{"id":98,"date":"2026-04-12T19:51:54","date_gmt":"2026-04-12T19:51:54","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-workspace-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-end-user-computing\/"},"modified":"2026-04-12T19:51:54","modified_gmt":"2026-04-12T19:51:54","slug":"alibaba-cloud-workspace-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-end-user-computing","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/alibaba-cloud-workspace-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-end-user-computing\/","title":{"rendered":"Alibaba Cloud Workspace Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for End User Computing"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

End User Computing<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Alibaba Cloud Workspace is an End User Computing service designed to deliver managed desktops (and, depending on region\/edition, potentially application access) from Alibaba Cloud to end users through a secure client.<\/p>\n\n\n\n

In simple terms: instead of giving every employee a physical PC that stores business data locally, you create cloud desktops in Alibaba Cloud and let users connect to them from almost any device. The desktop runs in the cloud; the user sees a streamed desktop experience.<\/p>\n\n\n\n

Technically, Alibaba Cloud Workspace is a control plane for provisioning, assigning, and operating cloud desktop resources integrated with Alibaba Cloud networking and identity. You create a \u201cworkspace\/directory\u201d for identities, place desktops into a VPC, define desktop specifications and images, apply policies, and let users connect using a supported client. Administrative access is controlled via Alibaba Cloud RAM (Resource Access Management), while end-user sign-in is typically managed through the directory mechanism provided by Workspace (and can optionally integrate with enterprise identity such as AD\u2014verify in official docs for your region).<\/p>\n\n\n\n

What problem it solves:<\/strong> secure, centrally managed end-user desktops for remote work, contractors, BYOD, regulated environments, and scenarios where you want to keep data in the cloud and simplify endpoint operations.<\/p>\n\n\n\n

\n

Naming note (verify for your region): Alibaba Cloud has used multiple brands for cloud desktops historically (for example, WUYING in some markets). In the international console and documentation, the service is commonly presented as Alibaba Cloud Workspace<\/strong>. Always confirm the exact feature set and supported options from the current official documentation for your selected region.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

2. What is Alibaba Cloud Workspace?<\/h2>\n\n\n\n

Official purpose (service intent):<\/strong> Alibaba Cloud Workspace provides a managed platform to create and deliver cloud desktops to end users with centralized administration, policy control, and cloud-based security boundaries.<\/p>\n\n\n\n

Core capabilities (what it does)<\/h3>\n\n\n\n

At a practical level, Alibaba Cloud Workspace typically enables you to:<\/p>\n\n\n\n

    \n
  • Create and manage cloud desktops (Desktop-as-a-Service)<\/li>\n
  • Organize users through a workspace directory\/identity construct<\/li>\n
  • Assign desktops to users and control user access<\/li>\n
  • Manage desktop \u201cimages\u201d (base OS + patches + apps) and lifecycle (create, start\/stop, rebuild\/replace\u2014exact operations vary)<\/li>\n
  • Integrate with Alibaba Cloud VPC networking to control connectivity<\/li>\n
  • Apply security and operational policies (for example: session controls, peripheral redirection controls, clipboard\/file transfer controls\u2014availability depends on edition\/region; verify in official docs)<\/li>\n
  • Monitor usage and audit administrative actions via Alibaba Cloud governance tools (for example ActionTrail for API auditing; metrics integration may vary\u2014verify in official docs)<\/li>\n<\/ul>\n\n\n\n

    Major components (conceptual model)<\/h3>\n\n\n\n

    While Alibaba Cloud Workspace terminology can vary by region\/edition, most deployments involve:<\/p>\n\n\n\n

      \n
    • Workspace \/ Directory<\/strong>: The identity boundary for end users and desktops. Some consoles present multiple directory types (for example, a simple directory vs. AD integration). <\/li>\n
    • Cloud Desktops<\/strong>: The actual desktop instances users connect to. These desktops have CPU\/memory specs, system disk, data disk, and network placement.<\/li>\n
    • Images<\/strong>: Templates for desktops. Images can be vendor-provided or custom (golden image approach).<\/li>\n
    • Policies<\/strong>: Configuration rules applied to desktops\/users (session, security, device redirection, etc.\u2014verify exact policy catalog).<\/li>\n
    • Clients \/ Access methods<\/strong>: User connection applications and\/or web access options (availability depends on offering; verify in official docs).<\/li>\n
    • Networking (VPC)<\/strong>: Desktops reside in a VPC and subnets\/vSwitches; connectivity is controlled by route tables, security groups, NAT, VPN, or Express Connect.<\/li>\n<\/ul>\n\n\n\n

      Service type<\/h3>\n\n\n\n
        \n
      • Managed End User Computing \/ DaaS<\/strong> control plane with cloud-hosted desktop compute.<\/li>\n
      • Uses Alibaba Cloud infrastructure primitives (VPC, storage, security).<\/li>\n<\/ul>\n\n\n\n

        Scope: regional vs. global<\/h3>\n\n\n\n

        Alibaba Cloud services are generally regional<\/strong>, meaning resources (directories, desktops) are created in a specific region and tied to that region\u2019s networking and capacity.\nVerify<\/strong> the exact resource scope (region-bound vs. global directory concepts) in the official docs for Alibaba Cloud Workspace.<\/p>\n\n\n\n

        How it fits into the Alibaba Cloud ecosystem<\/h3>\n\n\n\n

        Alibaba Cloud Workspace typically connects to:<\/p>\n\n\n\n

          \n
        • VPC<\/strong> for desktop network placement and segmentation<\/li>\n
        • RAM<\/strong> for administrator access control<\/li>\n
        • ActionTrail<\/strong> for audit logging of API events<\/li>\n
        • CloudMonitor<\/strong> (and\/or other monitoring integrations) for operational visibility (verify Workspace\u2019s exact metrics support)<\/li>\n
        • NAT Gateway \/ VPN Gateway \/ Express Connect<\/strong> for controlled outbound internet and private access to on-prem systems<\/li>\n
        • Storage and backup services<\/strong> depending on your user profile strategy (for example, separating OS and user data disks; backing up user data using enterprise tooling\u2014verify supported approaches)<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n

          3. Why use Alibaba Cloud Workspace?<\/h2>\n\n\n\n

          Business reasons<\/h3>\n\n\n\n
            \n
          • Faster onboarding\/offboarding:<\/strong> Create or revoke desktops and access centrally without shipping devices.<\/li>\n
          • Remote work enablement:<\/strong> Users can access corporate desktops from home or while traveling.<\/li>\n
          • Data locality and governance:<\/strong> Keep sensitive data in Alibaba Cloud instead of endpoints.<\/li>\n
          • Contractor\/third-party access:<\/strong> Provide controlled desktops with least-privilege connectivity to internal systems.<\/li>\n<\/ul>\n\n\n\n

            Technical reasons<\/h3>\n\n\n\n
              \n
            • Standardized desktop environments:<\/strong> Use images to keep OS\/app versions consistent.<\/li>\n
            • Elastic capacity model:<\/strong> Add\/remove desktops as headcount changes (commercial terms may be subscription or pay-as-you-go depending on region\/edition; verify pricing model).<\/li>\n
            • Network-controlled access:<\/strong> Put desktops in private subnets; access apps\/databases over private links.<\/li>\n
            • Separation of concerns:<\/strong> Endpoint becomes a \u201cviewer,\u201d while compute and data stay centralized.<\/li>\n<\/ul>\n\n\n\n

              Operational reasons<\/h3>\n\n\n\n
                \n
              • Central patching via golden images:<\/strong> Update once, roll out many.<\/li>\n
              • Reduced endpoint troubleshooting:<\/strong> Many issues become \u201crebuild desktop\u201d or \u201creset image,\u201d depending on how you operate.<\/li>\n
              • Easier policy enforcement:<\/strong> Session and device controls can be applied uniformly (verify policy catalog).<\/li>\n<\/ul>\n\n\n\n

                Security\/compliance reasons<\/h3>\n\n\n\n
                  \n
                • Centralized access control:<\/strong> Admin operations governed by RAM; audit with ActionTrail.<\/li>\n
                • Reduced data exfiltration risk:<\/strong> With correct controls and network isolation, users can be prevented from copying data to local devices (capability varies; verify).<\/li>\n
                • Network segmentation:<\/strong> Put desktops in dedicated VPCs\/subnets, route to approved services only.<\/li>\n
                • Logging and auditability:<\/strong> Stronger audit trail than unmanaged endpoints when configured properly.<\/li>\n<\/ul>\n\n\n\n

                  Scalability\/performance reasons<\/h3>\n\n\n\n
                    \n
                  • Right-sized desktop specs:<\/strong> Pick CPU\/memory profiles per persona (task worker vs power user).<\/li>\n
                  • Regional placement:<\/strong> Put desktops close to end users to reduce latency (subject to region availability).<\/li>\n<\/ul>\n\n\n\n

                    When teams should choose it<\/h3>\n\n\n\n
                      \n
                    • You need managed desktops<\/strong> with centralized provisioning and security controls.<\/li>\n
                    • You have distributed teams<\/strong> or contractors<\/strong> and want cloud-first access patterns.<\/li>\n
                    • You operate in regulated environments<\/strong> where endpoint data storage is risky.<\/li>\n
                    • You want to standardize developer\/test desktops<\/strong> without shipping high-end laptops.<\/li>\n<\/ul>\n\n\n\n

                      When they should not choose it<\/h3>\n\n\n\n
                        \n
                      • Your users need offline-first<\/strong> desktop functionality (cloud desktops require reliable connectivity).<\/li>\n
                      • Your workloads rely heavily on specialized peripherals<\/strong> or low-latency local hardware (some peripherals may not be supported; verify).<\/li>\n
                      • You already have mature VDI tooling (Citrix\/VMware) and the migration cost outweighs benefits.<\/li>\n
                      • You need very specific OS\/app licensing<\/strong> that isn\u2019t compatible with cloud-hosted desktop licensing (verify licensing terms carefully).<\/li>\n<\/ul>\n\n\n\n
                        \n\n\n\n

                        4. Where is Alibaba Cloud Workspace used?<\/h2>\n\n\n\n

                        Industries<\/h3>\n\n\n\n
                          \n
                        • Financial services and insurance (regulated data, controlled access)<\/li>\n
                        • Healthcare (data privacy, controlled workstation access)<\/li>\n
                        • Education (lab desktops, seasonal capacity)<\/li>\n
                        • Retail and customer support (standard agent desktops)<\/li>\n
                        • Media\/design (when GPU profiles are supported\u2014verify GPU availability and performance constraints)<\/li>\n
                        • Manufacturing and logistics (contractor access, shift-based work)<\/li>\n<\/ul>\n\n\n\n

                          Team types<\/h3>\n\n\n\n
                            \n
                          • IT operations \/ workplace engineering<\/li>\n
                          • Security and compliance teams<\/li>\n
                          • Call center and customer support teams<\/li>\n
                          • Development and QA teams (standardized dev\/test machines)<\/li>\n
                          • External vendors\/contractors<\/li>\n<\/ul>\n\n\n\n

                            Workloads<\/h3>\n\n\n\n
                              \n
                            • Office productivity desktops<\/li>\n
                            • CRM\/ERP access desktops<\/li>\n
                            • Secure browser \/ bastion-style desktop access to internal apps<\/li>\n
                            • Developer toolchains (IDE, SDKs) where allowed<\/li>\n
                            • Training labs and ephemeral classroom environments<\/li>\n<\/ul>\n\n\n\n

