AWS WorkSpaces is a great low cost Virtual Desktop experience. Extremely easy to get started and build quick images to support your needs. During the implementation you are going to want to provide a Quality of Service policy (QoS) much like you would if you had Citrix or VMWare Horizon on-premises. WorkSpaces is slightly different to other VDI solutions where it uses PCoIP protocol and basically streams the desktop to your endpoint much like a video conference would. With video conferencing in mind the biggest design flaw is to not prioritise the packets across your managed network segments.
WorkSpaces real-time traffic is going to be sensitive to packet loss, delay and jitter, which occur frequently in congested networks. Quality of Service (QoS) – sometimes called Class of Service – must also be deployed on managed external WANs, managed internal LANs, and enterprise-based WiFi networks. This will help to properly prioritise VDI real-time streaming over other non-real time traffic on local networks and over WAN, creating a better experience for end users. There are two types of clients we need to accomodate for in an environment:
- WorkSpaces Soft Client on Windows and Mac computers, Chromebooks, iPads, Fire tablets, and Android tablets.
- Teradici Zero Clients
Does WorkSpaces need any Quality of Service configurations to be updated on my network?If you wish to implement Quality of Service on your network for WorkSpaces traffic, you should prioritize the WorkSpaces interactive video stream which is comprised of real time traffic on UDP port 4172. If possible, this traffic should be prioritized just after VoIP to provide the best user experience.
What service class should WorkSpaces use?PCoIP traffic should be set to a QoS priority below Voice-over-IP (VOIP) traffic (if used), but above the priority level for any TCP traffic. For most networks, this translates to a DSCP value of AF41 or AF31 (if interactive video is prioritized above PCoIP traffic)
WorkSpaces streaming should be deployed in the AF41 (Assured Forwarding – DSCP 34) queue. Streaming media happens on TCP/UDP 4172 below is how we can enable this on the soft client on your network to leverage DSCP tagging.
Create a QoS Group Policy
- Create a GPO using Group Policy Management Console and link it to your workstations/computer Organizational Unit.
- Computer Configuration >Policies > Window Settings > Policy Based QoS.
- Right Click and create a new policy.
- Give the policy a name like “WorkSpaces Client QoS”. Assign the DSCP Value of 34.
- Change the Application the policy applies to from All to specific, enter “workspaces.exe”
- Add a destination IP address range as per this link
- From the Protocol selection, choose TCP and UDP and Select “From this destination port number or range”. Enter the range 4172.
To test whether the packets are being tagged, install Wireshark on your PC that has AWS Workspaces and take a capture while you have a VDI session active. Stop the capture and filter by the below expression.
udp.port eq 4172
Looking at the UDP packets we can see before/after DSCP tagging
And after the policy is enabled.
Handy Hints for Traffic
Bypass proxies and WAN optimization devices
All streaming traffic is encrypted and is typically not able to be inspected by proxy/firewall devices. For these reasons I’d recommend bypassing proxy devices and not decrypting the packets for all WorkSpaces network traffic.
Keep my traffic private
If you would like to keep your traffic completely private and as low latent as humanly possible, then implement an AWS Direct Connect Public Peering session to have the streaming media IP ranges for your region advertised as routes via Border Gateway Protocol (BGP) on your network.