This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.
Amazon WorkSpaces is Amazon's cloud virtual desktop service. The network requirements are relatively simple.
You'll need a VPC with two subnets. A public subnet hosts the PCoIP gateway; this gateway is wholly managed by AWS and has an Elastic IP so that the virtual desktops can be reached over the Internet. The other subnet hosts the VDI guests. For those hosts to have Internet access, that subnet must either be a public subnet with public IPs on the hosts, or a private subnet with a NAT instance or NAT gateway. Best practice is to use a NAT gateway.
You can peer the VPC with other VPCs and put other instances, related to WorkSpaces or not, in the same VPC and subnets. You have full control over the networking, and you can apply security groups to the WorkSpaces ENIs just as you normally would.
Identity can come from Simple AD, an AD Connector directory, or Microsoft AD. These can sit in their own VPC peered to the WorkSpaces subnet. The VPC can also be connected to on-prem, either over VPN or Direct Connect.
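The layout above (public subnet with a NAT gateway, private subnet for the desktops, a security group on the desktop ENIs, and a directory the WorkSpaces are registered against) as a Terraform configuration. This is an added example written for these notes, not an AWS or WorkSpaces artifact; the region, CIDR blocks, availability zones, resource names and the `corp.example.com` directory name are constructed values. It uses two private subnets in two availability zones because the WorkSpaces directory registration requires two subnets, and keeps the Simple AD directory in the same VPC rather than a peered one.

```hcl
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

resource "aws_vpc" "workspaces" {
  cidr_block           = "10.0.0.0/16" # constructed CIDR
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "workspaces-vpc" }
}

# Public subnet: has a route to the Internet gateway and hosts the NAT gateway.
resource "aws_subnet" "public" {
  vpc_id            = aws_vpc.workspaces.id
  cidr_block        = "10.0.0.0/24"
  availability_zone = "us-east-1a"
}

# Private subnets for the VDI guests: no public IPs, Internet via NAT only.
resource "aws_subnet" "private_a" {
  vpc_id            = aws_vpc.workspaces.id
  cidr_block        = "10.0.1.0/24"
  availability_zone = "us-east-1a"
}

resource "aws_subnet" "private_b" {
  vpc_id            = aws_vpc.workspaces.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-east-1b"
}

resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.workspaces.id
}

# Elastic IP for the NAT gateway; outbound desktop traffic egresses from here.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

resource "aws_route_table" "public" {
  vpc_id = aws_vpc.workspaces.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

# Private route table: default route points at the NAT gateway, so nothing on
# the Internet can initiate a connection to a desktop.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.workspaces.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private_a" {
  subnet_id      = aws_subnet.private_a.id
  route_table_id = aws_route_table.private.id
}

resource "aws_route_table_association" "private_b" {
  subnet_id      = aws_subnet.private_b.id
  route_table_id = aws_route_table.private.id
}

# Security group attached to the desktop ENIs: egress only. Users reach the
# desktops through the AWS-managed PCoIP gateway, not via an inbound rule here.
resource "aws_security_group" "workspaces" {
  name   = "workspaces-desktops"
  vpc_id = aws_vpc.workspaces.id

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

variable "directory_admin_password" {
  type      = string
  sensitive = true # assumption: supplied out of band, never in source
}

# Simple AD directory providing identity for the desktops.
resource "aws_directory_service_directory" "simple" {
  name     = "corp.example.com" # constructed
  password = var.directory_admin_password
  size     = "Small"
  type     = "SimpleAD"
  vpc_settings {
    vpc_id     = aws_vpc.workspaces.id
    subnet_ids = [aws_subnet.private_a.id, aws_subnet.private_b.id]
  }
}

# Register the directory with WorkSpaces; desktops land in the private subnets
# and get the egress-only security group above.
resource "aws_workspaces_directory" "this" {
  directory_id = aws_directory_service_directory.simple.id
  subnet_ids   = [aws_subnet.private_a.id, aws_subnet.private_b.id]
  workspace_creation_properties {
    custom_security_group_id = aws_security_group.workspaces.id
  }
}
```

The check worth doing after `terraform apply` is that the private route table carries no `igw-` route and the desktop security group has no ingress rules; together those guarantee the desktops are only reachable through the managed PCoIP path and any peered or on-prem networks you deliberately add later.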