Customize your users' access to Web Access for Amazon WorkSpaces
Ease user logon experience when using WorkSpaces Web Access
Asriel A.
Amazon Employee
Published Nov 4, 2024
Last Modified Nov 5, 2024
With Amazon WorkSpaces Personal, users can choose from many different clients to connect to their desktop. When using the WorkSpaces Web Client (Web Access), users must provide their registration code before they are presented with the next steps of the logon process. When using one of our thick clients, administrators can provide a uniform resource identifier (URI) to simplify the logon experience for their users. My customers often ask how they can provide a similar logon experience for their users when using Web Access. In this post, I will walk you through configuring a redirect that sends your users to the WorkSpaces Web Access client with the registration code prefilled, easing their logon experience.
· An Amazon WorkSpaces environment already configured
· A domain registered in Amazon Route 53
· A general understanding of AWS Lambda and Elastic Load Balancing (ELB)
1. In order to perform the 302 redirect to send users to the correct Web Access URL, we need something that handles that redirect. In this example, we will be using Lambda. The Lambda function is used to redirect the users to the Web Access URL that you specify.
2. Open the Lambda console in the Region in which you have Amazon WorkSpaces deployed.
3. Choose Create function, then select Author from scratch.
4. For the Function Name, enter a value.
5. For Runtime, select Python 3.12.
6. Choose Create Function.
7. Remove the default code from the Code Source for the lambda_function.py file. Add the following code. In the updated code, replace <region> and <registration code> with the web access URL for the region where your WorkSpaces are deployed and the registration code for your directory.
8. Choose Deploy.
9. Make a note of the Function ARN.
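A redirect handler of the kind step 7 calls for, written here as an added example and not the post's own code. The target URL, the `WEB_ACCESS_URL` and `WEB_ACCESS_HOST` variable names, and the `example.com` host are constructed placeholders; substitute the Web Access URL for your Region and your directory's registration code.

```python
import os
from urllib.parse import urlsplit

# Constructed placeholder, not a real endpoint: replace with the Web Access URL
# for your Region and your directory's registration code (step 7).
PLACEHOLDER_URL = "https://web-access.example.com/?registration_code=EXAMPLE-CODE"
PLACEHOLDER_HOST = "web-access.example.com"


def load_target(env=os.environ):
    """Return the fixed redirect target; refuse anything but https on the expected host."""
    url = env.get("WEB_ACCESS_URL", PLACEHOLDER_URL)             # hypothetical variable name
    expected_host = env.get("WEB_ACCESS_HOST", PLACEHOLDER_HOST)  # hypothetical variable name
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != expected_host:
        raise ValueError("redirect target must be https on the expected host")
    return url


def _response(status, description, headers):
    # Response shape an Application Load Balancer expects from a Lambda target.
    return {
        "statusCode": status,
        "statusDescription": description,
        "isBase64Encoded": False,
        "headers": headers,
        "body": "",
    }


def lambda_handler(event, context):
    # Nothing from the request (path, query string, Host header) is used to
    # build the Location value, so the function cannot act as an open redirect.
    if event.get("httpMethod", "GET") not in ("GET", "HEAD"):
        return _response(405, "405 Method Not Allowed", {"Allow": "GET, HEAD"})
    return _response(302, "302 Found", {
        "Location": load_target(),
        "Cache-Control": "no-store",  # keep intermediaries from caching the redirect
    })
```

Setting the target through the function's environment variables lets you change the registration code without redeploying code, and a misconfigured value fails the request rather than redirecting users to an unexpected host.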
An Application Load Balancer (ALB) directs the users' requests to the Lambda function.
1. Open the EC2 Console.
2. In the navigation pane, select Load Balancers.
3. Choose Create Load balancer.
4. Choose Create under Application Load Balancer.
5. For the Basic Configuration:
- Enter a Name based on the Region this will redirect to. For example, us-east-1-alb-myapp.
- Select internet-facing for Scheme.
- For IP address type, select ipv4.
9. For Listeners, keep the default at HTTP and port 80 for Load Balancer Protocol. Note: You can enable HTTPS. This requires certificates for the encrypted communication. For more information, review how to create an HTTPS listener for your Application Load Balancer.
10. For Availability Zones, choose the VPC to deploy the load balancer in.
11. Select the chosen VPC’s public subnets.
12. Choose Next to Configure Security Settings, then Next to Configure Security Groups.
13. Either create a new security group, or select an existing security group that allows for HTTP traffic from the internet or a subset of IP addresses that users will source from. Choose Next: Configure Routing.
14. For the Target group settings:
- Give the target group a Name similar to the load balancer name. For example, us-east-1-tg-myapp.
- For Target Type, select Lambda function, and keep the Health check Enable box unchecked.
17. Choose Next: Register Targets.
18. Enter the Lambda function ARN you copied in Step 1, or select your function from the dropdown picker. For version, use $LATEST.
19. Click Next: Review, then Create.
20. Note the ALB DNS Name.
Route 53 will alias the A record to the ALB. The A record is what the user will enter into their web browser which will redirect them to the Web Access logon page.
1. Open the Route 53 Console.
2. In the navigation pane choose Hosted zones.
3. Choose the domain by Hosted zone name in which you will be creating the A record.
4. Choose Create Record.
5. For Record name, input the subdomain of your choosing.
6. Choose A – Routes traffic to an IPv4 address and some AWS resources as the Record type.
7. Turn on the switch for Alias.
8. Under Route traffic to, choose the endpoint type Alias to Application and Classic Load Balancer.
9. Choose the region where you created the load balancer in step 2.
10. Choose the load balancer you created in step 2.
11. Leave the Routing policy as the default Simple routing and turn off the Evaluate target health option.
12. Choose Create Records.
Once DNS has had time to propagate, typically five minutes, you can test your configuration. Browse to the subdomain you created in step 3. If everything is working correctly, you should be directed to the Web Access page with the WorkSpaces registration code already filled.
In this article, I walked you through steps to provide your users quick access to WorkSpaces Web Access. This method allows your users to connect to their WorkSpaces via browser without needing to know the registration code. If you do not already have a WorkSpaces environment configured, it is easy to get started.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.