                              Architectures and deployment contexts<\/h3>\n\n\n\n
                                \n
                              • Private VPC desktops<\/strong> accessing internal apps over VPN\/Express Connect<\/li>\n
                              • Internet-isolated desktops<\/strong> with only whitelisted outbound access via NAT\/proxy<\/li>\n
                              • Multi-OU \/ multi-department<\/strong> separation via different directories or policy groups (exact constructs vary; verify)<\/li>\n
                              • Dev\/test<\/strong>: short-lived desktops for QA and training<\/li>\n
                              • Production<\/strong>: persistent desktops for employees and customer support<\/li>\n<\/ul>\n\n\n\n
                                \n\n\n\n

                                5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                                Below are realistic scenarios you can implement with Alibaba Cloud Workspace. For each, the \u201cwhy it fits\u201d assumes standard DaaS capabilities; validate exact policy\/features in official docs for your edition\/region.<\/p>\n\n\n\n

                                1) Secure remote work desktops for employees<\/h3>\n\n\n\n
                                  \n
                                • Problem:<\/strong> Employees need full desktop access from home, but corporate data must not be stored on personal devices.<\/li>\n
                                • Why this service fits:<\/strong> Data and compute stay in Alibaba Cloud; access is controlled centrally with auditable administration.<\/li>\n
                                • Example:<\/strong> A finance team uses Workspace desktops to access internal accounting apps via VPN from any device.<\/li>\n<\/ul>\n\n\n\n

                                  2) Contractor desktops with time-bound access<\/h3>\n\n\n\n
                                    \n
                                  • Problem:<\/strong> Contractors need access to internal tools temporarily; you must revoke access quickly and prove it in audits.<\/li>\n
                                  • Why this service fits:<\/strong> Provision desktops quickly, assign to contractor accounts, and revoke by disabling accounts and\/or releasing desktops.<\/li>\n
                                  • Example:<\/strong> A vendor gets a desktop for 6 weeks, then the desktop is deprovisioned and access removed.<\/li>\n<\/ul>\n\n\n\n

                                    3) Call center \/ customer support standard desktop<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Support agents need a consistent toolset; endpoint drift causes tickets and downtime.<\/li>\n
                                    • Why this service fits:<\/strong> Golden images and policy-based configuration keep desktops consistent.<\/li>\n
                                    • Example:<\/strong> A support team uses a standardized desktop image with a CRM client and softphone.<\/li>\n<\/ul>\n\n\n\n

                                      4) BYOD enablement without endpoint management sprawl<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> Users bring personal devices; installing management agents on every device is hard and risky.<\/li>\n
                                      • Why this service fits:<\/strong> Workspace can reduce endpoint footprint to just a connection client.<\/li>\n
                                      • Example:<\/strong> A small business allows personal laptops but requires all work to occur inside Workspace desktops.<\/li>\n<\/ul>\n\n\n\n

                                        5) Secure access \u201cjump desktop\u201d for admins (bastion pattern)<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Admins require privileged access to internal systems; direct access from laptops is too risky.<\/li>\n
                                        • Why this service fits:<\/strong> Put admin desktops in a locked-down VPC with strict inbound\/outbound rules.<\/li>\n
                                        • Example:<\/strong> SREs connect to a Workspace desktop and from there to internal ECS instances and databases.<\/li>\n<\/ul>\n\n\n\n

                                          6) Training lab for classes and workshops<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Training needs identical environments that can be reset after each class.<\/li>\n
                                          • Why this service fits:<\/strong> Use an image and provision many desktops for a limited time window.<\/li>\n
                                          • Example:<\/strong> A university provisions 100 desktops for a 2-day cloud course, then removes them.<\/li>\n<\/ul>\n\n\n\n

                                            7) Developer desktops close to cloud-native resources<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Developers face slow performance when building against cloud resources over the internet.<\/li>\n
                                            • Why this service fits:<\/strong> Developers work inside the same region as their cloud resources, reducing latency.<\/li>\n
                                            • Example:<\/strong> A team builds microservices on Alibaba Cloud; developers use Workspace desktops in the same region to access internal repositories and test clusters.<\/li>\n<\/ul>\n\n\n\n

                                              8) M&A integration: fast, isolated desktop access for new users<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> After acquisition, you need to provide access without merging endpoint management immediately.<\/li>\n
                                              • Why this service fits:<\/strong> Workspace provides an isolated environment with controlled connectivity into specific apps.<\/li>\n
                                              • Example:<\/strong> New subsidiary employees receive Workspace desktops that can access only selected internal apps during integration.<\/li>\n<\/ul>\n\n\n\n

                                                9) Data-protection-first desktops for regulated documents<\/h3>\n\n\n\n
                                                  \n
                                                • Problem:<\/strong> Teams handle sensitive documents that must remain within controlled environments.<\/li>\n
                                                • Why this service fits:<\/strong> Centralize files in cloud storage\/internal systems; restrict copy\/paste and file transfer if supported.<\/li>\n
                                                • Example:<\/strong> Legal team works on contracts inside Workspace desktops; outbound access is limited to approved destinations.<\/li>\n<\/ul>\n\n\n\n

                                                  10) Seasonal workforce scaling (retail\/logistics peaks)<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem:<\/strong> Headcount spikes seasonally; buying laptops for short-term staff is wasteful.<\/li>\n
                                                  • Why this service fits:<\/strong> Provision additional desktops temporarily and pay only for the period\/plan used (pricing model varies).<\/li>\n
                                                  • Example:<\/strong> A logistics company adds 300 desktops for a peak season and deprovisions after.<\/li>\n<\/ul>\n\n\n\n

                                                    11) Unified desktop platform for multiple branch offices<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem:<\/strong> Branch offices have inconsistent PC hardware and limited IT support.<\/li>\n
                                                    • Why this service fits:<\/strong> Central IT manages one desktop platform; branches just need a stable network connection.<\/li>\n
                                                    • Example:<\/strong> Retail branches use low-cost thin clients to connect to desktops in the nearest Alibaba Cloud region.<\/li>\n<\/ul>\n\n\n\n

                                                      12) Application compatibility containment<\/h3>\n\n\n\n
                                                        \n
                                                      • Problem:<\/strong> A legacy Windows app must remain available but is unsafe to run on unmanaged endpoints.<\/li>\n
                                                      • Why this service fits:<\/strong> Run the app inside a controlled desktop environment and limit connectivity.<\/li>\n
                                                      • Example:<\/strong> A manufacturing firm runs a legacy ERP client inside Workspace with restricted network egress.<\/li>\n<\/ul>\n\n\n\n
                                                        \n\n\n\n

                                                        6. Core Features<\/h2>\n\n\n\n

                                                        The exact feature list can differ by region, edition, and client type. The items below reflect common, practical capabilities expected from Alibaba Cloud Workspace-style DaaS offerings. Verify availability and limits in the official docs for your region.<\/strong><\/p>\n\n\n\n

                                                        1) Managed cloud desktop provisioning<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does:<\/strong> Creates desktop instances with defined CPU\/memory\/storage specifications.<\/li>\n
                                                        • Why it matters:<\/strong> Standardizes and accelerates desktop rollout.<\/li>\n
                                                        • Practical benefit:<\/strong> New user desktops can be ready in minutes rather than days.<\/li>\n
                                                        • Caveats:<\/strong> Quotas and regional capacity can limit how many desktops you can create at once.<\/li>\n<\/ul>\n\n\n\n

                                                          2) Workspace directory \/ user identity boundary<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does:<\/strong> Provides a place to manage end-user identities for desktop assignment and login, and organizes desktops under a directory\/workspace construct.<\/li>\n
                                                          • Why it matters:<\/strong> Separates end-user identity management from administrator IAM (RAM).<\/li>\n
                                                          • Practical benefit:<\/strong> You can manage users in a way aligned to desktop delivery rather than cloud console access.<\/li>\n
                                                          • Caveats:<\/strong> Integration with enterprise identity systems (e.g., AD) may require additional components and networking; verify supported directory types.<\/li>\n<\/ul>\n\n\n\n

                                                            3) Desktop images (golden image workflow)<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Lets you define desktop templates (OS + applications + configuration).<\/li>\n
                                                            • Why it matters:<\/strong> Repeatability, compliance, and faster patch rollouts.<\/li>\n
                                                            • Practical benefit:<\/strong> Update an image and roll it out to a department.<\/li>\n
                                                            • Caveats:<\/strong> Image lifecycle processes (capture, distribute, version, rollback) vary by platform; plan for testing.<\/li>\n<\/ul>\n\n\n\n

                                                              4) Policy-based management (session + device controls)<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Applies administrative controls to desktops\/users (for example, peripheral redirection, clipboard behavior, file transfer, watermarking, idle timeout\u2014verify<\/strong> which controls are supported).<\/li>\n
                                                              • Why it matters:<\/strong> Reduces data leakage and enforces consistent behavior.<\/li>\n
                                                              • Practical benefit:<\/strong> Restrict USB redirection for high-risk groups; allow it for engineering.<\/li>\n
                                                              • Caveats:<\/strong> Overly strict policies can break legitimate workflows; use tiered personas.<\/li>\n<\/ul>\n\n\n\n

                                                                5) VPC networking integration<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> Places desktops into VPC subnets (vSwitches) and controls connectivity using route tables and security groups.<\/li>\n
                                                                • Why it matters:<\/strong> Networking is the foundation for secure enterprise access (private apps, on-prem integration).<\/li>\n
                                                                • Practical benefit:<\/strong> Desktops can reach internal APIs without exposing them to the internet.<\/li>\n
                                                                • Caveats:<\/strong> Misconfigured routes\/DNS are a top cause of \u201ccan\u2019t reach app\u201d tickets.<\/li>\n<\/ul>\n\n\n\n

                                                                  6) Internet access control (egress governance)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does:<\/strong> Controls whether desktops have direct internet access or must go through NAT\/proxy.<\/li>\n
                                                                  • Why it matters:<\/strong> Prevents unmanaged outbound access and supports compliance requirements.<\/li>\n
                                                                  • Practical benefit:<\/strong> Force all outbound web traffic through a corporate secure web gateway.<\/li>\n
                                                                  • Caveats:<\/strong> If you block internet, you must provide access to OS\/app update sources through controlled paths.<\/li>\n<\/ul>\n\n\n\n

                                                                    7) Administrative access via RAM (IAM)<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does:<\/strong> Uses Alibaba Cloud RAM users\/roles\/policies for administrators managing Workspace resources.<\/li>\n
                                                                    • Why it matters:<\/strong> Least privilege, separation of duties, and auditable admin control.<\/li>\n
                                                                    • Practical benefit:<\/strong> Helpdesk can reset desktops without being able to change network architecture.<\/li>\n
                                                                    • Caveats:<\/strong> Poorly scoped policies lead to over-privileged admins; invest time in custom RAM policies.<\/li>\n<\/ul>\n\n\n\n

                                                                      8) Audit logging (governance)<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does:<\/strong> Captures and records administrative API events (commonly via Alibaba Cloud ActionTrail).<\/li>\n
                                                                      • Why it matters:<\/strong> Compliance and incident response depend on knowing \u201cwho changed what.\u201d<\/li>\n
                                                                      • Practical benefit:<\/strong> Investigate desktop deletions or policy changes with traceable events.<\/li>\n
                                                                      • Caveats:<\/strong> Ensure trails are enabled in all relevant regions and delivered to immutable storage\/log archives.<\/li>\n<\/ul>\n\n\n\n

