End-User Computing (EUC)
Explore how to architect AWS End-User Computing solutions using Amazon WorkSpaces for persistent virtual desktops and Amazon AppStream 2.0 for application streaming. Understand identity integration, network isolation, and cost optimization strategies to deliver secure, scalable, and efficient computing environments tailored to user needs.
When enterprises shift from managing physical desktops to delivering secure, centralized computing environments at scale, the architecture must address identity federation, network isolation, session persistence, and cost optimization simultaneously. In AWS End-User Computing (EUC) design, architects should resist the temptation to build self-managed, EC2-based VDI solutions. Instead, use AWS-managed services that reduce operational overhead while strengthening security posture.
EUC decouples the user environment from the physical device, enabling centralized governance through AWS Organizations, identity control through Active Directory integration, and network-level isolation through VPC private-subnet deployment.
Two AWS services anchor this domain. Amazon WorkSpaces delivers persistent, fully managed virtual desktops for users who need long-lived environments with full OS access. Amazon AppStream 2.0 streams individual applications to browsers, eliminating the need for full desktop provisioning when users require only specific tools. A common assessment focus is whether you can distinguish between these models based on session persistence, cost profile, and security requirements, rather than defaulting to over-engineered solutions.
The following diagram illustrates how both services integrate within a secure VPC architecture with hybrid connectivity and centralized identity.
Amazon WorkSpaces for virtual desktops
Amazon WorkSpaces operates as a
Architectural components and deployment
The foundational building blocks of a WorkSpaces deployment define how identity, compute, and storage interact within the VPC.
WorkSpaces directories link to AWS Managed Microsoft AD for full directory functionality within AWS, or to AD Connector when authentication must proxy to an existing on-premises Active Directory without replicating directory data into the cloud.
Bundles define the compute and storage configuration for each desktop, combining vCPU, memory, root volume, and user volume specifications into selectable profiles.
User volumes ...
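The private-subnet isolation described above can be verified from configuration data. The following is an added example, not code from this page or from AWS: it audits data shaped like the boto3 `describe_workspace_directories` and `describe_route_tables` responses. All IDs are constructed, and it assumes every route table passed in belongs to the single VPC that hosts the directories.

```python
"""Audit WorkSpaces directories for network isolation (added example)."""

def is_public(subnet_id, route_tables):
    """True if the subnet's effective route table has a default route to an IGW."""
    def assoc(rt):
        return rt.get("Associations", [])
    explicit = [rt for rt in route_tables
                if any(a.get("SubnetId") == subnet_id for a in assoc(rt))]
    # No explicit association: the subnet inherits the VPC's main route table.
    effective = explicit or [rt for rt in route_tables
                             if any(a.get("Main") for a in assoc(rt))]
    for rt in effective:
        for r in rt.get("Routes", []):
            default = (r.get("DestinationCidrBlock") == "0.0.0.0/0"
                       or r.get("DestinationIpv6CidrBlock") == "::/0")
            if default and (r.get("GatewayId") or "").startswith("igw-"):
                return True
    return False

def audit_directories(directories, route_tables):
    """Return (directory_id, finding) tuples for isolation gaps."""
    findings = []
    for d in directories:
        for subnet in d.get("SubnetIds", []):
            if is_public(subnet, route_tables):
                findings.append((d["DirectoryId"], f"{subnet} routes to an internet gateway"))
        if d.get("WorkspaceCreationProperties", {}).get("EnableInternetAccess"):
            findings.append((d["DirectoryId"], "EnableInternetAccess assigns public IPs by default"))
    return findings

# Constructed sample data (hypothetical IDs), trimmed to the fields the audit reads.
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
]
SAMPLE_DIRECTORIES = [
    {"DirectoryId": "d-example0001", "SubnetIds": ["subnet-priv1", "subnet-priv2"],
     "WorkspaceCreationProperties": {"EnableInternetAccess": False}},
    {"DirectoryId": "d-example0002", "SubnetIds": ["subnet-priv1", "subnet-pub1"],
     "WorkspaceCreationProperties": {"EnableInternetAccess": True}},
]

if __name__ == "__main__":
    for directory_id, finding in audit_directories(SAMPLE_DIRECTORIES, SAMPLE_ROUTE_TABLES):
        print(directory_id, "-", finding)
```

Against a live account, the same two functions can be fed the `Directories` and `RouteTables` lists returned by those boto3 calls.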