Plan your deployment
This section contains information on cost, security, supported regions, and quotas that can help you plan your deployment of Research and Engineering Studio on AWS.
Cost
Research and Engineering Studio on AWS is available at no additional charge, and you pay only for the AWS resources needed to run your applications. For more information, see AWS services in this product.
Note: You are responsible for the cost of the AWS services used while running this product. We recommend creating a budget through AWS Cost Explorer.
Security
Cloud security at AWS is the highest priority. As an AWS customer, you benefit from data centers and network architectures that are built to meet the requirements of the most security-sensitive organizations.
Security is a shared responsibility between AWS and you. The shared responsibility model:
- Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs. To learn about the compliance programs that apply to Research and Engineering Studio on AWS, see AWS Services in Scope by Compliance Program.
- Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also responsible for other factors including the sensitivity of your data, your company’s requirements, and applicable laws and regulations.
To understand how to apply the shared responsibility model with the AWS services used by Research and Engineering Studio, see Security considerations for services in this product. For more information about AWS security, visit AWS Cloud Security.
IAM roles
AWS Identity and Access Management (IAM) roles allow customers to assign granular access policies and permissions to services and users on the AWS Cloud. This product creates IAM roles that grant the product’s AWS Lambda functions and Amazon EC2 instances access to create Regional resources.
RES supports identity-based policies within IAM. When deployed, RES creates policies to define the administrator permission and access. The administrator who implements the product creates and manages end users and project leaders within the existing customer Active Directory integrated with RES. For more information, see Creating IAM policies in the AWS Identity and Access Management User Guide.
Your organization's administrator can manage user access with Active Directory. When end users access the RES user interface, RES authenticates them with Amazon Cognito.
Security groups
The security groups created in this product are designed to control and isolate network traffic between the Lambda functions, EC2 instances, file systems, CSR instances, and remote VPN endpoints. We recommend that you review the security groups and further restrict access as needed once the product is deployed.
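One way to carry out that post-deployment review is to pull the security groups in the Region and flag ingress rules that are reachable from the whole internet or that allow all protocols from a CIDR instead of a referenced peer group. The script below is an added example, not part of Research and Engineering Studio on AWS: it works on the JSON shape returned by EC2 DescribeSecurityGroups (fetched with boto3 when run with `--live`) and, offline, on a constructed sample whose group names, IDs and CIDRs are invented. Port 443 open to the world is accepted by default because the web portal's external load balancer needs it; every other world-open rule is reported.

```python
"""Audit RES security groups for ingress reachable from anywhere.

Added example, not part of Research and Engineering Studio on AWS. Input is the
DescribeSecurityGroups shape; the sample below is constructed (names, IDs and
CIDRs are invented).
"""
import ipaddress
import sys
from typing import Dict, List

# Constructed sample in the DescribeSecurityGroups shape.
SAMPLE_GROUPS: Dict = {
    "SecurityGroups": [
        {   # SSH to the bastion left open to the internet; should be narrowed to known ranges
            "GroupId": "sg-0aaa111", "GroupName": "res-bastion-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {   # VDI hosts: one rule referencing a peer group, one all-traffic rule from a wide CIDR
            "GroupId": "sg-0bbb222", "GroupName": "res-vdi-host-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
                 "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0ccc333"}]},
                {"IpProtocol": "-1",
                 "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
        {   # External load balancer for the web portal: HTTPS from anywhere is expected
            "GroupId": "sg-0ddd444", "GroupName": "res-external-alb-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                 "UserIdGroupPairs": []},
            ],
        },
    ]
}


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0 and any other zero-length prefix."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def describe_ports(perm: Dict) -> str:
    """Human-readable protocol/port range of one permission entry."""
    if perm.get("IpProtocol") == "-1":
        return "all protocols/ports"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{perm['IpProtocol']}/{lo}" if lo == hi else f"{perm['IpProtocol']}/{lo}-{hi}"


def find_exposed_rules(groups: Dict, allowed_public_ports=(443,)) -> List[Dict]:
    """Return review findings for ingress rules.

    high:   reachable from 0.0.0.0/0 or ::/0 on anything but an allowed public TCP port
    medium: all-protocol rule sourced from a CIDR rather than a referenced security group
    """
    findings = []
    for sg in groups.get("SecurityGroups", []):
        for perm in sg.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if is_world_open(c)]
            proto = perm.get("IpProtocol")
            single_port = perm.get("FromPort") == perm.get("ToPort")
            allowed_public = proto == "tcp" and single_port and perm.get("FromPort") in allowed_public_ports
            base = {"group": sg["GroupId"], "name": sg.get("GroupName", ""), "ports": describe_ports(perm)}
            if world and not allowed_public:
                findings.append({**base, "severity": "high", "sources": world,
                                 "advice": "restrict to known source ranges or a peer security group"})
            elif proto == "-1" and cidrs and not world:
                findings.append({**base, "severity": "medium", "sources": cidrs,
                                 "advice": "reference the peer security group and limit the ports"})
    return findings


def load_live_groups() -> Dict:
    """Fetch every security group in the configured Region (boto3 assumed installed and configured)."""
    import boto3
    merged: Dict = {"SecurityGroups": []}
    for page in boto3.client("ec2").get_paginator("describe_security_groups").paginate():
        merged["SecurityGroups"].extend(page["SecurityGroups"])
    return merged


if __name__ == "__main__":
    data = load_live_groups() if "--live" in sys.argv else SAMPLE_GROUPS
    for f in find_exposed_rules(data):
        print(f"[{f['severity']}] {f['group']} ({f['name']}): {f['ports']} "
              f"from {', '.join(f['sources'])} -> {f['advice']}")
```

On the sample the bastion's SSH rule is the only high finding and the VDI hosts' all-traffic rule from 10.0.0.0/8 is the only medium one; pass `allowed_public_ports=()` to also list the load balancer's HTTPS rule when you want the full inventory of world-open ingress.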
Data encryption
By default, Research and Engineering Studio on AWS (RES) encrypts customer data at rest and in transit using an RES-owned key. When you deploy RES, you may specify an AWS KMS key; RES uses your credentials to grant access to that key. If you supply a customer-owned, customer-managed AWS KMS key, customer data at rest is encrypted using that key.
RES encrypts customer data in transit using SSL/TLS. We require TLS 1.2, but recommend TLS 1.3.
Security considerations for services in this product
For more detailed information regarding security considerations for the services used by Research and Engineering Studio, follow the links in this table:
AWS service security info | Service type | How the service is used in RES |
---|---|---|
Amazon Elastic Compute Cloud | Core | Provides the underlying compute services to create virtual desktops with their chosen operating system and software stack. |
Elastic Load Balancing | Core | Bastion, cluster-manager, and VDI hosts are created in Auto Scaling groups behind the load balancer. ELB balances traffic from the web portal across RES hosts. |
Amazon Virtual Private Cloud | Core | All core product components are created within your VPC. |
Amazon Cognito | Core | Manages user identities and authentication. Active Directory users are mapped to Amazon Cognito users and groups to authenticate access levels. |
Amazon Elastic File System | Core | Provides the /home file system for the file browser and VDI hosts, as well as shared external file systems. |
Amazon DynamoDB | Core | Stores configuration data such as users, groups, projects, file systems, and component settings. |
AWS Systems Manager | Core | Stores documents for performing commands for VDI session management. |
AWS Lambda | Core | Supports product functionalities such as updating settings within the DynamoDB table, starting Active Directory sync workflows, and updating the prefix list. |
Amazon CloudWatch | Supporting | Provides metrics and activity logs for all Amazon EC2 hosts and Lambda functions. |
Amazon Simple Storage Service | Supporting | Stores application binaries for host bootstrapping and configuration. |
AWS Key Management Service | Supporting | Used for encryption at rest with Amazon SQS queues, DynamoDB tables, and Amazon SNS topics. |
AWS Secrets Manager | Supporting | Stores service account credentials in Active Directory and self-signed certificates for VDIs. |
AWS CloudFormation | Supporting | Provides a deployment mechanism for the product. |
AWS Identity and Access Management | Supporting | Restricts the access level for hosts. |
Amazon Route 53 | Supporting | Creates private hosted zone for resolving the internal load balancer and the bastion host domain name. |
Amazon Simple Queue Service | Supporting | Creates task queues to support asynchronous executions. |
Amazon Simple Notification Service | Supporting | Supports the publication-subscriber model between VDI components such as the controller and hosts. |
AWS Fargate | Supporting | Installs, updates, and deletes environments using Fargate tasks. |
Amazon FSx File Gateway | Optional | Provides external shared file system. |
Amazon FSx for NetApp ONTAP | Optional | Provides external shared file system. |
AWS Certificate Manager | Optional | Generates a trusted certificate for your custom domain. |
AWS Backup | Optional | Offers backup capabilities for Amazon EC2 hosts, file systems, and DynamoDB. |
Quotas
Service quotas, also referred to as limits, are the maximum number of service resources or operations for your AWS account.
Quotas for AWS services in this product
Make sure you have sufficient quota for each of the services implemented in this product. For more information, see AWS service quotas.
For this product, we recommend raising quotas for the following services:
- Amazon Virtual Private Cloud
- Amazon EC2
To request a quota increase, see Requesting a Quota Increase in the Service Quotas User Guide. If the quota is not yet available in Service Quotas, use the limit increase form.
AWS CloudFormation quotas
Your AWS account has AWS CloudFormation quotas that you should be aware of when launching the stack in this product. By understanding these quotas, you can avoid limitation errors that would prevent you from deploying this product successfully. For more information, see AWS CloudFormation quotas in the AWS CloudFormation User Guide.
Planning for resilience
The product deploys a default infrastructure with the minimum number and size of Amazon EC2 instances needed to operate the system. To improve resilience in large-scale production environments, we recommend increasing the default minimum capacity settings within the infrastructure's Auto Scaling groups (ASGs). Increasing the value from one instance to two provides the benefit of multiple Availability Zones (AZs) and reduces the time to restore system functionality in the event of unexpected data loss.
ASG settings can be customized within the Amazon EC2 console at https://console.aws.amazon.com/ec2/-asg . You can change the minimum and desired values to an amount appropriate for your production environment. Select the group you want to modify, choose Actions, and then select Edit. For more information on ASGs, see Scale the size of your Auto Scaling group in the Amazon EC2 Auto Scaling User Guide.
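The console steps above can also be checked and scripted. The following is an added example, not part of Research and Engineering Studio on AWS: it reads the shape returned by Auto Scaling DescribeAutoScalingGroups (fetched with boto3 when run with `--live`, otherwise a constructed sample whose group names, subnet IDs and Region are invented), reports each group that falls short of two instances, and prepares the UpdateAutoScalingGroup arguments that raise the floor. It also checks the point the paragraph leaves implicit: a second instance only buys AZ redundancy when the group's subnets span at least two Availability Zones.

```python
"""Assess RES Auto Scaling groups against the two-instance, multi-AZ guidance.

Added example, not part of Research and Engineering Studio on AWS. Input is the
DescribeAutoScalingGroups shape; the sample below is constructed (group names,
subnet IDs and Region are invented).
"""
import sys
from typing import Dict, List

# Constructed sample in the DescribeAutoScalingGroups shape.
SAMPLE_ASGS: Dict = {
    "AutoScalingGroups": [
        {   # Default deployment: one instance, although the subnets already span two AZs
            "AutoScalingGroupName": "res-cluster-manager-asg",
            "MinSize": 1, "DesiredCapacity": 1, "MaxSize": 3,
            "AvailabilityZones": ["us-east-1a", "us-east-1b"],
            "VPCZoneIdentifier": "subnet-0aaa,subnet-0bbb",
        },
        {   # Capacity was raised, but both instances can only land in a single AZ
            "AutoScalingGroupName": "res-bastion-asg",
            "MinSize": 2, "DesiredCapacity": 2, "MaxSize": 2,
            "AvailabilityZones": ["us-east-1a"],
            "VPCZoneIdentifier": "subnet-0aaa",
        },
        {   # Meets the guidance
            "AutoScalingGroupName": "res-vdi-controller-asg",
            "MinSize": 2, "DesiredCapacity": 2, "MaxSize": 4,
            "AvailabilityZones": ["us-east-1a", "us-east-1b"],
            "VPCZoneIdentifier": "subnet-0aaa,subnet-0bbb",
        },
    ]
}


def assess_group(asg: Dict, min_instances: int = 2, min_azs: int = 2) -> List[str]:
    """List the ways one group falls short of the resilience guidance (empty when it complies)."""
    issues = []
    if asg["MinSize"] < min_instances:
        issues.append(f"MinSize is {asg['MinSize']}, want at least {min_instances}")
    if asg["DesiredCapacity"] < min_instances:
        issues.append(f"DesiredCapacity is {asg['DesiredCapacity']}, want at least {min_instances}")
    if asg["MaxSize"] < min_instances:
        issues.append(f"MaxSize {asg['MaxSize']} cannot hold {min_instances} instances")
    azs = asg.get("AvailabilityZones", [])
    if len(azs) < min_azs:
        issues.append(f"spans only {len(azs)} Availability Zone(s); extra instances give no AZ "
                      f"redundancy until VPCZoneIdentifier lists subnets in {min_azs} or more AZs")
    return issues


def assess_groups(data: Dict, min_instances: int = 2, min_azs: int = 2) -> Dict[str, List[str]]:
    """Map each group name to its list of issues."""
    return {g["AutoScalingGroupName"]: assess_group(g, min_instances, min_azs)
            for g in data.get("AutoScalingGroups", [])}


def plan_capacity_update(asg: Dict, min_instances: int = 2) -> Dict:
    """Keyword arguments for UpdateAutoScalingGroup that raise the floor to min_instances.

    Returns {} when capacity already complies. Only capacity fields are planned: adding
    subnets in another AZ is a VPC-layout decision left to the operator.
    """
    kwargs: Dict = {}
    if asg["MinSize"] < min_instances:
        kwargs["MinSize"] = min_instances
    if asg["DesiredCapacity"] < min_instances:
        kwargs["DesiredCapacity"] = min_instances
    if asg["MaxSize"] < min_instances:
        kwargs["MaxSize"] = min_instances
    if kwargs:
        kwargs["AutoScalingGroupName"] = asg["AutoScalingGroupName"]
    return kwargs


def load_live_groups() -> Dict:
    """Fetch every Auto Scaling group in the configured Region (boto3 assumed installed and configured)."""
    import boto3
    merged: Dict = {"AutoScalingGroups": []}
    for page in boto3.client("autoscaling").get_paginator("describe_auto_scaling_groups").paginate():
        merged["AutoScalingGroups"].extend(page["AutoScalingGroups"])
    return merged


if __name__ == "__main__":
    live = "--live" in sys.argv
    data = load_live_groups() if live else SAMPLE_ASGS
    for group in data["AutoScalingGroups"]:
        name = group["AutoScalingGroupName"]
        for issue in assess_group(group):
            print(f"{name}: {issue}")
        plan = plan_capacity_update(group)
        if plan:
            print(f"{name}: planned update {plan}")
            if live and "--apply" in sys.argv:
                import boto3
                boto3.client("autoscaling").update_auto_scaling_group(**plan)
```

Run it with no arguments to see the sample assessment, with `--live` to assess the groups in your account, and with `--live --apply` to submit the planned capacity changes; a group that reports only the single-AZ issue needs a subnet in a second AZ added to it, which the script deliberately does not do for you.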
Supported AWS Regions
This product uses services which are not currently available in all AWS Regions. You must launch this product in an AWS Region where all services are available. For the most current availability of AWS services by Region, see the AWS Regional Services List.
Research and Engineering Studio on AWS is supported in the following AWS Regions:
Region name | Region | Previous versions | Latest version (2024.08) |
---|---|---|---|
US East (N. Virginia) | us-east-1 | yes | yes |
US East (Ohio) | us-east-2 | yes | yes |
US West (N. California) | us-west-1 | yes | yes |
US West (Oregon) | us-west-2 | yes | yes |
Asia Pacific (Tokyo) | ap-northeast-1 | yes | yes |
Asia Pacific (Seoul) | ap-northeast-2 | yes | yes |
Asia Pacific (Mumbai) | ap-south-1 | yes | yes |
Asia Pacific (Singapore) | ap-southeast-1 | yes | yes |
Asia Pacific (Sydney) | ap-southeast-2 | yes | yes |
Canada (Central) | ca-central-1 | yes | yes |
Europe (Frankfurt) | eu-central-1 | yes | yes |
Europe (Milan) | eu-south-1 | yes | yes |
Europe (Ireland) | eu-west-1 | yes | yes |
Europe (London) | eu-west-2 | yes | yes |
Europe (Paris) | eu-west-3 | yes | yes |
Europe (Stockholm) | eu-north-1 | no | yes |
Israel (Tel Aviv) | il-central-1 | yes | yes |
AWS GovCloud (US-West) | us-gov-west-1 | yes | yes |