                                                                        9) Monitoring and operational visibility<\/h3>\n\n\n\n
                                                                          \n
                                                                        • What it does:<\/strong> Provides status\/health for desktops and (depending on integration) metrics and alarms.<\/li>\n
                                                                        • Why it matters:<\/strong> Workspace is user-facing; outages are immediately visible to the business.<\/li>\n
                                                                        • Practical benefit:<\/strong> Alert when many desktops disconnect (could indicate network issues).<\/li>\n
                                                                        • Caveats:<\/strong> Metrics granularity and integration points vary; verify<\/strong> CloudMonitor support and available metrics.<\/li>\n<\/ul>\n\n\n\n

                                                                          10) Lifecycle operations (start\/stop\/rebuild\/restore)<\/h3>\n\n\n\n
                                                                            \n
                                                                          • What it does:<\/strong> Operational actions to manage desktop state and recover from issues.<\/li>\n
                                                                          • Why it matters:<\/strong> Reduces MTTR by allowing quick remediation workflows.<\/li>\n
                                                                          • Practical benefit:<\/strong> Rebuild a corrupted desktop from a known-good image.<\/li>\n
                                                                          • Caveats:<\/strong> Rebuild\/reset operations can cause data loss if user data is stored on the system disk; separate user data where possible.<\/li>\n<\/ul>\n\n\n\n

                                                                            11) Multi-persona desktop sizing<\/h3>\n\n\n\n
                                                                              \n
                                                                            • What it does:<\/strong> Offers multiple desktop specifications for different user profiles.<\/li>\n
                                                                            • Why it matters:<\/strong> Avoid overpaying for all users; avoid underpowered desktops for power users.<\/li>\n
                                                                            • Practical benefit:<\/strong> Finance users get standard desktops; developers get larger memory.<\/li>\n
                                                                            • Caveats:<\/strong> Some apps require GPU or special drivers; confirm supported specs and licensing.<\/li>\n<\/ul>\n\n\n\n

                                                                              12) Client connectivity experience<\/h3>\n\n\n\n
                                                                                \n
                                                                              • What it does:<\/strong> Provides end-user client(s) and connection methods to access desktops.<\/li>\n
                                                                              • Why it matters:<\/strong> User experience drives adoption; the client must be stable and secure.<\/li>\n
                                                                              • Practical benefit:<\/strong> Users can connect from multiple devices where supported.<\/li>\n
                                                                              • Caveats:<\/strong> OS support matrix and feature parity (USB, multi-monitor, audio) differs by client; verify client documentation.<\/li>\n<\/ul>\n\n\n\n
                                                                                \n\n\n\n

                                                                                7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                                High-level architecture<\/h3>\n\n\n\n

                                                                                Alibaba Cloud Workspace typically separates concerns into:<\/p>\n\n\n\n

                                                                                  \n
                                                                                • Control plane:<\/strong> Web console + APIs used by administrators to create directories, desktops, images, and policies.<\/li>\n
                                                                                • Data plane:<\/strong> The streaming\/session path between end-user client and the cloud desktop, plus the desktop\u2019s network access to apps, file shares, and the internet.<\/li>\n
                                                                                • Identity plane:<\/strong> Admin identity via RAM; end-user identity via Workspace directory and\/or enterprise identity integration (verify options).<\/li>\n
                                                                                • Networking plane:<\/strong> VPC, vSwitches, routes, security groups, NAT\/VPN\/Express Connect.<\/li>\n<\/ul>\n\n\n\n

                                                                                  Request\/data\/control flow (typical)<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  1. Admin signs in to Alibaba Cloud console and configures Workspace resources (directory, VPC attachment, images, policies).<\/li>\n
                                                                                  2. Workspace provisions desktops into the configured VPC\/subnets.<\/li>\n
                                                                                  3. Admin assigns desktops to directory users.<\/li>\n
                                                                                  4. End user signs in from a Workspace client using directory credentials (or federated credentials if configured).<\/li>\n
                                                                                  5. A session is established to the assigned desktop; pixels\/inputs stream over the network.<\/li>\n
                                                                                  6. Desktop accesses internal services over VPC routes (VPN\/Express Connect) and optional internet access via NAT\/proxy.<\/li>\n<\/ol>\n\n\n\n

                                                                                    Integrations with related Alibaba Cloud services (common patterns)<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • VPC<\/strong>: required for private networking<\/li>\n
                                                                                    • NAT Gateway<\/strong>: for controlled outbound internet from private subnets<\/li>\n
                                                                                    • VPN Gateway \/ Express Connect<\/strong>: for private connectivity to on-premises<\/li>\n
                                                                                    • RAM<\/strong>: admin access control<\/li>\n
                                                                                    • ActionTrail<\/strong>: audit events for governance<\/li>\n
                                                                                    • Log Service (SLS)<\/strong>: centralized log retention and analysis (commonly used with ActionTrail deliveries)<\/li>\n
                                                                                    • CloudMonitor<\/strong>: alarms and dashboards (verify Workspace integration specifics)<\/li>\n
                                                                                    • KMS<\/strong>: encryption key management in broader architecture (usage depends on Workspace\u2019s encryption model\u2014verify)<\/li>\n<\/ul>\n\n\n\n

                                                                                      Dependency services (design-time dependencies)<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • A VPC with correctly designed IP ranges and subnets<\/li>\n
                                                                                      • DNS strategy for internal domains (especially for AD integration)<\/li>\n
                                                                                      • Egress strategy (NAT\/proxy) if desktops need updates\/internet access<\/li>\n
                                                                                      • Identity design (directory type, password policies, MFA where applicable)<\/li>\n<\/ul>\n\n\n\n

                                                                                        Security\/authentication model (conceptual)<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Administrators:<\/strong> authenticated via Alibaba Cloud account\/RAM, authorized by RAM policies.<\/li>\n
                                                                                        • End users:<\/strong> authenticated via Workspace directory or enterprise identity integration.<\/li>\n
                                                                                        • Network access:<\/strong> controlled by VPC constructs (security groups, routes, ACLs) and any proxy\/NAT.<\/li>\n
                                                                                        • Auditing:<\/strong> admin operations recorded via ActionTrail; user session logging varies\u2014verify.<\/li>\n<\/ul>\n\n\n\n

                                                                                          Networking model (what to plan)<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • IP planning:<\/strong> Allocate enough IPs for desktops and growth; avoid overlapping CIDRs with on-prem if using VPN\/Express Connect.<\/li>\n
                                                                                          • Subnets\/vSwitch:<\/strong> Use separate subnets for different desktop groups (e.g., production vs contractors).<\/li>\n
                                                                                          • Egress:<\/strong> Prefer private-only desktops with egress via NAT\/proxy and strict allowlists.<\/li>\n
                                                                                          • Ingress:<\/strong> Ideally no direct inbound from internet to desktops; users connect via the Workspace access mechanism.<\/li>\n
                                                                                          • Name resolution:<\/strong> If desktops must resolve internal domains, set up DNS forwarding\/resolvers accessible via VPC.<\/li>\n<\/ul>\n\n\n\n

                                                                                            Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Turn on ActionTrail<\/strong> in each region where you run Workspace.<\/li>\n
                                                                                            • Export ActionTrail logs to a centralized log account\/project (where supported) for retention.<\/li>\n
                                                                                            • Define operational alarms around:<\/li>\n
                                                                                            • Desktop provisioning failures<\/li>\n
                                                                                            • Authentication failures (if exposed)<\/li>\n
                                                                                            • Connectivity issues between desktop subnet and required services<\/li>\n
                                                                                            • Tag Workspace-related resources for cost tracking (where tagging is supported).<\/li>\n<\/ul>\n\n\n\n

