Warm AWS WorkSpaces On a Schedule

AWS WorkSpaces VDI solution has two pricing options that you need to choose between for your implementation.

  1. Monthly
  2. Hourly (On demand)

In my opinion it is always worth attempting to run your WorkSpaces VDI deployment in on-demand where there is chance of cost savings when the virtual desktops can be turned off and you will not be charged.

With hourly billing you pay a small fixed monthly fee per WorkSpace to cover infrastructure costs and storage, and a low hourly rate for each hour the WorkSpace is used during the month. Hourly billing works best when Amazon WorkSpaces are used, on average, for less than a full working day or for just a few days a month, making it ideal for part-time workers, job sharing, road warriors, short-term projects, corporate training, and education.

https://aws.amazon.com/workspaces/pricing/

Turning off the VDI is done by AWS using a setting called Running Mode per VDI:

Always on – Billed monthly. Instant access to an always running WorkSpaces

AutoStop – Billed by the hour. WorkSpaces start automatically when you login, and stop when no longer being used (1-48hrs).

In my opinion a turn off period of 1 hour is too short, it doesn’t cover a user who has a long lunch or meeting that runs slightly over. 2 hours cool down period seems to be perfect for cost optimisation. With this in mind, all your VDI’s will be off at the beginning of your working day. To eliminate the need for the 60-90 second boot up time imposed by AWS for cold starts we can pre-warm the VDI’s using Lambda function on a schedule. The process will be as follows:

  1. CloudWatch Event that runs based on a CRON schedule.
  2. Event triggers the execution of a Lambda function
  3. The Lambda function runs python that starts WorkSpaces based on a set of conditions using the boto3 library to interact with the service.

The python code block below wakes all VDI’s in a region that are in a ‘STOPPED’ state but there is no reason why you couldn’t be more granular with tagging per VDI.


import boto3

def lambda_handler(event, context):
    directory_id= ''
    region = 'ap-southeast-2'
    running_mode = 'AVAILABLE'
    # Event
    session = boto3.session.Session(
        aws_access_key_id='',
        aws_secret_access_key=''
    )
    
    ws = session.client('workspaces')
    workspaces = []
    
    resp = ws.describe_workspaces(DirectoryId=directory_id)
    
    while resp:
      workspaces += resp['Workspaces']
      resp = ws.describe_workspaces(DirectoryId=directory_id, NextToken=resp['NextToken']) if 'NextToken' in resp else None
    
    for workspace in workspaces:
    
      if workspace['State'] == running_mode:
        continue
    
      if workspace['State'] in ['STOPPED']:
    
        ws.start_workspaces(
          StartWorkspaceRequests=[
            {
                'WorkspaceId': workspace['WorkspaceId'],
            },
          ]
        )
      
        print 'Starting WorkSpace for user: ' + workspace['UserName']
    
      else:
        print 'Could not start workspace for user: ' + workspace['UserName']


To start the Workspaces on a schedule, Lambda can invoke using a CRON expression:

cron(0 22 ? * SUN-THU *)

The cron schedule runs in GMT, so in this case 10:00 PM in GMT is 8:00 AM in AEST for following day (GMT +10:00).

The end result is the WorkSpaces you have chosen to wake up would start at 8am and shutdown again at 10am if not used. If you had departments or user groups that are heavy users versus sometimes users this might be where your code looks at some tags you’ve set per VDI.


QoS for AWS WorkSpaces Client

AWS WorkSpaces is a great low cost Virtual Desktop experience. Extremely easy to get started and build quick images to support your needs. During the implementation you are going to want to provide a Quality of Service policy (QoS) much like you would if you had Citrix or VMWare Horizon on-premises. WorkSpaces is slightly different to other VDI solutions where it uses PCoIP protocol and basically streams the desktop to your endpoint much like a video conference would. With video conferencing in mind the biggest design flaw is to not prioritise the packets across your managed network segments.

WorkSpaces real-time traffic is going to be sensitive to packet loss, delay and jitter, which occur frequently in congested networks. Quality of Service (QoS) – sometimes called Class of Service – must also be deployed on managed external WANs, managed internal LANs, and enterprise-based WiFi networks. This will help to properly prioritise VDI real-time streaming over other non-real time traffic on local networks and over WAN, creating a better experience for end users. There are two types of clients we need to accomodate for in an environment:

  1. WorkSpaces Soft Client on Windows and Mac computers, Chromebooks, iPads, Fire tablets, and Android tablets.
  2. Teradici Zero Clients

Does WorkSpaces need any Quality of Service configurations to be updated on my network?

If you wish to implement Quality of Service on your network for WorkSpaces traffic, you should prioritize the WorkSpaces interactive video stream which is comprised of real time traffic on UDP port 4172. If possible, this traffic should be prioritized just after VoIP to provide the best user experience.
https://aws.amazon.com/workspaces/faqs/

What service class should WorkSpaces use?

PCoIP traffic should be set to a QoS priority below Voice-over-IP (VOIP) traffic (if used), but above the priority level for any TCP traffic. For most networks, this translates to a DSCP value of AF41 or AF31 (if interactive video is prioritized above PCoIP traffic)
https://help.teradici.com/s/article/1590

WorkSpaces streaming should be deployed in the AF41 (Assured Forwarding – DSCP 34) queue. Streaming media happens on TCP/UDP 4172 below is how we can enable this on the soft client on your network to leverage DSCP tagging.

Create a QoS Group Policy

  • Create a GPO using Group Policy Management Console and link it to your workstations/computer Organizational Unit.
  • Computer Configuration >Policies > Window Settings > Policy Based QoS.
  • Right Click and create a new policy.
  • Give the policy a name like “WorkSpaces Client QoS”. Assign the DSCP Value of 34.
  • Change the Application the policy applies to from All to specific, enter “workspaces.exe”
  • Add a destination IP address range as per this link
  • From the Protocol selection, choose TCP and UDP and Select “From this destination port number or range”. Enter the range 4172.

Testing

To test whether the packets are being tagged, install Wireshark on your PC that has AWS Workspaces and take a capture while you have a VDI session active. Stop the capture and filter by the below expression.

udp.port eq 4172

Looking at the UDP packets we can see before/after DSCP tagging

DSCP Before
Differentiated Service Field = CS0

And after the policy is enabled.

DSCP After
Differentiated Service Field = AF41

Handy Hints for Traffic

Bypass proxies and WAN optimization devices

All streaming traffic is encrypted and is typically not able to be inspected by proxy/firewall devices. For these reasons I’d recommend bypassing proxy devices and not decrypting the packets for all WorkSpaces network traffic.

Keep my traffic private

If you would like to keep your traffic completely private and as low latent as humanly possible, then implement an AWS Direct Connect Public Peering session to have the streaming media IP ranges for your region advertised as routes via Border Gateway Protocol (BGP) on your network.