Cloud desktops in Elastic Desktop Service (EDS) are deployed in workspaces. You can configure cloud desktop settings such as secure office networks, account systems, and Internet access in a workspace. This topic describes the terms and features of workspaces.

Workspace types

You can deploy cloud desktops in the following types of workspaces:
  • Basic workspace
    Basic workspaces are created by the system. By default, the system provides a basic workspace in each region. If you want to try out EDS, or you require fewer than 50 cloud desktops, we recommend that you use a basic workspace.
    Note: When you create a cloud desktop, you can directly select the basic workspace that the system provides. The name of the basic workspace is default. After you create a cloud desktop in the basic workspace, you can view the information about the basic workspace on the Overview page.
    When you use a basic workspace, take note of the following limits:
    • Each region has only one basic workspace.
    • Only the convenience account system is supported in the basic workspace.
    • The default secure office network is used. You cannot specify a CIDR block for the workspace, or attach the workspace network to a Cloud Enterprise Network (CEN) instance.
    • You can connect to cloud desktops over the Internet or private networks such as virtual private clouds (VPCs).
    • You can create up to 50 cloud desktops in a basic workspace.
    • Only the China (Shanghai) region is supported.
  • Standard workspace

    Standard workspaces are created by administrators. You can specify the secure office network of a standard workspace and select an account system type and a network access mode based on your business requirements. If the basic workspace that is provided by the system cannot meet your business requirements, you can use a standard workspace.

Secure office networks

A secure office network is the VPC that a workspace uses. When you create a workspace, you can specify the IPv4 CIDR block of its secure office network. The system creates a VPC for the workspace based on the CIDR block. When you create a cloud desktop in a workspace, the system assigns an IP address to the cloud desktop from the CIDR block of the workspace VPC. By default, cloud desktops in the same workspace cannot communicate with each other. To enable communication between the cloud desktops, modify the properties of the workspace after the workspace is created.

Notice: Alibaba Cloud maintains the workspace VPC. You cannot modify the CIDR block of the workspace VPC after the workspace is created. The number of cloud desktops that you can create in a workspace varies based on the number of IP addresses in the CIDR block of the workspace VPC. Before you create a workspace, make sure that the CIDR block of the workspace VPC meets your business requirements.
You can set the IPv4 CIDR blocks and their subnets of the workspace VPC to one of the following values:
Note: If you want to use a custom IPv4 CIDR block, submit a ticket.

Secure office networks are logically isolated from each other. You can create workspaces in different secure office networks based on your requirements. This way, you can manage workspaces in a more efficient and secure manner. You can attach workspaces to the same CEN instance to enable network connectivity between the workspaces. For more information, see Attach a workspace VPC to or detach a workspace VPC from a CEN instance.
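
Because the CIDR block cannot be changed after the workspace is created, it is worth checking a plan before creation. The following is an added example, not part of the EDS documentation or tooling: it checks that each planned CIDR block has room for the expected number of cloud desktops and flags overlapping blocks among workspaces that will be attached to the same CEN instance. The workspace names, CEN names, desktop counts and the reserved-address figure are assumptions, as is the premise that overlapping blocks on one CEN instance are a problem.

```python
import ipaddress
from itertools import combinations

# Assumption: addresses in each workspace VPC that cannot go to desktops
# (network/broadcast, gateways, system use). The page does not state a figure.
RESERVED_PER_VPC = 4

# Constructed plan: name -> (candidate CIDR, desktops expected, CEN instance or None)
PLAN = {
    "ws-finance": ("10.10.0.0/24", 180, "cen-example-1"),
    "ws-devs":    ("10.10.0.128/25", 200, "cen-example-1"),
    "ws-lab":     ("192.168.8.0/26", 40, None),
}

def check_plan(plan, reserved=RESERVED_PER_VPC):
    """Return a sorted list of findings to resolve before creating workspaces."""
    findings = []
    nets = {}
    for name, (cidr, desktops, cen) in plan.items():
        # strict=True raises ValueError if the CIDR has host bits set
        net = ipaddress.ip_network(cidr, strict=True)
        nets[name] = (net, cen)
        usable = max(net.num_addresses - reserved, 0)
        if desktops > usable:
            findings.append(
                f"{name}: {cidr} has room for {usable} desktops, {desktops} planned")
    # Only workspaces that share a CEN instance are compared for overlap
    for (a, (na, ca)), (b, (nb, cb)) in combinations(nets.items(), 2):
        if ca is not None and ca == cb and na.overlaps(nb):
            findings.append(f"{a}/{b}: {na} overlaps {nb} on {ca}")
    return sorted(findings)

if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```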

Account systems

EDS provides the following account systems:
  • Convenience accounts

    Convenience accounts are dedicated to EDS. Convenience accounts are suitable for scenarios in which Active Directory (AD) is not required. You can manage convenience accounts in the EDS console.

  • Enterprise AD accounts
    You can synchronize AD accounts by using AD connectors that are connected to enterprise AD systems. You can use AD domain controllers to manage user permissions and resources in a centralized manner.
    Note: When you connect to an enterprise AD system, you are charged for the AD connector that is used. For more information, see Billing of AD connectors.

Internet access

If you want to access the Internet from your cloud desktop, you can enable the Internet access feature for the workspace to which your cloud desktop belongs. The system creates a NAT gateway and configures the SNAT feature to enable Internet access. For more information, see Manage Internet access.

Logon settings

Cloud desktops support multi-factor authentication (MFA) and single sign-on (SSO) features based on Security Assertion Markup Language (SAML). After you create a workspace, you can enable or disable these features on the workspace details page.
  • MFA

    After you enable MFA, a regular user must enter the username, password, and dynamic verification code that is generated on a specified MFA device to log on to the EDS client. This enhances account security. The first time that the regular user logs on to the EDS client, the regular user must bind an MFA device, such as an Alibaba Cloud app, to the client. For more information, see Configure MFA.

  • SSO
    After you enable SSO, mutual trust is required between identity providers (IdPs) such as Active Directory Federation Services (AD FS) and service providers (SPs) such as Alibaba Cloud EDS. After mutual trust is configured, the regular user must pass the logon verification of an IdP to log on to the EDS client and implement SSO. For more information, see the following topics:
  • Client logon verification

    After you enable client logon verification, a regular user is required to enter a verification code to log on to a new client.

  • If you change the settings of MFA, SSO, or client logon verification in a workspace, the changes take effect for all cloud desktops in the workspace.
  • The SSO feature is supported only for workspaces of the enterprise AD account type.

Shared storage

You can create an Apsara File Storage NAS (NAS) file system for each workspace. The cloud desktops in a workspace can share files by using the NAS file system. For more information, see Create a NAS file system.

Freezing mechanism of an idle workspace

If a workspace of the convenience account type has not been used for 15 days or more and no cloud desktops are created in the workspace, the system releases VPC resources in the workspace, freezes the workspace, and then retains only the workspace ID. If you want to continue using the workspace, click the workspace ID on the Overview page and activate the workspace on the workspace details page. When you activate the workspace, the system recreates VPC resources based on the original configurations.
Note: If you fail to activate the workspace, submit a ticket.
Idle workspaces that meet the following requirements are not frozen:
  • Your workspace is of the enterprise AD account type.
  • Internet access is enabled for your workspace.
  • A CEN instance is attached to your workspace.
  • Access to cloud desktops over a private network, such as a VPC, is enabled for your workspace.