                                                                                              Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                                              flowchart LR\n  U[End User Device\\nWorkspace Client] -->|Login + Session| WS[Alibaba Cloud Workspace]\n  WS -->|Provision\/Assign| D[Cloud Desktop]\n  D --> VPC[VPC \/ vSwitch Subnet]\n  VPC --> APP[Internal Apps\\n(ECS\/RDS\/etc.)]\n  VPC -->|Optional egress| NAT[NAT\/Proxy]\n  WS --> RAM[RAM (Admin IAM)]\n  WS --> AT[ActionTrail (Audit)]\n<\/code><\/pre>\n\n\n\n
                                                                                              Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                                              flowchart TB\n  subgraph Users\n    U1[Employees]\n    U2[Contractors]\n  end\n\n  subgraph Access\n    C[Workspace Client]\n  end\n\n  subgraph AlibabaCloudRegion[Alibaba Cloud Region]\n    subgraph ControlPlane[Control Plane]\n      WS[Alibaba Cloud Workspace\\nConsole\/API]\n      RAM[RAM\\n(Admin roles\/policies)]\n      AT[ActionTrail]\n      SLS[Log Service (SLS)\\nCentral retention]\n    end\n\n    subgraph Network[VPC]\n      subgraph Subnets\n        S1[Prod Desktop Subnet]\n        S2[Contractor Desktop Subnet]\n      end\n      SG[Security Groups]\n      RT[Route Tables]\n      NAT[NAT Gateway \/ Secure Proxy]\n      VPN[VPN Gateway \/ Express Connect]\n      DNS[DNS \/ Resolver\\n(for internal domains)]\n    end\n\n    subgraph Desktops\n      D1[Prod Cloud Desktops]\n      D2[Contractor Cloud Desktops]\n    end\n\n    subgraph Workloads\n      APP[Internal Web Apps \/ APIs]\n      DB[Databases]\n      FS[File Services]\n    end\n  end\n\n  U1 --> C --> WS\n  U2 --> C --> WS\n\n  WS --> RAM\n  WS --> AT --> SLS\n\n  WS --> D1\n  WS --> D2\n\n  D1 --> S1 --> SG --> RT\n  D2 --> S2 --> SG --> RT\n\n  RT --> VPN --> APP\n  RT --> VPN --> DB\n  RT --> VPN --> FS\n  RT --> NAT\n  S1 --> DNS\n  S2 --> DNS\n<\/code><\/pre>\n\n\n\n
                                                                                              \n\n\n\n
                                                                                              8. Prerequisites<\/h2>\n\n\n\n
                                                                                              Account and billing<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • An active Alibaba Cloud account<\/strong> with billing enabled.<\/li>\n
                                                                                              • A payment method or credit arrangement that can purchase Workspace resources (subscription and\/or pay-as-you-go depending on region\/edition\u2014verify).<\/li>\n<\/ul>\n\n\n\n
                                                                                                Permissions \/ IAM (RAM)<\/h3>\n\n\n\n
                                                                                                You need permissions to:\n– Create\/manage Workspace resources (directories, desktops, images, policies)\n– Create\/manage VPC resources (VPC, vSwitch, security groups, NAT\/VPN if used)\n– View billing and usage<\/p>\n\n\n\n
                                                                                                If your organization uses least privilege, prepare:\n– A RAM admin role for Workspace administration\n– A separate network admin role for VPC\/NAT\/VPN\n– A read-only auditor role for monitoring and ActionTrail review<\/p>\n\n\n\n
                                                                                                \n
                                                                                                Exact RAM actions for Alibaba Cloud Workspace are service-specific; generate policies using the Alibaba Cloud console policy editor or reference the Workspace authorization docs (verify in official docs).<\/p>\n<\/blockquote>\n\n\n\n
                                                                                                Tools<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Web browser for Alibaba Cloud console<\/li>\n
                                                                                                • Workspace client for your end-user OS (download link and OS support matrix: verify in official docs<\/strong>)<\/li>\n
                                                                                                • Optional: Alibaba Cloud CLI (aliyun<\/code>) for general account\/network tasks (Workspace CLI coverage varies; verify)<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Region availability<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Select a region where Alibaba Cloud Workspace<\/strong> is available.<\/li>\n
                                                                                                  • Ensure your users are reasonably close (latency-sensitive).<\/li>\n
                                                                                                  • Verify<\/strong> supported regions and editions in the official product page\/docs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Quotas\/limits<\/h3>\n\n\n\n
                                                                                                      \n
                                                                                                    • Desktop count quota<\/li>\n
                                                                                                    • Directory\/user quota<\/li>\n
                                                                                                    • VPC limits (vSwitch IP capacity)<\/li>\n
                                                                                                    • Any image\/template limits<\/li>\n<\/ul>\n\n\n\n
                                                                                                      Check Alibaba Cloud Quotas<\/strong> and the Workspace console quota pages (if available). If you\u2019re running a pilot, request quota increases early.<\/p>\n\n\n\n
                                                                                                      Prerequisite services<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • VPC<\/strong> (almost always required)<\/li>\n
                                                                                                      • Optional for enterprise connectivity:<\/li>\n
                                                                                                      • NAT Gateway (controlled egress)<\/li>\n
                                                                                                      • VPN Gateway \/ Express Connect (private on-prem connectivity)<\/li>\n
                                                                                                      • DNS\/resolver strategy for internal domains<\/li>\n<\/ul>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                                        Alibaba Cloud Workspace pricing is region- and edition-dependent<\/strong> and often varies by:\n– Desktop specification (CPU, memory)\n– Storage (system disk, data disk type and size)\n– Billing model (subscription vs pay-as-you-go, where available)\n– Optional bundles (network, security, management features)\n– Optional GPU profiles (if offered)\n– Bandwidth\/egress and internet access components\n– Additional supporting services (NAT, VPN, logs, storage, backups)<\/p>\n\n\n\n
                                                                                                        Because exact SKUs and rates change by region and contract terms, do not rely on fixed numbers<\/strong>. Use official pricing sources:<\/p>\n\n\n\n
                                                                                                          \n
                                                                                                        • Product page: https:\/\/www.alibabacloud.com\/product\/workspace  <\/li>\n
                                                                                                        • Pricing page (verify current URL and SKUs): https:\/\/www.alibabacloud.com\/product\/workspace\/pricing  <\/li>\n
                                                                                                        • Alibaba Cloud pricing calculator (if used in your org): https:\/\/www.alibabacloud.com\/pricing<\/li>\n<\/ul>\n\n\n\n
                                                                                                          Pricing dimensions (what you typically pay for)<\/h3>\n\n\n\n
                                                                                                          \n\n\n\n\n\n\n\n\n\n
                                                                                                          Cost Dimension<\/th>\nWhat It Means<\/th>\nPractical Notes<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                          Desktop compute<\/td>\nThe desktop\u2019s CPU\/RAM profile<\/td>\nUsually the main cost driver<\/td>\n<\/tr>\n
                                                                                                          Storage<\/td>\nSystem disk + optional data disk<\/td>\nHigher performance disks cost more<\/td>\n<\/tr>\n
                                                                                                          Internet bandwidth\/egress<\/td>\nPublic internet usage from desktops<\/td>\nOften overlooked; can spike with downloads\/updates<\/td>\n<\/tr>\n
                                                                                                          Network services<\/td>\nNAT Gateway, VPN Gateway, Express Connect<\/td>\nThese can exceed desktop costs in some architectures<\/td>\n<\/tr>\n
                                                                                                          Logging<\/td>\nSLS ingestion\/storage if you centralize audit logs<\/td>\nUseful for compliance; plan retention<\/td>\n<\/tr>\n
                                                                                                          Support<\/td>\nAlibaba Cloud support plan<\/td>\nSome orgs require enterprise support<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                          Free tier<\/h3>\n\n\n\n
                                                                                                          A permanent free tier is not guaranteed<\/strong> for DaaS offerings. Alibaba Cloud sometimes provides trials\/promotions. Verify<\/strong> current trial availability on the product page or the console.<\/p>\n\n\n\n
                                                                                                          Major cost drivers (what usually makes bills high)<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          1. Over-provisioned desktops<\/strong> (too much CPU\/RAM for standard users)<\/li>\n
                                                                                                          2. Always-on desktops<\/strong> (no shutdown schedule; paying for idle capacity depending on billing model)<\/li>\n
                                                                                                          3. Large or high-performance disks<\/strong> for every user<\/li>\n
                                                                                                          4. Uncontrolled internet egress<\/strong> (updates, downloads, streaming)<\/li>\n
                                                                                                          5. Enterprise connectivity<\/strong> (VPN\/Express Connect, NAT)<\/li>\n
                                                                                                          6. Image sprawl<\/strong> (multiple images increases operational overhead; may also affect storage cost depending on how images are stored)<\/li>\n<\/ol>\n\n\n\n
                                                                                                            Hidden\/indirect costs<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Identity integration:<\/strong> AD integration may require domain controllers, DNS, or connectors in VPC.<\/li>\n
                                                                                                            • Operations time:<\/strong> Image maintenance and patching is real work\u2014plan staffing.<\/li>\n
                                                                                                            • Security tooling:<\/strong> Web gateways, EDR, vulnerability scanning, compliance logging (may require additional products).<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Network and data transfer implications<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • If desktops are in private subnets:<\/li>\n
                                                                                                              • Outbound internet often requires NAT Gateway<\/strong> or a proxy.<\/li>\n
                                                                                                              • If users download large files or run frequent updates, egress costs can be material.<\/li>\n
                                                                                                              • If desktops access on-prem apps:<\/li>\n
                                                                                                              • VPN\/Express Connect bandwidth and availability become part of your desktop UX.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                How to optimize cost (practical tactics)<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Persona-based sizing:<\/strong> Define 3\u20135 desktop profiles and map users.<\/li>\n
                                                                                                                • Right-size storage:<\/strong> Keep system disks lean; put user data on separate disks if supported and needed.<\/li>\n
                                                                                                                • Shutdown schedules:<\/strong> Use policies\/automation to stop desktops after hours (depends on billing and feature availability\u2014verify).<\/li>\n
                                                                                                                • Control egress:<\/strong> Route outbound traffic through a proxy with allowlists.<\/li>\n
                                                                                                                • Use a single golden image per persona:<\/strong> Reduce drift and rebuild time.<\/li>\n
                                                                                                                • Pilot with a small group:<\/strong> Validate user experience before scaling.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n
                                                                                                                  A realistic pilot estimate should include:\n– 2\u20135 standard desktops in one region\n– Minimal disk sizes required for OS + office tools\n– No GPU\n– Limited internet egress\n– Logging via ActionTrail (basic)<\/p>\n\n\n\n
                                                                                                                  To estimate:\n1. Open the Workspace pricing page for your region.\n2. Select a standard desktop SKU\/spec.\n3. Add storage and expected usage term.\n4. Add NAT\/VPN only if required.\n5. Add expected log retention costs if centralizing logs.<\/p>\n\n\n\n
                                                                                                                  Example production cost considerations<\/h3>\n\n\n\n
                                                                                                                  For a production rollout (e.g., 300\u20132000 users), budget not only for desktops, but also:\n– At least two network paths (VPN\/Express Connect redundancy)\n– Centralized log retention (ActionTrail \u2192 SLS)\n– Image build pipeline (test desktops, staging OU\/group)\n– Helpdesk operations and incident management\n– Support plan appropriate for a user-facing platform<\/p>\n\n\n\n
                                                                                                                  \n\n\n\n
                                                                                                                  10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                                  This lab is designed to be small, realistic, and low-risk<\/strong>. It focuses on the most common first milestone: provision one cloud desktop and connect to it<\/strong>.<\/p>\n\n\n\n
                                                                                                                  Because Alibaba Cloud Workspace options vary by region\/edition (directory type names, client types, policies), the steps use console-driven choices<\/strong> and tell you what to select when multiple options exist. Always follow the on-screen instructions and cross-check with the official \u201cGetting Started\u201d guide for your region.<\/p>\n\n\n\n
                                                                                                                  Objective<\/h3>\n\n\n\n
                                                                                                                  Provision a basic Alibaba Cloud Workspace environment:\n– Create\/select a VPC and subnet for desktops\n– Create a Workspace directory (simple directory if available)\n– Create one cloud desktop from a standard image\/spec\n– Assign it to a user\n– Connect using the Workspace client\n– Validate network access\n– Clean up resources to avoid ongoing cost<\/p>\n\n\n\n
                                                                                                                  Lab Overview<\/h3>\n\n\n\n
                                                                                                                  You will create:<\/p>\n\n\n\n
                                                                                                                    \n
                                                                                                                  1. VPC + vSwitch<\/strong> for desktop placement  <\/li>\n
                                                                                                                  2. Directory\/Workspace<\/strong> to manage users  <\/li>\n
                                                                                                                  3. Desktop<\/strong> assigned to a test user  <\/li>\n
                                                                                                                  4. Optional: NAT Gateway<\/strong> only if your desktop requires outbound internet (keep it off for minimal cost unless you need updates\/downloads)<\/li>\n<\/ol>\n\n\n\n
                                                                                                                    Expected time: 45\u201390 minutes (depending on region availability and provisioning time)<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 1: Choose a region and confirm service availability<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    1. Sign in to the Alibaba Cloud console.<\/li>\n
                                                                                                                    2. Use the region selector to pick a region close to you.<\/li>\n
                                                                                                                    3. Navigate to Alibaba Cloud Workspace<\/strong> in the console.<\/li>\n
                                                                                                                    4. Confirm you can access the product and create resources in this region.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                      Expected outcome:<\/strong> You can open the Workspace console and see options to create a directory\/workspace and desktops.<\/p>\n\n\n\n
                                                                                                                      If you cannot find Workspace:<\/strong>\n– Check the official product page and supported regions.\n– Verify you\u2019re using the correct Alibaba Cloud international\/China portal for your account.<\/p>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Step 2: Create a dedicated VPC for the lab<\/h3>\n\n\n\n
                                                                                                                      If you already have a suitable VPC, you can reuse it. For a clean lab, create a new one.<\/p>\n\n\n\n
                                                                                                                        \n
                                                                                                                      1. Go to VPC<\/strong> console.<\/li>\n
                                                                                                                      2. Create a VPC, for example:\n   – VPC CIDR: 10.10.0.0\/16<\/code> (choose any non-overlapping range)<\/li>\n
