Every WorkSpace is linked to the specific Amazon VPC and AWS Directory Service construct that was utilized to create it. Each AWS Directory Service construct (Simple AD, AD Connector, and Microsoft AD) needs two subnets, in different Availability Zones (AZs), to function. Once created, these subnets are permanently tied to a Directory Service construct and cannot be altered. Hence, it’s crucial to determine the appropriate subnet sizes prior to creating the Directory Services construct.
While creating the subnets, consider:
- The number of WorkSpaces required over time
- The projected growth
- The types of users to accommodate
- The number of AD domains to connect
- The location of your enterprise accounts
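Because the two subnets cannot be resized once the Directory Service construct exists, the sizing decision is worth working through with numbers. The following planner is an added example, not code from the original article or from AWS: it projects WorkSpace counts per persona over a planning horizon, spreads them across the two required subnets, and picks the smallest subnet prefix that still fits. The persona names and counts are constructed sample data, the 5 addresses AWS reserves in every subnet are real, and the extra reserve for directory or connector network interfaces is an assumption.

```python
"""Subnet sizing planner for Amazon WorkSpaces directory subnets (added example).

Assumes: each directory construct needs two subnets in different AZs (from
the article), AWS reserves 5 addresses per subnet (real), WorkSpaces are spread
evenly across the two subnets, and a small per-subnet reserve is kept for
directory / AD Connector interfaces (assumption, set below).
"""
import math
from dataclasses import dataclass

AWS_RESERVED_PER_SUBNET = 5      # first four and the last address of every subnet
DIRECTORY_RESERVE = 4            # assumption: ENIs used by the directory per subnet
MIN_PREFIX, MAX_PREFIX = 16, 28  # AWS VPC subnets range from /16 to /28


@dataclass
class Persona:
    name: str
    workspaces: int          # WorkSpaces needed today
    annual_growth: float     # projected growth, e.g. 0.25 for 25% per year


def projected_count(persona: Persona, years: int) -> int:
    """WorkSpaces this persona needs after `years` of compound growth."""
    return math.ceil(persona.workspaces * (1 + persona.annual_growth) ** years)


def hosts_per_subnet(personas, years: int, subnets: int = 2) -> int:
    """Evenly spread the projected total across the directory's subnets."""
    total = sum(projected_count(p, years) for p in personas)
    return math.ceil(total / subnets)


def prefix_for(hosts: int) -> int:
    """Smallest prefix length whose usable addresses cover `hosts` WorkSpaces."""
    needed = hosts + AWS_RESERVED_PER_SUBNET + DIRECTORY_RESERVE
    prefix = 32 - math.ceil(math.log2(needed))
    if prefix < MIN_PREFIX:
        raise ValueError(f"{hosts} hosts do not fit a /16; split across more directories")
    return min(prefix, MAX_PREFIX)


def plan(personas, years: int, subnets: int = 2) -> dict:
    """Prefix to allocate per subnet plus the headroom left for unplanned growth."""
    hosts = hosts_per_subnet(personas, years, subnets)
    prefix = prefix_for(hosts)
    usable = 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET - DIRECTORY_RESERVE
    return {"hosts_per_subnet": hosts, "prefix": prefix,
            "usable": usable, "headroom": usable - hosts}


# Constructed sample personas: three access types with different growth rates.
SAMPLE = [Persona("developers", 120, 0.25),
          Persona("analysts", 300, 0.10),
          Persona("contractors", 40, 0.0)]

if __name__ == "__main__":
    print(plan(SAMPLE, years=3))   # two /23 subnets cover a 3-year horizon
```

Run against the sample personas, the planner shows the gap between today's 460 WorkSpaces and the 675 projected in three years, which is exactly the margin that is lost if the subnets are sized for current demand only.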
Amazon suggests establishing user groups, or personas, based on access type and user authentication requirements as part of your planning. These insights can assist in restricting access to specific applications or resources. User personas can guide segmentation and restriction of access using AWS Directory Service, network access control lists, routing tables, and VPC security groups.
Each AWS Directory Service construct employs two subnets and applies uniform settings to all WorkSpaces launched from that construct. For instance, a security group attached to an AD Connector could dictate whether Multi-Factor Authentication (MFA) is necessary or whether an end-user can have local admin access on their WorkSpace.
Remember that each AD Connector links to your existing Enterprise Microsoft AD. To specify an Organizational Unit (OU) and leverage this capability, your Directory Service must be constructed with your user personas in mind.