# Deployment Environments

The standard way to install the WorkSpaces Manager Appliance is as a single AMI, with all elements deployed via CloudFormation from the AWS Marketplace. This deploys one EC2 instance containing all the services WSM requires to connect to AD and WorkSpaces, including IIS, MS SQL Express and the .NET application.

<figure><img src="/files/1dpnPh2KjUU68x9NJWcT" alt=""><figcaption></figcaption></figure>

WorkSpaces Manager requires access to an existing Active Directory Forest/Domain and can operate in Multi-Domain and Multi-Forest environments. Below are alternative deployment scenarios:

1. **Internal Network Load Balancer (NLB) for Presentation and SSL Offloading**
   * This configuration uses a DNS name (e.g., `wsm.example.com`) to present the portal to users and admins.
   * The DNS record must be resolved internally, and the service is not accessible via the Internet.
2. **External Network Load Balancer (NLB) for Presentation and SSL Offloading**
   * This setup also uses a DNS name (e.g., `wsm.example.com`) to present the portal to users and admins.
   * The DNS record must be resolved externally, and the service is accessible via the Internet (not recommended without a proper security analysis).
3. **Combination of Internal and External Network Load Balancers**
   * Different DNS resolvers or DNS names can be used (e.g., `wsm.example.com` for external access and `wsm.internal.example.com` for internal access).
4. **Independent MS SQL Database**
   * This database can be domain-joined or not and must be reachable from the WorkSpaces Manager Appliance.
   * MS SQL Express is recommended for estates of fewer than 1000 WorkSpaces. WorkSpaces Manager also supports other Microsoft SQL Database Server versions and RDS.
   * The database can run in different scenarios, such as a single availability zone or with read-only replicas in another availability zone.
5. **Combination of the Above Scenarios**
   * For example, the three tiers (application, database, and load balancing) can be split into separate services, such as EC2, RDS, and a Load Balancer.

<figure><img src="/files/XU3QhuOSMEi6ibaYUFa5" alt=""><figcaption></figcaption></figure>

**Presentation Tier Division with Network Load Balancer (NLB) and SSL Certificate Offload**

If we divide the Presentation tier by incorporating a Network Load Balancer (NLB) with SSL Certificate offloading, the architecture will look as follows:

* **Network Load Balancer**
  * The NLB can be deployed in either private or public subnets, depending on the specific requirements.
  * **Recommendation**: Place the NLB in a private subnet for enhanced security.

This setup is the most common implementation we observe among our clients.

<figure><img src="/files/OI600gdplV87SRZceAm8" alt=""><figcaption></figcaption></figure>
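The recommended layout above (an internal NLB terminating TLS in front of the appliance) can be sketched as a CloudFormation template. This is an added example, not the vendor's Marketplace template; the resource names, the parameter names and the backend port of 80 are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Added example, not the vendor's Marketplace template: internal NLB that
  terminates TLS in front of an existing WorkSpaces Manager EC2 instance.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateSubnetIds:
    Type: List<AWS::EC2::Subnet::Id>
    Description: Private subnets only, so the NLB receives no public addresses.
  ApplianceInstanceId:
    Type: AWS::EC2::Instance::Id
  CertificateArn:
    Type: String
    Description: ACM certificate for the portal DNS name (e.g. wsm.example.com).
  AppliancePort:
    Type: Number
    Default: 80  # Assumption: IIS serves plain HTTP behind the offload.
Resources:
  WsmNlb:
    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
    Properties:
      Type: network
      Scheme: internal  # "internet-facing" would be the external scenario.
      Subnets: !Ref PrivateSubnetIds
  WsmTargetGroup:
    Type: AWS::ElasticLoadBalancingV2::TargetGroup
    Properties:
      VpcId: !Ref VpcId
      Protocol: TCP  # TLS ends at the listener; traffic to the instance is plain TCP.
      Port: !Ref AppliancePort
      TargetType: instance
      Targets:
        - Id: !Ref ApplianceInstanceId
  WsmTlsListener:
    Type: AWS::ElasticLoadBalancingV2::Listener
    Properties:
      LoadBalancerArn: !Ref WsmNlb
      Protocol: TLS  # SSL certificate offload happens here.
      Port: 443
      SslPolicy: ELBSecurityPolicy-TLS13-1-2-2021-06  # TLS 1.2 and 1.3 only.
      Certificates:
        - CertificateArn: !Ref CertificateArn
      DefaultActions:
        - Type: forward
          TargetGroupArn: !Ref WsmTargetGroup
Outputs:
  NlbDnsName:
    Value: !GetAtt WsmNlb.DNSName  # Point the internal DNS record at this name.
```

With offloading, the hop from the NLB to the instance is unencrypted inside the VPC. Setting the target group to `Protocol: TLS` on port 443 keeps that hop encrypted if the appliance presents its own certificate.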

**Decoupling the Three Tiers: Separating the Data Tier**

Thirdly, to fully decouple all three tiers, we can separate the data tier by using an RDS database backend. In this setup:

* The **EC2 instance** would host only the .NET application.
* The **Database** would be managed separately on RDS.

Additionally, the database can be deployed in different configurations, such as with read-only replicas for scalability and fault tolerance. Below is an example of a single RDS deployment.

<figure><img src="/files/WXryWMjzj2QJNxlEmiDq" alt=""><figcaption></figcaption></figure>

{% hint style="success" %}
WorkSpaces Manager can also work with the Enterprise version of RDS for greater redundancy and reporting.
{% endhint %}