                                                                                                                      3. Create a vSwitch<\/strong> (subnet) in one zone in the same region, for example:\n   – vSwitch CIDR: 10.10.1.0\/24<\/code><\/li>\n<\/ol>\n\n\n\n
                                                                                                                        Expected outcome:<\/strong> You have a VPC and vSwitch ready for desktop placement.<\/p>\n\n\n\n
                                                                                                                        Verification:<\/strong>\n– In the VPC console, confirm the vSwitch status is Available<\/em> and is in the intended zone.<\/p>\n\n\n\n
                                                                                                                        \n\n\n\n
                                                                                                                        Step 3: Create or select a security group strategy<\/h3>\n\n\n\n
                                                                                                                        Alibaba Cloud Workspace may manage security groups automatically or let you choose one, depending on edition.<\/p>\n\n\n\n
                                                                                                                          \n
                                                                                                                        1. In ECS \/ Security Groups<\/strong> (or within Workspace networking settings), create a security group such as sg-workspace-lab<\/code>.<\/li>\n
                                                                                                                        2. Keep inbound rules minimal. In many DaaS models, user connections do not require you to open inbound ports directly to the desktop.<\/li>\n
                                                                                                                        3. Allow outbound traffic as required (default outbound allow is common). If your security baseline requires restriction, plan an outbound proxy.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                          Expected outcome:<\/strong> A security group exists for desktop NICs (if the console asks you to select one).<\/p>\n\n\n\n
                                                                                                                          Caution:<\/strong> Do not expose RDP\/SSH to the public internet unless you have a controlled, temporary reason and strong controls. Most Workspace deployments should avoid direct inbound exposure.<\/p>\n\n\n\n
                                                                                                                          \n\n\n\n
                                                                                                                          Step 4: Create a Workspace directory (identity container)<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          1. In the Alibaba Cloud Workspace<\/strong> console, find Directories \/ Workspaces<\/strong> (exact label varies).<\/li>\n
                                                                                                                          2. Click Create Directory<\/strong> (or equivalent).<\/li>\n
                                                                                                                          3. Choose a directory type:\n   – If you see Simple Directory<\/strong> (or similar), choose it for this lab (lowest operational overhead).\n   – If you only see AD integration options, stop here and follow the official AD integration guide (requires DNS, connectivity, and potentially domain controllers).<\/li>\n
                                                                                                                          4. Select the VPC<\/strong> and vSwitch<\/strong> created earlier.<\/li>\n
                                                                                                                          5. Configure directory details:\n   – Name: workspace-lab-dir<\/code>\n   – DNS settings: use defaults unless the guide requires otherwise<\/li>\n<\/ol>\n\n\n\n
                                                                                                                            Expected outcome:<\/strong> A directory\/workspace is created and in a Running\/Available<\/em> state.<\/p>\n\n\n\n
                                                                                                                            Verification:<\/strong>\n– Directory status shows healthy\/available.\n– The directory is associated with your VPC\/vSwitch.<\/p>\n\n\n\n
                                                                                                                            Common error and fix:<\/strong>\n– Error:<\/strong> \u201cInsufficient IP addresses in vSwitch.\u201d\nFix:<\/strong> Use a larger vSwitch CIDR (e.g., \/23) or create a new vSwitch.<\/p>\n\n\n\n
                                                                                                                            \n\n\n\n
                                                                                                                            Step 5: Create a test end user<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            1. In the Workspace console, locate Users<\/strong> under the directory.<\/li>\n
                                                                                                                            2. Create a user, for example:\n   – Username: labuser1<\/code>\n   – Display name: Lab User 1<\/code>\n   – Email\/phone: as required by the console\n   – Password: set a strong initial password<\/li>\n<\/ol>\n\n\n\n
                                                                                                                              Expected outcome:<\/strong> labuser1<\/code> exists in the directory.<\/p>\n\n\n\n
                                                                                                                              Verification:<\/strong>\n– User appears in the user list and is enabled.<\/p>\n\n\n\n
                                                                                                                              Tip:<\/strong> If your organization requires MFA or password complexity, follow those policies. MFA availability depends on edition\/region\u2014verify.<\/p>\n\n\n\n
                                                                                                                              \n\n\n\n
                                                                                                                              Step 6: Create a cloud desktop<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              1. In Workspace console, go to Desktops<\/strong> \u2192 Create Desktop<\/strong> (wording varies).<\/li>\n
                                                                                                                              2. Select:\n   – Directory: workspace-lab-dir<\/code>\n   – Network: VPC\/vSwitch from earlier<\/li>\n
                                                                                                                              3. Choose an image:\n   – Pick a standard, vendor-provided OS image (Windows or Linux) that is clearly marked as supported.<\/li>\n
                                                                                                                              4. Choose a desktop specification:\n   – Start with a small\/standard profile suitable for office tasks.<\/li>\n
                                                                                                                              5. Choose storage:\n   – Minimum system disk supported by the image\n   – Optional data disk only if needed for the lab<\/li>\n
                                                                                                                              6. Assign the desktop to user:\n   – labuser1<\/code><\/li>\n
                                                                                                                              7. Confirm and create.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                Expected outcome:<\/strong> Desktop provisioning begins; status shows Creating\/Provisioning<\/em> and later Running\/Available<\/em>.<\/p>\n\n\n\n
                                                                                                                                Verification:<\/strong>\n– Desktop appears with an ID and assigned user.\n– Status becomes available\/ready.<\/p>\n\n\n\n
                                                                                                                                Common error and fix:<\/strong>\n– Error:<\/strong> \u201cInsufficient quota.\u201d\nFix:<\/strong> Request quota increase in the Quotas console or reduce requested desktop count\/spec.<\/p>\n\n\n\n
                                                                                                                                \n\n\n\n
                                                                                                                                Step 7: Obtain the client and connection information<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                1. In Workspace console, find Client Download<\/strong> or User Access<\/strong> instructions.<\/li>\n
                                                                                                                                2. Download the Workspace client for your OS.<\/li>\n
                                                                                                                                3. Collect required info:\n   – Login endpoint\/tenant code (if required)\n   – Username and directory name (if required)<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                  Expected outcome:<\/strong> You have a client installed and know how to log in.<\/p>\n\n\n\n
                                                                                                                                  Verification:<\/strong>\n– Client launches successfully.<\/p>\n\n\n\n
                                                                                                                                  \n\n\n\n
                                                                                                                                  Step 8: Connect as the end user<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  1. Open the Workspace client.<\/li>\n
                                                                                                                                  2. Enter the directory\/tenant info if prompted.<\/li>\n
                                                                                                                                  3. Sign in as:\n   – Username: labuser1<\/code>\n   – Password: the one you set<\/li>\n
                                                                                                                                  4. Select the assigned desktop and connect.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                    Expected outcome:<\/strong> You see the cloud desktop session and can interact with the OS.<\/p>\n\n\n\n
                                                                                                                                    Verification inside the desktop:<\/strong>\n– Check OS version and confirm basic responsiveness.\n– Open a browser or terminal (depending on OS) to confirm the environment is functional.<\/p>\n\n\n\n
                                                                                                                                    \n\n\n\n
                                                                                                                                    Step 9: Validate network access (basic)<\/h3>\n\n\n\n
                                                                                                                                    Inside the desktop session:<\/p>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    1. Confirm private IP address is from your VPC CIDR (e.g., 10.10.1.x<\/code>).<\/li>\n
                                                                                                                                    2. If you need internet for the lab:\n   – Try visiting a simple site.\n   – If it fails and you expected it to work, you likely need NAT\/proxy configuration.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                      Expected outcome:<\/strong>\n– Private IP matches VPC subnet.\n– Internet access works only if you designed egress for it.<\/p>\n\n\n\n
                                                                                                                                      Notes on egress design:<\/strong>\n– In many secure setups, desktops do not<\/strong> have direct internet access.\n– If you require controlled internet access, implement NAT Gateway or a corporate proxy and route accordingly.<\/p>\n\n\n\n
                                                                                                                                      \n\n\n\n
                                                                                                                                      Step 10 (Optional): Add controlled internet egress using NAT Gateway<\/h3>\n\n\n\n
                                                                                                                                      Only do this if you need outbound internet (updates, downloads, web browsing for the lab). NAT Gateway adds cost.<\/p>\n\n\n\n
                                                                                                                                      High-level steps (exact steps vary; verify in NAT Gateway docs):\n1. Create a NAT Gateway<\/strong> in the same VPC.\n2. Purchase\/attach an EIP<\/strong> (Elastic IP Address) to the NAT Gateway.\n3. Configure SNAT<\/strong> for the desktop subnet (10.10.1.0\/24<\/code>).\n4. Ensure route tables for the subnet allow traffic to NAT.<\/p>\n\n\n\n
                                                                                                                                      Expected outcome:<\/strong> Desktop can reach the internet via NAT.<\/p>\n\n\n\n
                                                                                                                                      Verification:<\/strong>\n– From desktop, browse to a website.\n– If you have a proxy, verify DNS and proxy rules.<\/p>\n\n\n\n
                                                                                                                                      \n\n\n\n
                                                                                                                                      Validation<\/h3>\n\n\n\n
                                                                                                                                      Use this checklist to validate the lab end-to-end:<\/p>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • [ ] Directory is Available<\/em><\/li>\n
                                                                                                                                      • [ ] labuser1<\/code> exists and is enabled<\/li>\n
                                                                                                                                      • [ ] Desktop is Available\/Running<\/em> and assigned to labuser1<\/code><\/li>\n
                                                                                                                                      • [ ] End-user client can log in successfully<\/li>\n
                                                                                                                                      • [ ] Desktop session opens<\/li>\n
                                                                                                                                      • [ ] Private IP matches VPC subnet<\/li>\n
                                                                                                                                      • [ ] Optional: internet access works only via NAT\/proxy design<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        \n\n\n\n
                                                                                                                                        Troubleshooting<\/h3>\n\n\n\n
                                                                                                                                        Issue: Client login fails<\/h4>\n\n\n\n
                                                                                                                                        Symptoms:<\/strong> Incorrect credentials, tenant code mismatch, or authentication error.\nFixes:<\/strong>\n– Reset labuser1<\/code> password in Workspace console.\n– Verify you are using the correct directory\/tenant identifier.\n– Confirm the directory is healthy\/available.\n– Check whether account lockout policies apply.<\/p>\n\n\n\n
                                                                                                                                        Issue: Desktop stuck in \u201cCreating\u201d<\/h4>\n\n\n\n
                                                                                                                                        Symptoms:<\/strong> Provisioning never completes.\nFixes:<\/strong>\n– Check quotas and regional capacity.\n– Try a different zone\/vSwitch if the product supports multi-zone.\n– Reduce spec or use a more standard image.\n– Review event\/error details in the Workspace console.<\/p>\n\n\n\n
                                                                                                                                        Issue: Desktop connects but cannot reach internal apps<\/h4>\n\n\n\n
                                                                                                                                        Symptoms:<\/strong> App timeouts, DNS failures.\nFixes:<\/strong>\n– Check VPC routes to on-prem (VPN\/Express Connect).\n– Verify DNS resolution for internal domains.\n– Confirm security group egress rules and any NACL rules.<\/p>\n\n\n\n
                                                                                                                                        Issue: No internet access<\/h4>\n\n\n\n
                                                                                                                                        Symptoms:<\/strong> Web browsing fails.\nFixes:<\/strong>\n– Confirm whether desktops are intended to have internet.\n– If yes, configure NAT Gateway SNAT (or proxy) for the subnet.\n– Verify route tables and DNS.<\/p>\n\n\n\n
                                                                                                                                        Issue: Poor performance \/ lag<\/h4>\n\n\n\n
                                                                                                                                        Symptoms:<\/strong> High latency in session.\nFixes:<\/strong>\n– Choose a closer region.\n– Validate user\u2019s local network stability.\n– Increase desktop spec if CPU\/memory is pegged.\n– Check if multi-monitor\/high-res settings exceed network capacity.<\/p>\n\n\n\n
                                                                                                                                        \n\n\n\n
                                                                                                                                        Cleanup<\/h3>\n\n\n\n
                                                                                                                                        To avoid ongoing charges, delete what you created:<\/p>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        1. In Workspace console:\n   – Disconnect sessions.\n   – Delete\/release the desktop (ensure you understand data loss implications).\n   – Delete the test user and directory (if no longer needed).<\/li>\n
                                                                                                                                        2. In VPC console:\n   – Delete NAT Gateway and release EIP (if created).\n   – Delete vSwitch.\n   – Delete VPC.<\/li>\n
                                                                                                                                        3. In logging\/governance:\n   – Keep ActionTrail enabled if required by org policy; otherwise, stop any extra log deliveries you enabled for the lab.<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                          Expected outcome:<\/strong> No active desktops, no NAT\/EIP, and no lab VPC resources remain.<\/p>\n\n\n\n
                                                                                                                                          \n\n\n\n
                                                                                                                                          11. Best Practices<\/h2>\n\n\n\n
