Resilience

Deployment Environments


Last updated 6 months ago

The standard installation of the WorkSpaces Manager Appliance is a single AMI, deployed via CloudFormation from the AWS Marketplace. This creates one EC2 instance containing every service WSM needs to connect to Active Directory and Amazon WorkSpaces: IIS, MS SQL Express and the .NET application.

WorkSpaces Manager requires access to an existing Active Directory Forest/Domain and can operate in Multi-Domain and Multi-Forest environments. The following alternative deployment scenarios are supported:

  1. Internal Network Load Balancer (NLB) for Presentation and SSL Offloading

    • This configuration uses a DNS name (e.g., wsm.example.com) to present the portal to users and admins.

    • The DNS record is resolvable only by internal resolvers, and the service is not reachable from the Internet.

  2. External Network Load Balancer (NLB) for Presentation and SSL Offloading

    • This setup also uses a DNS name (e.g., wsm.example.com) to present the portal to users and admins.

    • The DNS record is resolvable externally, and the service is reachable from the Internet. This is not recommended unless the exposure has first been assessed in a proper security review.

  3. Combination of Internal and External Network Load Balancers

    • Different DNS resolvers or DNS names can be used (e.g., wsm.example.com for external access and wsm.internal.example.com for internal access).

  4. Independent MS SQL Database

    • The database server may or may not be domain-joined, but it must be reachable from the WorkSpaces Manager Appliance.

    • MS SQL Express is recommended for estates of under 1,000 WorkSpaces (note that SQL Server Express caps each database at 10 GB). WorkSpaces Manager also supports other Microsoft SQL Server editions and versions, as well as RDS.

    • The database can run in different configurations, such as a single Availability Zone or with read replicas in another Availability Zone.

  5. Combination of the Above Scenarios

    • For example, the three tiers (application, database, and load balancing) can be split into separate services, such as EC2, RDS, and a Load Balancer.

Presentation Tier Division with Network Load Balancer (NLB) and SSL Certificate Offload

If we divide the Presentation tier by incorporating a Network Load Balancer (NLB) with SSL Certificate offloading, the architecture will look as follows:

  • Network Load Balancer

    • The NLB can be deployed in either private or public subnets, depending on the specific requirements.

    • Recommendation: place the NLB in a private subnet so that the portal is reachable only from inside the network.

This setup is the most common implementation we observe among our clients.

Decoupling the Three Tiers: Separating the Data Tier

To fully decouple all three tiers, the data tier can be separated out by using an RDS database backend. In this setup:

  • The EC2 instance would host only the .NET application.

  • The Database would be managed separately on RDS.

Additionally, the database can be deployed in different configurations, such as with read replicas for scalability and fault tolerance. Below is an example of a single RDS deployment.

WorkSpaces Manager also works with the Enterprise edition of SQL Server on RDS, for greater redundancy and reporting.
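The NLB scenarios above and the decoupled data tier described in this section each come with a small set of controls a reviewer should confirm before a template is deployed: the NLB is internal unless exposure was deliberately accepted, the listener terminates TLS, no security group admits the whole Internet, and the database is not public and accepts connections only from the appliance's security group. The script below is an added example, not the WSM Marketplace template or any WSM code; it checks a CloudFormation template for those controls. The embedded template, and every resource and parameter name in it (WsmNlb, WsmApplianceSg, WsmDbSg, WsmDb and the referenced parameters), is constructed for illustration.

```python
"""Review a CloudFormation template for the deployment-environment controls this
page describes: an internal NLB terminating TLS, no Internet-wide ingress to the
appliance, and a database that is not public and is reachable only from the
appliance's security group.

Added example, not the WSM Marketplace template or any WSM code. SAMPLE_TEMPLATE
and every resource and parameter name in it are constructed for illustration."""
import copy
import json

# Constructed template for scenario 1 plus an independent database. JSON is used
# rather than YAML so that CloudFormation's !Ref tags need no custom loader.
SAMPLE_TEMPLATE = json.loads("""
{"Resources": {
  "WsmNlb": {"Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
    "Properties": {"Type": "network", "Scheme": "internal",
                   "Subnets": [{"Ref": "PrivateSubnetA"}, {"Ref": "PrivateSubnetB"}]}},
  "WsmTlsListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener",
    "Properties": {"Protocol": "TLS", "Port": 443,
                   "Certificates": [{"CertificateArn": {"Ref": "WsmCertificateArn"}}],
                   "LoadBalancerArn": {"Ref": "WsmNlb"},
                   "DefaultActions": [{"Type": "forward",
                                       "TargetGroupArn": {"Ref": "WsmTargetGroup"}}]}},
  "WsmApplianceSg": {"Type": "AWS::EC2::SecurityGroup",
    "Properties": {"GroupDescription": "WSM appliance", "VpcId": {"Ref": "VpcId"},
                   "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443,
                                             "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
  "WsmDbSg": {"Type": "AWS::EC2::SecurityGroup",
    "Properties": {"GroupDescription": "WSM SQL Server", "VpcId": {"Ref": "VpcId"},
                   "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 1433,
                                             "ToPort": 1433,
                                             "SourceSecurityGroupId": {"Ref": "WsmApplianceSg"}}]}},
  "WsmDb": {"Type": "AWS::RDS::DBInstance",
    "Properties": {"Engine": "sqlserver-ex", "PubliclyAccessible": false,
                   "StorageEncrypted": true, "VPCSecurityGroups": [{"Ref": "WsmDbSg"}]}}
}}
""")

def _of_type(resources, rtype):
    return {name: r for name, r in resources.items() if r.get("Type") == rtype}

def _ingress(resource):
    return resource.get("Properties", {}).get("SecurityGroupIngress", [])

def check_template(template, allow_internet_facing=False):
    """Return a list of findings; an empty list means every control is satisfied.
    allow_internet_facing=True is scenario 2/3, where the exposure has been accepted
    after review; the remaining checks still apply."""
    res = template.get("Resources", {})
    findings = []
    # Presentation tier: CloudFormation defaults Scheme to internet-facing, so a
    # missing property is itself a finding.
    for name, lb in _of_type(res, "AWS::ElasticLoadBalancingV2::LoadBalancer").items():
        scheme = lb.get("Properties", {}).get("Scheme", "internet-facing")
        if scheme != "internal" and not allow_internet_facing:
            findings.append(f"{name}: load balancer is internet-facing")
    # TLS offload: the listener must terminate TLS with a certificate, not pass TCP.
    for name, lst in _of_type(res, "AWS::ElasticLoadBalancingV2::Listener").items():
        props = lst.get("Properties", {})
        if props.get("Protocol") != "TLS" or not props.get("Certificates"):
            findings.append(f"{name}: listener does not terminate TLS")
    # No security group on any tier may admit the whole Internet.
    for name, sg in _of_type(res, "AWS::EC2::SecurityGroup").items():
        for rule in _ingress(sg):
            if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                findings.append(f"{name}: port {rule.get('FromPort')} open to the Internet")
    # Data tier: explicitly non-public, encrypted at rest, and reachable only from a
    # security group (the appliance's), never from a CIDR range.
    for name, db in _of_type(res, "AWS::RDS::DBInstance").items():
        props = db.get("Properties", {})
        if props.get("PubliclyAccessible") is not False:
            findings.append(f"{name}: database not explicitly non-public")
        if props.get("StorageEncrypted") is not True:
            findings.append(f"{name}: database storage not encrypted")
        for ref in props.get("VPCSecurityGroups", []):
            sg_name = ref.get("Ref") if isinstance(ref, dict) else None
            for rule in _ingress(res.get(sg_name, {})):
                if "SourceSecurityGroupId" not in rule:
                    findings.append(f"{sg_name}: database port open to a CIDR, not to the appliance SG")
    return findings

def internet_facing_variant(template=SAMPLE_TEMPLATE):
    """Constructed scenario-2 variant with the controls loosened, for comparison."""
    weak = copy.deepcopy(template)
    r = weak["Resources"]
    r["WsmNlb"]["Properties"]["Scheme"] = "internet-facing"
    _ingress(r["WsmApplianceSg"]).append(
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"})
    r["WsmDb"]["Properties"]["PubliclyAccessible"] = True
    r["WsmDbSg"]["Properties"]["SecurityGroupIngress"] = [
        {"IpProtocol": "tcp", "FromPort": 1433, "ToPort": 1433, "CidrIp": "0.0.0.0/0"}]
    return weak

if __name__ == "__main__":
    for label, tpl in (("recommended", SAMPLE_TEMPLATE), ("exposed", internet_facing_variant())):
        print(label, "->", check_template(tpl) or ["no findings"])
```

Run against the recommended template the check returns no findings; run against the loosened variant it reports the internet-facing NLB, the two security groups open to 0.0.0.0/0, the public RDS instance and the database port opened to a CIDR instead of the appliance's security group. Passing `allow_internet_facing=True` models scenario 2 after a security review has accepted the exposure: the NLB finding is suppressed, but the remaining controls are still enforced.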