Introduction to AppStream 2.0 and FSx Integration

Amazon AppStream 2.0 is a fully managed application streaming service that lets users securely access their desktop applications from any device, with no local installation and no local compute requirements. It provides a scalable way to run high-performance applications in the cloud while maintaining security and compliance. A key component of a seamless user experience in an AppStream environment is persistent storage, which is where Amazon FSx comes in: FSx provides scalable, high-performance file systems that can be integrated with AppStream 2.0 so that users retain their data across sessions.

Challenges with Domain-Joined AppStream Fleets

Traditionally, AppStream 2.0 fleets are joined to an Active Directory (AD) domain to allow for file sharing, Group Policy enforcement, and seamless access to corporate resources. However, this approach presents a set of challenges:

  1. Complexity in Setup: Domain joining requires managing Active Directory infrastructure and maintaining network connectivity between AppStream instances and AD services.
  2. Increased Overhead: This adds administrative overhead for managing domain controllers and troubleshooting AD-related issues.
  3. Scaling Concerns: Scaling domain-joined fleets can lead to additional complications, such as handling large-scale AD synchronization across multiple regions.

For organizations looking to simplify their AppStream fleet setup, integrating Amazon FSx without joining the fleet to the domain offers an alternative that reduces complexity while keeping persistent storage. Note what is and is not removed: the FSx file system itself still requires a directory (FSx file systems that serve SMB are always joined to an Active Directory), so this approach removes the fleet-side domain join and its dependencies, not AD altogether.

Introducing Amazon FSx for Persistent Storage

Amazon FSx provides high-performance file systems for various workloads. For AppStream 2.0 users, FSx enables persistent storage accessible across multiple sessions, allowing data to persist even after the AppStream instance is terminated. Key benefits of Amazon FSx include:

  • Fully Managed Service: FSx offers a managed storage solution with automatic backups, patching, and monitoring.
  • Scalability: Users can scale storage capacity and performance based on their needs.
  • Integration with AppStream 2.0: FSx can be easily integrated with AppStream, providing persistent storage for non-domain joined fleets.

Architecture Setup for Non-Domain Joined AppStream

Implementing FSx with non-domain-joined AppStream fleets requires a specific architecture. Below is a detailed architecture setup to integrate FSx for persistent storage in AppStream without relying on Active Directory.

  1. AppStream Fleet Configuration: Create a non-domain-joined fleet in AppStream. This fleet will use session scripts to map Amazon FSx to each user’s session.
  2. Amazon FSx Setup: Configure an FSx file system that serves SMB file shares (for example Amazon FSx for Windows File Server), deployed in the same VPC as the AppStream fleet, or in a VPC routable from it, for the lowest latency.
  3. VPC Configuration: Set up the appropriate subnets, route tables, and security groups in your VPC to allow communication between the AppStream instances and FSx file systems.

By separating the file storage from the AD infrastructure, you can streamline AppStream’s deployment while leveraging persistent storage with Amazon FSx.

Implementing the Solution: Session Scripts and DNS Resolution

The main challenge is ensuring AppStream instances can access the FSx file system without domain joining. Implementing session scripts and configuring DNS resolution can achieve this.

Step-by-Step Guide:

  1. Configure FSx File Share Permissions: Configure share and NTFS access control lists (ACLs) on the file system to grant access. Because the AppStream instances are not domain members, the session script authenticates to the share with a credential it supplies, not with the end user's own identity; the ACLs therefore apply to that account, so scope its permissions to the share the fleet actually needs and treat it as a service account.
  2. Session Scripts: Implement a session start script that maps the FSx file share when a session begins. Session scripts live on the image under C:\AppStream\SessionScripts and are registered in the config.json file there, where the mapping script should run in the user context so the drive is visible to the user; AppStream can upload the scripts' output to an S3 bucket for troubleshooting.

Example session script (a single net use command; placeholders in angle brackets):
net use Z: \\<fsx-dns-name>\<share> <password> /user:<username> /persistent:no

Hardcoding the password this way leaves it in the image and exposes it on the process command line for the lifetime of the command. In practice, retrieve the credential at session start from a secrets store the fleet's IAM role is allowed to read, and pass it to the mapping command rather than embedding it in the script.

  3. DNS Resolution: Ensure the FSx file system's DNS name resolves from within the VPC. That name is registered in the DNS of the directory the file system is joined to, and the AppStream instances, not being domain members, use the VPC's default resolver; forward the directory's DNS zone to the directory's DNS servers with a Route 53 Resolver rule (or point the VPC's DHCP options at them), and confirm resolution from a fleet instance before relying on the mapping.
  4. Test the Configuration: Verify that users can access the mapped FSx drive, that a file written in one session is present in the next, and that a user cannot see another user's data where the design requires separation.
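The steps above come together in the session start script below. This is an added example, not code from the original page or from AWS: it assumes the script is registered in C:\AppStream\SessionScripts\config.json under SessionStart with "context": "user", that the share credential is stored in AWS Secrets Manager as JSON with username and password fields readable by the fleet's IAM role, and that the AWS Tools for PowerShell Secrets Manager module is installed on the image. The FSx DNS name, share name, and secret name are placeholders. It checks DNS and TCP 445 before mapping, so a failure is logged with its cause instead of silently leaving the user without a drive, and it maps the drive to a per-user folder named after the AppStream_UserName environment variable that AppStream sets for the session.

```powershell
# Added example: AppStream 2.0 session-start script (user context) that maps an
# FSx SMB share for a non-domain-joined fleet. All names below are placeholders.
param(
    [string]$FsxDnsName  = 'fs-0123456789abcdef0.corp.example.com',  # placeholder FSx DNS name
    [string]$ShareName   = 'share',                                  # placeholder share
    [string]$DriveLetter = 'Z',
    [string]$SecretId    = 'appstream/fsx-share-credential',         # placeholder secret name
    [string]$LogPath     = "$env:TEMP\fsx-map.log"
)

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $LogPath -Append -Encoding utf8
}

try {
    # The FSx name lives in the directory's DNS zone; a non-domain-joined instance
    # only resolves it if the VPC forwards that zone (Route 53 Resolver rule).
    $record = Resolve-DnsName -Name $FsxDnsName -Type A -ErrorAction Stop |
              Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
    if (-not $record) { throw "no A record for $FsxDnsName" }
    Write-Log "Resolved $FsxDnsName to $($record.IPAddress)"

    # SMB needs TCP 445 from the fleet's security group to the FSx security group.
    if (-not (Test-NetConnection -ComputerName $record.IPAddress -Port 445 -InformationLevel Quiet)) {
        throw "TCP 445 to $($record.IPAddress) is blocked; check the FSx security group"
    }

    # Fetch the share credential at session start; nothing is stored in the image.
    # Assumes a secret of the form {"username":"...","password":"..."}.
    $secret = (Get-SECSecretValue -SecretId $SecretId).SecretString | ConvertFrom-Json
    $cred = New-Object System.Management.Automation.PSCredential(
        $secret.username,
        (ConvertTo-SecureString -String $secret.password -AsPlainText -Force))

    # AppStream sets AppStream_UserName for the session; sanitise it for use as a
    # folder name (SAML user names may contain @ or \).
    if (-not $env:AppStream_UserName) { throw 'AppStream_UserName is not set' }
    $userName  = $env:AppStream_UserName -replace '[\\/:*?"<>|]', '_'
    $shareRoot = "\\$FsxDnsName\$ShareName"

    # Create the per-user folder through a temporary mapping of the share root.
    # This separates users' files in the UI only: the service account can reach
    # every folder, so it is not a security boundary.
    New-PSDrive -Name 'FsxRoot' -PSProvider FileSystem -Root $shareRoot `
                -Credential $cred -ErrorAction Stop | Out-Null
    if (-not (Test-Path -LiteralPath "FsxRoot:\$userName")) {
        New-Item -ItemType Directory -Path "FsxRoot:\$userName" -ErrorAction Stop | Out-Null
    }
    Remove-PSDrive -Name 'FsxRoot'

    # Map the drive letter to the user's folder only. Remove a stale mapping first.
    if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $DriveLetter -Force
    }
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "$shareRoot\$userName" `
                -Credential $cred -Persist -Scope Global -ErrorAction Stop | Out-Null
    Write-Log "Mapped ${DriveLetter}: to $shareRoot\$userName"
    exit 0
}
catch {
    Write-Log "FAILED: $($_.Exception.Message)"
    exit 1
}
```

New-PSDrive with a PSCredential is used instead of net use so the password is never placed on a command line. The script must finish within the waitingTime set in config.json, so keep the DNS and port checks but do not add retries that could exceed it.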

Optimization: VPC Endpoints and Route53 Resolver

You can further harden and stabilize this setup with VPC endpoints and Route 53 Resolver.

  • VPC Endpoints: SMB traffic between the AppStream instances and the FSx file system already stays inside the AWS network, because the file system's network interfaces live in your VPC subnets; no endpoint is involved in that path. VPC endpoints matter for the supporting services the fleet calls over the AWS API, such as S3 (session script logs and application assets) and the FSx API, so that those calls do not traverse the internet either and can be restricted with endpoint policies.
  • Route 53 Resolver: Use Route 53 Resolver forwarding rules so the fleet consistently resolves the FSx DNS name, which is held in the directory's DNS zone, without being domain-joined.

Implementation Steps:

  1. Create VPC Endpoints: Add VPC endpoints for the services the fleet needs, such as an S3 gateway endpoint for session script logs and an interface endpoint for the FSx API.
  2. Configure Route 53 Resolver Rules: Create an outbound Resolver endpoint and a forwarding rule for the directory's DNS zone that targets the directory's DNS servers, then associate the rule with the fleet's VPC.
  3. Tighten Security Groups: Allow only TCP 445 to the FSx security group, sourced from the fleet's security group rather than from a CIDR range, and allow the outbound Resolver endpoint to reach the directory's DNS servers on port 53.
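The three steps above as one script, run from an administrator's workstation with PowerShell and the AWS CLI. This is an added example, not code from the original page or from AWS; every identifier (VPC, subnets, route table, security groups, the directory's DNS zone and server addresses) is a placeholder to be replaced. It waits for the Resolver endpoint to become operational before creating the forwarding rule, and checks the CLI's exit code after each call because native commands do not honour $ErrorActionPreference.

```powershell
# Added example: VPC plumbing for a non-domain-joined AppStream fleet that mounts an
# FSx SMB share. All identifiers are placeholders.
$Region     = 'us-east-1'
$VpcId      = 'vpc-0123456789abcdef0'
$Subnets    = @('subnet-0aaaaaaaaaaaaaaaa', 'subnet-0bbbbbbbbbbbbbbbb')  # two AZs: an outbound endpoint needs two IPs
$RouteTable = 'rtb-0ccccccccccccccccc'
$FleetSg    = 'sg-0fleet00000000000'     # attached to the AppStream fleet
$FsxSg      = 'sg-0fsx000000000000'      # attached to the FSx file system's ENIs
$ResolverSg = 'sg-0resolver00000000'     # for the outbound Resolver endpoint
$AdDomain   = 'corp.example.com'         # directory DNS zone that holds the FSx record
$AdDnsIps   = @('10.0.1.10', '10.0.2.10')  # the directory's DNS servers

function Assert-LastCommand([string]$What) {
    if ($LASTEXITCODE -ne 0) { throw "$What failed (exit $LASTEXITCODE)" }
}

# 1. S3 gateway endpoint: session script logs and assets stay on the AWS network.
aws ec2 create-vpc-endpoint --region $Region --vpc-id $VpcId `
    --service-name "com.amazonaws.$Region.s3" --route-table-ids $RouteTable | Out-Null
Assert-LastCommand 'create S3 gateway endpoint'

# 2a. Outbound Route 53 Resolver endpoint in two subnets. $ResolverSg must allow
#     outbound TCP/UDP 53, and the DNS servers' security group must accept it.
$ipArgs = $Subnets | ForEach-Object { "SubnetId=$_" }   # expands to one argument per subnet
$endpointId = (aws route53resolver create-resolver-endpoint --region $Region `
    --creator-request-id "fsx-outbound-$(Get-Date -Format yyyyMMddHHmmss)" `
    --direction OUTBOUND --security-group-ids $ResolverSg --ip-addresses $ipArgs `
    --query ResolverEndpoint.Id --output text).Trim()
Assert-LastCommand 'create outbound Resolver endpoint'

# Wait until the endpoint is usable; creation takes a few minutes.
for ($i = 0; $i -lt 40; $i++) {
    $status = (aws route53resolver get-resolver-endpoint --region $Region `
        --resolver-endpoint-id $endpointId --query ResolverEndpoint.Status --output text).Trim()
    Assert-LastCommand 'get Resolver endpoint'
    if ($status -eq 'OPERATIONAL') { break }
    if ($status -in @('ACTION_NEEDED', 'DELETING')) { throw "endpoint $endpointId is $status" }
    Start-Sleep -Seconds 15
}
if ($status -ne 'OPERATIONAL') { throw "endpoint $endpointId not operational after waiting" }

# 2b. Forward the directory's zone to its DNS servers and attach the rule to the VPC,
#     so fleet instances using the VPC resolver can resolve the FSx DNS name.
$targetArgs = $AdDnsIps | ForEach-Object { "Ip=$_,Port=53" }
$ruleId = (aws route53resolver create-resolver-rule --region $Region `
    --creator-request-id "fsx-forward-$(Get-Date -Format yyyyMMddHHmmss)" `
    --name 'forward-directory-zone' --rule-type FORWARD --domain-name $AdDomain `
    --resolver-endpoint-id $endpointId --target-ips $targetArgs `
    --query ResolverRule.Id --output text).Trim()
Assert-LastCommand 'create Resolver rule'
aws route53resolver associate-resolver-rule --region $Region `
    --resolver-rule-id $ruleId --vpc-id $VpcId | Out-Null
Assert-LastCommand 'associate Resolver rule'

# 3. SMB only, and only from the fleet's security group (no CIDR source).
aws ec2 authorize-security-group-ingress --region $Region --group-id $FsxSg `
    --protocol tcp --port 445 --source-group $FleetSg | Out-Null
Assert-LastCommand 'authorize TCP 445 from fleet to FSx'

Write-Output "Resolver endpoint $endpointId, rule $ruleId associated with $VpcId; TCP 445 open from $FleetSg to $FsxSg"
```

Sourcing the FSx ingress rule from the fleet's security group rather than the subnet CIDR means that anything else landing in those subnets, including a compromised instance elsewhere in the VPC, gets no SMB path to the file system. Verify from a fleet instance with Resolve-DnsName and Test-NetConnection on port 445 before enabling the session script for users.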

Conclusion

By using Amazon FSx with AppStream 2.0 without domain-joining the fleet, organizations can simplify their architecture while still giving users persistent storage. The approach removes the fleet's dependency on domain membership and the administrative overhead that comes with it, making it well suited to organizations that want a leaner AppStream deployment.

With session scripts that fetch a scoped credential at session start, Route 53 Resolver rules for the directory's DNS zone, VPC endpoints for the supporting services, and security groups limited to TCP 445 from the fleet, you get a secure, high-performance connection between AppStream instances and FSx file systems and a seamless user experience.