                                                                                                                                          Architecture best practices<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Design for personas:<\/strong> Define desktop profiles by job function (task\/knowledge\/power\/GPU\u2014if offered).<\/li>\n
                                                                                                                                          • Separate concerns by subnet:<\/strong> Production employees, contractors, and admin\/jump desktops should live in separate subnets and often separate directories\/policies.<\/li>\n
                                                                                                                                          • Keep desktops private:<\/strong> Avoid direct inbound exposure; rely on Workspace connection mechanisms.<\/li>\n
                                                                                                                                          • Plan IP capacity:<\/strong> Each desktop consumes an IP; plan for peak + growth + maintenance buffers.<\/li>\n
                                                                                                                                          • Standardize images:<\/strong> Use a small set of golden images; version them and test before rollout.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Least privilege RAM roles:<\/strong> Separate Workspace admin from network admin and billing admin.<\/li>\n
                                                                                                                                            • Use MFA for administrators:<\/strong> Enforce MFA for Alibaba Cloud console\/RAM users.<\/li>\n
                                                                                                                                            • Audit everything:<\/strong> Enable ActionTrail and centralize logs to a secure log archive account\/project.<\/li>\n
                                                                                                                                            • Segregate duties:<\/strong> Helpdesk role can do resets but cannot change networking or policies.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Cost best practices<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Right-size early:<\/strong> Measure CPU\/RAM usage before scaling.<\/li>\n
                                                                                                                                              • Avoid idle spend:<\/strong> If billing model charges for running time, implement shutdown schedules (where supported).<\/li>\n
                                                                                                                                              • Control egress:<\/strong> NAT\/proxy + allowlists reduce surprise data transfer costs.<\/li>\n
                                                                                                                                              • Avoid per-user overbuild:<\/strong> Don\u2019t give every user a large data disk \u201cjust in case.\u201d<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Performance best practices<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Pick the right region:<\/strong> User experience is highly latency-sensitive.<\/li>\n
                                                                                                                                                • Test with real workflows:<\/strong> Multi-monitor, video calls, and large IDE builds change requirements.<\/li>\n
                                                                                                                                                • Use appropriate storage performance:<\/strong> If your workload is disk-heavy (compilers, indexing), storage performance matters.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Document restore\/rebuild flows:<\/strong> Know how to recover a broken desktop quickly.<\/li>\n
                                                                                                                                                  • Keep images updated:<\/strong> Patch regularly; avoid long-lived unpatched images.<\/li>\n
                                                                                                                                                  • Plan network redundancy:<\/strong> For on-prem connectivity, design redundant VPN\/Express Connect if Workspace is mission-critical.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Operations best practices<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Define a desktop lifecycle:<\/strong> request \u2192 approve \u2192 provision \u2192 operate \u2192 offboard.<\/li>\n
                                                                                                                                                    • Automate onboarding:<\/strong> If APIs exist and are stable, integrate with ITSM (verify API support).<\/li>\n
                                                                                                                                                    • Centralize logs:<\/strong> ActionTrail + SLS for audit; keep retention aligned with compliance.<\/li>\n
                                                                                                                                                    • Run periodic access reviews:<\/strong> Ensure only active users have desktops.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Tag resources:<\/strong> Department, cost center, environment, owner.<\/li>\n
                                                                                                                                                      • Naming standards:<\/strong> Include region, environment, and persona in names (e.g., cn-hz-prod-hr-standard-001<\/code>).<\/li>\n
                                                                                                                                                      • Document policy intent:<\/strong> A policy named \u201cNo USB\u201d should have a short description and a change record.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        \n\n\n\n
                                                                                                                                                        12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                                        Identity and access model<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Admin access:<\/strong> Use Alibaba Cloud RAM with least privilege. Create separate roles for:<\/li>\n
                                                                                                                                                        • Workspace provisioning<\/li>\n
                                                                                                                                                        • Helpdesk operations<\/li>\n
                                                                                                                                                        • Security\/audit read-only<\/li>\n
                                                                                                                                                        • End-user access:<\/strong> Use the Workspace directory mechanism. If integrating enterprise identity (e.g., AD), ensure:<\/li>\n
                                                                                                                                                        • Secure network path between desktops and identity infrastructure<\/li>\n
                                                                                                                                                        • Strong password policies and lockout policies<\/li>\n
                                                                                                                                                        • MFA where supported (verify)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Encryption<\/h3>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • In transit:<\/strong> Desktop session traffic should be encrypted by the Workspace protocol (verify in official docs).<\/li>\n
                                                                                                                                                          • At rest:<\/strong> Desktop disks are typically encrypted at the storage layer in modern clouds, but encryption controls (default vs optional, customer-managed keys) vary by product and region. Verify Workspace disk encryption options<\/strong> and whether KMS CMKs are supported.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Network exposure<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Keep desktops in private subnets<\/strong>.<\/li>\n
                                                                                                                                                            • Avoid assigning public IPs to desktop NICs.<\/li>\n
                                                                                                                                                            • Use NAT\/proxy for outbound internet; restrict with allowlists.<\/li>\n
                                                                                                                                                            • For internal apps, use private connectivity (VPN\/Express Connect) and restrict routes.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              Secrets handling<\/h3>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Do not hardcode credentials in images.<\/li>\n
                                                                                                                                                              • Use enterprise secrets management for app credentials where possible (outside the desktop image).<\/li>\n
                                                                                                                                                              • Rotate passwords for service accounts used in images.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Enable ActionTrail<\/strong> for administrative auditing.<\/li>\n
                                                                                                                                                                • Centralize logs in Log Service (SLS)<\/strong> with restricted access.<\/li>\n
                                                                                                                                                                • For compliance, ensure log retention meets regulatory requirements.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  • Validate where data is stored:<\/li>\n
                                                                                                                                                                  • Desktop disks in-region<\/li>\n
                                                                                                                                                                  • Logs in-region or centralized<\/li>\n
                                                                                                                                                                  • Confirm whether the service supports compliance needs (ISO, SOC, etc.) via Alibaba Cloud compliance documentation (verify current compliance status).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                    Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • Over-permissive RAM policies (\u201cAdministratorAccess\u201d for everyone)<\/li>\n
                                                                                                                                                                    • Allowing desktops direct inbound access from the internet<\/li>\n
                                                                                                                                                                    • Unrestricted outbound internet without inspection<\/li>\n
                                                                                                                                                                    • Using one shared end-user account for multiple people<\/li>\n
                                                                                                                                                                    • Storing sensitive data on the system disk and then rebuilding desktops (data loss + uncontrolled copies)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                                        \n
                                                                                                                                                                      • Build a zero-trust-ish<\/strong> pattern:<\/li>\n
                                                                                                                                                                      • Private desktops<\/li>\n
                                                                                                                                                                      • Private app endpoints<\/li>\n
                                                                                                                                                                      • Strong identity + MFA<\/li>\n
                                                                                                                                                                      • Auditing and centralized logging<\/li>\n
                                                                                                                                                                      • Use separate directories\/subnets for contractors.<\/li>\n
                                                                                                                                                                      • Implement periodic access review and automated offboarding.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                        \n\n\n\n
                                                                                                                                                                        13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                                        Because exact limits depend on region\/edition, treat these as common \u201cgotchas\u201d and confirm specifics in official documentation.<\/p>\n\n\n\n
                                                                                                                                                                          \n
                                                                                                                                                                        • Region availability:<\/strong> Workspace may not be available in every Alibaba Cloud region.<\/li>\n
                                                                                                                                                                        • Quota constraints:<\/strong> Desktop count and directory limits can block pilots; request quota increases early.<\/li>\n
                                                                                                                                                                        • Latency sensitivity:<\/strong> User experience degrades quickly with higher latency or jitter.<\/li>\n
                                                                                                                                                                        • Peripheral compatibility:<\/strong> USB redirection, printers, scanners, smart cards, and audio\/video can have limitations depending on client and policies\u2014verify support matrix.<\/li>\n
                                                                                                                                                                        • Image management overhead:<\/strong> Golden images require patching, testing, and controlled rollout.<\/li>\n
                                                                                                                                                                        • Egress surprises:<\/strong> If desktops have internet access, bandwidth\/egress can become a cost and security risk.<\/li>\n
                                                                                                                                                                        • Identity integration complexity:<\/strong> AD integration requires DNS correctness and reliable connectivity; misconfiguration causes login failures.<\/li>\n
                                                                                                                                                                        • Licensing nuance:<\/strong> OS and application licensing in virtual desktop environments can be complex\u2014validate licensing terms.<\/li>\n
                                                                                                                                                                        • Data persistence model:<\/strong> If you rebuild\/reset desktops, you may lose data unless it\u2019s stored on persistent disks or external storage\u2014design user profile\/data strategy intentionally.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                          14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                                          Alibaba Cloud Workspace is one option in the End User Computing space. The right choice depends on your cloud strategy, identity\/networking requirements, and operational maturity.<\/p>\n\n\n\n
                                                                                                                                                                          Alternatives within Alibaba Cloud (or self-managed on Alibaba Cloud)<\/h3>\n\n\n\n
                                                                                                                                                                            \n
                                                                                                                                                                          • Self-managed VDI on ECS:<\/strong> Maximum control, but you manage brokering, images, scaling, and security tooling yourself.<\/li>\n
                                                                                                                                                                          • Bastion\/jump servers on ECS:<\/strong> Cheaper for admin access use cases, but not a full desktop delivery platform.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                            Alternatives in other clouds<\/h3>\n\n\n\n
                                                                                                                                                                              \n
                                                                                                                                                                            • AWS WorkSpaces \/ WorkSpaces Web:<\/strong> Mature DaaS options integrated with AWS ecosystem.<\/li>\n
                                                                                                                                                                            • Azure Virtual Desktop (AVD):<\/strong> Strong Microsoft ecosystem integration, but requires careful management of host pools and licensing.<\/li>\n
                                                                                                                                                                            • Google \/ partners:<\/strong> Google\u2019s native offerings differ (often developer-focused workstations); third-party VDI partners fill gaps.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                              Open-source \/ self-managed<\/h3>\n\n\n\n
                                                                                                                                                                                \n
                                                                                                                                                                              • Apache Guacamole + RDP\/SSH<\/strong> to ECS desktops: low-cost remote access, but you manage everything.<\/li>\n
                                                                                                                                                                              • Citrix \/ VMware Horizon<\/strong> on cloud infrastructure: enterprise-grade but complex and often expensive.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                Comparison table<\/h4>\n\n\n\n
