
Tag: aws

How to find an AWS AppStream 2.0 user's home drive path

Scenario

When SAML (federated) authentication is used, AWS AppStream 2.0 does not name a user's home folder after the user. It stores the folder under a SHA-256 hash of the user's SAML NameID. That makes the folder hard to locate when browsing the S3 bucket, and hard for support teams who need to find a user's files or upload documents into the user's 'home drive'.

Example

Below is an example of a federated user's home drive, auto-created in S3 after the user accessed AppStream 2.0 for the first time.

The following Windows PowerShell script defines a function that returns the SHA-256 hash of the NameID, so you can work out the user's home path. The hash is computed over the exact NameID string (case and whitespace included), so the value you type must match what the identity provider actually sends in the assertion.

# Returns the lowercase hex digest of $String using the named .NET hash algorithm.
# AppStream 2.0 home folders use SHA-256, so that is the default here.
Function Get-StringHash([String] $String, [String] $HashName = "SHA256")
{
    $StringBuilder = New-Object System.Text.StringBuilder
    $Bytes = [System.Text.Encoding]::UTF8.GetBytes($String)
    [System.Security.Cryptography.HashAlgorithm]::Create($HashName).ComputeHash($Bytes) | ForEach-Object {
        # "x2" formats each byte as two lowercase hex characters, matching the S3 folder name
        [Void]$StringBuilder.Append($_.ToString("x2"))
    }
    $StringBuilder.ToString()
}

# Prompt for the NameID exactly as the IdP sends it (case and whitespace matter)
$NameId = Read-Host -Prompt 'Enter the SAML NameID to hash'
Get-StringHash $NameId "SHA256"

Result

As we know the user's NameID being passed into the AppStream session (in this instance it is actually my email address)
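As a further worked example, added here and not part of the original post: a POSIX shell version of the same hashing that handles a whole list of NameIDs and resolves an S3 folder name back to its owner, which is the direction a support team usually needs. Because the hash is one-way, the only way to identify a folder is to hash the NameIDs you know and compare. The sample NameIDs are constructed, the `sha256sum`/`shasum` fallback is an assumption about the host, and the example stops at the hash without assuming any particular bucket layout.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): map AppStream 2.0 home-folder
# names back to SAML NameIDs. The folder name is the lowercase hex SHA-256 of
# the NameID, so we hash every known NameID and build a reverse lookup table.
set -eu

# SHA-256 of a string as lowercase hex. printf '%s' avoids hashing a trailing
# newline. Uses sha256sum (coreutils) or falls back to shasum (macOS).
appstream_home_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum | awk '{print $1}'
    else
        printf '%s' "$1" | shasum -a 256 | awk '{print $1}'
    fi
}

# Read NameIDs (one per line) on stdin, emit "hash<TAB>nameid" lines.
build_home_lookup() {
    while IFS= read -r nameid; do
        [ -n "$nameid" ] || continue
        printf '%s\t%s\n' "$(appstream_home_hash "$nameid")" "$nameid"
    done
}

# Resolve a folder name (hash) against the lookup file. Prints the NameID and
# returns 0 if known; prints nothing and returns 1 if not.
resolve_home_folder() {
    lookup="$1"; folder="$2"
    awk -F'\t' -v h="$folder" '$1 == h { print $2; found = 1 } END { exit (found ? 0 : 1) }' "$lookup"
}

# Constructed sample NameIDs (not real users). Note the mixed-case duplicate.
SAMPLE_NAMEIDS='alice@example.com
bob@example.com
Alice@example.com'

LOOKUP="$(mktemp)"
printf '%s\n' "$SAMPLE_NAMEIDS" | build_home_lookup > "$LOOKUP"
cat "$LOOKUP"

# Same mailbox, different case: different home folders. This is a common cause
# of "the user's files have disappeared" after an IdP attribute change.
folder="$(appstream_home_hash 'alice@example.com')"
echo "Folder $folder belongs to: $(resolve_home_folder "$LOOKUP" "$folder")"
```

In practice you would feed `build_home_lookup` with the NameIDs exported from your identity provider once, keep the table, and grep it whenever someone asks whose folder a given hash is.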

AWS IAM CERTIFICATE_VERIFY_FAILED

Situation

When running AWS CLI commands we received a CERTIFICATE_VERIFY_FAILED error. Traffic was going through a proxy service; in this specific instance we were reaching AWS IAM via Zscaler Internet Access (ZIA), which performs SSL inspection and presents the CLI with a certificate signed by the proxy's own CA. The AWS CLI does not trust that CA, so certificate verification fails.

Example

We were running a simple

aws iam get-role --role-name vmimport

Workaround

Add --no-verify-ssl to bypass SSL verification:

aws iam get-role --role-name vmimport --no-verify-ssl

Be aware that this disables certificate validation entirely, so the CLI will accept any certificate presented to it, whether the proxy's or an attacker's. Treat it as a diagnostic to confirm the proxy is the cause, not as a fix, and do not bake it into scripts or CI jobs.

Solution

Either drop or whitelist iam.amazonaws.com from SSL inspection on the proxy server, or keep inspection on and make the CLI trust the proxy's root CA: add the CA certificate to a PEM bundle and point the CLI at it with --ca-bundle, the AWS_CA_BUNDLE environment variable, or the ca_bundle setting in ~/.aws/config.
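A worked example of the second option, added here and not from the original post: build a CA bundle that contains the proxy's root CA alongside the public roots, sanity-check it, and run the CLI against it instead of reaching for --no-verify-ssl. The PEM files are constructed placeholders (not real certificates), the file paths are assumptions, and the AWS call itself is shown only in a comment because it needs credentials and network access.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): fix CERTIFICATE_VERIFY_FAILED by
# trusting the inspecting proxy's root CA instead of disabling verification.
# Assumptions: the proxy CA has already been exported as a PEM file, and the
# system bundle path is the usual Debian/Ubuntu one; both are placeholders here.
set -eu

# Concatenate the system CA bundle and the proxy root CA into one PEM file and
# print its path. The AWS CLI reads a single bundle, so the proxy CA must be
# appended to the public roots, not substituted for them (otherwise every
# non-inspected endpoint breaks instead).
build_ca_bundle() {
    system_bundle="$1"; proxy_ca="$2"; out="$3"
    [ -s "$system_bundle" ] || { echo "missing system bundle: $system_bundle" >&2; return 1; }
    [ -s "$proxy_ca" ]      || { echo "missing proxy CA: $proxy_ca" >&2; return 1; }
    cat "$system_bundle" "$proxy_ca" > "$out"
    printf '%s\n' "$out"
}

# Number of certificates in a PEM bundle, as a sanity check after building it.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Run an AWS CLI command with the bundle, refusing the --no-verify-ssl crutch
# so it cannot creep back into scripts.
aws_with_bundle() {
    bundle="$1"; shift
    for arg in "$@"; do
        [ "$arg" != "--no-verify-ssl" ] || { echo "refusing --no-verify-ssl" >&2; return 2; }
    done
    AWS_CA_BUNDLE="$bundle" aws "$@"
}

# --- demo with constructed placeholder PEM files (not real certificates) ---
workdir="$(mktemp -d)"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...public-root-placeholder...' '-----END CERTIFICATE-----' \
    > "$workdir/ca-certificates.crt"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...zscaler-root-placeholder...' '-----END CERTIFICATE-----' \
    > "$workdir/zscaler-root.pem"

bundle="$(build_ca_bundle "$workdir/ca-certificates.crt" "$workdir/zscaler-root.pem" "$workdir/aws-ca-bundle.pem")"
echo "bundle $bundle contains $(count_certs "$bundle") certificates"

# With a real bundle this is the call from the post, verified end to end:
#   aws_with_bundle /etc/ssl/certs/aws-ca-bundle.pem iam get-role --role-name vmimport
# or make it permanent for this profile:
#   aws configure set ca_bundle /etc/ssl/certs/aws-ca-bundle.pem
```

The refusal in `aws_with_bundle` is deliberate: once the bundle is in place, a `--no-verify-ssl` anywhere in the toolchain means the TLS pin has silently been lost again.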

Enabling SAML Authentication for AWS AppStream 2.0 with Okta

OKTA – Create Application

Prerequisite: generate the identity provider metadata from Okta (steps below).

1. Make sure you are in the 'Classic UI' and not the developer console.
2. Click Add Applications.
3. Search for 'appstream' and click Add.
4. Provide an application label and click Done.
5. Click the Sign On tab.
6. Click Identity Provider metadata and save the metadata file locally (you will upload this to the AWS configuration).

AWS – Create SAML Provider

Prerequisite: the Okta metadata file generated in the steps above.

1. Open the AWS Console and click IAM.
2. Click Identity Providers, then Create Provider.
3. Choose Provider Type: SAML, give the provider a name (<Name>) and upload your okta_metadata.xml file.
4. Click Create.
5. You will be taken back to the Identity Providers screen.
6. Click on the provider name (here 'Okta') and take note of the Provider ARN; you will need it when configuring the Okta application.

AWS – Create Policy and Role

7. In IAM click Policies, then Create Policy.
8. Click Create Your Own Policy.
9. Give your policy a recognisable name and description, and paste the policy document below.

This policy gives users access to all published stacks. To restrict it to specific stacks, change the Resource from "*" to the stack ARN(s), like this:

"Resource": "arn:aws:appstream:REGION-CODE:ACCOUNT-ID-WITHOUT-HYPHENS:stack/STACK-NAME",

10. Policy details. This allows users to stream AppStream applications from every stack in the account, but only as themselves: the condition requires the appstream:userId of the streaming request to equal the persistent SAML subject (NameID) asserted by the IdP, so a user cannot start a session under another user's identity.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "appstream:Stream",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "appstream:userId": "${saml:sub}",
          "saml:sub_type": "persistent"
        }
      }
    }
  ]
}

11. Click Roles, then Create Role.
12. Click SAML 2.0 federation.
13. Select the SAML provider created previously, tick 'Allow programmatic access only', type in the attribute 'SAML:aud' with the value https://signin.aws.amazon.com/saml, then click Next: Permissions.
14. Select the previously created AppStream policy and click Next: Review.
15. Click Create Role.
16. Click on the role name and take note of the Role ARN.
OKTA – Configure Application

17. Take the Role ARN (step 16) and the Provider ARN (step 6) and combine them separated by a comma, with no white space:

roleARN,providerARN

For example, if your Role ARN is arn:aws:iam::123456789012:role/OktaAppStreamUsers and your IdP ARN is arn:aws:iam::123456789012:saml-provider/OKTA, enter:

arn:aws:iam::123456789012:role/OktaAppStreamUsers,arn:aws:iam::123456789012:saml-provider/OKTA

18. In the Okta console, under your application, click the Sign On tab.
19. Click Edit.
20. Provide the Default Relay State for your AppStream sessions. The relay state tells AWS which stack to stream once the SAML sign-in completes, in the form https://appstream2.<region>.aws.amazon.com/saml?stack=<stack-name>&accountId=<account-id>.

Example: our AppStream infrastructure is in Ireland (eu-west-1), the stack is called Appstream and the account ID is 123456789123, so our relay state URL is:

https://appstream2.eu-west-1.aws.amazon.com/saml?stack=Appstream&accountId=123456789123

See the AWS documentation linked under References.

21. Provide the Role ARN and IdP ARN in the form roleARN,providerARN, and select Application username format: Okta username. This value is what Okta sends as the SAML NameID, so it is also the string AppStream hashes to name the user's home folder in S3.
22. Click Save.
23. Assign this application to your Okta users: click the Assignments tab, click Assign to People/Groups, then click Assign against each Okta user you want to have access to the new app.
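The AWS side of the procedure above (the SAML provider, the stream policy and the federated role of steps 1 to 16), as an added example not taken from the original post, built with the AWS CLI so that the policy documents are reviewable and repeatable. The provider, role and policy names, the region, stack and account ID are placeholders, and `okta_metadata.xml` is assumed to be the file saved from Okta. The stream policy is scoped to a single stack ARN rather than "*", which is the narrower option step 9 mentions; the trust policy is what the console builds when you tick 'Allow programmatic access only' and add the SAML:aud attribute. Nothing is sent to AWS unless RUN_AWS=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create the IAM objects for
# Okta -> AppStream 2.0 federation with the AWS CLI. All names below are
# placeholders; override them via the environment.
set -eu

PROVIDER_NAME="${PROVIDER_NAME:-OktaAppStream}"
ROLE_NAME="${ROLE_NAME:-OktaAppStreamUsers}"
POLICY_NAME="${POLICY_NAME:-AppStreamStreamOnly}"
REGION="${REGION:-eu-west-1}"
STACK="${STACK:-Appstream}"
ACCOUNT_ID="${ACCOUNT_ID:-123456789123}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Trust policy for the role: only assertions from this SAML provider, and only
# ones whose audience is the AWS sign-in endpoint (no console access).
write_trust_policy() {
    provider_arn="$1"; out="$2"
    cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "$provider_arn" },
      "Action": "sts:AssumeRoleWithSAML",
      "Condition": {
        "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" }
      }
    }
  ]
}
EOF
    printf '%s\n' "$out"
}

# Permissions policy scoped to one stack. \${saml:sub} is escaped so the shell
# leaves the IAM policy variable intact; the condition ties the session to the
# persistent SAML subject so users can only stream as themselves.
write_stream_policy() {
    stack_arn="$1"; out="$2"
    cat > "$out" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "appstream:Stream",
      "Resource": "$stack_arn",
      "Condition": {
        "StringEquals": {
          "appstream:userId": "\${saml:sub}",
          "saml:sub_type": "persistent"
        }
      }
    }
  ]
}
EOF
    printf '%s\n' "$out"
}

# Helpers for the strings the post asks you to assemble by hand.
stack_arn()       { printf 'arn:aws:appstream:%s:%s:stack/%s\n' "$1" "$2" "$3"; }   # region account stack
relay_state_url() { printf 'https://appstream2.%s.aws.amazon.com/saml?stack=%s&accountId=%s\n' "$1" "$3" "$2"; }
okta_role_value() { printf '%s,%s\n' "$1" "$2"; }   # "roleARN,providerARN", no spaces

TRUST="$(write_trust_policy "arn:aws:iam::$ACCOUNT_ID:saml-provider/$PROVIDER_NAME" "$WORKDIR/trust.json")"
PERMS="$(write_stream_policy "$(stack_arn "$REGION" "$ACCOUNT_ID" "$STACK")" "$WORKDIR/stream.json")"
echo "Relay state for Okta: $(relay_state_url "$REGION" "$ACCOUNT_ID" "$STACK")"
echo "Policy documents written to $TRUST and $PERMS"

if [ "${RUN_AWS:-0}" = "1" ]; then
    PROVIDER_ARN="$(aws iam create-saml-provider --name "$PROVIDER_NAME" \
        --saml-metadata-document file://okta_metadata.xml --query SAMLProviderArn --output text)"
    POLICY_ARN="$(aws iam create-policy --policy-name "$POLICY_NAME" \
        --policy-document "file://$PERMS" --query Policy.Arn --output text)"
    aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document "file://$TRUST" >/dev/null
    aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
    echo "Okta Role ARN field: $(okta_role_value "arn:aws:iam::$ACCOUNT_ID:role/$ROLE_NAME" "$PROVIDER_ARN")"
fi
```

Review the two JSON files before setting RUN_AWS=1; the stack-scoped Resource and the persistent-subject condition are the two lines that most often get loosened to "*" during troubleshooting and then never tightened again.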

References

Okta guide: http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-Amazon-AppStream-2-0.html

AWS guide: http://docs.aws.amazon.com/appstream2/latest/developerguide/external-identity-providers-setting-up-saml.html#external-identity-providers-grantperms

Deploying to AWS with Citrix Smart Deploy – no NAT instance was detected

Situation:

During the deployment of a blueprint via Citrix Smart Tools > Smart Deploy we hit the following error when attempting to deploy to our AWS Resource Location:

The following problems were detected with your configuration
Please re-configure as no NAT instance was detected in this AWS Resource location

Solution:

The blueprint / Citrix tools do not seem to support AWS NAT Gateways (yet), and this certainly won't work with the default VPC. To solve it we spun up a new NAT instance in our own VPC, with the servers in separate private subnets, so that the wizard could proceed and succeed. Also note that if you deploy to the public subnet you need to provide an Elastic IP address.

First Look – AWS AppStream 2.0

So what is Amazon AppStream 2.0? Here is the extract from the AWS Website: Amazon AppStream 2.0 is a fully managed, secure, application streaming service that allows you to stream desktop applications from AWS to any device running a web browser, without rewriting them. AppStream 2.0 provides users instant-on access to the applications they need, and a responsive, fluid user experience on the device of their choice. With AppStream 2.0, you can easily import your existing desktop applications to AWS and instantly start streaming them to an HTML5 compatible browser. You can maintain a single version of each of your apps, which makes application management easier. Your users always access the latest versions of their applications. Your applications run on AWS compute resources, and data is never stored on users’ devices, which means they always get a high performance, secure experience. Unlike traditional on-premises solutions for desktop application streaming, AppStream 2.0 offers pay-as-you-go pricing, with no upfront investment and no infrastructure to maintain. You can scale instantly and globally, ensuring that your users always have the best possible experience.

Summary

We like the simplicity of this product, and we hope it stays this way. The solution removes the complications of profile management and user settings, and negates the need for other expensive delivery / middleware products such as Citrix; it just focuses on delivering the applications to the users. We believe you need to couple it with the following additional components for it to be a viable replacement for some of your business applications:

  1. The image builder, to start hosting and testing your own applications (update: the Image Builder has been available since the end of January 2017; stay tuned for an update).
  2. A low-latency link to the AWS availability zone.
  3. A storage product such as Google Drive, Box, Dropbox or WebDrive, so you can be sure your clients'/customers' data is protected and automatically in the cloud rather than on the local instance (and a policy that enforces this).

Useful Notes during the Test

  • Fleet build takes approximately 30-35+ minutes at creation.
  • If you stop the fleet and start it again, the startup time is just as long as the initial creation.
  • You need an individual instance for every user, so 5 servers in a fleet = 5 concurrent users.
  • AppStream instances do not appear under EC2.
  • Opening and displaying the demo applications is lightning quick.
  • Connecting from London to an Ireland AppStream instance was laggy (keyboard and mouse); at times it was worse than normal RDP, with an average latency of 371 ms.
  • Connecting from a site with a Direct Connect link to AWS and a latency of 30 ms, the experience was much improved.
  • The entire session ran in a browser window over HTML5, and full-screen mode looked great.
  • YouTube in Firefox would run and display videos, but in no usable fashion; even browsing the YouTube page with all the video thumbnails was borderline unusable, laggy and unresponsive. In comparison RDP actually performs better with the same YouTube page, resolution and site (not that this would be the main purpose of the platform anyway, just interesting as a comparison).
  • Keys would sometimes get 'stuck', so instead of typing you could end up closing windows (bashing the Windows, Ctrl and Alt keys quickly fixed this).
  • As AppStream is currently only available in US East (N. Virginia), US West (Oregon), EU (Ireland) and Asia Pacific (Tokyo), I couldn't test the new London region.
  • Creation of the streaming URL (the username used to access the instance) failed if I changed the login ID for the same 'instance' within the same fleet (I only had one instance) after a user had logged in. I'm guessing this is because the session was still active / running for the previous user, as there was no log-off button, only disconnect.
  • Currently image availability is limited to Windows Server 2012 with the AWS demo applications (Firefox, OpenOffice, Notepad++).
  • An image builder component is planned; it will be exciting to see what options it has. <Stay tuned for an update review>
  • We modified settings and saved files to Desktop, Documents and the X:\ session share, all of which remained available so long as we used the same connection string (or recreated one with the same 'loginID', aka Windows username).
  • You can choose the VPC AppStream runs in, so you should be able to run it on your internal VPC (note: we didn't test or try this).
  • For 3 users and 6 hours of running we were billed $13.23 USD, which included:
    • $4.19 per user per month RDS CAL (Microsoft Remote Desktop Services licence)
    • $0.11 per hour the instance was running (whether the users were connected or not)

Note: you will need an instance per concurrent user so hourly usage = $0.11 * number of concurrent users

1 user, 8 hours a day – 160 hours a month = $21.79 (Annualised $261.48)

1 user, 24 Hours a day – 480 hours a month = $56.99 (Annualised $683.88)

We are excited to see where Amazon will take this new service and how we can leverage this for our customers and as a business tool especially if it means removing the complicated middle layers of delivery software.

Walk Through

Open the AWS Console and select AppStream 2.0.

Create a 'stack'. Get the naming right.

You can't choose any other image at this point.

Spin up the template 'instance' and select the resources.

Choose the network subnet details, in our default VPC.

Choose your 'fleet' size (1 streaming instance = 1 concurrent user). You still pay for the resources whether users are logged in or not, as the instance will remain on unless you instruct AppStream to stop it.

Review the rest of the deployment details then click 'Create'.

Wait for the creation of the fleet instance. There is little feedback at this point and the whole process took over 35 minutes.

After waiting a while, and when the console said it was active, I tried creating a streaming URL. This failed, as the instance was still not ready. It turns out you need to use the Fleet details tab to see the progress (status) of the instance.

Note: it seems they are bringing an image builder option so you can deploy your own images (presumably where you can install your own applications). Update: this has been released as of the end of January 2017! Review coming soon!

Running instances are NOT created in EC2.

Finally the fleet was running.

Create the streaming URL, which you can set to expire.

Once that had been created, however, I was unable to re-authenticate a second time if the user name was NOT the same as the original streaming URL 'userid'. But based on that, all my settings and saved files still existed.

Open the URL.

Launch your apps.

The AppStream 'task bar' gives you the following options:

'Start'
All Windows
Upload and Download files
Copy and Paste
Settings (display resolution and info on session details)
A full-screen option, plus numerous other options

The AppStreamed application opens 'seamlessly' (to use a Citrix term).

Closing the app closes the window.

More apps could be launched from the 'AppStream' start button.

Multiple apps running.

Currently there seems to be restricted access to the local disks / shares (when test-saving a Notepad++ document).

I tested a save to the Session Folder, Desktop and Documents directory, and I am assuming these settings and documents 'stick' as I only have the one machine, not multiple instances in the 'fleet', and also a one-device-to-one-user 'requirement'.

This makes sense to keep the solution simple and not over-complicate it with user profiles and the like.

At the time of writing the only option was to disconnect the session; there is no option to reboot from the session, or log off. You can do this from the fleet details 'management page'.

Stopping the instance took under 10 seconds.

However, starting it again (which I now deeply regret) took another 35+ minutes.

The server was back online, but all settings and documents created were gone (as expected for a demo really).

Brief Comparison of AWS and Azure – IaaS

Introduction

This article was created as a very quick reference between Amazon's AWS EC2 and Microsoft's Azure. There was little in the way of scientific testing; it is purely a list of observations made during testing, so the results below are personal opinion / experience only. You should carry out your own scientific testing and ensure that your design and chosen platform meet all the requirements of your business need!

Summary

I find that I typically read articles like this for the summary only and then read the 'explanation' (if I can be bothered!), so with that in mind here are the summary / findings first; then it is up to you whether the rest is worth it!

I personally believe that Azure offers a simpler, friendlier (almost familiar) interface for quickly spinning up and using cloud-based VMs. However, even though the AWS solution seemed more complicated initially, from the initial investigations it has a few more options for flexibility (firewall rules, private networking, VM images, etc.).

Regardless of the console used or how the VMs are deployed, it ultimately comes down to VM performance. On both platforms the VMs operated as if they were local and were as quick as each other. In fact most applications (e.g. Office) opened quicker than locally; everything was snappy and 'near instant'.

Choosing the VM / cloud / IaaS solution is the easy part. How about integrating it with your existing network? The users' data? The users' files? The business applications? The users' home drive? Personalised settings, favourites? Email? This is where most of the effort, expense and time must be spent so that the cloud transition happens automatically and seamlessly for the users and is a winning solution overall.

If I had to spend my own money and was looking at this for a hybrid cloud solution, server replacement or possibly even DaaS with a very simple setup and easy console, I would choose the Azure platform, particularly because of the other offerings around Office 365, OneDrive and RemoteApp over RDP (seamless published apps).

Amazon Web Services – AWS EC2

After registration (providing credit card details and verifying a valid, answerable phone number) and logging in, the first thing you notice is that the console is busy and confusing.

As part of the 12-month trial we were offered Windows Server 2012 R2. There are plenty of other options to configure, such as virtual private networking, but I just wanted the quickest VM setup in the shortest amount of time.

Login security for the VM (once provisioned) required a few more steps: you create a key pair, download its private key as a .pem file, and then use that private key to decrypt the VM's administrator password once it is provisioned. Connection to the VM itself was as simple as downloading an RDP file. There were quite a few other options that would be confusing for non-IT-savvy users (firewall rules, RDP ports, etc.).

The instance provisioning and login was quicker than Azure by a couple of minutes. ICMP was allowed, with pings out to 4.4.4.4 at around 6 ms from the selected availability zone (note: Google's public DNS resolvers are 8.8.8.8 and 8.8.4.4, not 4.4.4.4). Only the us-west-2 region was selectable during provisioning.

To move a VM between availability zones, the VM needs to be shut down and an AMI (Amazon Machine Image) created, then a new VM deployed from that image in the other availability zone.

Internet speeds were ridiculously quick but varied greatly depending on the time the tests were run. The trial wasn't restricted in any way, and on the machine you can literally do whatever you want out of the box. The AWS VM was registered and activated online without any errors or faults.

The configuration of AWS seems more flexible, with a myriad of other IT admin options provided, if initially more complicated and confusing. The VM setup and deployment worked without any error, glitch or problem, and the performance of the VM was snappy and responsive, as an end user would come to expect from a local desktop or server.

Microsoft Azure

The console and the configuration of the Windows trial VM was quite a simple experience.

Log in with Microsoft Live credentials, provide credit card details, provision a VM instance. The provision-to-login time was slower than AWS by around 2 minutes. Connection to the VM was immediate and as simple as downloading an RDP file and providing the credentials I set during provisioning.

Weirdly, during testing of the VM, Google ads and the Google site kept defaulting to Japanese even though the server locale was set to US and the region was West Europe. A lookup of the external IP address came back as a US-based address, so this was left unexplained.

ICMP out from the VM was blocked, so I was unable to perform a simple ping latency test. There are quite a few discussions online around this and it seems it's not yet possible to open it (AWS was more flexible from this point of view).

The Azure management console (manage.windowsazure.com) is far cleaner and simpler for finding the right 'buttons and tools' than AWS, though there are still a number of options and details to get your head around. The entire design of the console feels more like a Windows 8 style page.

Moving VMs between regions doesn't seem to be as simple as right-click 'move', however there is a great article on how to do it.

There is a management portal (portal.azure.com) which seems to be Microsoft's single-pane-of-glass approach to Azure, and it is fantastic: intuitive, simple, and with everything you want to know about your cloud-based estate available in a typical Windows 8 'tile' style.

The Windows VM was super quick and snappy but, rather ironically, during testing Windows reported that it wasn't activated, nor could it be activated (possibly due to the trial?).

The site is transparent and upfront about its charges and costs, the majority of which can be found under the billing section of the portal.

Via my MacBook RDP client there was also integration and configuration for Azure RemoteApp (aka Office 2013 published seamlessly over RDP), though the initial setup of RemoteApp took well over 25 minutes, and launching the apps was actually slow and rather tedious, so more investigation and time is required to review this one properly.

The Availability Zones at the time of writing are:

Aside from the small annoyances with the configuration of the VM, the console and portal for management of the Azure stack are fantastic, and the performance of the VM was snappy and responsive, as an end user would come to expect from a local desktop or server.

Comparison Table

Item                                 | Azure                         | AWS                         | Notes
Setup time for subscription to begin | 02:30                         | 01:00                       | Account provision time
VM deployment, start to login        | 01:20 VM start                | 00:52 running               | Connect icon is available after start, but obviously the server is not yet ready
                                     | 03:30 running (provisioning)  | 02:41 password ready        |
                                     | 07:00 logon to desktop        | 03:30 logon to desktop      |
                                     | 09:50 finished                | 04:01 finished              |
Responsiveness of desktop            | 9/10                          | 9/10                        | Both equally good, rated purely on personal feel
Internet connectivity speed          | see speed tests below         | see speed tests below       | Results varied greatly
Region / availability zone           | West Europe                   | us-west-2                   |
Store / console ease of use          | 9/10                          | 7/10                        | The Azure console is fantastic, sleek and similar to the Windows 8 look and feel; the AWS console looks a little dated and is confusing, with so many options in your face
Trial offers                         | 30 days                       | 12 months                   |
Ease of connectivity to VM           | Easy, direct RDP              | Easy, direct RDP            |
YouTube over RDP                     | 6/10                          | 6/10                        | Surprisingly quick on both servers, if heavily compressed and a bit laggy

Internet Speed Tests

Download and upload speeds in Mbps, ping in ms. No ping values were recorded for the speedtest.org runs.

Test              | AWS ping | AWS down | AWS up | Azure ping | Azure down | Azure up
speedtest.org 1   |          |   4.60   |  35.71 |            |   40.07    |  53.52
speedtest.org 2   |          |   9.74   |  20.83 |            |   41.87    |  56.42
speedtest.org 3   |          |   4.18   |  26.32 |            |   38.81    |  37.25
speedtest.org avg |          |   6.17   |  27.62 |            |   40.25    |  49.06
speedtest.net 1   |    26    | 712.62   | 280.79 |    151     |    3.75    |   1.29
speedtest.net 2   |    17    | 701.18   | 949.91 |    146     |    6.61    |   9.82
speedtest.net 3   |    18    | 693.65   | 950.95 |    148     |  194.64    |  27.16
speedtest.net avg |          | 702.48   | 727.22 |            |   68.33    |  12.76

Tested VM Configurations

Item                                          | Azure                                                | AWS                                                  | Notes
OS                                            | Windows Server 2012 R2 Datacenter                    | Windows Server 2012 R2 Datacenter                    |
CPU (vCPU)                                    | 2                                                    | 1                                                    |
RAM (GB)                                      | 1.75                                                 | 1                                                    |
Disk                                          | C: drive of 110 GB                                   | C: drive of 30 GB                                    | Azure temp drive blurb
Advertised internet connectivity              | No limit                                             | Low to moderate                                      |
Data persistent                               | Yes                                                  | Yes                                                  | Folder exists and remains across reboots
Pricing                                       | (link)                                               | (link)                                               |
Other services / images / VMs                 | Huge list of preconfigured VMs, images and templates | Huge list of preconfigured VMs, images and templates |
Simple integration with other vendor services | Yes, easy plug-in to OneDrive, Office 2013 RemoteApp, Office 365 |                                        |
Approx. cost per hour (USD)*                  | $0.09 (A1 Windows tier)                              | $0.018 (Windows t2.micro)                            | The Windows pricing seems much simpler and easier, though AWS has far more granularity and control

* These are the machines offered as part of the free trial; they were not selected as an exact like-for-like.