Deployment Environments
The standard way to install the WorkSpaces Manager (WSM) Appliance is as a single AMI, deployed from the AWS Marketplace via CloudFormation. This deploys one EC2 instance containing all the services WSM needs to connect to Active Directory and Amazon WorkSpaces: IIS, Microsoft SQL Server Express and the .NET application.
WorkSpaces Manager requires access to an existing Active Directory forest/domain and can operate in multi-domain and multi-forest environments. Below are alternative deployment scenarios:
Internal Network Load Balancer (NLB) for Presentation and SSL Offloading
This configuration uses a DNS name (e.g., wsm.example.com) to present the portal to users and admins.
The DNS record must be resolved internally, and the service is not accessible via the Internet.
External Network Load Balancer (NLB) for Presentation and SSL Offloading
This setup also uses a DNS name (e.g., wsm.example.com) to present the portal to users and admins.
The DNS record must be resolved externally, and the service is accessible via the Internet (not recommended without a proper security analysis).
Combination of Internal and External Network Load Balancers
Different DNS resolvers or DNS names can be used (e.g., wsm.example.com for external access and wsm.internal.example.com for internal access).
Independent MS SQL Database
This database can be domain-joined or not, but it must be reachable from the WorkSpaces Manager Appliance over the SQL Server port.
Microsoft SQL Server Express is recommended for estates of fewer than 1,000 WorkSpaces; WorkSpaces Manager also supports other Microsoft SQL Server editions and Amazon RDS.
The database can run in different configurations, such as in a single Availability Zone or with read-only replicas in another Availability Zone.
Combination of the Above Scenarios
For example, the three tiers (application, database, and load balancing) can be split into separate services, such as EC2, RDS, and a Load Balancer.
Presentation Tier Division with Network Load Balancer (NLB) and SSL Certificate Offload
If the presentation tier is split out by adding a Network Load Balancer (NLB) with SSL certificate offloading, the architecture looks as follows:
Network Load Balancer
The NLB can be deployed in either private or public subnets, depending on the specific requirements.
Recommendation: place the NLB in private subnets. The portal is then reachable only from inside the network, and the TLS certificate is managed at the load balancer rather than on the appliance.
This is the most common implementation we see with our clients.
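The internal NLB scenario (listed above and detailed in this section), expressed as a CloudFormation template. This is an added example, not part of the WorkSpaces Manager documentation or the Marketplace template: it assumes the appliance instance already exists and that the VPC, subnet, certificate and hosted-zone IDs are supplied as parameters. The template places the NLB in private subnets, terminates TLS there with an ACM certificate, allows port 443 into the appliance only from the NLB's security group, and publishes wsm.internal.example.com in a private hosted zone.

```yaml
# Added example, not part of the WorkSpaces Manager documentation or product.
# Internal NLB in private subnets terminating TLS in front of an existing WSM
# appliance instance. All names, parameters and CIDRs are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: Internal NLB with TLS termination for a WorkSpaces Manager appliance (example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets for the NLB, one per Availability Zone (assumed)
  WsmInstanceId:
    Type: AWS::EC2::Instance::Id
    Description: Appliance instance deployed from the Marketplace AMI (assumed to exist)
  WsmInstanceSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group already attached to the appliance instance
  CertificateArn:
    Type: String
    Description: ACM certificate ARN for the portal DNS name (assumed)
  PrivateHostedZoneId:
    Type: AWS::Route53::HostedZone::Id
    Description: Private hosted zone for internal.example.com (assumed)
  ClientCidr:
    Type: String
    Default: 10.0.0.0/8
    Description: Internal client range allowed to reach the portal (assumed)

Resources:
  # Only the NLB accepts client connections, and only on 443 from ClientCidr.
  NlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Inbound HTTPS to the WSM portal from internal clients only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref ClientCidr

  # The appliance accepts 443 only from the NLB, never from clients directly.
  WsmInstanceIngressFromNlb:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref WsmInstanceSecurityGroupId
      IpProtocol: tcp
      FromPort: 443
      ToPort: 443
      SourceSecurityGroupId: !Ref NlbSecurityGroup

  WsmNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal              # no public IP; not reachable from the Internet
      Subnets: !Ref PrivateSubnetIds
      SecurityGroups:
        - !Ref NlbSecurityGroup

  # Protocol TLS re-encrypts the hop to the appliance's own IIS binding on 443.
  # Protocol TCP with Port 80 would be a pure offload: plaintext HTTP inside the VPC.
  WsmTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      TargetType: instance
      Protocol: TLS
      Port: 443
      HealthCheckProtocol: HTTPS
      HealthCheckPath: /            # assumed; use a documented WSM health endpoint if one exists
      Targets:
        - Id: !Ref WsmInstanceId
          Port: 443

  # TLS terminates here with the ACM certificate; clients never see the appliance certificate.
  WsmTlsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref WsmNlb
      Protocol: TLS
      Port: 443
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WsmTargetGroup

  # Internal-only name: resolvable by VPC and on-premises resolvers, absent from public DNS.
  WsmPortalRecord:
    Type: AWS::Route53::RecordSet
    Properties:
      HostedZoneId: !Ref PrivateHostedZoneId
      Name: wsm.internal.example.com.
      Type: A
      AliasTarget:
        HostedZoneId: !GetAtt WsmNlb.CanonicalHostedZoneID
        DNSName: !GetAtt WsmNlb.DNSName
```

The target group uses Protocol TLS so the segment from the NLB to the appliance stays encrypted; switching it to TCP on port 80 gives the pure offload the heading describes but puts plaintext HTTP on the VPC link between load balancer and instance. The external scenario differs only in Scheme: internet-facing, public subnets and a public hosted zone; the security group on the NLB then becomes the main control between the Internet and the portal, which is why that scenario needs a security analysis before it is used.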
Decoupling the Three Tiers: Separating the Data Tier
Finally, to fully decouple all three tiers, the data tier can be separated by using an RDS database backend. In this setup:
The EC2 instance would host only the .NET application.
The Database would be managed separately on RDS.
Additionally, the database can be deployed in different configurations, such as with read-only replicas for scalability and fault tolerance. Below is an example of a single RDS deployment.
WorkSpaces Manager also works with the Enterprise edition of SQL Server on RDS for greater redundancy and reporting.
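The decoupled data tier described in this section and under "Independent MS SQL Database" above, as a CloudFormation template. This is an added example, not part of the WorkSpaces Manager documentation or product: the SQL Server edition, instance class, storage size and parameter names are assumptions, and the appliance's connection string still has to be pointed at the endpoint in the stack outputs. It keeps the database in private subnets, accepts TCP 1433 only from the appliance's security group, encrypts storage at rest, runs Multi-AZ and lets RDS manage the master password in Secrets Manager.

```yaml
# Added example, not part of the WorkSpaces Manager documentation or product.
# Separate RDS for SQL Server data tier reachable only from the WSM appliance.
# Edition, sizes and parameter names are assumptions.
AWSTemplateFormatVersion: '2010-09-09'
Description: RDS for SQL Server data tier for a WorkSpaces Manager appliance (example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets in at least two Availability Zones (assumed)
  WsmInstanceSecurityGroupId:
    Type: AWS::EC2::SecurityGroup::Id
    Description: Security group of the appliance instance hosting the .NET application
  DbInstanceClass:
    Type: String
    Default: db.m5.large              # assumed; size to the estate

Resources:
  # Only the appliance's security group may open TCP 1433; no CIDR-based access.
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: SQL Server access from the WSM appliance only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 1433
          ToPort: 1433
          SourceSecurityGroupId: !Ref WsmInstanceSecurityGroupId

  # Private subnets only; combined with PubliclyAccessible false there is no public endpoint.
  DbSubnetGroup:
    Type: AWS::RDS::DBSubnetGroup
    Properties:
      DBSubnetGroupDescription: Private subnets for the WSM database
      SubnetIds: !Ref PrivateSubnetIds

  WsmDatabase:
    Type: AWS::RDS::DBInstance
    DeletionPolicy: Snapshot          # keep a final snapshot if the stack is deleted
    UpdateReplacePolicy: Snapshot
    Properties:
      Engine: sqlserver-se            # Standard Edition; Express (sqlserver-ex) does not support MultiAZ
      LicenseModel: license-included
      DBInstanceClass: !Ref DbInstanceClass
      AllocatedStorage: 100
      StorageType: gp3
      StorageEncrypted: true          # at-rest encryption with the account's default RDS KMS key
      MultiAZ: true                   # synchronous standby in a second Availability Zone
      PubliclyAccessible: false
      DBSubnetGroupName: !Ref DbSubnetGroup
      VPCSecurityGroups:
        - !Ref DbSecurityGroup
      MasterUsername: wsmadmin        # assumed name
      ManageMasterUserPassword: true  # RDS generates and rotates the password in Secrets Manager
      BackupRetentionPeriod: 7
      DeletionProtection: true
      EnableCloudwatchLogsExports:
        - error

Outputs:
  SqlServerEndpoint:
    Description: Host the appliance's connection string points at (port 1433)
    Value: !GetAtt WsmDatabase.Endpoint.Address
  MasterSecretArn:
    Description: Secrets Manager secret holding the master credentials
    Value: !GetAtt WsmDatabase.MasterUserSecret.SecretArn
```

Because the master password never appears in the template or in parameters, nothing in the stack history or CloudTrail carries it; the appliance (or an operator) reads it from the secret in the MasterSecretArn output. A read replica in another Availability Zone, as mentioned above, would be a second AWS::RDS::DBInstance with SourceDBInstanceIdentifier pointing at WsmDatabase and the same security group.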