                                                                                                                                                                                \n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                                Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                Alibaba Cloud Workspace<\/strong><\/td>\nAlibaba Cloud-first DaaS for managed desktops<\/td>\nIntegrated with Alibaba Cloud VPC\/RAM; centralized desktop management<\/td>\nFeature set varies by region\/edition; latency-sensitive<\/td>\nYou want managed desktops in Alibaba Cloud with centralized control<\/td>\n<\/tr>\n
                                                                                                                                                                                Self-managed VDI on ECS (Alibaba Cloud)<\/td>\nFull customization<\/td>\nMaximum control; flexible images and tooling<\/td>\nHigh ops burden; you build\/operate brokering and scaling<\/td>\nYou need custom protocols\/features not offered by Workspace<\/td>\n<\/tr>\n
                                                                                                                                                                                Jump desktop on ECS (no DaaS)<\/td>\nAdmin\/bastion access<\/td>\nSimple and cheap<\/td>\nNot scalable as EUC platform; weak user lifecycle tooling<\/td>\nSmall admin-only use case, not full workforce<\/td>\n<\/tr>\n
                                                                                                                                                                                AWS WorkSpaces<\/td>\nMulti-region DaaS in AWS<\/td>\nMature ecosystem; many integrations<\/td>\nTied to AWS; cost model differs<\/td>\nYour infra is primarily on AWS<\/td>\n<\/tr>\n
                                                                                                                                                                                Azure Virtual Desktop<\/td>\nMicrosoft-centric enterprises<\/td>\nStrong Windows integration; M365 alignment<\/td>\nCan be complex; licensing nuance<\/td>\nYou are all-in on Microsoft identity and Windows workloads<\/td>\n<\/tr>\n
                                                                                                                                                                                Citrix\/VMware Horizon (partner)<\/td>\nLarge enterprises needing advanced EUC<\/td>\nRich features, mature tooling<\/td>\nExpensive; complex<\/td>\nYou need advanced EUC controls and already have licensing\/skills<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                \n\n\n\n
                                                                                                                                                                                15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                                                Enterprise example: Regulated financial services remote work<\/h3>\n\n\n\n
                                                                                                                                                                                  \n
                                                                                                                                                                                • Problem:<\/strong> A bank needs remote access for 2,000 users with strict audit requirements and minimal data leakage risk.<\/li>\n
                                                                                                                                                                                • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                                                • Alibaba Cloud Workspace desktops in two dedicated subnets (employees vs contractors)<\/li>\n
                                                                                                                                                                                • Private connectivity to on-prem core systems via redundant Express Connect\/VPN<\/li>\n
                                                                                                                                                                                • Outbound internet blocked by default; exceptions via secure proxy with allowlists<\/li>\n
                                                                                                                                                                                • Centralized audit: ActionTrail delivered to SLS with long retention and restricted access<\/li>\n
                                                                                                                                                                                • RAM roles: separate provisioning, helpdesk, network admin, auditor<\/li>\n
                                                                                                                                                                                • Why this service was chosen:<\/strong> Managed DaaS reduces endpoint data risk and accelerates onboarding while keeping desktops close to cloud-hosted apps.<\/li>\n
                                                                                                                                                                                • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                                                • Faster user provisioning<\/li>\n
                                                                                                                                                                                • Improved audit readiness (who changed what, when)<\/li>\n
                                                                                                                                                                                • Reduced data leakage from unmanaged endpoints<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                  Startup\/small-team example: BYOD with secure access to production systems<\/h3>\n\n\n\n
                                                                                                                                                                                    \n
                                                                                                                                                                                  • Problem:<\/strong> A 25-person startup has contractors and BYOD laptops. They need secure access to production dashboards and internal admin tools.<\/li>\n
                                                                                                                                                                                  • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                                                  • One Alibaba Cloud Workspace directory<\/li>\n
                                                                                                                                                                                  • Two desktop personas: standard + power user<\/li>\n
                                                                                                                                                                                  • Private VPC access to internal tools; no public inbound exposure<\/li>\n
                                                                                                                                                                                  • NAT Gateway for limited outbound access (package repositories and updates only)<\/li>\n
                                                                                                                                                                                  • Why this service was chosen:<\/strong> Centralizes security without building a full endpoint management program.<\/li>\n
                                                                                                                                                                                  • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                                                  • Contractors can work securely without receiving corporate laptops<\/li>\n
                                                                                                                                                                                  • Lower operational overhead than self-managed VDI<\/li>\n
                                                                                                                                                                                  • Better security posture for production access<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                    \n\n\n\n
                                                                                                                                                                                    16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                                                    1) Is Alibaba Cloud Workspace the same as a VPN?<\/strong>\nNo. A VPN provides network connectivity. Alibaba Cloud Workspace provides managed cloud desktops. You may still use VPN\/Express Connect for desktops to reach on-prem apps.<\/p>\n\n\n\n
                                                                                                                                                                                    2) Do users need Alibaba Cloud accounts to use Workspace desktops?<\/strong>\nTypically no. End users usually authenticate via the Workspace directory mechanism rather than Alibaba Cloud RAM. Verify user identity model in official docs.<\/p>\n\n\n\n
                                                                                                                                                                                    3) Can I integrate Workspace with Active Directory?<\/strong>\nOften yes in DaaS platforms, but integration method and support vary by region\/edition. Verify the supported directory types and prerequisites (DNS, connectivity, domain controllers).<\/p>\n\n\n\n
                                                                                                                                                                                    4) Can desktops be placed in a private subnet without internet access?<\/strong>\nCommonly yes, and it\u2019s a recommended security posture. If you need updates, use controlled egress via NAT\/proxy or private update sources.<\/p>\n\n\n\n
                                                                                                                                                                                    5) How do I prevent copy\/paste or USB file transfer?<\/strong>\nMany EUC platforms provide policy controls for clipboard and peripheral redirection. Confirm Workspace policy catalog and client support in official docs.<\/p>\n\n\n\n
                                                                                                                                                                                    6) What happens if a desktop is corrupted?<\/strong>\nYou generally use lifecycle operations like rebuild\/restore (names vary) or replace the desktop with a new one from an image. Ensure user data is stored in a persistent way.<\/p>\n\n\n\n
                                                                                                                                                                                    7) Where should user data live\u2014on the system disk or elsewhere?<\/strong>\nAvoid storing important user data only on the system disk if you plan to rebuild. Prefer a persistent data disk or external storage approach aligned with your org (verify best-supported method for Workspace).<\/p>\n\n\n\n
                                                                                                                                                                                    8) Can I use custom images with preinstalled software?<\/strong>\nTypically yes via image creation\/capture workflows. Validate image creation steps and supported OS versions.<\/p>\n\n\n\n
                                                                                                                                                                                    9) How do I size desktops correctly?<\/strong>\nStart with a pilot, monitor CPU\/RAM\/disk usage, and define personas. Overprovisioning is the most common cost mistake.<\/p>\n\n\n\n
                                                                                                                                                                                    10) Is performance good enough for video calls?<\/strong>\nIt depends on region latency, network quality, desktop spec, and client capabilities. Test with real conditions; consider local media optimizations if supported (verify).<\/p>\n\n\n\n
                                                                                                                                                                                    11) Can I restrict desktops to only access internal apps?<\/strong>\nYes through VPC routing and security groups, plus proxy allowlists for any required outbound traffic.<\/p>\n\n\n\n
                                                                                                                                                                                    12) How do I audit administrative actions?<\/strong>\nUse Alibaba Cloud ActionTrail to record Workspace-related API operations and deliver logs to SLS for retention.<\/p>\n\n\n\n
                                                                                                                                                                                    13) Does Workspace support multi-region failover?<\/strong>\nCloud desktops are typically region-bound. Cross-region DR is usually a design pattern (images + automation + identity strategy) rather than an automatic failover. Verify official guidance.<\/p>\n\n\n\n
                                                                                                                                                                                    14) Can I automate provisioning with APIs?<\/strong>\nMany Alibaba Cloud services offer APIs. Confirm Workspace API availability, SDK support, and best practices in official docs before building automation.<\/p>\n\n\n\n
                                                                                                                                                                                    15) What are the first three things to do before a production rollout?<\/strong>\n(1) Validate region latency and user experience, (2) design VPC connectivity + DNS + egress controls, (3) define images\/personas\/policies and an operating model (helpdesk + patch cadence).<\/p>\n\n\n\n
                                                                                                                                                                                    \n\n\n\n
                                                                                                                                                                                    17. Top Online Resources to Learn Alibaba Cloud Workspace<\/h2>\n\n\n\n
                                                                                                                                                                                    Official URLs and exact page names can change. If a link redirects, navigate from the product page to the latest docs.<\/p>\n\n\n\n
                                                                                                                                                                                    \n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                                                    Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                                                    Official product page<\/td>\nAlibaba Cloud Workspace<\/td>\nHigh-level overview, region availability entry point: https:\/\/www.alibabacloud.com\/product\/workspace<\/td>\n<\/tr>\n
                                                                                                                                                                                    Official documentation<\/td>\nAlibaba Cloud Workspace Documentation<\/td>\nCanonical setup\/config guides (verify latest): https:\/\/www.alibabacloud.com\/help\/<\/td>\n<\/tr>\n
                                                                                                                                                                                    Official pricing page<\/td>\nWorkspace Pricing<\/td>\nRegion\/SKU-based pricing details (verify URL): https:\/\/www.alibabacloud.com\/product\/workspace\/pricing<\/td>\n<\/tr>\n
                                                                                                                                                                                    Pricing calculator<\/td>\nAlibaba Cloud Pricing Calculator<\/td>\nEstimate total costs across services: https:\/\/www.alibabacloud.com\/pricing<\/td>\n<\/tr>\n
                                                                                                                                                                                    Governance\/audit<\/td>\nActionTrail Documentation<\/td>\nHow to audit Workspace admin actions: https:\/\/www.alibabacloud.com\/help\/en\/actiontrail<\/td>\n<\/tr>\n
                                                                                                                                                                                    Networking<\/td>\nVPC Documentation<\/td>\nVPC\/subnet\/routing design used by desktops: https:\/\/www.alibabacloud.com\/help\/en\/vpc<\/td>\n<\/tr>\n
                                                                                                                                                                                    Logging<\/td>\nLog Service (SLS) Documentation<\/td>\nCentral log retention and analysis: https:\/\/www.alibabacloud.com\/help\/en\/sls<\/td>\n<\/tr>\n
                                                                                                                                                                                    Architecture center<\/td>\nAlibaba Cloud Architecture Center<\/td>\nReference architectures and patterns: https:\/\/www.alibabacloud.com\/architecture<\/td>\n<\/tr>\n
                                                                                                                                                                                    Video learning<\/td>\nAlibaba Cloud YouTube Channel<\/td>\nProduct overviews and webinars (search \u201cWorkspace\u201d): https:\/\/www.youtube.com\/@AlibabaCloud<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                                                    \n\n\n\n
                                                                                                                                                                                    18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                                                    The providers below are listed as external training options. Always verify current course outlines, instructor credentials, and schedules on their websites.<\/p>\n\n\n\n
                                                                                                                                                                                      \n
                                                                                                                                                                                    1. \n
                                                                                                                                                                                      DevOpsSchool.com<\/strong>\n   – Suitable audience: Cloud engineers, DevOps\/SRE, platform teams, beginners to intermediate\n   – Likely learning focus: Cloud fundamentals, DevOps practices, hands-on labs (verify Workspace coverage)\n   – Mode: Check website\n   – Website: https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                    2. \n
                                                                                                                                                                                      ScmGalaxy.com<\/strong>\n   – Suitable audience: Beginners to intermediate in DevOps\/SCM and tooling\n   – Likely learning focus: SCM\/DevOps foundations and operational practices (verify cloud EUC topics)\n   – Mode: Check website\n   – Website: https:\/\/www.scmgalaxy.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                    3. \n
                                                                                                                                                                                      CLoudOpsNow.in<\/strong>\n   – Suitable audience: Cloud operations teams, cloud administrators\n   – Likely learning focus: Cloud ops, monitoring, cost basics (verify Alibaba Cloud coverage)\n   – Mode: Check website\n   – Website: https:\/\/www.cloudopsnow.in\/<\/p>\n<\/li>\n
                                                                                                                                                                                    4. \n
