AWS End User Computing
AppStream 2.0
Stream desktop applications to any device without managing hardware
Amazon AppStream 2.0 is a fully managed application streaming service that lets users access desktop applications in a browser without installing software locally or managing hardware. Unlike WorkSpaces (which provides a full persistent desktop), AppStream streams specific applications to a browser tab, with the session state either discarded at the end (non-persistent) or stored on S3 (persistent home folders) - making it ideal for contractor access, software demos, and SaaS delivery.
How AppStream 2.0 Delivers Applications
AppStream runs application instances on EC2 instances called streaming instances. Users connect via a web browser using the NICE DCV protocol (or HTML5 fallback). Each user session runs inside a Windows Server or Amazon Linux 2 environment where the application is already installed on a custom image.
| Component | Description |
|---|---|
| Image | EC2 AMI with your apps installed. Built using Image Builder, an interactive EC2 instance |
| Image Builder | Temporary EC2 instance used to install apps, configure settings, and create the image |
| Fleet | Pool of streaming instances built from your image that serve user sessions |
| Stack | Configuration layer - defines user access, storage, app catalog, and URL |
| Home Folders | Per-user S3-backed persistent storage across sessions (optional) |
| Application Catalog | Set of apps from the image that are shown to the user in the AppStream client |
The flow is: user authenticates (SAML 2.0 or API) -> AppStream selects an available fleet instance -> user sees the application catalog -> application launches on the instance -> display is streamed via NICE DCV to the browser.
AppStream 2.0 is session-based, not a persistent desktop. If home folders are not configured, all user data written to local paths is lost when the session ends. This is one of the most common architect mistakes.
Fleet Types: Always-On, On-Demand, and Elastic
AppStream 2.0 offers three fleet types that trade off between cost, session start latency, and management overhead.
| Fleet Type | Instance State When Idle | Session Start Time | Best For |
|---|---|---|---|
| Always-On | Running (billed continuously) | Immediate (<1 sec) | Business-hours users who need instant access |
| On-Demand | Stopped (not billed) | 1-2 minutes to start | Occasional users where startup delay is acceptable |
| Elastic | No persistent instances - pull from pool | 15-30 sec (warm pool) | Variable bursty demand, modern app packaging (AppBlocks) |
Elastic fleets are the newest option and require applications to be packaged as AppBlocks (VHD files stored in S3). The fleet scales to zero between sessions and pulls from a managed warm pool, providing lower idle cost than Always-On with faster starts than On-Demand.
On-Demand fleet instances take 1-2 minutes to start. If users expect immediate access, use Always-On or configure a buffer of running instances using the desired capacity setting.
Building Images and Packaging Applications
The image building process involves launching an Image Builder instance, installing your applications, running the Image Assistant to optimize the image, and then creating a snapshot as an AppStream image.
# Create an Image Builder instance via CLI
aws appstream create-image-builder \
--name my-image-builder \
--instance-type stream.standard.medium \
--image-name AppStream-WinServer2019-10-05-2023 \
--vpc-config SubnetIds=subnet-abc123,SecurityGroupIds=sg-xyz789
# List available images
aws appstream describe-images \
--type PRIVATE
# Create image from Image Builder (after using Image Assistant on the instance)
aws appstream create-image-builder-streaming-url \
--name my-image-builder \
--validity 3600Best practices for image building include: installing only the software needed (smaller images start faster), using the Image Optimization step in Image Assistant (pre-launches apps for faster first-launch), and keeping images updated monthly for security patches.
For Elastic fleets, applications are packaged as AppBlocks - VHD files stored in S3. The VHD is mounted per session. This means you can update an application without rebuilding the entire image, just update the AppBlock.
User Authentication and Access Methods
AppStream 2.0 supports three authentication methods for delivering sessions to users.
| Method | Description | Use Case |
|---|---|---|
| User Pool | Managed AppStream user directory with email invitation | Small deployments, no existing IdP |
| SAML 2.0 Federation | Federate with your IdP (Okta, Azure AD, ADFS) | Enterprise SSO, production deployments |
| Streaming URL | Programmatically generate a signed URL for a session | Embedding AppStream in your own web app or SaaS product |
# Generate a streaming URL for programmatic access (SaaS embedding)
aws appstream create-streaming-url \
--stack-name my-stack \
--fleet-name my-fleet \
--user-id user@example.com \
--application-id MyApp \
--validity 300
# Output:
# {
# "StreamingURL": "https://appstream2.us-east-1.aws.amazon.com/authenticate?parameters=...",
# "Expires": "2024-01-15T14:30:00Z"
# }Streaming URLs are single-use and expire. Do not cache or reuse them. Generate a new URL for each session. The maximum validity is 604800 seconds (7 days) but for security keep it short (5-15 minutes).
Persistent Storage: Home Folders and Google Drive/OneDrive
By default, AppStream sessions are stateless. To give users persistent storage, you configure one or more storage connectors on the stack.
| Storage Option | Backend | Max Size | Notes |
|---|---|---|---|
| Home Folders | S3 bucket in your account | No hard limit | Auto-created per user, appears as a drive in session |
| Google Drive for G Suite | Google Drive | Per Google plan | Requires Google Workspace domain, OAuth consent |
| OneDrive for Business | Microsoft OneDrive | Per Microsoft plan | Requires Microsoft 365, OAuth consent |
Home folders are stored in an S3 bucket that AppStream creates in your account (named appstream2-36fb080bb8-us-east-1-ACCOUNTID). Each user gets a prefix under appstream/home/USERNAME/. You own this data and can apply lifecycle rules, replication, or access policies.
Home folder data is accessible via S3 even when no AppStream session is running. This means you can pre-populate user home folders by copying data directly to S3 before users ever log in - useful for onboarding scenarios.
AppStream 2.0 vs WorkSpaces: Choosing the Right Service
AppStream and WorkSpaces are both virtual desktop/application services but serve different use cases. This is a common interview comparison.
| Dimension | AppStream 2.0 | WorkSpaces |
|---|---|---|
| Persistence | Session-based (stateless by default) | Persistent desktop with retained data |
| OS Access | Access specific apps only | Full desktop OS experience |
| User Experience | Browser-based (no client required) | Requires WorkSpaces client app |
| Use Case | SaaS delivery, contractors, software trials | Full-time remote employees, VDI replacement |
| Billing | Per streaming hour + instance type | Per-WorkSpace monthly or hourly |
| Scaling | Fleet auto-scaling, multiple users per instance possible | One WorkSpace per user, dedicated compute |
| Customization | Custom images per app suite | Custom bundles, full Windows experience |
| Data Handling | Stateless - data lost unless home folder configured | User volume persists between sessions |
A key architectural difference: AppStream can run multiple user sessions on a single instance (multi-session fleets), reducing cost for light users. WorkSpaces is always dedicated one-to-one.
Interview Focus Points
- 1When would you choose AppStream 2.0 over WorkSpaces for a customer requirement?
- 2Explain the difference between Always-On, On-Demand, and Elastic fleet types and the cost/latency tradeoffs.
- 3A SaaS company wants to embed a Windows desktop application in their web portal for customers. How would you architect this with AppStream?
- 4How do you ensure user files persist across AppStream sessions, and who owns the data in S3?
- 5What is an AppBlock and when would you use it over a traditional AppStream image?
- 6How does SAML 2.0 federation work with AppStream, and what IdPs are supported?
- 7Describe the image building process and best practices for keeping images updated.
- 8How would you scale an AppStream fleet to handle a burst of 500 concurrent users who all log in at 9am?
- 9What networking requirements does AppStream have - does it need to be in your VPC?