I have spent a lot of time in the past month looking at DaaS platforms and providers. While pricing tends to be about the same across the board, product quality and service vary widely. Some are excellent, others less so. Amazon is a case in point: while it entered the market with some fanfare, it would appear to be suffering more than its fair share of teething troubles, with still some way to go before it is ready for prime time.
Amazon provides only two hardware specifications: the Standard desktop offers 1 vCPU, 3.75 GB memory, and 50 GB user storage, which is generally acceptable for task workers. For more demanding users, there is a Performance desktop with 2 vCPU, 7.5 GB memory, and 100 GB user storage. Potential customers looking for GPU support will be disappointed. While it is possible to buy Amazon EC2 instances with GPU support (g2.2xlarge), Amazon has chosen not to make it available to Amazon WorkSpaces, at least not yet. Amazon’s decision to offer only a 50 GB or 100 GB storage, depending on the desktop package selected, is hardly generous given how cheap basic disk is today. Customers looking for more disk space must take on the additional cost and effort of integrating external cloud storage into the desktop. Amazon does offer 50 GB of its Zocalo file sync and share service free with WorkSpaces, and those who wish to will be able to upgrade to 200 GB for a discounted rate of $2 per month. Both packages are available either as a bare-bones implementation with Adobe Reader, Internet Explorer 9, Firefox (the default browser), 7-Zip, and Adobe Flash (although this for some reason is the 32-bit version), or as a Plus package, which adds Microsoft Office Professional 2010 (but not 2013) and Trend Micro Worry-Free Business Security Services. The majority of customers are likely to adopt one or the other of the Standard packages and use it as the foundation for building their own custom desktop platform. The only real attraction of a Plus package with Microsoft Office 2010 would be in its plug-and-go usability as a means of piloting Amazon WorkSpaces without requiring any significant setup time. Pricing ranges from $35 per month for a Standard desktop in one of the US AWS regions up to $75 per month for the Performance Plus desktop. Customers in the Asia-Pacific (Tokyo) AWS region see prices inflated to $47 for Standard and $93 for Performance Plus, with the European (Ireland) and Asia-Pacific (Sydney) regions falling in between. Not needing a copy of Office, and being unwilling to pay $60 per month for a Performance desktop when I have plenty of those in my office, I chose to build out a Standard desktop in my closest AWS region, US West (Oregon). Amazon supports three types of user accounts: ad hoc accounts created on demand through the Amazon WorkSpaces management console, accounts from an Amazon WorkSpaces Cloud Directory, and accounts in an Active Directory domain linked to WorkSpaces Connect and an Amazon Virtual Private Cloud (VPC) network connection. At $0.05 per VPN connection-hour, I decided to forgo Active Directory integration and created a new Amazon WorkSpaces user account directly from the management console. Twenty minutes later, exactly as advertised, I received notification that my desktop had been provisioned and was ready for use. Couldn’t be simpler.
While administrators may appreciate the simplicity of the basic virtual desktop setup process, not everything is so straightforward. New users receive an automated notification that provides password setup instructions, client download links, and a unique registration code, which is needed to complete the client configuration. Unfortunately, the Amazon WorkSpaces client appears to be oversensitive to the install environment. In testing the client on a range of devices, I had no problem with Windows 8 or the Windows 10 tech preview. Android and iOS tablets all connected without problem. However, I ran into problems with my primary Windows 7 workstation: the client simply would not install, no matter what I attempted. As one of the use cases for DaaS is the ability to offer a managed desktop on otherwise unmanaged employee-owned devices, greater emphasis should have been placed on ensuring that the Amazon WorkSpaces client worked and on providing some level of checking and reporting of any possible missing prerequisites. The only way to install the Windows client is via a Windows application manifest from the Amazon WorkSpaces downloads page; there is no self-contained download for offline installation. The simplicity of a manifest-driven installer may work well in consumer and small business environments, but it’s not exactly enterprise friendly.
I can forgive the lack of support for Windows RT, but I was disappointed that there was no support for my take-everywhere, low-cost laptop of choice, a $229 Chromebook. Given the advances that Google is making with Chromebook deployments in education, Amazon has shut itself out of what is perhaps today’s only growing laptop market. Amazon has had a “plan to support existing zero clients via a firmware update” for some time, although with the heavy lifting here having to come from thin-client vendors, it’s by no means clear which vendors will get on board. So far, only Scotland-based TDIST has indicated that its ALTO2321 and ALTO2140 thin clients will support Amazon WorkSpaces when they ship later this month.
Endpoint device integration is disappointing. As expected, network printing through Active Directory works satisfactorily, but local printing is weak. WorkSpaces has only recently gained local printer support, and this is only available for Windows clients. Unfortunately, according to Amazon, this only works for newly created desktops. Any desktops created before August will have to be rebuilt before local printing works, although here Amazon says it is working to retrofit local printing into existing desktops to circumvent the desktop rebuild process. Mac users are once again second-class citizens who will have to wait for a future release before they get local printing. Amazon does not offer any form of printer driver management service or universal printer driver with WorkSpaces, placing the burden back on the desktop admin to ensure that native printer drivers are available for local printers. With none of the printer driver management features that more established DaaS platforms offer, the easiest way to print is through services like Google Cloud Print. However, the need to fall back to unsupported third-party solutions to enable printing is a distinct weakness.