                                                                                                                                                                                      SreSchool.com<\/strong>\n   – Suitable audience: SREs, reliability\/operations engineers\n   – Likely learning focus: Reliability engineering, monitoring\/incident response (verify EUC relevance)\n   – Mode: Check website\n   – Website: https:\/\/www.sreschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                    5. \n
                                                                                                                                                                                      AiOpsSchool.com<\/strong>\n   – Suitable audience: Operations teams exploring AIOps\n   – Likely learning focus: AIOps concepts, automation, observability (verify Workspace applicability)\n   – Mode: Check website\n   – Website: https:\/\/www.aiopsschool.com\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                      \n\n\n\n
                                                                                                                                                                                      19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                                                      These are trainer-related sites\/platforms to explore. Verify course relevance to Alibaba Cloud Workspace before enrolling.<\/p>\n\n\n\n
                                                                                                                                                                                        \n
                                                                                                                                                                                      1. \n
                                                                                                                                                                                        RajeshKumar.xyz<\/strong>\n   – Likely specialization: DevOps\/cloud training (verify specifics)\n   – Suitable audience: Engineers seeking guided training\n   – Website: https:\/\/rajeshkumar.xyz\/<\/p>\n<\/li>\n
                                                                                                                                                                                      2. \n
                                                                                                                                                                                        devopstrainer.in<\/strong>\n   – Likely specialization: DevOps tooling and cloud operations (verify specifics)\n   – Suitable audience: Beginners to intermediate DevOps learners\n   – Website: https:\/\/www.devopstrainer.in\/<\/p>\n<\/li>\n
                                                                                                                                                                                      3. \n
                                                                                                                                                                                        devopsfreelancer.com<\/strong>\n   – Likely specialization: Freelance DevOps\/cloud consulting and training resources (verify specifics)\n   – Suitable audience: Teams\/individuals needing short-term expertise\n   – Website: https:\/\/www.devopsfreelancer.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                      4. \n
                                                                                                                                                                                        devopssupport.in<\/strong>\n   – Likely specialization: DevOps support and training (verify specifics)\n   – Suitable audience: Teams needing operational guidance\n   – Website: https:\/\/www.devopssupport.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                        \n\n\n\n
                                                                                                                                                                                        20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                                                        These organizations may help with assessment, design, migration, security review, and operational readiness. Confirm service scope and references directly with the vendor.<\/p>\n\n\n\n
                                                                                                                                                                                          \n
                                                                                                                                                                                        1. \n
                                                                                                                                                                                          cotocus.com<\/strong>\n   – Likely service area: Cloud\/DevOps consulting (verify service catalog)\n   – Where they may help: Architecture reviews, implementation support, operational practices\n   – Consulting use case examples: EUC readiness assessment, VPC connectivity design, governance baseline\n   – Website: https:\/\/www.cotocus.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                        2. \n
                                                                                                                                                                                          DevOpsSchool.com<\/strong>\n   – Likely service area: DevOps and cloud consulting\/training (verify service catalog)\n   – Where they may help: Platform rollout planning, IaC\/automation, team enablement\n   – Consulting use case examples: Pilot-to-production plan for Workspace, cost optimization workshop, operations runbooks\n   – Website: https:\/\/www.devopsschool.com\/<\/p>\n<\/li>\n
                                                                                                                                                                                        3. \n
                                                                                                                                                                                          DEVOPSCONSULTING.IN<\/strong>\n   – Likely service area: DevOps consulting services (verify service catalog)\n   – Where they may help: Cloud operations, automation, security posture improvements\n   – Consulting use case examples: Logging\/audit pipeline design, least-privilege IAM, network segmentation strategy\n   – Website: https:\/\/www.devopsconsulting.in\/<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                                          21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                                                          What to learn before Alibaba Cloud Workspace<\/h3>\n\n\n\n
                                                                                                                                                                                            \n
                                                                                                                                                                                          • Alibaba Cloud basics:<\/strong> regions, zones, billing, RAM<\/li>\n
                                                                                                                                                                                          • Networking fundamentals:<\/strong> VPC, subnets (vSwitch), route tables, security groups<\/li>\n
                                                                                                                                                                                          • Identity fundamentals:<\/strong> least privilege, MFA, audit concepts<\/li>\n
                                                                                                                                                                                          • Windows\/Linux administration basics:<\/strong> images, patching, domain join concepts (if using AD)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                            What to learn after<\/h3>\n\n\n\n
                                                                                                                                                                                              \n
                                                                                                                                                                                            • Enterprise connectivity:<\/strong> VPN Gateway, Express Connect, DNS integration patterns<\/li>\n
                                                                                                                                                                                            • Centralized logging:<\/strong> ActionTrail \u2192 SLS, retention and alerting<\/li>\n
                                                                                                                                                                                            • Endpoint\/security controls:<\/strong> proxy patterns, egress allowlisting, DLP concepts (if your org requires)<\/li>\n
                                                                                                                                                                                            • Automation:<\/strong> Infrastructure as Code for VPC and supporting services; Workspace APIs if available and supported<\/li>\n
                                                                                                                                                                                            • Cost management:<\/strong> tagging strategy, budget alerts, usage reviews<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                              Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                                                \n
                                                                                                                                                                                              • Cloud solutions architect<\/li>\n
                                                                                                                                                                                              • Cloud platform engineer<\/li>\n
                                                                                                                                                                                              • DevOps\/SRE (for secure admin environments and operational tooling)<\/li>\n
                                                                                                                                                                                              • Workplace\/End-user computing engineer<\/li>\n
                                                                                                                                                                                              • Security engineer (access control, audit, network segmentation)<\/li>\n
                                                                                                                                                                                              • IT operations\/helpdesk (desktop lifecycle operations)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                                                                Alibaba Cloud certifications evolve and may not be product-specific to Workspace. Use Alibaba Cloud certification learning paths for:\n– Cloud computing fundamentals\n– Security specialty\n– Networking specialty<\/p>\n\n\n\n
                                                                                                                                                                                                Verify<\/strong> current certification offerings on Alibaba Cloud\u2019s official certification portal.<\/p>\n\n\n\n
                                                                                                                                                                                                Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                                                  \n
                                                                                                                                                                                                • Build a persona-based desktop catalog (3 sizes) and document assignment rules.<\/li>\n
                                                                                                                                                                                                • Implement a private-only desktop environment with NAT\/proxy allowlists.<\/li>\n
                                                                                                                                                                                                • Create an image update pipeline (monthly patch cadence) with test\/stage\/prod rollout.<\/li>\n
                                                                                                                                                                                                • Build an audit dashboard from ActionTrail logs in SLS (who created\/deleted desktops).<\/li>\n
                                                                                                                                                                                                • Run a cost review: right-size 20 pilot users based on observed resource usage.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                  \n\n\n\n
                                                                                                                                                                                                  22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                                                    \n
                                                                                                                                                                                                  • End User Computing (EUC):<\/strong> Technologies that deliver desktops\/apps to end users with centralized management.<\/li>\n
                                                                                                                                                                                                  • DaaS (Desktop-as-a-Service):<\/strong> Cloud-hosted, managed virtual desktops delivered over the network.<\/li>\n
                                                                                                                                                                                                  • VPC (Virtual Private Cloud):<\/strong> A logically isolated network in Alibaba Cloud for private IP addressing and routing.<\/li>\n
                                                                                                                                                                                                  • vSwitch:<\/strong> A subnet within a VPC in Alibaba Cloud.<\/li>\n
                                                                                                                                                                                                  • Security Group:<\/strong> Virtual firewall controlling inbound\/outbound traffic for attached resources.<\/li>\n
                                                                                                                                                                                                  • RAM (Resource Access Management):<\/strong> Alibaba Cloud IAM service for users, roles, and policies.<\/li>\n
                                                                                                                                                                                                  • ActionTrail:<\/strong> Alibaba Cloud service for auditing API calls and console actions.<\/li>\n
                                                                                                                                                                                                  • SLS (Log Service):<\/strong> Alibaba Cloud logging platform for log ingestion, storage, search, and analysis.<\/li>\n
                                                                                                                                                                                                  • NAT Gateway:<\/strong> Provides outbound internet access for private subnets and can implement SNAT.<\/li>\n
                                                                                                                                                                                                  • SNAT:<\/strong> Source Network Address Translation\u2014private IPs share a public IP for outbound connections.<\/li>\n
                                                                                                                                                                                                  • Express Connect:<\/strong> Dedicated private connectivity between on-premises and Alibaba Cloud (verify product naming and options).<\/li>\n
                                                                                                                                                                                                  • Golden Image:<\/strong> A standardized OS image with patches and applications used to provision multiple desktops.<\/li>\n
                                                                                                                                                                                                  • Persona:<\/strong> A user category (task worker, knowledge worker, developer) used to standardize desktop sizing and policies.<\/li>\n
                                                                                                                                                                                                  • Least Privilege:<\/strong> Granting only the minimum permissions necessary to perform tasks.<\/li>\n
                                                                                                                                                                                                  • Egress:<\/strong> Outbound network traffic leaving your VPC to the internet or other networks.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                                                    \n\n\n\n
                                                                                                                                                                                                    23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                                                    Alibaba Cloud Workspace is Alibaba Cloud\u2019s End User Computing service for delivering managed cloud desktops with centralized provisioning, policy control, and VPC-based network isolation. It matters because it helps organizations reduce endpoint risk, accelerate onboarding, and standardize desktop environments while keeping data closer to cloud workloads.<\/p>\n\n\n\n
                                                                                                                                                                                                    Cost and security success depends on fundamentals: right-size desktop personas, control egress (NAT\/proxy), enforce least-privilege RAM roles, and enable auditing with ActionTrail (and optionally centralize logs in SLS). Choose Alibaba Cloud Workspace when you want a managed DaaS platform in Alibaba Cloud; avoid it for offline-first needs or highly specialized peripheral workflows without verifying compatibility.<\/p>\n\n\n\n
                                                                                                                                                                                                    Next step: follow the official Alibaba Cloud Workspace getting started documentation for your region, then expand your pilot with identity integration, image lifecycle management, and production-grade networking (VPN\/Express Connect) once the user experience is validated.<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                                                    End User Computing<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2,15],"tags":[],"class_list":["post-98","post","type-post","status-publish","format-standard","hentry","category-alibaba-cloud","category-end-user-computing"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/98","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=98"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/98\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=98"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=98"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=98"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}