
Amazon WorkSpaces

Administration Guide


Amazon WorkSpaces: Administration Guide

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.


Table of Contents

What is WorkSpaces? ... 1

Features ... 1

Architecture ... 1

Access your WorkSpace ... 2

Pricing ... 3

How to get started ... 3

Get started: Quick Setup ... 4

Before you begin ... 4

What Quick Setup does ... 5

Step 1: Launch the WorkSpace ... 5

Step 2: Connect to the WorkSpace ... 7

Step 3: Clean up (Optional) ... 7

Next steps ... 8

Networking and access ... 9

Protocols for Amazon WorkSpaces ... 9

VPC requirements ... 10

Requirements ... 10

Configure a VPC with private subnets and a NAT gateway ... 10

Configure a VPC with public subnets ... 14

Availability Zones for WorkSpaces ... 17

IP address and port requirements ... 18

Ports for client applications ... 18

Ports for Web Access ... 19

Domains and IP addresses to add to your allow list ... 19

... 25

... 26

Health check servers ... 26

PCoIP gateway servers ... 28

WSP gateway servers ... 30

Network interfaces ... 30

Network requirements ... 34

Trusted devices ... 35

Step 1: Create the certificates ... 36

Step 2: Deploy client certificates to the trusted devices ... 36

Step 3: Configure the restriction ... 36

Smart card authentication ... 37

Requirements ... 37

Limitations ... 38

Directory configuration ... 38

Enable smart cards for Windows WorkSpaces ... 39

Enable smart cards for Linux WorkSpaces ... 40

Internet access ... 44

Security groups ... 45

IP access control groups ... 46

Create an IP access control group ... 47

Associate an IP access control group with a directory ... 47

Copy an IP access control group ... 47

Delete an IP access control group ... 48

PCoIP zero client ... 48

Set up Android for Chromebooks ... 49

Web Access ... 49

Step 1: Enable Web Access to your WorkSpaces ... 49

Step 2: Configure inbound and outbound access to ports for Web Access ... 50

Step 3: Configure Group Policy and security policy settings to enable users to log on ... 50


FIPS endpoint encryption ... 52

Enable SSH connections ... 53

Prerequisites for SSH connections to Amazon Linux WorkSpaces ... 53

Enable SSH connections to all Amazon Linux WorkSpaces in a directory ... 54

Enable SSH connections to a specific Amazon Linux WorkSpace ... 55

Connect to an Amazon Linux WorkSpace using Linux or PuTTY ... 55

Required configuration ... 56

Required routing table configuration ... 57

Required service components ... 56

Directories ... 59

Register a directory ... 60

Update directory details ... 61

Select an organizational unit ... 61

Configure automatic IP addresses ... 62

Control device access ... 63

Manage local administrator permissions ... 63

Update the AD Connector account (AD Connector) ... 63

Multi-factor authentication (AD Connector) ... 64

Update DNS servers for WorkSpaces ... 64

Best practices ... 65

Step 1: Update the DNS server settings on your WorkSpaces ... 65

Step 2: Update the DNS server settings for Active Directory ... 67

Step 3: Test the updated DNS server settings ... 67

Delete a directory ... 69

Enable Amazon WorkDocs for AWS Managed Microsoft AD ... 70

Set up Directory Administration ... 71

Launch a WorkSpace ... 73

Launch using AWS Managed Microsoft AD ... 74

Before you begin ... 74

Step 1: Create an AWS Managed Microsoft AD Directory ... 75

Step 2: Create a WorkSpace ... 75

Step 3: Connect to the WorkSpace ... 76

Next steps ... 77

Launch using Simple AD ... 77

Before you begin ... 77

Step 1: Create a Simple AD directory ... 78

Step 2: Create a WorkSpace ... 79

Step 3: Connect to the WorkSpace ... 79

Next steps ... 80

Launch using AD Connector ... 80

Before you begin ... 81

Step 1: Create an AD Connector ... 81

Step 2: Create a WorkSpace ... 82

Step 3: Connect to the WorkSpace ... 82

Next steps ... 83

Launch using a trusted domain ... 83

Before you begin ... 84

Step 1: Establish a trust relationship ... 84

Step 2: Create a WorkSpace ... 84

Step 3: Connect to the WorkSpace ... 85

Next steps ... 86

Administer WorkSpace users ... 87

Manage WorkSpaces users ... 87

Edit user information ... 87

Add or delete users ... 87

Send an invitation email ... 88

Create multiple WorkSpaces for a user ... 88


Customize how users log in to their WorkSpaces ... 89

Enable self-service WorkSpace management capabilities for your users ... 90

Enable Amazon Connect audio optimization for your users ... 92

Requirements ... 92

Enable Amazon Connect audio optimization ... 92

Update directory's Amazon Connect audio optimization details ... 93

Delete directory's Amazon Connect audio optimization ... 93

Administer your WorkSpaces ... 95

Manage Windows WorkSpaces ... 95

Install the Group Policy administrative template for PCoIP ... 97

Install the Group Policy administrative template files for WSP ... 105

Set the maximum lifetime for a Kerberos ticket ... 113

Configure device proxy server settings for internet access ... 113

Manage your Amazon Linux WorkSpaces ... 113

Control PCoIP Agent behavior on Amazon Linux WorkSpaces ... 114

Enable or disable clipboard redirection for Amazon Linux WorkSpaces ... 114

Enable or disable audio-in redirection for Amazon Linux WorkSpaces ... 115

Enable or disable time zone redirection for Amazon Linux WorkSpaces ... 115

Grant SSH access to Amazon Linux WorkSpaces administrators ... 116

Override the default shell for Amazon Linux WorkSpaces ... 117

Protect custom repositories from unauthorized access ... 117

Use the Amazon Linux Extras Library repository ... 117

Use smart cards for authentication on Linux WorkSpaces ... 117

Manage the running mode ... 117

AutoStop WorkSpaces ... 118

Modify the running mode ... 118

Stop and start an AutoStop WorkSpace ... 119

Modify a WorkSpace ... 119

Change volume sizes ... 120

Change bundle types ... 121

Tag WorkSpaces resources ... 122

WorkSpace maintenance ... 123

Maintenance windows for AlwaysOn WorkSpaces ... 123

Maintenance windows for AutoStop WorkSpaces ... 124

Manual maintenance ... 124

Encrypted WorkSpaces ... 125

Prerequisites ... 125

Limits ... 126

Overview of WorkSpaces encryption using AWS KMS ... 126

WorkSpaces encryption context ... 127

Grant WorkSpaces permission to use a KMS Key on your behalf ... 127

Encrypt a WorkSpace ... 130

View encrypted WorkSpaces ... 131

Reboot a WorkSpace ... 131

Rebuild a WorkSpace ... 131

Restore a WorkSpace ... 132

Upgrade Windows 10 BYOL WorkSpaces ... 133

Prerequisites ... 134

Considerations ... 134

Known limitations ... 135

Summary of registry key settings ... 135

Perform an in-place upgrade ... 136

Troubleshooting ... 138

Update your WorkSpace registry using a PowerShell script ... 138

Migrate a WorkSpace ... 139

Migration limits ... 140

Migration scenarios ... 140


What happens during migration ... 141

Best practices ... 142

Troubleshooting ... 142

How billing is affected ... 142

Migrating a WorkSpace ... 143

Delete a WorkSpace ... 143

Bundles and images ... 145

Create a custom image and bundle ... 145

Requirements to create Windows custom images ... 146

Requirements to create Amazon Linux custom images ... 146

Best practices ... 147

(Optional) Step 1: Specify a custom computer name format for your image ... 148

Step 2: Run the Image Checker ... 149

Step 3: Create a custom image and custom bundle ... 155

What's included with Windows WorkSpaces custom images ... 156

What's included with Amazon Linux WorkSpace custom images ... 157

Update a custom bundle ... 158

Copy a custom image ... 158

Share or unshare a custom image ... 160

Delete a custom bundle or image ... 161

Delete a bundle ... 162

Delete an image ... 162

Bring Your Own Windows desktop licenses ... 162

Requirements ... 163

Windows versions supported for BYOL ... 164

Add Microsoft Office to Your BYOL image ... 164

Step 1: Check the eligibility of your account for BYOL using the Amazon WorkSpaces console ... 168

Step 2: Enable BYOL for your account for BYOL using the Amazon WorkSpaces console ... 168

Step 3: Run the BYOL Checker PowerShell script on a Windows VM ... 169

Step 4: Export the VM from your virtualization environment ... 170

Step 5: Import the VM as an image into Amazon EC2 ... 171

Step 6: Create a BYOL image using the WorkSpaces console ... 171

Step 7: Create a custom bundle from the BYOL image ... 172

Step 8: Register a dedicated directory for WorkSpaces ... 172

Step 9: Launch your BYOL WorkSpaces ... 173

Monitor your WorkSpaces ... 174

Monitor using CloudWatch metrics ... 174

WorkSpaces metrics ... 174

Dimensions for WorkSpaces metrics ... 177

Monitoring example ... 177

Monitor using CloudWatch Events ... 178

WorkSpaces events ... 179

Create a rule to handle WorkSpaces events ... 180

Understanding AWS sign-in events for smart card users ... 180

Example events for AWS sign-in scenarios ... 181

Business continuity ... 186

Cross-Region redirection ... 186

Prerequisites ... 187

Limitations ... 188

Step 1: Create connection aliases ... 188

(Optional) Step 2: Share a connection alias with another account ... 189

Step 3: Associate connection aliases with directories in each Region ... 189

Step 4: Configure your DNS service and set up DNS routing policies ... 190

Step 5: Send the connection string to your WorkSpaces users ... 193

What happens during cross-Region redirection ... 194

Disassociate a connection alias from a directory ... 194

Unshare a connection alias ... 194


Delete a connection alias ... 195

IAM permissions to associate and disassociate connection aliases ... 195

Security considerations if you stop using cross-Region redirection ... 196

Security ... 197

Data protection ... 197

Encryption at rest ... 198

Encryption in transit ... 198

Identity and access management ... 198

Creating the workspaces_DefaultRole Role ... 202

Specify WorkSpaces resources in an IAM policy ... 203

Compliance validation ... 206

Resilience ... 207

Infrastructure security ... 207

Network isolation ... 207

Isolation on physical hosts ... 208

Authorization of corporate users ... 208

Make Amazon WorkSpaces API requests through a VPC interface endpoint ... 208

Create a VPC endpoint policy for Amazon WorkSpaces ... 209

Connect your private network to your VPC ... 210

Update management ... 210

Amazon WAM ... 210

Troubleshooting ... 211

Enabling advanced logging ... 211

Troubleshoot specific issues ... 212

I can't create an Amazon Linux WorkSpace because there are non-valid characters in the user name ... 214

I changed the shell for my Amazon Linux WorkSpace and now I can't provision a PCoIP session ... 214

My Amazon Linux WorkSpaces won't start ... 214

Launching WorkSpaces in my connected directory often fails ... 215

Launching WorkSpaces fails with an internal error ... 215

When I try to register a directory, the registration fails and leaves the directory in an ERROR state ... 215

My users can't connect to a Windows WorkSpace with an interactive logon banner ... 216

My users can't connect to a Windows WorkSpace ... 216

My users are having issues when they try to log on to WorkSpaces from WorkSpaces Web Access ... 217

The Amazon WorkSpaces client displays a gray "Loading..." screen for a while before returning to the login screen. No other error message appears. ... 217

My users receive the message "WorkSpace Status: Unhealthy. We were unable to connect you to your WorkSpace. Please try again in a few minutes." ... 217

My users receive the message "This device is not authorized to access the WorkSpace. Please contact your administrator for assistance." ... 218

My users receive the message "No network. Network connection lost. Check your network connection or contact your administrator for help." when trying to connect to a WSP WorkSpace ... 218

The WorkSpaces client gives my users a network error, but they are able to use other network-enabled apps on their devices ... 218

My WorkSpace users see the following error message: "Device can't connect to the registration service. Check your network settings." ... 220

My PCoIP zero client users are receiving the error "The supplied certificate is invalid due to timestamp" ... 220

USB printers and other USB peripherals aren't working for PCoIP zero clients ... 220

My users skipped updating their Windows or macOS client applications and aren't getting prompted to install the latest version ... 221

My users are unable to install the Android client application on their Chromebooks ... 221

My users aren't receiving invitation emails or password reset emails ... 221

My users don't see the Forgot password? option on the client login screen ... 222


I receive the message "The system administrator has set policies to prevent this installation" when I try to install applications on a Windows WorkSpace ... 222

No WorkSpaces in my directory can connect to the internet ... 222

My WorkSpace has lost its internet access ... 222

I receive a "DNS unavailable" error when I try to connect to my on-premises directory ... 223

I receive a "Connectivity issues detected" error when I try to connect to my on-premises directory ... 223

I receive an "SRV record" error when I try to connect to my on-premises directory ... 223

My Windows WorkSpace goes to sleep when it's left idle ... 224

One of my WorkSpaces has a state of UNHEALTHY ... 224

My WorkSpace is unexpectedly crashing or rebooting ... 225

The same username has more than one WorkSpace, but the user can log in to only one of the WorkSpaces ... 227

I'm having trouble using Docker with Amazon WorkSpaces ... 228

I receive ThrottlingException errors to some of my API calls ... 228

My WorkSpace keeps disconnecting when I let it run in the background ... 229

Quotas ... 230

Document history ... 232

Earlier Updates ... 235


What is Amazon WorkSpaces?

Amazon WorkSpaces enables you to provision virtual, cloud-based Microsoft Windows or Amazon Linux desktops for your users, known as WorkSpaces. WorkSpaces eliminates the need to procure and deploy hardware or install complex software. You can quickly add or remove users as your needs change. Users can access their virtual desktops from multiple devices or web browsers.

For more information, see Amazon WorkSpaces.

Features

• Choose your operating system (Windows or Amazon Linux) and select from a range of hardware configurations, software configurations, and AWS Regions. For more information, see Amazon WorkSpaces Bundles and the section called “Create a custom image and bundle” (p. 145).

• Choose your protocol: PCoIP or WorkSpaces Streaming Protocol (WSP). For more information, see Protocols for Amazon WorkSpaces (p. 9).

• Connect to your WorkSpace and pick up from right where you left off. WorkSpaces provides a persistent desktop experience.

• WorkSpaces provides the flexibility of either monthly or hourly billing for WorkSpaces. For more information, see WorkSpaces Pricing.

• Deploy and manage applications for your Windows WorkSpaces by using Amazon WorkSpaces Application Manager (Amazon WAM).

• For Windows desktops, you can bring your own licenses and applications, or purchase them from the AWS Marketplace for Desktop Apps.

• Create a standalone managed directory for your users, or connect your WorkSpaces to your on-premises directory so that your users can use their existing credentials to obtain seamless access to corporate resources. For more information, see Directories (p. 59).

• Use the same tools to manage WorkSpaces that you use to manage on-premises desktops.

• Use multi-factor authentication (MFA) for additional security.

• Use AWS Key Management Service (AWS KMS) to encrypt data at rest, disk I/O, and volume snapshots.

• Control the IP addresses from which users are allowed to access their WorkSpaces.

Architecture

For both Windows and Amazon Linux WorkSpaces, each WorkSpace is associated with a virtual private cloud (VPC), and a directory to store and manage information for your WorkSpaces and users. For more information, see the section called “VPC requirements” (p. 10). Directories are managed through the AWS Directory Service, which offers the following options: Simple AD, AD Connector, or AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD. For more information, see the AWS Directory Service Administration Guide.

WorkSpaces uses your Simple AD, AD Connector, or AWS Managed Microsoft AD directory to authenticate users. Users access their WorkSpaces by using a client application from a supported device or, for Windows WorkSpaces, a web browser, and they log in by using their directory credentials. The login information is sent to an authentication gateway, which forwards the traffic to the directory for the WorkSpace. After the user is authenticated, streaming traffic is initiated through the streaming gateway.


Client applications use HTTPS over port 443 for all authentication and session-related information.

Client applications use port 4172 (PCoIP) and port 4195 (WSP) for pixel streaming to the WorkSpace and ports 4172 and 4195 for network health checks. For more information, see Ports for client applications (p. 18).

Each WorkSpace has two elastic network interfaces associated with it: a network interface for management and streaming (eth0) and a primary network interface (eth1). The primary network interface has an IP address provided by your VPC, from the same subnets used by the directory. This ensures that traffic from your WorkSpace can easily reach the directory. Access to resources in the VPC is controlled by the security groups assigned to the primary network interface. For more information, see Network interfaces (p. 30).

The following diagram shows the architecture of WorkSpaces.

For additional architecture diagrams, see the Best Practices for Deploying Amazon WorkSpaces whitepaper.

Access your WorkSpace

You can connect to your WorkSpaces by using the client application for a supported device or, for Windows WorkSpaces, by using a supported web browser on a supported operating system.

Note

You cannot use a web browser to connect to Amazon Linux WorkSpaces.

There are client applications for the following devices:

• Windows computers

• macOS computers

• Ubuntu Linux 18.04 computers

• Chromebooks

• iPads

• Android devices

• Fire tablets


• Zero client devices (Teradici zero client devices are supported only with PCoIP.)

On Windows, macOS, and Linux PCs, you can use the following web browsers to connect to Windows WorkSpaces:

• Chrome 53 and later (Windows and macOS only)

• Firefox 49 and later

For more information, see WorkSpaces Clients in the Amazon WorkSpaces User Guide.

Pricing

After you sign up for AWS, you can get started with WorkSpaces for free using the WorkSpaces free tier offer. For more information, see WorkSpaces Pricing.

With WorkSpaces, you pay only for what you use. You are charged based on the bundle and the number of WorkSpaces that you launch. The pricing for WorkSpaces includes the use of Simple AD and AD Connector but not the use of AWS Managed Microsoft AD.

WorkSpaces provides monthly or hourly billing for WorkSpaces. With monthly billing, you pay a fixed fee for unlimited usage, which is best for users who use their WorkSpaces full time. With hourly billing, you pay a small fixed monthly fee per WorkSpace, plus a low hourly rate for each hour the WorkSpace is running. For more information, see WorkSpaces Pricing.

For information about supported regions, see WorkSpaces Pricing.

How to get started

To create a WorkSpace, try one of the following tutorials:

• Get started with WorkSpaces Quick Setup (p. 4)

• Launch a WorkSpace using AWS Managed Microsoft AD (p. 74)

• Launch a WorkSpace using Simple AD (p. 77)

• Launch a WorkSpace using AD Connector (p. 80)

• Launch a WorkSpace using a trusted domain (p. 83)

You might also want to explore these resources to learn more about Amazon WorkSpaces:

• Implementation guide: Provision Desktops in the Cloud

• Amazon WorkSpaces resources — whitepapers, blog posts, webinars, re:Invent sessions, and more

• Amazon WorkSpaces FAQs


Get started with WorkSpaces Quick Setup

In this tutorial, you learn how to provision a virtual, cloud-based Microsoft Windows or Amazon Linux desktop, known as a WorkSpace, by using WorkSpaces and AWS Directory Service.

This tutorial uses the Quick Setup option to launch your WorkSpace. This option is available only if you have never launched a WorkSpace. Alternatively, see Launch a virtual desktop using WorkSpaces (p. 73).

Note

Quick Setup is supported in the following AWS Regions:

• US East (N. Virginia)

• US West (Oregon)

• Europe (Ireland)

• Asia Pacific (Singapore)

• Asia Pacific (Sydney)

• Asia Pacific (Tokyo)

To change your Region, see Choosing a Region.

Tasks

• Before you begin (p. 4)

• What Quick Setup does (p. 5)

• Step 1: Launch the WorkSpace (p. 5)

• Step 2: Connect to the WorkSpace (p. 7)

• Step 3: Clean up (Optional) (p. 7)

• Next steps (p. 8)

Before you begin

Before you begin, make sure that you meet the following requirements:

• You must have an AWS account to create or administer a WorkSpace. Users do not need an AWS account to connect to and use their WorkSpaces.

• WorkSpaces is not available in every Region. Verify the supported Regions and select a Region for your WorkSpaces. For more information about the supported Regions, see WorkSpaces Pricing by AWS Region.

It's also helpful to review and understand the following concepts before you proceed:


• When you launch a WorkSpace, you must select a WorkSpace bundle. For more information, see Amazon WorkSpaces Bundles.

• When you launch a WorkSpace, you must select which protocol (PCoIP or WorkSpaces Streaming Protocol [WSP]) you want to use with your bundle. For more information, see Protocols for Amazon WorkSpaces (p. 9).

• When you launch a WorkSpace, you must specify profile information for the user, including a user name and email address. Users complete their profiles by specifying a password. Information about WorkSpaces and users is stored in a directory. For more information, see Directories (p. 59).

What Quick Setup does

Quick Setup completes the following tasks on your behalf:

• Creates an IAM role to allow the WorkSpaces service to create elastic network interfaces and list your WorkSpaces directories. This role has the name workspaces_DefaultRole.

• Creates a virtual private cloud (VPC). If you want to use an existing VPC instead, make sure it meets the requirements noted in Configure a VPC for WorkSpaces (p. 10), and then follow the steps in one of the tutorials listed in Launch a virtual desktop using WorkSpaces (p. 73). Choose the tutorial that corresponds to the type of Active Directory that you want to use.

• Sets up a Simple AD directory in the VPC. This Simple AD directory is used to store user and WorkSpace information. The directory has an administrator account and it is enabled for Amazon WorkDocs.

• Creates the specified user accounts and adds them to the directory.

• Creates WorkSpaces. Each WorkSpace receives a public IP address to provide internet access. The running mode is AlwaysOn. For more information, see Manage the WorkSpace running mode (p. 117).

• Sends invitation emails to the specified users. If your users don't receive their invitation emails, see Send an invitation email (p. 88).

Note

The first user account created by Quick Setup is your Admin user account. You can't update this user account from the WorkSpaces Console. Don't share the information for this Admin account with anyone else. If you want to invite other users to use WorkSpaces, create new user accounts for them.

Step 1: Launch the WorkSpace

Using Quick Setup, you can launch your first WorkSpace in minutes.

To launch a WorkSpace

1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

2. Choose Get Started Now. If you don't see this button, either you have already launched a WorkSpace in this Region, or you aren't using one of the Regions that support Quick Setup (p. 4). In this case, see Launch a virtual desktop using WorkSpaces (p. 73).

3. On the Get Started with WorkSpaces page, next to Quick Setup, choose Launch.


4. For Bundles, select a bundle (hardware and software) for the user with the appropriate protocol (PCoIP or WSP). For more information about the various public bundles available for Amazon WorkSpaces, see Amazon WorkSpaces Bundles.

5. For Enter User Details, complete Username, First Name, Last Name, and Email.

Note

If this is your first time using WorkSpaces, we recommend creating a user for yourself for testing purposes.

6. Choose Launch WorkSpaces.

7. On the confirmation page, choose View the WorkSpaces Console. It takes approximately 20 minutes for your WorkSpace to be launched. To monitor the progress, go to the left navigation pane and choose Directories. You will see a directory being created with an initial status of REQUESTED and then CREATING.

After the directory has been created and has a status of ACTIVE, you can choose WorkSpaces in the left navigation pane to monitor the progress of the WorkSpace launch process. The initial status of the WorkSpace is PENDING. When the launch is complete, the status is AVAILABLE and an invitation is sent to the email address that you specified for each user. If your users don't receive their invitation emails, see Send an invitation email (p. 88).

Step 2: Connect to the WorkSpace

After you receive the invitation email, you can connect to the WorkSpace using the client of your choice.

After you sign in, the client displays the WorkSpace desktop.

To connect to the WorkSpace

1. If you haven't set up credentials for the user already, open the link in the invitation email and follow the directions. Remember the password that you specify as you will need it to connect to your WorkSpace.

Note

Passwords are case-sensitive and must be between 8 and 64 characters in length, inclusive. Passwords must contain at least one character from each of the following categories: lowercase letters (a-z), uppercase letters (A-Z), numbers (0-9), and the set ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/.

2. Review WorkSpaces Clients in the Amazon WorkSpaces User Guide for more information about the requirements for each client, and then do one of the following:

• When prompted, download one of the client applications or launch Web Access.

• If you aren't prompted and you haven't installed a client application already, open https://clients.amazonworkspaces.com/ and download one of the client applications or launch Web Access.

Note

You cannot use a web browser (Web Access) to connect to Amazon Linux WorkSpaces.

3. Start the client, enter the registration code from the invitation email, and choose Register.

4. When prompted to sign in, enter the user name and password, and then choose Sign In.

5. (Optional) When prompted to save your credentials, choose Yes.

For more information about using the client applications, such as setting up multiple monitors or using peripheral devices, see WorkSpaces Clients and Peripheral Device Support in the Amazon WorkSpaces User Guide.

Step 3: Clean up (Optional)

If you are finished with the WorkSpace that you created for this tutorial, you can delete it. For more information, see the section called “Delete a WorkSpace” (p. 143).

Note

Simple AD is made available to you free of charge to use with WorkSpaces. If there are no WorkSpaces being used with your Simple AD directory for 30 consecutive days, this directory will be automatically deregistered for use with Amazon WorkSpaces, and you will be charged for this directory as per the AWS Directory Service pricing terms.

To delete empty directories, see Delete the directory for your WorkSpaces (p. 69). If you delete your Simple AD directory, you can always create a new one when you want to start using WorkSpaces again.


Next steps

You can continue to customize the WorkSpace that you just created. For example, you can install software and then create a custom bundle from your WorkSpace. You can also perform various administrative tasks for your WorkSpaces and your WorkSpaces directory. For more information, see the following documentation.

• Create a custom WorkSpaces image and bundle (p. 145)

• Administer your WorkSpaces (p. 95)

• Manage directories for WorkSpaces (p. 59)

To create additional WorkSpaces, do one of the following:

• If you want to continue using the VPC and the Simple AD directory that were created by Quick Setup, you can add WorkSpaces for additional users by following the steps in the Step 2: Create a WorkSpace (p. 79) section of the Launch a WorkSpace Using Simple AD tutorial.

• If you need to use another directory type or if you need to use an existing Active Directory, see the appropriate tutorial in Launch a virtual desktop using WorkSpaces (p. 73).

For more information about using the WorkSpaces client applications, such as setting up multiple monitors or using peripheral devices, see WorkSpaces Clients and Peripheral Device Support in the Amazon WorkSpaces User Guide.


Networking and access for WorkSpaces

As a WorkSpace administrator, you must understand the following about WorkSpaces networking and access.

Contents

• Protocols for Amazon WorkSpaces (p. 9)

• Configure a VPC for WorkSpaces (p. 10)

• Availability Zones for Amazon WorkSpaces (p. 17)

• IP address and port requirements for WorkSpaces (p. 18)

• Amazon WorkSpaces client network requirements (p. 34)

• Restrict WorkSpaces access to trusted devices (p. 35)

• Use smart cards for authentication (p. 37)

• Provide internet access from your WorkSpace (p. 44)

• Security groups for your WorkSpaces (p. 45)

• IP access control groups for your WorkSpaces (p. 46)

• Set up PCoIP zero clients for WorkSpaces (p. 48)

• Set up Android for Chromebooks (p. 49)

• Enable and configure Amazon WorkSpaces Web Access (p. 49)

• Set up Amazon WorkSpaces for FedRAMP authorization or DoD SRG compliance (p. 52)

• Enable SSH connections for your Linux WorkSpaces (p. 53)

• Required configuration and service components for WorkSpaces (p. 56)

Protocols for Amazon WorkSpaces

Amazon WorkSpaces supports two protocols: PCoIP and WorkSpaces Streaming Protocol (WSP).

The protocol that you choose depends on several factors, such as the type of devices your users will be accessing their WorkSpaces from, which operating system is on your WorkSpaces, what network conditions your users will be facing, and whether your users require bidirectional video support.

When to use PCoIP

• If you want to use the iPad, Android, or Linux clients.

• If you use Teradici zero client devices.

• If you need to use GPU-based bundles (Graphics or GraphicsPro).

• If you need to use a Linux bundle for non-smart card use cases.

• If you need to use WorkSpaces in the China (Ningxia) Region.

When to use WSP

• If you need higher loss/latency tolerance to support your end user network conditions. For example, you have users who are accessing their WorkSpaces across global distances or using unreliable networks.

• If you need your users to authenticate with smart cards or to use smart cards in-session.

• If you need webcam support capabilities in-session.

• If you need to use Web Access with the Windows Server 2019-powered WorkSpaces bundle.

Note

• A directory can have a mix of PCoIP and WSP WorkSpaces in it.

• A user can have both a PCoIP and a WSP WorkSpace as long as the two WorkSpaces are located in separate directories. The same user cannot have a PCoIP and a WSP WorkSpace in the same directory. For more information about creating multiple WorkSpaces for a user, see Create multiple WorkSpaces for a user (p. 88).

• You can migrate a WorkSpace between the two protocols by using the WorkSpaces migration feature, which requires a rebuild of the WorkSpace. For more information, see Migrate a WorkSpace (p. 139).

Configure a VPC for WorkSpaces

WorkSpaces launches your WorkSpaces in a virtual private cloud (VPC). Your WorkSpaces must have access to the internet so that you can install updates to the operating system and deploy applications using Amazon WorkSpaces Application Manager (Amazon WAM).

You can create a VPC with two private subnets for your WorkSpaces and a NAT gateway in a public subnet. Alternatively, you can create a VPC with two public subnets for your WorkSpaces and associate an Elastic IP address with each WorkSpace.

Tip

For a detailed exploration of directory and virtual private cloud (VPC) design considerations for various deployment scenarios, see the Best Practices for Deploying Amazon WorkSpaces whitepaper.

Contents

• Requirements (p. 10)

• Configure a VPC with private subnets and a NAT gateway (p. 10)

• Configure a VPC with public subnets (p. 14)

Requirements

Your VPC's subnets must reside in different Availability Zones in the Region where you're launching WorkSpaces. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. Each subnet must reside entirely within one Availability Zone and cannot span zones.

Note

Amazon WorkSpaces is available in a subset of the Availability Zones in each supported Region.

To determine which Availability Zones you can use for the subnets of the VPC that you're using for WorkSpaces, see Availability Zones for Amazon WorkSpaces (p. 17).

Configure a VPC with private subnets and a NAT gateway

If you use AWS Directory Service to create an AWS Managed Microsoft AD or a Simple AD, we recommend that you configure the VPC with one public subnet and two private subnets. Configure your directory to launch your WorkSpaces in the private subnets. To provide internet access to WorkSpaces in a private subnet, configure a NAT gateway in the public subnet.

Prerequisites

If you aren't already familiar with working with VPCs and subnets, we recommend reading VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide before performing the following tasks.

Tasks

• Step 1: Allocate an Elastic IP address (p. 11)

• Step 2: Create a VPC (p. 12)

• Step 3: Add a second private subnet (p. 13)

• Step 4: Verify and name the route tables (p. 13)

• Step 5: Route your WorkSpaces to the subnets (p. 14)

Note

As an alternative to the following procedure for configuring a VPC with private subnets and a NAT gateway, you can follow the steps in the "Getting started project" tutorial, which details how to set up your VPC and your WorkSpaces directory. That tutorial also covers how to launch WorkSpaces, create custom images and bundles, and perform other tasks related to administering your WorkSpaces.

Step 1: Allocate an Elastic IP address

Allocate an Elastic IP address for your NAT gateway as follows. Note that if you are using an alternative method of providing internet access, you can skip this step.

To allocate an Elastic IP address

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose Elastic IPs.

3. Choose Allocate Elastic IP address.

4. On the Allocate Elastic IP address page, for Public IPv4 address pool, choose Amazon's pool of IPv4 addresses, Public IPv4 address that you bring to your AWS account, or Customer owned pool of IPv4 addresses, and then choose Allocate.

5. Make a note of the Elastic IP address, then choose Close.

Step 2: Create a VPC

Create a VPC with one public subnet and two private subnets as follows.

To create the VPC

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose VPC Dashboard in the upper-left corner.

3. Choose Launch VPC Wizard.

4. Choose VPC with Public and Private Subnets and then choose Select.

5. Configure the VPC as follows:

a. For IPv4 CIDR block, enter the CIDR block for the VPC. We recommend that you use a CIDR block from the private (non-publicly routable) IP address ranges specified in RFC 1918. For example, 10.0.0.0/16. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.

b. For IPv6 CIDR Block, keep No IPv6 CIDR Block.

c. For VPC name, enter a name for the VPC.

6. Configure the public subnet as follows:

a. For IPv4 CIDR block, enter the CIDR block for the subnet. For example, 10.0.0.0/24. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.

b. For Availability Zone, keep No Preference.

c. For Public subnet name, enter a name for the subnet (for example, WorkSpaces Public Subnet).

7. Configure the first private subnet as follows:

a. For Private subnet's IPv4 CIDR, enter the CIDR block for the subnet. For example, 10.0.1.0/24.

b. To make an appropriate selection for Availability Zone, see Availability Zones for Amazon WorkSpaces (p. 17).

c. For Private subnet name, enter a name for the subnet (for example, WorkSpaces Private Subnet 1).

8. For Elastic IP Allocation ID, choose the Elastic IP address that you created. Note that if you are using an alternative method of providing internet access, you can skip this step.

9. For Service endpoints, do nothing.

10. For Enable DNS hostnames, keep Yes.

11. For Hardware tenancy, keep Default.

12. Choose Create VPC. Note that it takes several minutes to set up your VPC. After the VPC is created, choose OK.

Note

You can associate an IPv6 CIDR block with your VPC and subnets. However, if you configure your subnets to automatically assign IPv6 addresses to instances launched in the subnet, then you cannot use Graphics bundles. (You can use GraphicsPro bundles, however.) This restriction arises from a hardware limitation of previous-generation instance types that do not support IPv6.

To work around this issue, you can temporarily disable the auto-assign IPv6 addresses setting on the WorkSpaces subnets before launching Graphics bundles, and then reenable this setting (if needed) after launching Graphics bundles so that any other bundles receive the desired IP addresses.

By default, the auto-assign IPv6 addresses setting is disabled. To check this setting from the Amazon VPC console, in the navigation pane, choose Subnets. Select the subnet, and choose Actions, Modify auto-assign IP settings.

For more information about working with IPv6 addresses, see IP Addressing in Your VPC in the Amazon VPC User Guide.

Step 3: Add a second private subnet

In the previous step, you created a VPC with one public subnet and one private subnet. Use the following procedure to add a second private subnet.

To add a private subnet

1. In the navigation pane, choose Subnets.

2. Choose Create Subnet.

3. For Name tag, enter a name for the private subnet (for example, WorkSpaces Private Subnet 2).

4. For VPC, select the VPC that you created.

5. To make an appropriate selection for Availability Zone, see Availability Zones for Amazon WorkSpaces (p. 17). Make sure you select a different Availability Zone from the one you selected for Step 7 (p. 12) earlier.

6. For IPv4 CIDR block, enter the CIDR block for the subnet. For example, 10.0.2.0/24.

7. Choose Create and Close.

Step 4: Verify and name the route tables

You can verify and name the route tables for each subnet.

To verify and name the route tables

1. In the navigation pane, choose Subnets, and select the public subnet that you created.

a. On the Route Table tab, choose the ID of the route table (for example, rtb-12345678).

b. Select the route table. Under Name, choose the edit icon (the pencil), and enter a name (for example, workspaces-public-routetable), and then choose the check mark to save the name.

c. On the Routes tab, verify that there is one route for local traffic and another route that sends all other traffic to the internet gateway for the VPC. For example, you should see entries similar to those in the following table.

Destination    Target
10.0.0.0/16    local
0.0.0.0/0      igw-12345678

2. In the navigation pane, choose Subnets, and select the first private subnet that you created (for example, WorkSpaces Private Subnet 1).

a. On the Route Table tab, choose the ID of the route table.

b. Select the route table. Under Name, choose the edit icon (the pencil), and enter a name (for example, workspaces-private-routetable), and then choose the check mark to save the name.

c. On the Routes tab, verify that there is one route for local traffic and another route that sends all other traffic to the NAT gateway. For example, you should see entries similar to those in the following table.

Destination    Target
10.0.0.0/16    local
0.0.0.0/0      nat-12345678

Note

To provide internet access to your WorkSpaces in the private subnets, make sure your NAT gateway is configured in the public subnet.

3. In the navigation pane, choose Subnets, and select the second private subnet that you created (for example, WorkSpaces Private Subnet 2). On the Route Table tab, verify that the route table is the private route table (for example, workspaces-private-routetable). If the route table is different, choose Edit and select this route table.

Step 5: Route your WorkSpaces to the subnets

To route your WorkSpaces to your VPC's subnets, make sure to select your VPC and subnets during the process of setting up your WorkSpaces directory.

To set up your WorkSpaces directory, see Launch a virtual desktop using WorkSpaces (p. 73), and select the tutorial for the type of directory you'd like to use (AWS Managed Microsoft AD, Simple AD, AD Connector, or a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain).
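The verification in Step 4 can be automated once the VPC exists. The following is an added example (not part of the guide) that checks the layout the procedure above produces: the public subnet's route table sends 0.0.0.0/0 to an internet gateway, each private subnet has an explicitly associated route table whose 0.0.0.0/0 route goes to a NAT gateway, and that NAT gateway is available in the public subnet. It runs offline on constructed data shaped like the EC2 DescribeRouteTables and DescribeNatGateways responses; the subnet IDs are invented, and the CIDRs and gateway IDs follow the guide's examples.

```python
from typing import Dict, List, Optional

# Constructed sample data shaped like the EC2 DescribeRouteTables and
# DescribeNatGateways responses. Subnet and route table IDs are invented;
# the 10.0.0.0/16 CIDR, igw-12345678 and nat-12345678 follow the guide.
PUBLIC_SUBNET = "subnet-0public0"
PRIVATE_SUBNETS = ["subnet-0private1", "subnet-0private2"]

ROUTE_TABLES: List[Dict] = [
    {   # workspaces-public-routetable
        "RouteTableId": "rtb-0public00",
        "Associations": [{"SubnetId": PUBLIC_SUBNET}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-12345678"},
        ],
    },
    {   # workspaces-private-routetable, shared by both private subnets
        "RouteTableId": "rtb-0private0",
        "Associations": [{"SubnetId": s} for s in PRIVATE_SUBNETS],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-12345678"},
        ],
    },
]

NAT_GATEWAYS: List[Dict] = [
    {"NatGatewayId": "nat-12345678", "SubnetId": PUBLIC_SUBNET, "State": "available"},
]


def table_for_subnet(route_tables: List[Dict], subnet_id: str) -> Optional[Dict]:
    """Return the route table explicitly associated with subnet_id, or None.

    A subnet without an explicit association silently uses the VPC's main
    route table; this check treats that as a finding because the guide
    names and verifies a dedicated table for every WorkSpaces subnet.
    """
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def default_route_target(rt: Dict) -> Optional[str]:
    """Return the target of the 0.0.0.0/0 route (igw-..., nat-..., ...) or None."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def check_workspaces_routing(route_tables: List[Dict], nat_gateways: List[Dict],
                             public_subnet: str, private_subnets: List[str]) -> List[str]:
    """Verify public subnet -> IGW and private subnets -> NAT gateway in the
    public subnet. Returns findings; an empty list means the layout matches."""
    findings: List[str] = []

    public_rt = table_for_subnet(route_tables, public_subnet)
    if public_rt is None:
        findings.append(f"{public_subnet}: no explicitly associated route table")
    elif not (default_route_target(public_rt) or "").startswith("igw-"):
        findings.append(f"{public_subnet}: default route does not go to an internet gateway")

    # Only an available NAT gateway carries traffic; map its ID to the subnet it lives in.
    nat_subnet = {n["NatGatewayId"]: n["SubnetId"]
                  for n in nat_gateways if n.get("State") == "available"}

    for subnet in private_subnets:
        rt = table_for_subnet(route_tables, subnet)
        if rt is None:
            findings.append(f"{subnet}: no explicitly associated route table")
            continue
        if not any(r.get("GatewayId") == "local" for r in rt.get("Routes", [])):
            findings.append(f"{subnet}: missing local route")
        target = default_route_target(rt) or ""
        if not target.startswith("nat-"):
            findings.append(f"{subnet}: default route does not go to a NAT gateway (got {target!r})")
        elif nat_subnet.get(target) != public_subnet:
            findings.append(f"{subnet}: NAT gateway {target} is not available in the public subnet {public_subnet}")
    return findings


if __name__ == "__main__":
    results = check_workspaces_routing(ROUTE_TABLES, NAT_GATEWAYS, PUBLIC_SUBNET, PRIVATE_SUBNETS)
    for line in results or ["OK: routing matches the private subnets + NAT gateway layout"]:
        print(line)
```

To run it against a live VPC, feed it the `RouteTables` and `NatGateways` lists returned by boto3's `describe_route_tables` and `describe_nat_gateways` in place of the constructed constants.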

Configure a VPC with public subnets

If you prefer, you can create a VPC with two public subnets. To provide internet access to WorkSpaces in public subnets, configure the directory to assign Elastic IP addresses automatically or manually assign an Elastic IP address to each WorkSpace.

Prerequisites

If you aren't already familiar with working with VPCs and subnets, we recommend reading VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide before performing the following tasks.

Tasks

• Step 1: Create a VPC (p. 15)

• Step 2: Add a second public subnet (p. 15)

• Step 3: Assign the Elastic IP address (p. 16)

• Step 4: Route your WorkSpaces to the subnets (p. 17)

Step 1: Create a VPC

Create a VPC with one public subnet as follows.

To create the VPC

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

2. In the navigation pane, choose VPC Dashboard in the upper-left corner.

3. Choose Launch VPC Wizard.

4. Choose VPC with a Single Public Subnet and then choose Select.

5. For IPv4 CIDR block, enter the CIDR block for the VPC. We recommend that you use a CIDR block from the private (non-publicly routable) IP address ranges specified in RFC 1918. For example, 10.0.0.0/16. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.

6. For IPv6 CIDR block, keep No IPv6 CIDR Block.

7. For VPC name, enter a name for the VPC.

8. For Public subnet's IPv4 CIDR, enter the CIDR block for the subnet. For example, 10.0.0.0/24. For more information, see VPC and Subnet Sizing for IPv4 in the Amazon VPC User Guide.

9. To make an appropriate selection for Availability Zone, see Availability Zones for Amazon WorkSpaces (p. 17).

10. (Optional) For Subnet name, enter a name for the subnet.

11. For Service endpoints, do nothing.

12. For Enable DNS hostnames, keep Yes.

13. For Hardware tenancy, keep Default.

14. Choose Create VPC. After the VPC is created, choose OK.

Note

You can associate an IPv6 CIDR block with your VPC and subnets. However, if you configure your subnets to automatically assign IPv6 addresses to instances launched in the subnet, then you cannot use Graphics bundles. (You can use GraphicsPro bundles, however.) This restriction arises from a hardware limitation of previous-generation instance types that do not support IPv6.

To work around this issue, you can temporarily disable the auto-assign IPv6 addresses setting on the WorkSpaces subnets before launching Graphics bundles, and then reenable this setting (if needed) after launching Graphics bundles so that any other bundles receive the desired IP addresses.

By default, the auto-assign IPv6 addresses setting is disabled. To check this setting from the Amazon VPC console, in the navigation pane, choose Subnets. Select the subnet, and choose Actions, Modify auto-assign IP settings.

For more information about working with IPv6 addresses, see IP Addressing in Your VPC in the Amazon VPC User Guide.

Step 2: Add a second public subnet

In the previous step, you created a VPC with one public subnet. Use the following procedure to add a second public subnet and associate it with the route table for the first public subnet, which has a route to the internet gateway for the VPC.

To add a public subnet

1. In the navigation pane, choose Subnets.

2. Choose Create Subnet.

3. For Name tag, enter a name for the subnet.

4. For VPC, select the VPC that you created.

5. To make an appropriate selection for Availability Zone, see Availability Zones for Amazon WorkSpaces (p. 17). Make sure you select a different Availability Zone from the one you selected for Step 9 (p. 15) earlier.

6. For IPv4 CIDR block, enter the CIDR block for the subnet. For example, 10.0.1.0/24.

7. Choose Create. After the subnet is created, choose Close.

8. Associate the new public subnet with the route table created for the first subnet as follows:

a. In the navigation pane, choose Subnets.

b. Select the first subnet.

c. On the Route Table tab, choose the ID of the route table.

d. On the Subnet Associations tab, choose Edit subnet associations.

e. Select the check box for the second subnet (the public subnet you just created) and choose Save.

Step 3: Assign the Elastic IP address

You can assign Elastic IP addresses (static public IP addresses) to your WorkSpaces automatically or manually. To use automatic assignment, see Configure automatic IP addresses (p. 62). To assign Elastic IP addresses manually, use the following procedure.

Warning

We recommend that you not modify the elastic network interface of the WorkSpace after it is launched. If you have enabled automatic assignment of Elastic IP addresses at the directory level, an Elastic IP address (from the Amazon-provided pool) is assigned to your WorkSpace when it is launched. However, if you associate an Elastic IP address that you own to a WorkSpace, and then you later disassociate that Elastic IP address from the WorkSpace, the WorkSpace loses its public IP address, and it doesn't automatically get a new one from the Amazon-provided pool.

To associate a new public IP address from the Amazon-provided pool with the WorkSpace, you must rebuild the WorkSpace (p. 131). If you don't want to rebuild the WorkSpace, you must associate another Elastic IP address that you own to the WorkSpace.

To assign an Elastic IP address to a WorkSpace manually

For a video tutorial about how to assign an Elastic IP address to a WorkSpace, see the AWS Knowledge Center video How do I associate an Elastic IP Address with a WorkSpace?.

1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

2. In the navigation pane, choose WorkSpaces.

3. Expand the row (choose the arrow icon) for the WorkSpace and note the value of WorkSpace IP. This is the primary private IP address of the WorkSpace.

4. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

5. In the navigation pane, choose Elastic IPs. If you do not have an available Elastic IP address, choose Allocate Elastic IP address and choose Amazon's pool of IPv4 addresses or Customer owned pool of IPv4 addresses, and then choose Allocate. Make note of the new IP address.

6. In the navigation pane, choose Network Interfaces.

7. Select the network interface for your WorkSpace. To find the network interface for your WorkSpace, enter the WorkSpace IP value (which you noted earlier in Step 3 (p. 16)) in the search box, and then press Enter. The WorkSpace IP value matches the value in the network interface's Primary private IPv4 IP column. Note that the network interface's VPC ID value matches the ID of your WorkSpaces VPC.

8. Choose Actions, Manage IP Addresses. Choose Assign new IP, and then choose Yes, Update. Make note of the new IP address.

9. Choose Actions, Associate Address.

10. On the Associate Elastic IP Address page, choose an Elastic IP address from Address. For Associate to private IP address, specify the new private IP address, and then choose Associate Address.

Step 4: Route your WorkSpaces to the subnets

To route your WorkSpaces to your VPC's subnets, make sure to select your VPC and subnets during the process of setting up your WorkSpaces directory.

To set up your WorkSpaces directory, see Launch a virtual desktop using WorkSpaces (p. 73), and select the tutorial for the type of directory you'd like to use (AWS Managed Microsoft AD, Simple AD, AD Connector, or a trust relationship between your AWS Managed Microsoft AD directory and your on-premises domain).

Availability Zones for Amazon WorkSpaces

When you are creating a virtual private cloud (VPC) for use with Amazon WorkSpaces, your VPC's subnets must reside in different Availability Zones in the Region where you're launching WorkSpaces. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones.

By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. Each subnet must reside entirely within one Availability Zone and cannot span zones.

An Availability Zone is represented by a Region code followed by a letter identifier; for example, us-east-1a. To ensure that resources are distributed across the Availability Zones for a Region, we independently map Availability Zones to names for each AWS account. For example, the Availability Zone us-east-1a for your AWS account might not be the same location as us-east-1a for another AWS account.

To coordinate Availability Zones across accounts, you must use the AZ ID, which is a unique and consistent identifier for an Availability Zone. For example, use1-az2 is an AZ ID for the us-east-1 Region and it has the same location in every AWS account.

Viewing AZ IDs enables you to determine the location of resources in one account relative to the resources in another account. For example, if you share a subnet in the Availability Zone with the AZ ID use1-az2 with another account, this subnet is available to that account in the Availability Zone whose AZ ID is also use1-az2. The AZ ID for each VPC and subnet is displayed in the Amazon VPC console.

Amazon WorkSpaces is available in a subset of the Availability Zones for each supported Region. The following table lists the AZ IDs that you can use for each Region. To see the mapping of AZ IDs to Availability Zones in your account, see AZ IDs for Your Resources in the AWS RAM User Guide.

Region name                 Region code       Supported AZ IDs
US East (N. Virginia)       us-east-1         use1-az2, use1-az4, use1-az6
US West (Oregon)            us-west-2         usw2-az1, usw2-az2, usw2-az3
Asia Pacific (Mumbai)       ap-south-1        aps1-az1, aps1-az2, aps1-az3
Asia Pacific (Seoul)        ap-northeast-2    apne2-az1, apne2-az3
Asia Pacific (Singapore)    ap-southeast-1    apse1-az1, apse1-az2
Asia Pacific (Sydney)       ap-southeast-2    apse2-az1, apse2-az3
Asia Pacific (Tokyo)        ap-northeast-1    apne1-az1, apne1-az4
Canada (Central)            ca-central-1      cac1-az1, cac1-az2
Europe (Frankfurt)          eu-central-1      euc1-az2, euc1-az3
Europe (Ireland)            eu-west-1         euw1-az1, euw1-az2, euw1-az3
Europe (London)             eu-west-2         euw2-az2, euw2-az3
South America (São Paulo)   sa-east-1         sae1-az1, sae1-az3

For more information about Availability Zones and AZ IDs, see Regions, Availability Zones, and Local Zones in the Amazon EC2 User Guide for Linux Instances.
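Because the AZ name to AZ ID mapping is specific to each AWS account, a check for "two subnets in different, supported Availability Zones" has to key on the AZ ID rather than the zone name. The following is an added example, not from the guide, that does this with the table above; the DescribeAvailabilityZones sample is constructed (the names are real zone names, but the name-to-ID pairs are invented for the purpose of the example).

```python
from typing import Dict, List, Set

# Supported AZ IDs per Region, copied from the table above.
SUPPORTED_AZ_IDS: Dict[str, Set[str]] = {
    "us-east-1": {"use1-az2", "use1-az4", "use1-az6"},
    "us-west-2": {"usw2-az1", "usw2-az2", "usw2-az3"},
    "ap-south-1": {"aps1-az1", "aps1-az2", "aps1-az3"},
    "ap-northeast-2": {"apne2-az1", "apne2-az3"},
    "ap-southeast-1": {"apse1-az1", "apse1-az2"},
    "ap-southeast-2": {"apse2-az1", "apse2-az3"},
    "ap-northeast-1": {"apne1-az1", "apne1-az4"},
    "ca-central-1": {"cac1-az1", "cac1-az2"},
    "eu-central-1": {"euc1-az2", "euc1-az3"},
    "eu-west-1": {"euw1-az1", "euw1-az2", "euw1-az3"},
    "eu-west-2": {"euw2-az2", "euw2-az3"},
    "sa-east-1": {"sae1-az1", "sae1-az3"},
}

# Constructed sample of one account's DescribeAvailabilityZones output.
# The ZoneName -> ZoneId pairs differ per account, so these are invented.
SAMPLE_ZONES: List[Dict[str, str]] = [
    {"ZoneName": "us-east-1a", "ZoneId": "use1-az2"},
    {"ZoneName": "us-east-1b", "ZoneId": "use1-az4"},
    {"ZoneName": "us-east-1c", "ZoneId": "use1-az6"},
    {"ZoneName": "us-east-1d", "ZoneId": "use1-az1"},
]


def check_subnet_zones(region: str, subnets: List[Dict[str, str]],
                       zones: List[Dict[str, str]]) -> List[str]:
    """Validate the Availability Zones of candidate WorkSpaces subnets.

    subnets: [{"SubnetId": ..., "AvailabilityZone": ...}] as DescribeSubnets
    returns them; zones: this account's DescribeAvailabilityZones entries.
    Returns findings; an empty list means the subnets are usable together.
    """
    supported = SUPPORTED_AZ_IDS.get(region)
    if supported is None:
        return [f"{region}: not listed as a Region where WorkSpaces is available"]

    zone_ids = {z["ZoneName"]: z["ZoneId"] for z in zones}
    findings: List[str] = []
    seen: Dict[str, str] = {}  # AZ ID -> first subnet found in it

    for subnet in subnets:
        name, sid = subnet["AvailabilityZone"], subnet["SubnetId"]
        az_id = zone_ids.get(name)
        if az_id is None:
            findings.append(f"{sid}: no AZ ID known for {name} in this account")
        elif az_id not in supported:
            findings.append(f"{sid}: {name} maps to {az_id}, which is not a supported "
                            f"AZ ID for WorkSpaces in {region}")
        elif az_id in seen:
            findings.append(f"{sid}: shares AZ ID {az_id} with {seen[az_id]}; "
                            "each subnet must be in a different Availability Zone")
        else:
            seen[az_id] = sid

    if len(seen) < 2:
        findings.append("fewer than two subnets in distinct supported Availability Zones")
    return findings


if __name__ == "__main__":
    candidates = [
        {"SubnetId": "subnet-0private1", "AvailabilityZone": "us-east-1a"},
        {"SubnetId": "subnet-0private2", "AvailabilityZone": "us-east-1d"},
    ]
    for line in check_subnet_zones("us-east-1", candidates, SAMPLE_ZONES) or ["OK"]:
        print(line)
```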

IP address and port requirements for WorkSpaces

To connect to your WorkSpaces, the network that your WorkSpaces clients are connected to must have certain ports open to the IP address ranges for the various AWS services (grouped in subsets). These address ranges vary by AWS Region. These same ports must also be open on any firewall running on the client. For more information about the AWS IP address ranges for different Regions, see AWS IP Address Ranges in the Amazon Web Services General Reference.

For an architecture diagram, see WorkSpaces Architecture. For additional architecture diagrams, see the Best Practices for Deploying Amazon WorkSpaces whitepaper.

Ports for client applications

The WorkSpaces client application requires outbound access on the following ports:

Port 443 (TCP)

This port is used for client application updates, registration, and authentication. The desktop client applications support the use of a proxy server for port 443 (HTTPS) traffic. To enable the use of a proxy server, open the client application, choose Advanced Settings, select Use Proxy Server, specify the address and port of the proxy server, and choose Save.

This port must be open to the following IP address ranges:

• The AMAZON subset in the GLOBAL Region.

• The AMAZON subset in the Region that the WorkSpace is in.

• The AMAZON subset in the us-east-1 Region.

• The AMAZON subset in the us-west-2 Region.

• The S3 subset in the us-west-2 Region.

Port 4172 and 4195 (UDP and TCP)

These ports are used for streaming the WorkSpace desktop and health checks. The desktop client applications do not support the use of a proxy server for port 4172 and 4195 traffic; they require a direct connection to ports 4172 and 4195. These ports must be open to the PCoIP Gateway and WorkSpaces Streaming Protocol (WSP) Gateway IP address ranges, and to the health check servers in the Region that the WorkSpace is in. For more information, see Health check servers (p. 26), PCoIP gateway servers (p. 28), and WSP gateway servers (p. 30).

Note

If your firewall uses stateful filtering, ephemeral ports (also known as dynamic ports) are automatically opened to allow return communication. If your firewall uses stateless filtering, you must open ephemeral ports explicitly to allow return communication. The required ephemeral port range that you must open will vary depending on your configuration.
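The five IP address range subsets listed for port 443 can be pulled from the published AWS IP address ranges rather than copied by hand. The following is an added example, not from the guide: it selects the (region, service) subsets named above from a document in the format of https://ip-ranges.amazonaws.com/ip-ranges.json and also diffs two published versions so that a firewall allow list can be kept current. The JSON excerpt is constructed (the prefix values are invented); download the real file for production use.

```python
import ipaddress
import json
from typing import Dict, List, Set, Tuple

# Constructed excerpt in the format of ip-ranges.json; prefix values are invented.
_BASE: Dict = {
    "syncToken": "0000000000",
    "createDate": "2022-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.94.0.0/22",   "region": "GLOBAL",    "service": "AMAZON"},
        {"ip_prefix": "3.5.0.0/19",     "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "3.5.0.0/19",     "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "18.204.0.0/14",  "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "52.88.0.0/15",   "region": "us-west-2", "service": "AMAZON"},
        {"ip_prefix": "52.92.128.0/17", "region": "us-west-2", "service": "S3"},
        {"ip_prefix": "35.180.0.0/16",  "region": "eu-west-3", "service": "AMAZON"},
        {"ip_prefix": "52.219.64.0/20", "region": "eu-west-3", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:1f18::/33", "region": "us-east-1", "service": "AMAZON"},
    ],
}
SAMPLE_IP_RANGES = json.dumps(_BASE)
# A later "publication" of the same file with one extra GLOBAL prefix (also invented).
NEWER_IP_RANGES = json.dumps({
    **_BASE,
    "prefixes": _BASE["prefixes"]
    + [{"ip_prefix": "54.239.0.0/28", "region": "GLOBAL", "service": "AMAZON"}],
})


def port443_subsets(workspace_region: str) -> Set[Tuple[str, str]]:
    """The (region, service) subsets listed under "Port 443 (TCP)" above."""
    return {
        ("GLOBAL", "AMAZON"),
        (workspace_region, "AMAZON"),
        ("us-east-1", "AMAZON"),
        ("us-west-2", "AMAZON"),
        ("us-west-2", "S3"),
    }


def port443_allow_list(ip_ranges_json: str, workspace_region: str) -> List[str]:
    """Return the de-duplicated CIDRs (IPv4 first, then IPv6) that the client
    network must be able to reach on TCP 443 for WorkSpaces in workspace_region."""
    data = json.loads(ip_ranges_json)
    wanted = port443_subsets(workspace_region)
    cidrs: Set[str] = set()
    for key, entries in (("ip_prefix", data.get("prefixes", [])),
                         ("ipv6_prefix", data.get("ipv6_prefixes", []))):
        for entry in entries:
            if (entry["region"], entry["service"]) in wanted:
                cidrs.add(entry[key])
    # IPv4Network and IPv6Network objects are not mutually comparable, so sort
    # by address family first and numerically within each family.
    return sorted(cidrs, key=lambda c: (ipaddress.ip_network(c).version,
                                        ipaddress.ip_network(c)))


def allow_list_drift(old_json: str, new_json: str,
                     workspace_region: str) -> Tuple[List[str], List[str]]:
    """Compare two published versions of ip-ranges.json for one WorkSpace Region.
    Returns (prefixes to add to the firewall, prefixes that may be removed)."""
    old = set(port443_allow_list(old_json, workspace_region))
    new = set(port443_allow_list(new_json, workspace_region))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    for cidr in port443_allow_list(SAMPLE_IP_RANGES, "eu-west-1"):
        print("tcp/443 ->", cidr)
    print("drift:", allow_list_drift(SAMPLE_IP_RANGES, NEWER_IP_RANGES, "eu-west-1"))
```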

Ports for Web Access

WorkSpaces Web Access requires outbound access for the following ports:

Port 53 (UDP)

This port is used to access DNS servers. It must be open to your DNS server IP addresses so that the client can resolve public domain names. This port requirement is optional if you are not using DNS servers for domain name resolution.

Port 80 (UDP and TCP)

This port is used for initial connections to https://clients.amazonworkspaces.com, which then switch to HTTPS. It must be open to all IP address ranges in the EC2 subset in the Region that the WorkSpace is in.

Port 443 (UDP and TCP)

This port is used for registration and authentication using HTTPS. It must be open to all IP address ranges in the EC2 subset in the Region that the WorkSpace is in.

Port 4195 (UDP and TCP)

For WorkSpaces that are configured for WorkSpaces Streaming Protocol (WSP), this port is used for streaming the WorkSpaces desktop. Web access does not support the use of a proxy server for port 4195 traffic. Direct connections are required. This port must be open to the WSP Gateway IP address ranges. For more information, see WSP gateway servers (p. 30).

Note

If your firewall uses stateful filtering, ephemeral ports (also known as dynamic ports) are automatically opened to allow return communication. If your firewall uses stateless filtering, you must open ephemeral ports explicitly to allow return communication. The required ephemeral port range that you must open varies depending on your configuration.

Typically, the web browser randomly selects a source port in the high range to use for streaming traffic. WorkSpaces Web Access does not have control over the port that the browser selects. You must ensure that return traffic to this port is allowed.

Domains and IP addresses to add to your allow list

For the WorkSpaces client application to be able to access the WorkSpaces service, you must add the following domains and IP addresses to the allow list on the network from which the client is trying to access the service.

Domains and IP addresses to add to your allow list

Category Domain or IP address

CAPTCHA
• https://opfcaptcha-prod.s3.amazonaws.com/

Client Auto-update
• https://d2td7dqidlhjx7.cloudfront.net/
• In the AWS GovCloud (US-West) Region: https://s3.amazonaws.com/workspaces-client-updates/prod/pdt/windows/WorkSpacesAppCast.xml

Connectivity Check
• https://connectivity.amazonworkspaces.com/

Device Metrics (for 1.0+ and 2.0+ WorkSpaces client applications)
• https://device-metrics-us-2.amazon.com/

Client Metrics (for 3.0+ WorkSpaces client applications)
Domains:
• https://skylight-client-ds.us-east-1.amazonaws.com
• https://skylight-client-ds.us-west-2.amazonaws.com
• https://skylight-client-ds.ap-south-1.amazonaws.com
• https://skylight-client-ds.ap-northeast-2.amazonaws.com
• https://skylight-client-ds.ap-southeast-1.amazonaws.com
• https://skylight-client-ds.ap-southeast-2.amazonaws.com
• https://skylight-client-ds.ap-northeast-1.amazonaws.com
• https://skylight-client-ds.ca-central-1.amazonaws.com
• https://skylight-client-ds.eu-central-1.amazonaws.com
• https://skylight-client-ds.eu-west-1.amazonaws.com
• https://skylight-client-ds.eu-west-2.amazonaws.com
• https://skylight-client-ds.sa-east-1.amazonaws.com
• In the AWS GovCloud (US-West) Region: https://skylight-client-ds.us-gov-west-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)
Domains:
• https://ws-client-service.us-east-1.amazonaws.com
• https://ws-client-service.us-west-2.amazonaws.com

• https://ws-client-service.ap-south-1.amazonaws.com
• https://ws-client-service.ap-northeast-2.amazonaws.com
• https://ws-client-service.ap-southeast-1.amazonaws.com
• https://ws-client-service.ap-southeast-2.amazonaws.com
• https://ws-client-service.ap-northeast-1.amazonaws.com
• https://ws-client-service.ca-central-1.amazonaws.com
• https://ws-client-service.eu-central-1.amazonaws.com
• https://ws-client-service.eu-west-1.amazonaws.com
• https://ws-client-service.eu-west-2.amazonaws.com
• https://ws-client-service.sa-east-1.amazonaws.com

Directory Settings
Authentication from the client to the customer directory before login to the WorkSpace:
• https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>
Connections from macOS clients:
• https://d32i4gd7pg4909.cloudfront.net/
Customer directory settings:
• https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>
Login page graphics for customer directory level co-branding:
• https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>
CSS file to style the login pages:
• https://d3s98kk2h6f4oh.cloudfront.net/
• https://dyqsoz7pkju4e.cloudfront.net/
JavaScript file for the login pages:
• US East (N. Virginia) — https://d32i4gd7pg4909.cloudfront.net/
• US West (Oregon) — https://d18af777lco7lp.cloudfront.net/
• Asia Pacific (Mumbai) — https://d78hovzzqqtsb.cloudfront.net/
• Asia Pacific (Seoul) — https://dtyv4uwoh7ynt.cloudfront.net/
• Asia Pacific (Singapore) — https://d3qzmd7y07pz0i.cloudfront.net/
• Asia Pacific (Sydney) — https://dwcpoxuuza83q.cloudfront.net/
• Asia Pacific (Tokyo) — https://d2c2t8mxjhq5z1.cloudfront.net/
• Canada (Central) — https://d2wfbsypmqjmog.cloudfront.net/
• Europe (Frankfurt) — https://d1whcm49570jjw.cloudfront.net/
• Europe (Ireland) — https://d3pgffbf39h4k4.cloudfront.net/
• Europe (London) — https://d16q6638mh01s7.cloudfront.net/

• South America (São Paulo) — https://d2lh2qc5bdoq4b.cloudfront.net/
In the AWS GovCloud (US-West) Region:
• Customer directory settings: https://s3.amazonaws.com/workspaces-client-properties/prod/pdt/<directory ID>
• Login page graphics for customer directory level co-branding: https://s3.amazonaws.com/workspaces-client-assets/prod/pdt/<directory ID>
• CSS file to style the login pages: https://s3.amazonaws.com/workspaces-clients-css/workspaces_v2.css
• JavaScript file for the login pages: Not applicable

Forrester Log Service
• https://fls-na.amazon.com/

Health Check (DRP) Servers
• Health check servers (p. 26)

Registration Dependency (for Web Access and Teradici PCoIP Zero Clients)
• https://s3.amazonaws.com

User Login Pages
• https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)
• In the AWS GovCloud (US-West) Region: https://login.us-gov-home.awsapps.com/directory/<directory id>/ (where <directory id> is the customer's domain)

WS Broker
Domains:
• https://ws-broker-service.us-east-1.amazonaws.com
• https://ws-broker-service-fips.us-east-1.amazonaws.com
• https://ws-broker-service.us-west-2.amazonaws.com
• https://ws-broker-service-fips.us-west-2.amazonaws.com
• https://ws-broker-service.ap-south-1.amazonaws.com
• https://ws-broker-service.ap-northeast-2.amazonaws.com
• https://ws-broker-service.ap-southeast-1.amazonaws.com
• https://ws-broker-service.ap-southeast-2.amazonaws.com
• https://ws-broker-service.ap-northeast-1.amazonaws.com
• https://ws-broker-service.ca-central-1.amazonaws.com
• https://ws-broker-service.eu-central-1.amazonaws.com
• https://ws-broker-service.eu-west-1.amazonaws.com
• https://ws-broker-service.eu-west-2.amazonaws.com
• https://ws-broker-service.sa-east-1.amazonaws.com
• https://ws-broker-service.us-gov-west-1.amazonaws.com
• https://ws-broker-service-fips.us-gov-west-1.amazonaws.com

WorkSpaces API Endpoints
Domains:
• https://workspaces.us-east-1.amazonaws.com
• https://workspaces-fips.us-east-1.amazonaws.com
• https://workspaces.us-west-2.amazonaws.com
• https://workspaces-fips.us-west-2.amazonaws.com
• https://workspaces.ap-south-1.amazonaws.com
• https://workspaces.ap-northeast-2.amazonaws.com
• https://workspaces.ap-southeast-1.amazonaws.com
• https://workspaces.ap-southeast-2.amazonaws.com
• https://workspaces.ap-northeast-1.amazonaws.com
• https://workspaces.ca-central-1.amazonaws.com
• https://workspaces.eu-central-1.amazonaws.com
• https://workspaces.eu-west-1.amazonaws.com
• https://workspaces.eu-west-2.amazonaws.com
• https://workspaces.sa-east-1.amazonaws.com
• https://workspaces.us-gov-west-1.amazonaws.com
• https://workspaces-fips.us-gov-west-1.amazonaws.com

Domains and IP addresses to add to your allow list for PCoIP

Category Domain or IP address

PCoIP Session Gateway (PSG)   PCoIP gateway servers (p. 28)

Session Broker (PCM)   Domains:

• https://skylight-cm.us-east-1.amazonaws.com

• https://skylight-cm-fips.us-east-1.amazonaws.com

• https://skylight-cm.us-west-2.amazonaws.com

• https://skylight-cm-fips.us-west-2.amazonaws.com

• https://skylight-cm.ap-south-1.amazonaws.com

• https://skylight-cm.ap-northeast-2.amazonaws.com

• https://skylight-cm.ap-southeast-1.amazonaws.com

• https://skylight-cm.ap-southeast-2.amazonaws.com

• https://skylight-cm.ap-northeast-1.amazonaws.com

• https://skylight-cm.ca-central-1.amazonaws.com

• https://skylight-cm.eu-central-1.amazonaws.com

• https://skylight-cm.eu-west-1.amazonaws.com

• https://skylight-cm.eu-west-2.amazonaws.com

• https://skylight-cm.sa-east-1.amazonaws.com

• https://skylight-cm.us-gov-west-1.amazonaws.com

• https://skylight-cm-fips.us-gov-west-1.amazonaws.com

Web Access TURN Servers for PCoIP   Servers:

• turn:*.us-east-1.rdn.amazonaws.com

• turn:*.us-west-2.rdn.amazonaws.com

• Web Access isn't currently available in the Asia Pacific (Mumbai) Region.

• turn:*.ap-northeast-2.rdn.amazonaws.com

• turn:*.ap-southeast-1.rdn.amazonaws.com

• turn:*.ap-southeast-2.rdn.amazonaws.com

• turn:*.ap-northeast-1.rdn.amazonaws.com

• turn:*.ca-central-1.rdn.amazonaws.com

• turn:*.eu-central-1.rdn.amazonaws.com

• turn:*.eu-west-1.rdn.amazonaws.com

• turn:*.eu-west-2.rdn.amazonaws.com

• turn:*.sa-east-1.rdn.amazonaws.com

Domains and IP addresses to add to your allow list for WorkSpaces Streaming Protocol (WSP)

Category Domain or IP address

WSP Session Gateway (WSG)   WSP gateway servers (p. 30)

Web Access TURN Servers for WSP   WSP gateway servers (p. 30)

Health check servers

The WorkSpaces client applications perform health checks over ports 4172 and 4195. These checks validate whether TCP or UDP traffic streams from the WorkSpaces servers to the client applications. For these checks to finish successfully, your firewall policies must allow outbound traffic to the IP addresses of the following Regional health check servers.
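As an added example, not code from the Amazon WorkSpaces guide, the following Python script audits from a client network whether outbound TCP to the documented health check addresses on ports 4172 and 4195 is permitted, and whether the health check hostname's current DNS answer still matches the documented list, which is how a stale firewall allow list shows up. The hostnames and addresses for the two Regions shown are copied from the table below; the function names and the injectable connect/resolver callables are this example's own.

```python
"""Audit outbound reachability of the WorkSpaces regional health check
servers on TCP 4172 and 4195 from the network a WorkSpaces client sits on.
Added example, not code from the Amazon WorkSpaces guide. Hostnames and IP
addresses are copied from the guide's "Health check servers" table (two
Regions shown; add others the same way). Function names are this example's own."""
import socket
from typing import Callable, Dict, List, Tuple

HEALTH_CHECK_PORTS: Tuple[int, ...] = (4172, 4195)  # per the guide

# Region -> (health check hostname, documented IP addresses)
HEALTH_CHECK_SERVERS: Dict[str, Tuple[str, List[str]]] = {
    "US East (N. Virginia)": ("drp-iad.amazonworkspaces.com", [
        "3.209.215.252", "3.212.50.30", "3.225.55.35",
        "3.226.24.234", "34.200.29.95", "52.200.219.150"]),
    "US West (Oregon)": ("drp-pdx.amazonworkspaces.com", [
        "34.217.248.177", "52.34.160.80", "54.68.150.54",
        "54.185.4.125", "54.188.171.18", "54.244.158.140"]),
}

def tcp_connect(ip: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to ip:port completes (not filtered).
    Only the TCP path is exercised; UDP 4172/4195 needs a separate probe."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def resolve(hostname: str) -> List[str]:
    """IPv4 addresses the health check hostname currently resolves to."""
    return sorted({r[4][0] for r in socket.getaddrinfo(hostname, None, socket.AF_INET)})

def audit_region(region: str,
                 connect: Callable[[str, int], bool] = tcp_connect,
                 resolver: Callable[[str], List[str]] = resolve) -> Dict[str, object]:
    """Probe every documented IP on every health check port, and flag DNS
    answers missing from the documented list (a sign the allow list is stale)."""
    hostname, documented = HEALTH_CHECK_SERVERS[region]
    blocked = [(ip, port) for ip in documented for port in HEALTH_CHECK_PORTS
               if not connect(ip, port)]
    undocumented = sorted(set(resolver(hostname)) - set(documented))
    return {"hostname": hostname, "blocked": blocked,
            "undocumented": undocumented, "ok": not blocked and not undocumented}

if __name__ == "__main__":
    for name in HEALTH_CHECK_SERVERS:
        print(name, audit_region(name))
```

A non-empty "blocked" list points at a firewall rule to fix; a non-empty "undocumented" list means the published table no longer matches DNS and the allow list should be re-checked against the current guide.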


Region                    Health check hostname           IP addresses

US East (N. Virginia)     drp-iad.amazonworkspaces.com    3.209.215.252, 3.212.50.30, 3.225.55.35, 3.226.24.234, 34.200.29.95, 52.200.219.150

US West (Oregon)          drp-pdx.amazonworkspaces.com    34.217.248.177, 52.34.160.80, 54.68.150.54, 54.185.4.125, 54.188.171.18, 54.244.158.140

Asia Pacific (Mumbai)     drp-bom.amazonworkspaces.com    13.127.57.82, 13.234.250.73

Asia Pacific (Seoul)      drp-icn.amazonworkspaces.com    13.124.44.166, 13.124.203.105, 52.78.44.253, 52.79.54.102

Asia Pacific (Singapore)  drp-sin.amazonworkspaces.com    3.0.212.144, 18.138.99.116, 18.140.252.123, 52.74.175.118

Asia Pacific (Sydney)     drp-syd.amazonworkspaces.com    3.24.11.127, 13.237.232.125

Asia Pacific (Tokyo)      drp-nrt.amazonworkspaces.com    18.178.102.247, 54.64.174.128

Canada (Central)          drp-yul.amazonworkspaces.com    52.60.69.16, 52.60.80.237, 52.60.173.117, 52.60.201.0
