Plan your deployment

This section contains information on cost, security, supported regions, and quotas that can help you plan your deployment of Research and Engineering Studio on AWS.

Cost

Research and Engineering Studio on AWS is available at no additional charge, and you pay only for the AWS resources needed to run your applications. For more information, see AWS services in this product.

Note

You are responsible for the cost of the AWS services used while running this product.

We recommend creating a budget through AWS Cost Explorer to help manage costs. Prices are subject to change. For full details, see the pricing webpage for each AWS service used in this product.

Security

Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.

Security is a shared responsibility between AWS and you. The shared responsibility model describes this as security of the cloud and security in the cloud:

  • Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to Research and Engineering Studio on AWS, see AWS Services in Scope by Compliance Program.

  • Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.

To understand how to apply the shared responsibility model with the AWS services used by Research and Engineering Studio, see Security considerations for services in this product. For more information about AWS security, visit AWS Cloud Security.

IAM roles

AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This product creates IAM roles that grant the product’s AWS Lambda functions and Amazon EC2 instances access to create Regional resources.

RES supports identity-based policies within IAM. When deployed, RES creates policies that define the administrator's permissions and access. The administrator who implements the product creates and manages end users and project leaders within the existing customer Active Directory integrated with RES. For more information, see Creating IAM policies in the AWS Identity and Access Management User Guide.

Your organization's administrator can manage user access with Active Directory. When end users access the RES user interface, RES authenticates them with Amazon Cognito.

Security groups

The security groups created in this product are designed to control and isolate network traffic between the Lambda functions, EC2 instances, file systems, CSR instances, and remote VPN endpoints. We recommend that you review the security groups and further restrict access as needed once the product is deployed.

Data encryption

By default, Research and Engineering Studio on AWS (RES) encrypts customer data at rest and in transit using a RES-owned key. When you deploy RES, you may specify an AWS KMS key. RES uses your credentials to grant key access. If you supply a customer-owned and customer-managed AWS KMS key, customer data at rest will be encrypted using that key.

RES encrypts customer data in transit using SSL/TLS. We require TLS 1.2, but recommend TLS 1.3.

For more detailed information regarding security considerations for the services used by Research and Engineering Studio, follow the links in this table:

| AWS service security info | Service type | How the service is used in RES |
|---|---|---|
| Amazon Elastic Compute Cloud | Core | Provides the underlying compute services to create virtual desktops with their chosen operating system and software stack. |
| Elastic Load Balancing | Core | Bastion, cluster-manager, and VDI hosts are created in Auto Scaling groups behind the load balancer. ELB balances traffic from the web portal across RES hosts. |
| Amazon Virtual Private Cloud | Core | All core product components are created within your VPC. |
| Amazon Cognito | Core | Manages user identities and authentication. Active Directory users are mapped to Amazon Cognito users and groups to authenticate access levels. |
| Amazon Elastic File System | Core | Provides the /home file system for the file browser and VDI hosts, as well as shared external file systems. |
| Amazon DynamoDB | Core | Stores configuration data such as users, groups, projects, file systems, and component settings. |
| AWS Systems Manager | Core | Stores documents for performing commands for VDI session management. |
| AWS Lambda | Core | Supports product functionalities such as updating settings within the DynamoDB table, starting Active Directory sync workflows, and updating the prefix list. |
| Amazon CloudWatch | Supporting | Provides metrics and activity logs for all Amazon EC2 hosts and Lambda functions. |
| Amazon Simple Storage Service | Supporting | Stores application binaries for host bootstrapping and configuration. |
| AWS Key Management Service | Supporting | Used for encryption at rest with Amazon SQS queues, DynamoDB tables, and Amazon SNS topics. |
| AWS Secrets Manager | Supporting | Stores service account credentials in Active Directory and self-signed certificates for VDIs. |
| AWS CloudFormation | Supporting | Provides a deployment mechanism for the product. |
| AWS Identity and Access Management | Supporting | Restricts the access level for hosts. |
| Amazon Route 53 | Supporting | Creates a private hosted zone for resolving the internal load balancer and the bastion host domain name. |
| Amazon Simple Queue Service | Supporting | Creates task queues to support asynchronous executions. |
| Amazon Simple Notification Service | Supporting | Supports the publisher-subscriber model between VDI components such as the controller and hosts. |
| AWS Fargate | Supporting | Installs, updates, and deletes environments using Fargate tasks. |
| Amazon FSx File Gateway | Optional | Provides an external shared file system. |
| Amazon FSx for NetApp ONTAP | Optional | Provides an external shared file system. |
| AWS Certificate Manager | Optional | Generates a trusted certificate for your custom domain. |
| AWS Backup | Optional | Offers backup capabilities for Amazon EC2 hosts, file systems, and DynamoDB. |

Quotas

Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.

Quotas for AWS services in this product

Make sure you have sufficient quota for each of the services implemented in this product. For more information, see AWS service quotas.

For this product, we recommend raising quotas for the following services:

  • Amazon Virtual Private Cloud

  • Amazon EC2

To request a quota increase, see Requesting a Quota Increase in the Service Quotas User Guide. If the quota is not yet available in Service Quotas, use the limit increase form.

AWS CloudFormation quotas

Your AWS account has AWS CloudFormation quotas that you should be aware of when launching the stack in this product. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this product successfully. For more information, see AWS CloudFormation quotas in the AWS CloudFormation User Guide.

Planning for resilience

The product deploys a default infrastructure with the minimum number and size of Amazon EC2 instances to operate the system. To improve resilience in large-scale production environments, we recommend increasing the default minimum capacity settings within the infrastructure's Auto Scaling groups (ASG). Increasing the value from one instance to two instances provides the benefit of multiple Availability Zones (AZ) and reduces the time to restore system functionality in the event of unexpected data loss.

ASG settings can be customized within the Amazon EC2 console at https://console.aws.amazon.com/ec2/. The product creates four ASGs by default with each name ending with -asg. You can change the minimum and desired values to an amount appropriate for your production environment. Select the group you want to modify, and then choose Actions and select Edit. For more information on ASGs, see Scale the size of your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.
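The same resilience change can be planned and applied outside the console. The following is an added example, not code from the RES product or its documentation: it audits the Auto Scaling groups whose names end in -asg (the naming convention described above), proposes raising the minimum and desired capacity from one instance to two, keeps MaxSize consistent, and flags groups that span only one Availability Zone (where a second instance does not give AZ redundancy). The ASG names in the sample data are constructed; the input shape and the update_auto_scaling_group call are boto3's real ones.

```python
# Added example, not from the RES documentation: audit the product's Auto Scaling
# groups (names ending in "-asg", per the page) and plan raising MinSize/Desired
# from one instance to two. Input shape follows boto3 describe_auto_scaling_groups().


def plan_res_asg_resilience(groups, target_min=2):
    """One finding per RES ASG: current sizes, proposed sizes, and AZ coverage."""
    findings = []
    for g in groups:
        name = g["AutoScalingGroupName"]
        if not name.endswith("-asg"):
            continue  # not one of the product's groups
        cur = (g["MinSize"], g["DesiredCapacity"], g["MaxSize"])
        new_min = max(cur[0], target_min)
        new_desired = max(cur[1], new_min)
        new_max = max(cur[2], new_desired)  # MaxSize must cover DesiredCapacity
        azs = g.get("AvailabilityZones", [])
        findings.append({
            "name": name,
            "current": cur,
            "proposed": (new_min, new_desired, new_max),
            "needs_update": (new_min, new_desired, new_max) != cur,
            # Two instances only give AZ redundancy if the group spans two AZs.
            "multi_az": len(azs) >= 2,
        })
    return findings


def apply_findings(findings, region_name):
    """Apply proposed sizes via the real boto3 update_auto_scaling_group call."""
    import boto3  # imported here so planning works without boto3 installed

    client = boto3.client("autoscaling", region_name=region_name)
    for f in findings:
        if f["needs_update"]:
            mn, des, mx = f["proposed"]
            client.update_auto_scaling_group(AutoScalingGroupName=f["name"],
                                             MinSize=mn, DesiredCapacity=des, MaxSize=mx)


# Constructed sample shaped like describe_auto_scaling_groups() output (names are made up).
SAMPLE_GROUPS = [
    {"AutoScalingGroupName": "res-demo-cluster-manager-asg", "MinSize": 1,
     "DesiredCapacity": 1, "MaxSize": 1, "AvailabilityZones": ["us-east-1a", "us-east-1b"]},
    {"AutoScalingGroupName": "res-demo-bastion-host-asg", "MinSize": 1,
     "DesiredCapacity": 1, "MaxSize": 3, "AvailabilityZones": ["us-east-1a"]},
    {"AutoScalingGroupName": "unrelated-web-tier", "MinSize": 1,
     "DesiredCapacity": 1, "MaxSize": 1, "AvailabilityZones": ["us-east-1a"]},
]
```

Running plan_res_asg_resilience(SAMPLE_GROUPS) returns two findings (the unrelated group is skipped); review them, then pass them to apply_findings with your Region to make the change.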

Supported AWS Regions

This product uses services which are not currently available in all AWS Regions. You must launch this product in an AWS Region where all services are available. For the most current availability of AWS services by Region, see the AWS Regional Services List.

Research and Engineering Studio on AWS is supported in the following AWS Regions:

| Region name | Region | Previous versions | Latest version (2024.08) |
|---|---|---|---|
| US East (N. Virginia) | us-east-1 | yes | yes |
| US East (Ohio) | us-east-2 | yes | yes |
| US West (N. California) | us-west-1 | yes | yes |
| US West (Oregon) | us-west-2 | yes | yes |
| Asia Pacific (Tokyo) | ap-northeast-1 | yes | yes |
| Asia Pacific (Seoul) | ap-northeast-2 | yes | yes |
| Asia Pacific (Mumbai) | ap-south-1 | yes | yes |
| Asia Pacific (Singapore) | ap-southeast-1 | yes | yes |
| Asia Pacific (Sydney) | ap-southeast-2 | yes | yes |
| Canada (Central) | ca-central-1 | yes | yes |
| Europe (Frankfurt) | eu-central-1 | yes | yes |
| Europe (Milan) | eu-south-1 | yes | yes |
| Europe (Ireland) | eu-west-1 | yes | yes |
| Europe (London) | eu-west-2 | yes | yes |
| Europe (Paris) | eu-west-3 | yes | yes |
| Europe (Stockholm) | eu-north-1 | no | yes |
| Israel (Tel Aviv) | il-central-1 | yes | yes |
| AWS GovCloud (US-West) | us-gov-west-1 | yes | yes |