AWS WorkSpaces Deep Dive 2026 | VDI Guy

// WorkSpaces Architecture

WorkSpaces Personal vs WorkSpaces Pools

AWS offers two distinct WorkSpaces products. Personal = persistent 1:1. Pools = non-persistent, session-based. Choose based on user persona, not AWS marketing.

👤 WorkSpaces Personal

Persistent cloud PC. Each user gets a dedicated WorkSpace VM that persists between sessions. User data, applications, and settings are preserved. Billed per-WorkSpace (hourly or monthly).

+User data persists — no profile container required (though FSLogix still recommended)

+Fully managed OS patching via AWS (or bring your own image)

+Hourly or monthly billing — monthly for daily users, hourly for part-time

–One VM per user — inefficient for shift workers or high user counts

–Cannot scale to zero — VM always exists (cost even when unused on monthly billing)

Best for: power users, developers, compliance-sensitive users

🔀 WorkSpaces Pools

Non-persistent session-based desktops. Multiple users share pool of VMs. Session data lost on disconnect unless FSLogix profile containers configured. Billed per-session-hour used.

+Scale to zero when not in use — major cost advantage for shift/part-time workers

+Higher density — one VM serves multiple users sequentially

+Session hours billing — pay only when users connected

–Requires FSLogix profile containers on Amazon FSx for user state

–Non-persistent — not suitable for stateful apps without App Volumes alternative

Best for: task workers, call centers, shift workers, kiosk deployments

Feature	WorkSpaces Personal	WorkSpaces Pools
VM persistence	Persistent (always exists)	Non-persistent (session only)
User ratio	1:1 (user:VM)	Many:1 (session:VM)
FSLogix needed?	Optional (local profile exists)	Required for user state
Billing	Monthly ($22–$84+) or hourly	Per session-hour ($0.59/hr+)
Scale to zero	No	Yes
Auto-stop	WorkSpace auto-stop (suspend after idle)	Session terminated — VM returned to pool
OS updates	AWS manages (or BYOL)	You manage pool image (custom bundle)
GPU support	Graphics bundles (g4dn)	GraphicsPro.g4dn bundle

Decision Guide: More than 3 hours/day every day → WorkSpaces Personal Monthly. Shift workers or <3h/day → WorkSpaces Pools (pay-per-session-hour). GPU users → Personal with Graphics or GraphicsPro bundle. Compliance requiring persistent isolated desktop → Personal only.

// Bundle Pricing Reference

WorkSpaces Bundle Pricing — 2026 Reference

Pricing varies by region. US East (N. Virginia) shown. Monthly includes unlimited hours. AutoStop: hourly (only charge when running). Always check current pricing ↗ — changes frequently.

Bundle	vCPU	RAM	Storage	Monthly ~	Hourly ~	Best For
Value	1	2 GB	80 GB	~$22/mo	$0.26/hr	Light tasks, single app, kiosk
Standard	2	4 GB	80 GB	~$35/mo	$0.44/hr	Knowledge worker, Office 365, browser
Performance	2	8 GB	175 GB	~$60/mo	$0.71/hr	Power user, analyst, moderate dev work
Power	4	16 GB	175 GB	~$84/mo	$0.98/hr	Developer, data analyst, thick apps
PowerPro	8	32 GB	175 GB	~$124/mo	$1.40/hr	Heavy developer, data science, compilation
Graphics.g4dn	4	16 GB	175 GB + 1 GPU	~$320/mo	$3.19/hr	Light GPU, 3D apps, NVIDIA T4 (1/4 GPU)
GraphicsPro.g4dn	16	64 GB	175 GB + full T4	~$799/mo	$7.19/hr	CAD, Revit, Solidworks, full NVIDIA T4

⚠ Monthly vs AutoStop (Hourly): Monthly billing makes sense only if users are connected >~85 hours/month. AutoStop (hourly) saves money for part-time users but requires WorkSpace to start (30–90s cold start). Set AutoStop timeout to 1–2 hours. For Pools: always session-based pricing — never monthly.

// FSLogix on Amazon FSx

FSLogix Profile Containers on Amazon FSx for Windows

Amazon FSx for Windows File Server is the recommended storage backend for FSLogix on WorkSpaces Pools. Always SSD tier — HDD is insufficient for profile IOPS. Multi-AZ for HA. Must be in same VPC as WorkSpaces.

