easy to collaborate with others, and lets you easily share content, provide rich feedback, and collaboratively edit documents.
  • Amazon CloudWatch: Amazon CloudWatch is a monitoring and management service that collects monitoring and operational data in the form of logs, metrics, and events, providing you with a unified view of AWS resources, applications and services that run on AWS, and on-premises servers.
  • AWS Config: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
  • AWS Trusted Advisor: AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices.
  • AWS Key Management Service (KMS): AWS Key Management Service (KMS) makes it easy for you to create and manage keys and control the use of encryption across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses FIPS 140-2 validated hardware security modules to protect your keys.

List of Third Party Services Used

The following third-party services were implemented as part of the solution:

  • N2WS AWS Backup and Recovery: Automated AWS Backups with centralized management and monitoring. File and folder backup for Windows workstations and servers.
  • Teradici PCoIP Zero Clients: PCoIP Zero Clients are ultra-secure endpoints that use a highly integrated, purpose-built processor to transmit pixels instead of data to the user’s desktop. They are easy-to-manage, dependable, and secure endpoints to access Amazon WorkSpaces desktops and applications.
  • FabulaTech USB for Remote Desktop: FabulaTech USB for Remote Desktop is software that redirects locally plugged USB devices to your remote desktop session, so the USB device appears to be plugged directly into the remote side. Using the Administrative Utility, USB for Remote Desktop can be configured to redirect any newly plugged USB device immediately and automatically.

Alignment to Well Architected Framework (WAF)

By optimizing the architecture around the five (5) WAF pillars, ADOT was able to gain the benefits of a well-architected design in the cloud:

Cost Optimization:

  • Optimize costs by using Managed services like WorkSpaces, AppStream, WorkDocs, AWS Directory Services etc.
  • Monitor AWS Spend using billing alarms.
  • Right size Instances by using recommendations from Trusted Advisor for optimizing resources, instance types and sizes.

Performance Efficiency:

  • Made architectural choices based on cost/budget, business needs and benchmarking.
  • Selection of compute resources, instance family, type and size based on characteristics, cost and business needs.
  • Selection of storage solution based on access patterns, characteristics and requirements.
  • Proactively record and monitor performance related metrics and generate alarm based notifications.

Operational Excellence:

  • Determine priorities by extensively evaluating customer and compliance needs.
  • Ensure operational readiness by training personnel to support production workloads.
  • Identify key performance indicators and define workload metrics.
  • Monitor the performance of resources through metrics collected in CloudWatch.

Security:

  • Control human access by granting least privileges.
  • Tighten firewall rules to protect compute resources by reducing the blast radius.
  • Regularly scan for vulnerabilities and apply patches using AWS Systems Manager.
  • Protect all data at rest using KMS keys for encrypting EBS volumes, Snapshots and S3 buckets.
  • Protect all data in transit by enforcing SSL encryption and managing SSL Certificates inside AWS Certificate Manager.
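An added example, not part of the original case study: an offline posture check for two of the controls above, encryption at rest on WorkSpaces volumes and firewall rules that keep the blast radius small. The records are constructed samples shaped like the boto3 `describe_workspaces` and `describe_security_groups` responses; the ids, user names and CIDRs are invented for illustration.

```python
"""Flag WorkSpaces lacking volume encryption and security-group ingress rules
open to the whole internet. No AWS call is made; the data below is constructed
in the shape of the real API responses so the check runs offline."""

# Constructed sample: three WorkSpaces, one fully encrypted, two not.
WORKSPACES = [
    {"WorkspaceId": "ws-0example01", "UserName": "agent01",
     "RootVolumeEncryptionEnabled": True, "UserVolumeEncryptionEnabled": True,
     "VolumeEncryptionKey": "alias/aws/workspaces"},
    {"WorkspaceId": "ws-0example02", "UserName": "agent02",
     "RootVolumeEncryptionEnabled": False, "UserVolumeEncryptionEnabled": True},
    {"WorkspaceId": "ws-0example03", "UserName": "agent03"},  # neither flag set
]

# Constructed sample: a security group on the WorkSpaces subnet.
SECURITY_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 4172, "ToPort": 4172,   # PCoIP, internal only
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,   # RDP from anywhere
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # all traffic
    ],
}


def unencrypted_workspaces(workspaces):
    """Return ids of WorkSpaces where the root or user volume is not encrypted.
    A missing flag is treated as False, matching how the API reports it."""
    return [ws["WorkspaceId"] for ws in workspaces
            if not (ws.get("RootVolumeEncryptionEnabled", False)
                    and ws.get("UserVolumeEncryptionEnabled", False))]


def open_ingress_rules(group):
    """Return (protocol, from_port, to_port) for rules reachable from any
    IPv4 or IPv6 address. Protocol '-1' means all traffic and carries no ports."""
    findings = []
    for rule in group["IpPermissions"]:
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            findings.append((rule["IpProtocol"],
                             rule.get("FromPort"), rule.get("ToPort")))
    return findings


if __name__ == "__main__":
    print("unencrypted WorkSpaces:", unencrypted_workspaces(WORKSPACES))
    print("internet-open ingress:", open_ingress_rules(SECURITY_GROUP))
```

Against live data, the same two functions can be fed the `Workspaces` and `SecurityGroups` lists returned by boto3 and the results fed to a CloudWatch alarm, as the Operational Excellence pillar above suggests.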

Reliability:

  • Redundant VPN tunnels for highly available and secure access to AWS resources.
  • Direct Connect for increased dedicated bandwidth throughput, and a consistent network connectivity.
  • Regularly monitor and manage service limits with AWS Trusted Advisor.
  • Perform data backups automatically and encrypt them using KMS keys.
  • Define recovery objectives for downtime and data loss, and use recovery strategies that meet those objectives.

Outcomes

After ADOT's VDI solution was successfully migrated to AWS, Amazon WorkSpaces significantly reduced the burden of infrastructure management and scales instantly. ADOT was able to realize better ROI by eliminating CapEx while saving costs and improving the security posture and reliability of the system through several managed services and automation inside AWS.