Client drive mapping is another area where Amazon is falling short. Client drive mapping was available when Amazon WorkSpaces was introduced, but the feature was disabled back in March, following reports that it was crashing Windows Explorer. Until a fix is released, Amazon is recommending that customers use Zocalo to sync files between virtual desktop and client. The ability to map client device drives into a remote session is an essential feature of any VDI or RDSH implementation. Zocalo, while useful for collaboration, should not be a prerequisite to access local files. Strangely, Amazon has neglected to install Zocalo as part of the default build, although it has at least placed a shortcut to Zocalo on the desktop.
In use, the single vCPU Standard desktop performed acceptably, but it started to struggle after I loaded up Word, Excel, and the Chrome browser with about twenty tabs open. vCPUs don’t adhere to any fixed performance benchmark; an Amazon vCPU is not necessarily the same as a vCPU from Rackspace or VMware’s cloud, and in this case the desktop started to run out of CPU before memory became constrained. Whatever the bottleneck, the blame could not be laid at Teradici’s door. The PCoIP remote display protocol performed admirably on my broadband connection. Amazon does not use the Teradici Hardware Accelerator; however, in practice its absence was not noted. Watching video at 480p is acceptable (not the most realistic simulation of business use, but useful as a quick test); granted, playback is not quite as smooth as local, but there were no problems with audio getting out of sync. I wouldn’t want to watch movies this way, but performance was more than good enough for a webcast or watching PowerPoint animations. Videoconferencing, however, flat-out did not work. Here, there was no possibility that network bandwidth was to blame. While Amazon WorkSpaces uses the same Teradici PCoIP remote display protocol as VMware Horizon, some of the more advanced features available in Horizon are missing from Amazon WorkSpaces. Horizon has supported USB multimedia devices (e.g., USB microphones and webcams) and server-side content redirection through PCoIP for several years (Citrix has had comparable features in HDX for even longer). Amazon has yet to begin to offering these more advanced features.
Regardless of these weaknesses, the biggest drawback to Amazon Workspaces had nothing to do with the virtual desktop or its presentation: it’s the management. Amazon WorkSpaces itself requires very little administration: create a user account, delete a user account, occasionally reset a session. Trivial stuff. Unfortunately, the only way to do this is through the Amazon WorkSpaces management console, which does not lend itself to operating at scale. Disappointingly, Amazon does not provide an API to enable any level of automation of this task. It’s hard to accept today the need to manually poke user accounts into a webpage to manage a service capable of creating any number of cloud-hosted desktops in minutes. Worse, when in order to create a viable service, a separate Zocalo account must be created and perhaps additional S3 storage allocated.
Once created, Amazon WorkSpaces instances are essentially unmanaged. While Amazon provides the heavy lifting of desktop provisioning and brokering connections, it provides nothing in the way of desktop management services. All desktop management activities are left in the hands of the administrator. In enterprise environments, consistency is everything. However, because Amazon controls the base machine image, a desktop created today might not—almost certainly will not—be the same as one created next month. If Amazon introduces a new Microsoft hot fix that just happens to clash with one of your business-critical applications, the only opportunity to catch it is live in production, and when you do there’s still the thorny question of finding it and rolling it back. Furthermore, Amazon’s control is absolute. When Amazon first announced Amazon WorkSpaces, it claimed that customers would be able to import their own custom Amazon Machine Image (AMI) into WorkSpaces for use as a base image. However, almost a year after this was first announced, Amazon still has not provided this service. The only means of modifying a base image that Amazon supports is by placing it in an Active Directory OU and controlling it through GPOs, which is fine if that is how you like to manage your desktop, but for organizations with investment in alternative management tools, it does nothing.
I still have hopes for Amazon WorkSpaces. The prospect of leveraging Amazon’s cloud as a worldwide desktop hosting platform is attractive, and were this 2012, I might be impressed by Amazon WorkSpaces. However, with 2014 drawing to a close, it will take more than this to impress. With key WorkSpaces features missing or broken, Amazon has entered a highly competitive market with a half-baked solution offering not a lot of desktop and very little service. When other DaaS providers are offering feature-complete, highly customizable services with much richer management interfaces as equivalents, and in some cases at significantly lower prices, I’m tempted to suggest that Amazon stick with what it’s good at and leave DaaS to the desktop guys.
After writing the above article, I happened across Amazon’s TCO calculator that compares the cost of Amazon WorkSpaces with a conventional VDI implementation. As calculators go it is reasonably complete, however it is at the same time hopelessly inaccurate, based on self-contradictory assumptions and design decisions that any half-competent architect would dismiss out of hand. If it is a representative example of the thinking behind the service then without major change Amazon WorkSpaces future looks very cloudy.