FSx for Windows — Setup

# Create FSx for Windows File Server (Terraform):
resource "aws_fsx_windows_file_system" "profiles" {
  storage_capacity    = 1024  # 1 TiB
  subnet_ids          = [aws_subnet.private_a.id,
                         aws_subnet.private_b.id]
  deployment_type     = "MULTI_AZ_1"  # HA - use this
  preferred_subnet_id = aws_subnet.private_a.id
  storage_type        = "SSD"          # Never HDD
  throughput_capacity = 256            # MBps
  
  self_managed_active_directory {
    dns_ips     = var.ad_dns_ips
    domain_name = var.ad_domain
    username    = var.ad_join_user
    password    = var.ad_join_pass
  }
  
  tags = { Name = "workspaces-profiles-fsx" }
}
# Share UNC: \\fs-xxxx.corp.local\profiles

FSLogix GPO for WorkSpaces Pools

# FSLogix settings for WorkSpaces Pools
# Deploy via Group Policy or Intune

# HKLM\SOFTWARE\FSLogix\Profiles
Enabled                            = 1
VHDLocations                       = \\fs-xxxx.corp.local\profiles
VolumeType                         = VHDX
SizeInMBs                          = 30720    # 30 GB
DeleteLocalProfileWhenVHDShouldApply = 1
FlipFlopProfileDirectoryName       = 1
PreventLoginWithTempProfile        = 1
PreventLoginWithFailure            = 1

# Optional: Cloud Cache for Multi-AZ DR
# CCDLocations = type=smb,name="PrimaryAZ",
#   connectionString=\\fs-primary.corp.local\profiles;
#   type=smb,name="SecondaryAZ",
#   connectionString=\\fs-dr.corp.local\profiles-dr

# Verify FSx share permissions:
# BUILTIN\Users = Full Control (NTFS)
# Admins = Full Control (share + NTFS)

FSx Config	Recommended	Notes
Deployment Type	MULTI_AZ_1	HA across 2 AZs. Single-AZ is cheaper but risks profile availability.
Storage Type	SSD	HDD (IOPS: 12/TiB) is insufficient. SSD: 3,200 IOPS base + scale with throughput.
Throughput Capacity	256 MBps (up to 2,048)	256 MBps = good for ~500 users. Scale up for logon storm. Test with Sysbench before production.
Minimum Capacity	1 TiB	1 TiB minimum for reasonable IOPS baseline. IOPS = 3,200 base + (3 × additional GiB) for SSD.
Network placement	Same VPC as WorkSpaces	Must be in same VPC. Route tables must allow SMB (TCP 445) between WorkSpaces subnet → FSx subnet.
Backup	Daily automatic backup	Enable. Retention 7+ days. Does not protect against user self-deletion — use shadow copies.

// Custom Bundle Pipeline

Custom WorkSpaces Bundle — Build Pipeline

Custom bundles let you control exactly what applications and settings users get. Build → capture → deploy pipeline. Similar to AVD golden image but AWS-native.

Custom Bundle Steps

Launch Reference WorkSpace

Start from an AWS-managed bundle. Choose Windows 11 or Windows Server. This becomes your build machine.

Install & Configure

Install applications, configure settings, join domain, install FSLogix agent, install AWS WorkSpaces Experience Monitoring agent. Run Windows Update.

Create Image (Capture)

WorkSpaces Console → WorkSpace → Actions → Create Image. AWS runs Sysprep + captures. Takes 30–90 minutes. WorkSpace reboots during capture.

Create Custom Bundle

Console → Bundles → Create Bundle → select your image → choose hardware (Value/Standard/Performance/Power) → name it.

Deploy & Rebuild

Provision new WorkSpaces from custom bundle. To update: repeat process → new image → update pool/bundle. Users rebuilt on next session.

Bundle Automation (AWS CLI)

# List existing images:
aws workspaces describe-workspace-images \
  --query 'Images[*].{Name:Name,ID:ImageId,State:State}'

# Create bundle from image:
aws workspaces create-workspace-bundle \
  --bundle-name "Corp-Standard-2026-03" \
  --bundle-description "Office365 + LOB apps" \
  --image-id wsi-xxxxxxxxxxxx \
  --compute-type Name=STANDARD \
  --user-storage StorageCapacity=100 \
  --root-storage StorageCapacity=80

# Create WorkSpace from custom bundle:
aws workspaces create-workspaces \
  --workspaces '[{
    "DirectoryId": "d-xxxxxxxxxx",
    "UserName": "jsmith",
    "BundleId": "wsb-xxxxxxxxxx",
    "Tags": [{"Key":"Dept","Value":"Finance"}]
  }]'

# Rebuild WorkSpace (apply new bundle):
aws workspaces rebuild-workspaces \
  --rebuild-workspace-requests \
    WorkspaceId=ws-xxxxxxxxxx

// Networking & Active Directory

WorkSpaces Networking — AD Options & VPC Design

🔗 AD Connector

Proxy to your existing on-prem AD. All auth requests forwarded to on-prem DC. WorkSpaces VMs join your existing domain. Requires: Site-to-Site VPN or Direct Connect. Two AD Connectors for HA.

