Cloud desktops in Elastic Desktop Service (EDS) are deployed inside workspaces. Inside a workspace, you can configure cloud desktop settings such as secure office networks, user account systems, and Internet access. This topic describes the terms and features of workspaces.

Secure office networks

A secure office network is the virtual private cloud (VPC) that a workspace uses and is an Alibaba Cloud private network. When you create a workspace, you can specify an IPv4 CIDR block that is contained in a secure office network. The system creates a VPC based on the CIDR block. When you create a cloud desktop in a workspace, the system assigns an IP address to the cloud desktop from the CIDR block that is contained in the workspace VPC. By default, cloud desktops in the same workspace cannot communicate with each other. To enable communication between the cloud desktops, modify the properties of the workspace after it is created.

Notice: Alibaba Cloud maintains the workspace VPC. You cannot modify the CIDR block of the workspace VPC after a workspace is created. The number of IP addresses in the CIDR block of the workspace VPC determines how many cloud desktops you can create. Before you create a workspace, make sure that the CIDR block of the workspace VPC meets your requirements.

Secure office networks are logically isolated from each other. You can create workspaces in different secure office networks based on your requirements. This way, you can manage workspaces in a more efficient and secure manner. If network connectivity is required between workspaces, you can attach the workspaces to Cloud Enterprise Network (CEN) instances. For more information, see Attach a secure office network to or detach a secure office network from a CEN instance.
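Because the CIDR block cannot be changed after the workspace is created, a pre-creation check such as the following can catch an undersized or conflicting block. It is an added example, not Alibaba Cloud code; the reserved-address count, the growth factor, and the rule that networks joined through CEN should not overlap are assumptions that this page does not state.

```python
import ipaddress
import math

# Assumption: addresses in the block that desktops cannot use (placeholder
# value; confirm the platform's actual reserved count before relying on it).
RESERVED_ADDRESSES = 4


def check_workspace_cidr(cidr, planned_desktops, peer_cidrs=None,
                         growth_factor=1.5, reserved=RESERVED_ADDRESSES):
    """Return a list of findings; an empty list means the block passes."""
    try:
        # strict=True rejects blocks with host bits set, e.g. 172.16.0.5/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR {cidr!r}: {exc}"]
    if net.version != 4:
        return [f"{cidr} is not an IPv4 CIDR block"]

    findings = []
    # Capacity: the block is fixed at creation, so size it for growth.
    usable = max(net.num_addresses - reserved, 0)
    needed = math.ceil(planned_desktops * growth_factor)
    if usable < needed:
        findings.append(
            f"{net} has {usable} usable addresses but {needed} are needed "
            f"({planned_desktops} desktops x {growth_factor} growth)")

    # Overlap: assumed requirement for networks later joined through CEN.
    for label, peer in (peer_cidrs or {}).items():
        if net.overlaps(ipaddress.ip_network(peer, strict=False)):
            findings.append(f"{net} overlaps {label} ({peer})")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real deployment.
    peers = {"on-premises AD network": "10.0.0.0/8",
             "existing workspace": "172.16.0.0/24"}
    for cidr, desktops in [("172.16.1.0/24", 100), ("172.16.1.0/24", 200),
                           ("10.1.0.0/16", 100), ("172.16.0.5/24", 10)]:
        result = check_workspace_cidr(cidr, desktops, peers)
        print(cidr, desktops, "OK" if not result else result)
```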

Account systems

The following account systems are provided by EDS:
  • Convenience accounts

    Convenience accounts are used within EDS and are suitable for scenarios in which Active Directory (AD) is not required. You can manage convenience accounts in the EDS console.

  • Enterprise AD accounts
    AD connectors connect to enterprise AD systems to synchronize AD accounts. The AD domain controller is used to centrally manage user permissions and resources.
    Note: You are charged for AD connectors that you use to connect to enterprise AD systems. For more information about the billing of AD connectors, see Billing of AD connectors.

Internet access

If your cloud desktop requires Internet access, you can enable the Internet access feature for the workspace to which your cloud desktop belongs. The system creates a NAT gateway and configures the SNAT feature to enable Internet access. For more information, see Manage Internet access.

Logon settings

Cloud desktops support multi-factor authentication (MFA) and Security Assertion Markup Language (SAML)-based single sign-on (SSO). After you create a workspace, you can enable or disable these features on the workspace details page.
  • MFA

    After MFA is enabled, regular users must enter their usernames and passwords and enter the verification code that is sent to MFA devices to log on to the EDS client. This enhances account security. The first time regular users log on to the EDS client, the regular users must bind an MFA device such as an Alibaba Cloud app to the client. For more information, see Configure MFA.

  • SSO
    After SSO is enabled, mutual trust is required between identity providers (IdPs) such as Active Directory Federation Services (AD FS) and service providers (SPs) such as Alibaba Cloud EDS. After mutual trust is configured, a regular user only needs to pass logon verification at an IdP to log on to the client through SSO. For more information, see the following references:

Note:
  • Changes to the MFA or SSO settings of a workspace apply to all cloud desktops in the workspace.
  • The SSO feature is supported only for workspaces of the enterprise AD account type.

Shared storage

You can create an Apsara File Storage NAS (NAS) file system for each workspace, and cloud desktops in the workspace can share files by using the NAS file system. For more information, see Create a NAS file system.

Freezing mechanism of an idle workspace

If no cloud desktops are created in a workspace of the convenience account type, and the workspace has not been used for 15 days or more, the system freezes the workspace. The system releases VPC resources in the workspace and retains only the workspace ID. If you want to continue using the workspace, you can click the workspace ID on the Overview page and activate it on the workspace details page. When you activate the workspace, the system recreates the VPC resources based on the original configurations.
Note: If you fail to activate the workspace, submit a ticket to contact Alibaba Cloud technical support.

Idle workspaces are not frozen if the following requirements are met:
  • Your workspace is of the enterprise AD account type.
  • Internet access is enabled for your workspace.
  • A CEN instance is attached to your workspace.
  • Access to cloud desktops over a VPC is enabled for your workspace.