Architecture overview - Research and Engineering Studio

Architecture overview

This section provides an architecture diagram for the components deployed with this product.

Architecture diagram

Deploying this product with the default parameters deploys the following components in your AWS account.

          Figure 1: Research and Engineering Studio on AWS architecture

Figure 1: Research and Engineering Studio on AWS architecture


AWS CloudFormation resources are created from AWS Cloud Development Kit (AWS CDK) constructs.

The high-level process flow for the product components deployed with the AWS CloudFormation template is as follows:

  1. RES installs components for the web portal as well as:

    1. Engineering Virtual Desktop (eVDI) component for interactive workloads

    2. Metrics component

      Amazon CloudWatch receives metrics from the eVDI components.

    3. Bastion Host component

      Administrators may connect to the bastion host component using SSH to manage the underlying infrastructure.

  2. RES installs components in private subnets behind a NAT gateway. Administrators access the private subnets via the Application Load Balancer (ALB) or the Bastion Host component.

  3. Amazon DynamoDB stores the environment configuration.

  4. AWS Certificate Manager (ACM) generates and stores a public certificate for the Application Load Balancer (ALB).


    We recommend using AWS Certificate Manager to generate a trusted certificate for your domain.

  5. Amazon Elastic File System (EFS) hosts the default /home file system mounted on all applicable infrastructure hosts and eVDI Linux sessions.

  6. RES uses Amazon Cognito to create an initial bootstrap user called clusteradmin within and sends temporary credentials to the email address provided during installation. The clusteradmin must change the password with first-time login.

  7. Amazon Cognito integrates with your organization's Active Directory and user identities for permissions management.

  8. Security zones allow administrators to restrict access to specific components within the product based on permissions.

AWS services in this product

AWS service Description
Amazon Elastic Compute Cloud Core. Provides the underlying compute services to create virtual desktops with their chosen operating system and software stack.
Elastic Load Balancing Core. Bastion, cluster-manager, and VDI hosts are created in Auto Scaling groups behind the load balancer. ELB balances traffic from the web portal across RES hosts.
Amazon Virtual Private Cloud Core. All core product components are created within your VPC.
Amazon Cognito Core. Manages user identities and authentication. Active Directory users are mapped to Amazon Cognito users and groups to authenticate access levels.
Amazon Elastic File System Core. Provides the /home file system for the file browser and VDI hosts, as well as shared external file systems.
Amazon DynamoDB Core. Stores configuration data such as users, groups, projects, file systems, and component settings.
AWS Systems Manager Core. Stores documents for performing commands for VDI session management.
AWS Lambda Core. Supports product functionalities such as updating settings within the DynamoDB table, starting Active Directory sync workflows, and updating the prefix list.
Amazon CloudWatch Supporting. Provides metrics and activity logs for all Amazon EC2 hosts and Lambda functions.
Amazon Simple Storage Service Supporting. Stores application binaries for host bootstrapping and configuration.
AWS Key Management Service Supporting. Used for encryption at rest with Amazon SQS queues, DynamoDB tables, and Amazon SNS topics.
AWS Secrets Manager Supporting. Stores service account credentials in Active Directory and self-signed certificates for VDIs.
AWS CloudFormation Supporting. Provides a deployment mechanism for the product.
AWS Identity and Access Management Supporting. Restricts the access level for hosts.
Amazon RouteĀ 53 Supporting. Creates private hosted zone for resolving the internal load balancer and the bastion host domain name.
Amazon Simple Queue Service Supporting. Creates task queues to support asynchronous executions.
Amazon Simple Notification Service Supporting. Supports the publication-subscriber model between VDI components such as the controller and hosts.
AWS Fargate Supporting. Installs, updates, and deletes environments using Fargate tasks.
Amazon FSx File Gateway Optional. Provides external shared file system.
Amazon FSx for NetApp ONTAP Optional. Provides external shared file system.
AWS Certificate Manager Optional. Generates a trusted certificate for your custom domain.
AWS Backup Optional. Offers backup capabilities for Amazon EC2 hosts, file systems, and DynamoDB.