+Reuses existing AD — no migration, users authenticate to same AD

+Existing GPOs, group memberships all work

–Requires VPN/Direct Connect — network dependency to on-prem

–Latency if on-prem DC is far from AWS region

Best for: existing on-prem AD, hybrid environments

☁️ AWS Managed Microsoft AD

Fully managed Active Directory in AWS. AWS handles patching, replication, backups. WorkSpaces join Managed AD. Forest trust to on-prem AD optional. Two DCs in separate AZs by default.

+No on-prem dependency — self-contained in AWS

+HA built in (2 AZs). AWS manages DC maintenance.

–Additional cost (~$100/mo Standard, ~$175/mo Enterprise)

–Schema extensions not supported on Standard tier

Best for: cloud-first, no on-prem AD, new AWS deployments

VPC & Security Group Requirements

Port	Direction	Source → Dest	Purpose
443	Outbound	WorkSpaces → Internet	WorkSpaces registration + PCoIP/WSP protocol over HTTPS
4172	Outbound	WorkSpaces → Internet	PCoIP protocol UDP (legacy client) — may be needed for older clients
445	Outbound	WorkSpaces → FSx	SMB to Amazon FSx for Windows (profile containers)
389/636	Outbound	WorkSpaces → AD	LDAP / LDAPS to AD (Managed AD or via VPN to on-prem)
88	Outbound	WorkSpaces → AD	Kerberos authentication
3389	Inbound (restricted)	Admin IPs → WorkSpaces	RDP for emergency admin access — restrict to bastion/admin IPs only

// Infrastructure as Code

WorkSpaces Terraform — IaC Reference

WorkSpaces Terraform Example

# Provision WorkSpaces via Terraform
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

# WorkSpaces directory registration:
resource "aws_workspaces_directory" "corp" {
  directory_id = aws_directory_service_directory.managed_ad.id
  subnet_ids   = [aws_subnet.ws_a.id, aws_subnet.ws_b.id]
  
  self_service_permissions {
    rebuild_workspace            = true
    change_compute_type          = false
    switch_running_mode          = true
    increase_volume_size         = true
    restart_workspace            = true
  }
  
  workspace_creation_properties {
    enable_internet_access       = false
    enable_maintenance_mode      = true
    user_enabled_as_local_administrator = false
    default_ou                   = "OU=WorkSpaces,DC=corp,DC=local"
  }
}

# Individual WorkSpace:
resource "aws_workspaces_workspace" "user_ws" {
  directory_id = aws_workspaces_directory.corp.id
  bundle_id    = data.aws_workspaces_bundle.performance.id
  user_name    = "jsmith"
  
  workspace_properties {
    compute_type_name             = "PERFORMANCE"
    user_volume_size_gib          = 100
    root_volume_size_gib          = 80
    running_mode                  = "AUTO_STOP"
    running_mode_auto_stop_timeout_in_minutes = 60
  }
  
  tags = { Environment = "prod", Dept = "Finance" }
}

WorkSpaces Pools Terraform

# WorkSpaces Pools (non-persistent)
resource "aws_workspaces_connection_alias" "pool" {
  connection_string = "pools.corp.example.com"
}

resource "aws_workspaces_pool" "task_workers" {
  name         = "task-worker-pool-2026"
  bundle_id    = data.aws_workspaces_bundle.standard.id
  directory_id = aws_workspaces_directory.corp.id
  description  = "Non-persistent task worker pool"
  
  application_settings {
    status                        = "ENABLED"
    settings_group                = "PROD_POOL"
  }
  
  timeout_settings {
    disconnect_timeout_in_seconds             = 3600   # 1hr
    idle_disconnect_timeout_in_seconds        = 1800   # 30min
    max_user_duration_in_seconds              = 86400  # 24hr
  }
  
  capacity {
    desired_user_sessions = 50  # scale as needed
  }
  
  tags = { Environment = "prod" }
}

// WorkSpaces Thin Client

AWS WorkSpaces Thin Client — 2026

AWS WorkSpaces Thin Client is a $195 physical device purpose-built for WorkSpaces. Managed via AWS Console. Zero-touch provisioning. Replaces repurposed laptops as thin clients.

