

# Example use cases
<a name="examples"></a>

To better understand the application of these principles in different scenarios, let's discuss some example use cases. These use cases are based on how real-world educational institutions are adopting cloud services.
+ [Virtual computer labs](virtual-labs.md)
+ [Predicting student success](student-success.md)
+ [Identity federation and single sign-on](identity-sso.md)
+ [Cloud bursting for research computing](cloud-bursting.md)

# Virtual computer labs
<a name="virtual-labs"></a>

Despite the popularity of web-based learning tools and the abundance of user devices such as laptops, Chromebooks, and tablets, most educational institutions maintain physical computer labs for resource-intensive or legacy applications. These computer labs are often necessities for science, technology, engineering, and math (STEM), career and technical education (CTE), media and art, and similar curricula. Schools can augment or replace physical computer labs with cloud-based virtual desktops or application streaming services to ensure that all students have access to the applications they need at any time, from any place, and on any device. This improves digital equity, enables remote learning, ensures a consistent user experience, and secures remote access while lowering cost.

In primary and secondary (K12) education, many US schools use [Amazon WorkSpaces Applications](https://aws.amazon.com/appstream2/), a fully managed desktop and application streaming service, to deliver virtual computer labs to provide access to Adobe Creative Cloud, Autodesk software, STEM and CTE curricula such as Project Lead the Way (PLTW), and more. Many K12 organizations already manage student single sign-on and file storage through Google Workspace and Google Drive, which are SaaS applications. These institutions can set up single sign-on between Google Workspace and WorkSpaces Applications through SAML 2.0 federation. They can also configure native integration between WorkSpaces Applications and Google Drive so that students can use existing storage. The following diagram illustrates the WorkSpaces Applications deployment for this use case.

![Using Amazon WorkSpaces Applications for a virtual computer lab](http://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-education-hybrid-multicloud/images/virtual-computer-lab.png)

This architecture follows these recommendations:
+ **Select a primary, strategic cloud provider.** This architecture uses cloud services from one primary cloud provider. Although it includes integration with SaaS applications that are not hosted on the same provider, those integrations are done through simple configurations. Cloud expertise and skill sets are necessary only to deploy and manage services from the primary cloud provider.
+ **Differentiate between SaaS applications and foundational cloud services.** Google Workspace and Google Drive are not hosted on the same cloud provider as WorkSpaces Applications, but that is acceptable because this deployment provides the necessary integrations. Single sign-on enables centralized identity management and is securely configured through SAML 2.0. Enabling persistent cloud storage for students requires simple configuration changes in Google Drive and WorkSpaces Applications.
+ **Establish security and governance requirements for each cloud service provider.** The services and integrations used in this architecture help meet an institution's security and governance requirements. Streaming traffic is encrypted. Federation through Google Workspace allows for centralized identity management. Network services such as [Amazon Virtual Private Cloud (Amazon VPC)](https://aws.amazon.com/vpc/) support the configuration of subnets, routing, and firewalls. You can filter content by using DNS configuration, agents, virtual appliances, or managed services such as Amazon Route 53 Resolver DNS Firewall. You can use services such as [AWS Control Tower](https://aws.amazon.com/controltower/) to help ensure that the AWS account that hosts WorkSpaces Applications adheres to standard organizational guardrails and controls.
+ **Adopt cloud-native, managed solutions wherever possible and practical.** WorkSpaces Applications is a managed service for desktop and application streaming. You can stream desktops and applications without worrying about provisioning, scaling, or maintaining servers. You install your applications, connect the appropriate identity, network, and storage solutions, and then centrally manage and stream those applications to your users. This eliminates much of the undifferentiated heavy lifting that would be required to manage your own virtual desktop streaming solution.

# Predicting student success
<a name="student-success"></a>

A Midwest university in the US discovered that a handful of key activities for incoming first-year students was highly predictive of success, both in the student's first semester of classes and in attaining their degree. The university wanted to implement a system that watched for these activities to be completed, and when key deadlines approached or passed, they wanted to encourage students to complete these steps.

The SaaS learning management system (LMS) data was a key input for this solution, but its data proved to be challenging to access and process with the university IT team's data warehousing tools. In addition, the messages to students had to be sent through the school's cloud-based customer relationship management (CRM) system. To build a functional solution and assess the effectiveness of prompts to students, the university had to initiate messages through the CRM and gather data from it.

The university developed and deployed a solution into a single cloud environment. The solution is a mixture of cloud-native managed services, provisioned cloud servers, and integrations with on-premises systems and cloud-based SaaS applications. As the following diagram shows, the solution ingests data from the student information system (SIS), LMS, and CRM into a data lake. It uses this data to identify students who are in jeopardy of missing key activities, initiates messages to them through the CRM, and provides a dashboard to university leadership.

![System for predicting student success](http://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-education-hybrid-multicloud/images/student-success.png)

This architecture follows these recommendations:
+ **Select a primary, strategic cloud provider.** The university's strategic cloud provider houses the entire deployed solution. This enables the IT and business staff to focus on developing skills in a single, integrated set of cloud capabilities.
+ **Differentiate between SaaS applications and foundational cloud services.** The university differentiates between SaaS applications and core cloud analytics services, and uses integrations with the SaaS applications to gather data and initiate the appropriate communications.
+ **Establish security and governance requirements for each cloud service provider.** The university ensures that all components of the architecture are secure by enforcing guardrails and controls, including encryption in transit and at rest, to handle student data appropriately.
+ **Adopt cloud-native, managed solutions wherever possible and practical.** Cloud-native managed services are used for data ingestion, storage, database, and extract, transform, and load (ETL) functionality, which reduces the time to develop the end-to-end data processing workflow.

# Identity federation and single sign-on
<a name="identity-sso"></a>

Ensuring consistent identity management across core systems is key to successfully and securely adopting any technology. Educational institutions are increasingly adopting cloud-based identity and single sign-on solutions such as [AWS IAM Identity Center](https://aws.amazon.com/iam/identity-center/), Microsoft Entra ID (formerly Azure Active Directory), Okta, JumpCloud, OneLogin, Ping Identity, and CyberArk to simplify identity management, lower operational burden, and centrally enforce best practices such as multi-factor authentication and least privilege access.

Many of these institutions still maintain identity management and directory services such as Active Directory and Shibboleth for their on-premises environments. These can be integrated with cloud-based solutions to enable centralized identity management and single sign-on for your students, faculty, and staff. Cloud solution providers should have robust, easy-to-integrate identity management platforms that allow you to federate identities through cloud identity providers to your existing applications, your SaaS solutions, and cloud services. The following diagram shows an example architecture.

![Identity management flow from on-premises systems to AWS services via cloud identity providers](http://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-education-hybrid-multicloud/images/identity-sso.png)

This architecture follows these recommendations:
+ **Select a primary, strategic cloud provider.** This architecture uses AWS as the primary cloud provider. By integrating with a cloud identity provider and existing identity management and directory services on premises, this architecture supports automated provisioning and management of access both to the primary cloud provider's services and to other applications and SaaS solutions. This ensures that security and governance requirements are met in a consistent, easy-to-manage way as more applications and services are added to the institution's technology portfolio.
+ **Differentiate between SaaS applications and foundational cloud services.** This architecture integrates multiple types of cloud-based, SaaS, and on-premises identity systems to provide access to AWS Cloud services and other applications. Many cloud-based identity provider and single sign-on solutions are also SaaS applications, and they can use native integrations and standard protocols such as SAML to work across environments.
+ **Establish security and governance requirements for each cloud service provider.** This architecture adheres to guidance on identity and access management issued by numerous security frameworks, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), NIST 800-171, and NIST 800-53. Integrations with [AWS Organizations](https://aws.amazon.com/organizations/), [AWS Identity and Access Management (IAM)](https://aws.amazon.com/iam/), and other [AWS security, identity, and compliance services](https://aws.amazon.com/products/security/) help provide secure, granular access controls based on group permissions.
+ **Adopt cloud-native, managed services wherever possible and practical.** This architecture uses cloud-based, managed services for identity management and single sign-on. This decreases the time and energy spent on infrastructure management and makes it easier to maintain these critical systems.
+ **Implement hybrid architectures when existing, on-premises investments incentivize continued use.** This architecture integrates existing, on-premises investments in infrastructure for hosting Active Directory, Lightweight Directory Access Protocol (LDAP), and Shibboleth workloads, and provides a path to eventually move core identity services into cloud-based infrastructure. Additionally, if your on-premises workloads need certificate-based access to AWS resources, you can use [AWS Identity and Access Management Roles Anywhere](https://docs.aws.amazon.com/rolesanywhere/latest/userguide/introduction.html).

# Cloud bursting for research computing
<a name="cloud-bursting"></a>

The research computing group at an R1 (Doctoral Universities – Very High Research Activity) research institution in the US had been running on-premises high performance computing (HPC) clusters with the Slurm scheduler for many years. Except for a few weeks of scheduled maintenance, the clusters were running at an 80-95 percent utilization rate, with most of their queues full.

The increasing number of research activities at the institution introduced capacity and capability challenges. A few high-profile researchers were always performing long-running simulations on certain queues, which increased the wait time for other users. Newly hired faculty needed to run large numbers of weather simulations to build a novel artificial intelligence and machine learning (AI/ML) model for weather forecasting, but they required more capacity than was available. The research computing group was also getting more requests for the latest graphics processing units (GPUs) to train machine learning models. Even with funding for new GPUs, the team would need to wait months to get approval for expanding rack space in the data center.

Many researchers were unwilling to delete old data, so local storage capacity was also a challenge. A more scalable, long-term storage option was needed to free up valuable, high-performance storage on premises.

The cloud addresses these challenges with hybrid compute and storage solutions that let you *burst* research computing into the cloud when on-premises capacity isn't enough. The following architecture diagram illustrates a few compute and storage bursting approaches, using tools such as [AWS ParallelCluster](https://aws.amazon.com/hpc/parallelcluster/) and [AWS Storage Gateway](https://aws.amazon.com/storagegateway/).

![Architecture for cloud bursting for research computing](http://docs.aws.amazon.com/prescriptive-guidance/latest/strategy-education-hybrid-multicloud/images/cloud-bursting.png)

This architecture follows these recommendations:
+ **Select a primary, strategic cloud provider.** This architecture uses one primary cloud provider to avoid being restricted by the least common denominator approach. This way, the institution can take advantage of the innovation and native compute and storage services that the primary cloud provider offers. The research computing team can focus on optimizing workloads in the environment provided by the primary cloud provider, not on how to work in different cloud environments.
+ **Establish security and governance requirements for each cloud service provider.** Each service and tool used in this architecture can be configured to meet the research computing team's security and governance requirements, including private connectivity, data encryption in transit and at rest, activity logging, and more.
+ **Adopt cloud-native, managed services wherever possible and practical.** This architecture provides the ability to use managed storage and compute services as well as tools to simplify cluster management. This way, the research computing team doesn't have to worry about managing clusters or underlying infrastructure on their own, which can be complex and time-consuming.
+ **Implement hybrid architectures when existing, on-premises investments incentivize continued use.** This architecture allows the institution to continue using its on-premises resources and take advantage of the cloud to increase capacity and expand computing power on demand. With the cloud, the institution can right-size the compute type to maximize price-performance and access the latest technology to promote innovation without a large upfront investment in additional on-premises hardware.
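As an added illustration (not part of this guide or the institution's deployment), the following AWS ParallelCluster 3 configuration sketches a Slurm burst queue of the kind described above: a GPU queue that scales from zero, runs in a private subnet with no public address, encrypts its volumes, ships node logs to CloudWatch, and mounts an FSx for Lustre file system linked to an S3 bucket so cold data can leave on-premises storage. Subnet IDs, key pair name, bucket name, and instance sizes are placeholders; the key names follow the ParallelCluster configuration schema as assumed here and should be checked against the version you deploy.

```yaml
# Added example: AWS ParallelCluster 3 config for a Slurm burst queue.
# All IDs and names below are placeholders, not values from the guide.
Region: us-east-1
Image:
  Os: alinux2
HeadNode:
  InstanceType: t3.medium
  Networking:
    SubnetId: subnet-PLACEHOLDER-PRIVATE   # private subnet reached over VPN or Direct Connect
    ElasticIp: false                       # no public address; private connectivity only
  Ssh:
    KeyName: KEYPAIR-PLACEHOLDER
  LocalStorage:
    RootVolume:
      Encrypted: true                      # encryption at rest for the head node
  Iam:
    AdditionalIamPolicies:
      - Policy: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore  # session access via SSM, not open SSH
Scheduling:
  Scheduler: slurm
  SlurmQueues:
    - Name: gpu-burst
      CapacityType: ONDEMAND
      Networking:
        SubnetIds:
          - subnet-PLACEHOLDER-PRIVATE
      ComputeSettings:
        LocalStorage:
          RootVolume:
            Encrypted: true                # encryption at rest for compute nodes
      ComputeResources:
        - Name: g5
          InstanceType: g5.xlarge
          MinCount: 0                      # nothing runs (or costs) until jobs are queued
          MaxCount: 8                      # hard cap on burst capacity
SharedStorage:
  - MountDir: /fsx
    Name: scratch
    StorageType: FsxLustre
    FsxLustreSettings:
      StorageCapacity: 1200
      DeploymentType: SCRATCH_2
      ImportPath: s3://BUCKET-PLACEHOLDER/archive   # long-term data lives in S3
      ExportPath: s3://BUCKET-PLACEHOLDER/archive
Monitoring:
  Logs:
    CloudWatch:
      Enabled: true                        # activity logging for cluster nodes
      RetentionInDays: 30
```

On-premises Slurm users submit to this queue the same way they do locally; the cluster grows toward `MaxCount` only while jobs are pending and shrinks back to zero afterward.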