
Accelerating AWS EUC Migrations
End user compute migrations to modern platforms can avoid delays and risks by adopting core initiatives to accelerate deployment and adoption whilst delivering a great user experience.
Richard Spaven
Amazon Employee
Published Feb 6, 2025
Taking the right approach to an EUC migration, whether to cloud DaaS, OS to OS, site to site, or any combination, will save any organization significant time and money. A solid security, identity and networking foundation sets an organization up for success. Automation and giving users an excellent experience reduce operational overheads and accelerate adoption. The methods here involve architecture and technology as well as planning and user engagement, and, in my experience, have cut project timelines in half or prevented avoidable obstacles.
A typical EUC migration needs to consider what to do with the following:-
- Security
- Identity
- Networking
- Device Management
- Applications
- Images
- Configurations and settings
- User data
- Shared data
- User experience
Good up-front engagement with security will ensure that an approved design is available, minimizing significant re-work late on due to pushback. AWS EUC services are in scope for SOC, PCI DSS and ISO compliance programs, amongst others, and are approved for use by government departments around the world. AWS EUC services can therefore provide an opportunity to improve security and gain CISO buy-in to drive adoption.
Authentication is the first experience a user has when accessing a new environment, so providing the right solution is important. User identities typically reside in Active Directory (AD) and/or an Identity Provider (IdP) such as Okta. The fastest way to migrate AD to AWS is to extend AD to AWS, typically by building domain controllers in the Availability Zones used. Extending the domain to AWS allows the rapid re-use of existing identities, IdP synchronizations and configurations held in Active Directory.
Adopting an IdP is an increasingly common strategy for providing a consistent UX and simplifying identity management whilst improving security.
AWS EUC services host user instances in a new environment, and building the following network paths will ensure users can access required data and applications securely:-
- Paths to any directories e.g. Active Directory
- Paths to on premises data centers where applications, data and database servers are located
- An internet egress for SaaS applications, IDPs etc.
Application discovery tooling will identify what is in use in the current environment and provide information on networking to minimize UAT failures.
Extending the existing device management platform enables the rapid re-use of known working packages, patches and configurations.
Device management provides automation and user self service capabilities at scale. Device management platforms come in two broad categories:-
- On premises platforms that host configuration and content
- Cloud based MDM solutions
On premises solutions can be extended to AWS as another site, preferably with a local content host to minimize download time and ingress traffic. In time, the management and database servers can be migrated to AWS.
Organizations running Windows 10 and Windows 11 can also manage their persistent fleets using an MDM solution like Intune. Ensure that internet ingress is sized so that the AWS network paths handle the load and deliver applications and patches rapidly.
Application discovery early on will help identify what is needed and by whom so that good planning can occur. The key is to keep the discovery simple and avoid paralysis by analysis. Once the applications are known, planning for deployment, packaging and UAT can start. In small environments, a simple spreadsheet will do.
There are three ways applications are delivered in an environment:-
- Embedded in the image
- Delivered via management tooling after packaging
- Manual installation (typically for a small number of installations)
Re-use of applications packaged in your device management solution prevents time consuming re-work. Some organizations use a rule of thumb that triggers packaging for applications with more than five installations to ensure the return on investment.
The use of application self service portals empowers users and reduces help desk loads, enabling more users to be migrated at a time.
Whilst image management and creation are increasingly considered a non-value-add activity, placing large applications like Office and secure configurations in the image can speed the availability of an instance. Non-persistent services like Amazon WorkSpaces Pools and Amazon AppStream 2.0 require image management.
A good practice is to re-generate an image for a new hardware or hypervisor platform to avoid issues with core system drivers used by the chipset and graphics card. Whilst this may seem like a heavy lift, automation patterns for both image generation and fleet hydration will relieve the ops team and provide a stable platform.
When importing images to Amazon WorkSpaces, follow the best practice guides to avoid common pitfalls.
Automating image generation, capture and hydration accelerates any required changes whilst reducing the operational overhead of patching. The following patterns will guide you in creating an image with automation:-
Availability of user data and application configurations allows the immediate productive use of the new solution without creating support calls. The following blog outlines ways of managing user data in AWS EUC Services. Using advanced profile management solutions eases transition from one service to another. The right profile management strategy will mean users have their data and settings available at first login. Capacity planning and selecting the right profile store will ensure a successful migration. Citrix Profile Management and Omnissa Environment Manager can be configured to use storage in AWS to continue the previous end user experience.
Customers with existing Omnissa Horizon (previously VMware Horizon) and Citrix installs can extend their solutions to AWS and use Amazon WorkSpaces Core for compute without the need to re-tool or change the user experience. The re-use of existing investments speeds up migrations without changing the endpoint client. Amazon WorkSpaces Core is an allowed platform for Microsoft 365 applications; see: Microsoft 365 Apps for enterprise now available on Amazon WorkSpaces services.
Organizations that have already invested in cloud-native storage solutions such as Dropbox can easily migrate to AWS EUC. AWS provides file storage services such as Amazon FSx for Windows File Server and Amazon FSx for NetApp ONTAP, as well as file servers on EC2. The strategy should consider whether the migration is a one-way activity or part of a hybrid solution that allows flexibility. Data can be replicated with on-premises systems, or fully migrated.
Settings and configurations are typically managed by AD or the device management tool. The fastest way to move those settings to AWS EUC is to extend AD and/or the tooling to AWS. GPOs and settings can be copied to the new OU or across domains and adjusted for the new environment.
AWS provides APIs and CloudFormation templates to deliver infrastructure as code. Automation is part of the AWS Well-Architected Framework and is proven to speed up delivery, reduce operational burden and improve security. Service delivery tooling such as ServiceNow and Jira has AWS connectors to automatically provision instances and resources. AWS services such as AWS Lambda and Amazon EventBridge can automate the provisioning of WorkSpaces and their decommissioning to maintain hygiene.
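The decommissioning half of that automation is the part that is easy to get wrong, because terminating a persistent WorkSpace is permanent and destroys the user's volume. The following is an added example written for this post, not code from the original page or an AWS-published pattern: a Lambda-style job that reads the connection status of every WorkSpace, sorts them into terminate / review / skip buckets, and only calls TerminateWorkspaces when explicitly told to. The record layout follows the WorkSpaces DescribeWorkspacesConnectionStatus and DescribeTags API responses; the sample records, the `euc:retain` tag, the 90-day idle threshold and the `DRY_RUN` environment variable are assumptions made for illustration.

```python
"""Select idle Amazon WorkSpaces for decommissioning.

Added example for this post, not code from the original page. Record shapes
mirror the WorkSpaces DescribeWorkspacesConnectionStatus and DescribeTags
API responses; sample data, the euc:retain tag, the idle threshold and the
DRY_RUN convention are assumptions.
"""
import os
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 2, 6, tzinfo=timezone.utc)

# Constructed sample shaped like boto3's
# workspaces.describe_workspaces_connection_status()["WorkspacesConnectionStatus"]
SAMPLE_STATUS = [
    {"WorkspaceId": "ws-0a1b2c3d1", "ConnectionState": "DISCONNECTED",
     "LastKnownUserConnectionTimestamp": NOW - timedelta(days=120)},
    {"WorkspaceId": "ws-0a1b2c3d2", "ConnectionState": "CONNECTED",
     "LastKnownUserConnectionTimestamp": NOW},
    {"WorkspaceId": "ws-0a1b2c3d3", "ConnectionState": "DISCONNECTED",
     "LastKnownUserConnectionTimestamp": NOW - timedelta(days=95)},
    # Never connected: the timestamp key is absent entirely.
    {"WorkspaceId": "ws-0a1b2c3d4", "ConnectionState": "UNKNOWN"},
]
# Constructed tags; the retention tag (assumed name) keeps a WorkSpace out of cleanup.
SAMPLE_TAGS = {"ws-0a1b2c3d3": {"euc:retain": "true"}}
RETAIN_TAG = "euc:retain"


def classify_workspaces(statuses, tags_by_id, now=NOW, max_idle_days=90):
    """Split WorkSpaces into terminate / review / skip buckets.

    terminate: last user connection older than max_idle_days and not tagged.
    review:    never connected. A freshly built WorkSpace for a user who has
               not migrated yet looks identical, so report it, do not destroy it.
    skip:      carries the retention tag, or has been used recently.
    """
    cutoff = now - timedelta(days=max_idle_days)
    result = {"terminate": [], "review": [], "skip": []}
    for s in statuses:
        wid = s["WorkspaceId"]
        if tags_by_id.get(wid, {}).get(RETAIN_TAG) == "true":
            result["skip"].append(wid)
            continue
        last = s.get("LastKnownUserConnectionTimestamp")
        if last is None:
            result["review"].append(wid)
        elif last < cutoff:
            result["terminate"].append(wid)
        else:
            result["skip"].append(wid)
    return result


def terminate_batches(workspace_ids, batch_size=25):
    """Build TerminateWorkspaces payloads; the API accepts at most 25 IDs per call."""
    return [
        {"TerminateWorkspaceRequests": [{"WorkspaceId": w}
                                        for w in workspace_ids[i:i + batch_size]]}
        for i in range(0, len(workspace_ids), batch_size)
    ]


def lambda_handler(event, context):
    """EventBridge-scheduled entry point (assumed wiring). Dry run unless DRY_RUN=false."""
    import boto3  # imported here so the module still runs offline without boto3
    ws = boto3.client("workspaces")
    statuses, tags = [], {}
    # DescribeWorkspaces pages of 25 match the 25-ID limit of the status call.
    for page in ws.get_paginator("describe_workspaces").paginate(
            PaginationConfig={"PageSize": 25}):
        ids = [w["WorkspaceId"] for w in page["Workspaces"]]
        if not ids:
            continue
        statuses += ws.describe_workspaces_connection_status(
            WorkspaceIds=ids)["WorkspacesConnectionStatus"]
        for wid in ids:
            tags[wid] = {t["Key"]: t["Value"]
                         for t in ws.describe_tags(ResourceId=wid)["TagList"]}
    plan = classify_workspaces(statuses, tags, now=datetime.now(timezone.utc))
    if os.environ.get("DRY_RUN", "true").lower() != "false":
        return plan  # log the plan for review; nothing is destroyed
    for batch in terminate_batches(plan["terminate"]):
        ws.terminate_workspaces(**batch)
    return plan


if __name__ == "__main__":
    print(classify_workspaces(SAMPLE_STATUS, SAMPLE_TAGS))
```

Two design points matter for hygiene automation of this kind. The Lambda execution role should be limited to the four WorkSpaces actions the handler calls (DescribeWorkspaces, DescribeWorkspacesConnectionStatus, DescribeTags and TerminateWorkspaces), and the job should run in dry-run mode for at least one full cycle so the plan can be checked against the migration wave schedule before any persistent WorkSpace, and the data on its user volume, is removed.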
Early positive adoption stories from users can be a great driver for colleagues to start using new EUC Services. Good change management not only improves the perception of DaaS, but drives adoption and minimizes the overhead on support. The following items help with change management:-
- Business engagement for UAT and feedback
- How-to guides and FAQs on changes that can improve productivity and head off support calls
- Self service portals for group guided support
- EUC Champions who are insiders to enable users and minimize resistance to adoption
AWS EUC Partners have a wealth of knowledge and experience and can bring customers accelerators with pre-built materials. Partners have proven automation code and reusable change management material, negating the need to re-invent the wheel.
The foundations for an AWS EUC project's success need to be built up front so that good automation and user adoption becomes a predictable and positive experience. AWS brings good automation with cloud infrastructure as code to further speed up roll outs and improve operations.
The key lessons from being on the front line of multiple EUC migrations are:-
- Build good foundations with security, networking and identity.
- Re-use and extend existing investments, e.g. AD and device management tooling
- Use infrastructure as code for automation
- Use smart discovery tools to map out application and network requirements
- Engage end users and bring them on the journey with how-tos, champions and communication
- Use partners who have pre-built accelerators
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.