Thin Client Key Details

▸Price: ~$195 device + $7/device/month management fee
▸OS: AWS-managed Fire TV OS variant (not Windows)
▸Provisioning: Zero-touch via environments — plug in, auto-configure
▸Managed via: AWS Console → WorkSpaces Thin Client → Environments
▸Software updates: AWS-managed, automatic
▸Connects to: WorkSpaces Personal, WorkSpaces Pools, AppStream 2.0
!Limitation: No local apps — only remote sessions. Web browser only on device.

When to use WorkSpaces Thin Client:
Call centers, kiosks, regulated environments where endpoint security matters. At $195/device + $7/mo, it's cheaper than repurposing old hardware (power consumption, support cost, security risk). Compare: Igel OS on old laptop (~$150 license + existing hardware) for more flexibility. For security-sensitive envs: Thin Client wins (AWS-managed, no local attack surface).

Alternative: Repurposed PCs with WorkSpaces Client
Install Amazon WorkSpaces Client (Windows, macOS, Linux, ChromeOS, web browser) on any existing device. Free. Best for orgs with existing hardware. Chromebooks + WorkSpaces Web Client = popular zero-infrastructure option.

// Monitoring

WorkSpaces Monitoring — CloudWatch Metrics & Alarms

Key CloudWatch Metrics

Metric	Namespace	Alert Threshold
ConnectionAttempt	AWS/WorkSpaces	Spike = logon storm
ConnectionSuccess	AWS/WorkSpaces	<95% success = investigate
ConnectionFailure	AWS/WorkSpaces	Alert on any spike
InSessionLatency	AWS/WorkSpaces	>100ms = user complaints
SessionLaunchTime	AWS/WorkSpaces	>30s = investigate
WorkspaceStatus	AWS/WorkSpaces	UNHEALTHY = page on-call

CloudWatch Alarm Setup (CLI)

# Alert when connection failure rate spikes:
aws cloudwatch put-metric-alarm \
  --alarm-name "WorkSpaces-ConnFailures" \
  --namespace "AWS/WorkSpaces" \
  --metric-name ConnectionFailure \
  --dimensions Name=DirectoryId,Value=d-xxxx \
  --period 300 \
  --evaluation-periods 2 \
  --threshold 5 \
  --comparison-operator GreaterThanThreshold \
  --statistic Sum \
  --alarm-actions arn:aws:sns:us-east-1:xxxx:vdi-alerts

# View all WorkSpaces CloudWatch metrics:
aws cloudwatch list-metrics \
  --namespace "AWS/WorkSpaces" \
  --query 'Metrics[*].MetricName' \
  --output table

// Cost Optimization

WorkSpaces Cost Optimization — 2026

Optimization	Savings	How	Notes
AutoStop (hourly billing)	40–70%	Switch part-time users to hourly billing with 1-hour AutoStop	User pays only when connected. 60min idle → suspended. ~$0.26–$0.98/hr depends on bundle.
WorkSpaces Pools for shift workers	50–80%	Replace Personal WorkSpaces with Pools for call center/kiosk	Pay per session-hour, not per persistent VM. Scale to zero overnight.
Right-size bundles	20–40%	Audit actual CPU/RAM usage. Downgrade from Performance → Standard if under-utilized	Use CloudWatch CPUUsage + MemUsage. Many orgs over-provision by 1-2 bundle sizes.
Delete unused WorkSpaces	$22–$124/WorkSpace	Audit last-connected date. Delete WorkSpaces >90 days unused.	AWS: Console → WorkSpaces → filter by LastKnownUserConnection. CLI script to automate.
Reserved WorkSpaces (Personal)	~30%	Commit to monthly billing for full-time users — discounted vs on-demand monthly	WorkSpaces reserved pricing = lower monthly rate vs on-demand. Must be monthly billing mode.

// Related Pages

Continue the Deep Dive

📦

FSLogix 26.01 CU1

Full FSLogix reference for Pools

☁️

Azure Virtual Desktop

AWS vs Azure cloud DaaS comparison

⚖️

Platform Compare

All platforms side by side

🤝

VDI Consulting

Need help with AWS WorkSpaces?