Desktop and Application Streaming

Using Amazon FSx with Amazon AppStream 2.0

Amazon AppStream 2.0 provides a range of solutions for users to save and access data through their applications. These include Amazon WorkDocs, Google Drive for G Suite, OneDrive for Business, and Amazon S3 backed Home Folders. These solutions download files from their respective file storage provider when the files are opened in a streamed application. Any updated, or newly created, files are then synced back to the storage provider at the end of a streaming session. While this approach meets the requirements of many use cases (where a single user is accessing only their own set of data), there are applications where user experience is best delivered with files available without synchronization — for example, in cases where the same users are accessing the same set of data concurrently, and do not want to worry about data consistency issues. Also, we have customers who say they prefer a Windows file share to help them ensure security based on their existing Active Directory user groups and users: this best matches their existing workflow, and helps transition their migration to AWS.

Until today, customers who wanted to use a Windows file share with AppStream 2.0 had to create and maintain one. This meant worrying about availability, durability, patching, and troubleshooting performance. Overall – a cumbersome experience.

Enter Amazon FSx. Amazon FSx for Windows File Server provides a fully managed native Microsoft Windows file system. You don’t have to worry about managing file servers and storage, as Amazon FSx automates the time-consuming administration tasks such as hardware provisioning, software configuration, patching, and backups. You can launch an Amazon FSx file system in your own Amazon VPC and connect it to AppStream 2.0. You join it to your Active Directory domain, and use native Windows capabilities to manage user and group permissions.

This blog post lays out how to use Amazon FSx with AppStream 2.0 for two use cases: 1) providing a personal persistent storage drive using Amazon FSx, and 2) providing a shared folder to access common files. If you are new to AppStream 2.0, you can create your first AppStream 2.0 environment by following our getting started guide.

Before you proceed, you need the following:

  • An Amazon FSx file system – See Getting Started with Amazon FSx for learning how to create an Amazon FSx file system.
  • A shared folder across users, and shared per-user folders created within the Amazon FSx file system – See Managing File Shares for learning how to create a shared folder within the Amazon FSx file system.
  • An AWS Directory Service for Microsoft Active Directory (AWS Microsoft AD) domain – For providing user drives on domain-joined AppStream 2.0 sessions.
  • An AppStream 2.0 image builder.

The next few sections show how to:

  • Provide every AppStream 2.0 user with their own persistent storage drive using Amazon FSx.
  • Provide a shared folder using Amazon FSx.

1) Providing Personal Persistent Storage to Each User

You can use Amazon FSx to provide every user in your organization a unique storage drive within AppStream 2.0 streaming sessions. A user will have permissions to access only their folder. The drive is automatically mounted at the start of a streaming session and files added or updated to the drive are automatically persisted between streaming sessions.
There are three procedures you’ll need to perform to complete this task.

To create home folders for domain users using Amazon FSx

  1. Create an Amazon FSx file system. For more information, see Getting Started with Amazon FSx.
  2. Once the file system is available, create a folder for every domain AppStream 2.0 user within your Amazon FSx file system. This blog post uses the domain username of the user as the name of the corresponding folder, allowing you to build the UNC name of the file share to map easily using the Windows environment variable %username%.
  3. Share each of these folders out as a shared folder. For more information, see Managing File Shares.
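
One way to create the per-user folders from step 2 and confirm that each user can reach only their own folder, as an added example that is not part of the original post. The domain name, the administrators group, and the usernames are placeholders or constructed samples, and the example assumes the folders live under the `users` path that the logon script later in this post maps.

```powershell
# Added example (not from the original post). Run as a file system administrator
# from a domain-joined machine. $Root, $Domain, $AdminGroup and $Users are assumptions.
$Root       = '\\<file-share-address>\users'   # UNC root used by the logon script in this post
$Domain     = 'EXAMPLE'                        # placeholder NetBIOS domain name
$AdminGroup = 'EXAMPLE\<file-admin-group>'     # placeholder: group that administers the share
$Users      = 'alice', 'bob'                   # constructed sample usernames

function New-UserHomeFolder {
    param([string]$User)
    $Path = Join-Path $Root $User
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    # Drop inherited entries, then grant only the folder's user, the admin group and SYSTEM.
    icacls $Path /inheritance:r /grant:r "${Domain}\${User}:(OI)(CI)M" `
        "${AdminGroup}:(OI)(CI)F" 'SYSTEM:(OI)(CI)F' | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed for $Path" }
}

function Test-UserHomeFolderAcl {
    # Returns every Allow entry that gives anyone other than the folder's user,
    # the admin group or SYSTEM access to a home folder. No output means no findings.
    foreach ($Dir in Get-ChildItem -Path $Root -Directory) {
        $Allowed = "$Domain\$($Dir.Name)", $AdminGroup, 'NT AUTHORITY\SYSTEM'
        (Get-Acl -LiteralPath $Dir.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.IdentityReference.Value -notin $Allowed } |
            ForEach-Object {
                [pscustomobject]@{
                    Folder   = $Dir.FullName
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
    }
}

$Users | ForEach-Object { New-UserHomeFolder -User $_ }
Test-UserHomeFolderAcl | Format-Table -AutoSize
```

Re-run `Test-UserHomeFolderAcl` whenever folders are added; any row it prints is an identity with access to a folder that is not its own.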

To launch a domain-joined AppStream 2.0 image builder

  1. Sign into the AppStream 2.0 console.
  2. Choose Directory Configs from the navigation menu, and create a Directory Config object. For more information, see Using Active Directory with AppStream 2.0 in the Amazon AppStream 2.0 Developer Guide.
  3. Choose Images, Image Builder, and launch a new image builder.
  4. Choose the directory config object created earlier in the image builder launch wizard to join the image builder to your Active Directory.
  5. Launch the image builder in the same VPC as that of your Amazon FSx file system, and associated with the same AWS Managed Microsoft AD directory to which your Amazon FSx file system is joined. The VPC security groups that you associate with the image builder must allow access to your Amazon FSx file system.
  6. Once the image builder is available, connect to the image builder and log in using your domain administrator account.
  7. Install your applications.

To link Amazon FSx file shares with AppStream 2.0

  1. In the image builder, create a batch script with the following commands and store it in a known file location (for example, C:\Scripts\mount-fs.bat). I am using S: as the drive letter for the Amazon FSx file share. You use the DNS name of your Amazon FSx file system in this script (which you can get from the file system details view in the Amazon FSx console).
    @echo off
    net use S: /delete 
    net use S: \\<file-share-address>\users\%username%
  2. Launch PowerShell and run gpedit.msc. I am using local group policy to configure a user logon script that will mount the user drive at the start of a streaming session. You can also use domain GPO. For more information on domain GPO, see Using Group Policy Preferences to map drives based on group membership.
  3. Choose User Configuration → Windows Settings → Logon.
  4. Browse and choose your batch script that was created earlier.
  5. Browse to Computer Configuration → Windows Administrative Templates → System → Group Policy.
  6. Choose the policy Configure Logon Script delay. Enable the policy and reduce the time delay to 0. This setting helps to ensure that the user logon script is executed immediately when the user starts a streaming session.
  7. Create your image and assign it to an AppStream 2.0 fleet. Ensure that you also join the AppStream 2.0 fleet to the same Active Directory domain that you used for image builder. Launch the fleet in the same VPC that is used by your FSx file share. The VPC security groups that you can associate with the fleet must provide access to your FSx file share.
  8. Launch a streaming session using SAML SSO. To connect to an Active Directory joined fleet, you have to configure single sign-on federation using a SAML provider. For information about how to set up federation to AppStream 2.0 stacks, see Single Sign-on Access to AppStream 2.0 using SAML 2.0.
  9. Your Amazon FSx file share is mapped to S: drive letter within the streaming session.

2) Providing a Shared Folder Across Users

You can use Amazon FSx to provide a shared folder to users in your organization. A shared folder can be used to maintain common files (e.g., demo files, code examples, instruction manuals, etc.) needed by all users.

There are three procedures you’ll need to perform to complete this task.

To create a shared folder using Amazon FSx

  1. Create an Amazon FSx file system. For more information, see Getting Started with Amazon FSx.
  2. Every Amazon FSx file system includes a shared folder by default that can be accessed using the address \\file-system-DNS-name\share. You can use the default share or create a different shared folder. For more information, see Managing File Shares.

To launch an AppStream 2.0 image builder

  1. From the AppStream 2.0 console, launch a new image builder or connect to an existing image builder. Launch the image builder in the same VPC that is used by your Amazon FSx file system. The VPC security groups that you associate with the image builder must allow access to your Amazon FSx file system.
  2. Once the image builder is available, connect to the image builder as the Administrator user.
  3. Install or update your applications as Administrator.

To link the shared folder with AppStream 2.0

  1. Create a batch script, as described in the previous procedure, to automatically mount the shared folder whenever a user launches a streaming session. To complete the script, you need the file system DNS name, the file share name, and credentials for accessing the shared folder. You can obtain these details from the Amazon FSx console.
    @echo off
    net use S: /delete
    net use S: \\file-system-DNS-name\share /user:<username> <password>
  2. Create a Group Policy to execute this batch script at every user logon. You can follow the same instructions as described in the previous section.
  3. Create your image and assign it to your fleet.
  4. Launch a streaming session. You should now see the shared folder automatically mounted and mapped to a drive letter.
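
A user logon script must be readable by the user it runs for, so the account and password placed after `/user:` are visible to every streaming user of the image; use an account limited to the access all users should share. The following added example (not part of the original post) lists each `net use` line with inline credentials before you create the image, assuming scripts are kept under C:\Scripts as in the earlier example location, and demonstrates the function on a constructed copy of the script above.

```powershell
# Added example (not from the original post). Run on the image builder before creating the image.
function Find-InlineNetUseCredential {
    param([string]$ScriptRoot = 'C:\Scripts')   # assumption: example location used in this post

    # net use <drive> <\\server\share> ... /user:<account> [<password>]
    $Pattern = '(?i)^\s*net\s+use\s+(?<Drive>\S+)\s+(?<Unc>\\\\\S+).*?/user:(?<Account>\S+)(?:\s+(?<Secret>[^/\s]\S*))?'

    Get-ChildItem -Path $ScriptRoot -Recurse -File |
        Where-Object { $_.Extension -in '.bat', '.cmd' } |
        ForEach-Object {
            $File = $_
            # Identities that are allowed to read the script, and therefore the credential
            $Readers = ((Get-Acl -LiteralPath $File.FullName).Access |
                Where-Object { $_.AccessControlType -eq 'Allow' }).IdentityReference.Value -join '; '
            $LineNo = 0
            foreach ($Line in Get-Content -LiteralPath $File.FullName) {
                $LineNo++
                if ($Line -match $Pattern) {
                    [pscustomobject]@{
                        File           = $File.FullName
                        Line           = $LineNo
                        Drive          = $Matches.Drive
                        Share          = $Matches.Unc
                        Account        = $Matches.Account
                        # '*' makes net use prompt for the password instead of storing it
                        PasswordInline = [bool]$Matches.Secret -and $Matches.Secret -ne '*'
                        ReadableBy     = $Readers
                    }
                }
            }
        }
}

# Constructed sample: the shared-folder script from this post, written to a temp folder
$Demo = Join-Path $env:TEMP 'logon-script-audit'
New-Item -ItemType Directory -Path $Demo -Force | Out-Null
Set-Content -LiteralPath (Join-Path $Demo 'mount-fs.bat') -Value @(
    '@echo off',
    'net use S: /delete',
    'net use S: \\file-system-DNS-name\share /user:<username> <password>')
Find-InlineNetUseCredential -ScriptRoot $Demo | Format-List
```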

This completes our blog post for using Amazon FSx with Amazon AppStream 2.0. See the following links to learn more about the services.