

# Networking and Access for WorkSpaces Pools
<a name="managing-network"></a>

The following topics provide information about enabling users to connect to WorkSpaces Pools and enabling your WorkSpaces Pools to access network resources and the internet.

**Topics**
+ [Internet Access for WorkSpaces Pools](internet-access.md)
+ [Configure a VPC for WorkSpaces Pools](appstream-vpc.md)
+ [Configure FedRAMP authorization or DoD SRG compliance for WorkSpaces Pools](fips-encryption-pools.md)
+ [Using Amazon S3 VPC Endpoints for WorkSpaces Pools Features](managing-network-vpce-iam-policy.md)
+ [Connections to Your VPC for WorkSpaces Pools](pools-port-requirements.md)
+ [User connections to WorkSpaces Pools](user-connections-to-appstream2.md)

# Internet Access for WorkSpaces Pools
<a name="internet-access"></a>

If your WorkSpaces in WorkSpaces Pools require internet access, you can enable it in several ways. When you choose a method for enabling internet access, consider the number of users your deployment must support and your deployment goals. For example:
+ If your deployment must support more than 100 concurrent users, [configure a VPC with private subnets and a NAT gateway](managing-network-internet-NAT-gateway.md).
+ If your deployment supports fewer than 100 concurrent users, you can [configure a new or existing VPC with a public subnet](managing-network-default-internet-access.md).
+ If your deployment supports fewer than 100 concurrent users and you are new to WorkSpaces Pools and want to get started using the service, you can [use the default VPC, public subnet, and security group](managing-network-default-internet-access.md).

The following sections provide more information about each of these deployment options.
+ [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md) (recommended) — With this configuration, you launch your WorkSpaces in a private subnet and configure a NAT gateway in a public subnet in your VPC. Your streaming instances are assigned a private IP address that is not directly accessible from the internet. 

  In addition, unlike configurations that use the **Default Internet Access** option for enabling internet access, the NAT configuration is not limited to 100 WorkSpaces in WorkSpaces Pools. If your deployment must support more than 100 concurrent users, use this configuration.

  You can create and configure a new VPC to use with a NAT gateway, or add a NAT gateway to an existing VPC. 
+ [Configure a New or Existing VPC with a Public Subnet](managing-network-default-internet-access.md) — With this configuration, you launch your WorkSpaces Pools in a public subnet. When you enable this option, WorkSpaces Pools uses the internet gateway in your Amazon VPC public subnet to provide the internet connection. Your streaming instances are assigned a public IP address that is directly accessible from the internet. You can create a new VPC or configure an existing one for this purpose.
**Note**  
When you configure a new or existing VPC with a public subnet, a maximum of 100 WorkSpaces are supported in WorkSpaces Pools. If your deployment must support more than 100 concurrent users, use the [NAT gateway configuration](managing-network-internet-NAT-gateway.md) instead.
+ [Use the Default VPC, Public Subnet, and Security Group](default-vpc-with-public-subnet.md) — If you are new to WorkSpaces Pools and want to get started using the service, you can launch your WorkSpaces Pools in a default public subnet. When you enable this option, WorkSpaces Pools uses the internet gateway in your Amazon VPC public subnet to provide the internet connection. Your streaming instances are assigned a public IP address that is directly accessible from the internet.

  Default VPCs are available in Amazon Web Services accounts created after 2013-12-04. 

  The default VPC includes a default public subnet in each Availability Zone and an internet gateway that is attached to your VPC. The VPC also includes a default security group.
**Note**  
When you use the default VPC, public subnet, and security group, a maximum of 100 WorkSpaces are supported in WorkSpaces Pools. If your deployment must support more than 100 concurrent users, use the [NAT gateway configuration](managing-network-internet-NAT-gateway.md) instead.

# Configure a VPC for WorkSpaces Pools
<a name="appstream-vpc"></a>

When you set up WorkSpaces Pools, you must specify the virtual private cloud (VPC) and at least one subnet in which to launch your WorkSpaces. A VPC is a virtual network in your own logically isolated area within the Amazon Web Services Cloud. A subnet is a range of IP addresses in your VPC.

When you configure your VPC for WorkSpaces Pools, you can specify either public or private subnets, or a mix of both types of subnets. A public subnet has direct access to the internet through an internet gateway. A private subnet, which doesn't have a route to an internet gateway, requires a Network Address Translation (NAT) gateway or NAT instance to provide access to the internet.

**Topics**
+ [VPC Setup Recommendations for WorkSpaces Pools](vpc-setup-recommendations.md)
+ [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md)
+ [Configure a New or Existing VPC with a Public Subnet](managing-network-default-internet-access.md)
+ [Use the Default VPC, Public Subnet, and Security Group](default-vpc-with-public-subnet.md)

# VPC Setup Recommendations for WorkSpaces Pools
<a name="vpc-setup-recommendations"></a>

When you create a WorkSpaces Pool, you specify the VPC and one or more subnets to use. You can provide additional access control to your VPC by specifying security groups. 

The following recommendations can help you configure your VPC more effectively and securely. In addition, they can help you configure an environment that supports effective WorkSpaces Pools scaling. With effective WorkSpaces Pools scaling, you can meet current and anticipated WorkSpaces user demand, while avoiding unnecessary resource usage and associated costs. 

**Overall VPC Configuration**
+ Make sure that your VPC configuration can support your WorkSpaces Pools scaling needs. 

  As you develop your plan for WorkSpaces Pools scaling, keep in mind that one user requires one WorkSpace. Therefore, the size of your WorkSpaces Pool determines the number of users who can stream concurrently. For this reason, for each [instance type](instance-types.md) that you plan to use, make sure that the number of WorkSpaces that your VPC can support is greater than the number of anticipated concurrent users for the same instance type.
+ Make sure that your WorkSpaces Pools account quotas (also referred to as limits) are sufficient to support your anticipated demand. To request a quota increase, you can use the Service Quotas console at [https://console.aws.amazon.com/servicequotas/](https://console.aws.amazon.com/servicequotas/). For information about default WorkSpaces Pools quotas, see [Amazon WorkSpaces quotas](workspaces-limits.md). 
+ If you plan to provide your WorkSpaces in WorkSpaces Pools with access to the internet, we recommend that you configure a VPC with two private subnets for your streaming instances and a NAT gateway in a public subnet.

  The NAT gateway lets the WorkSpaces in your private subnets connect to the internet or other AWS services. However, it prevents the internet from initiating a connection with those WorkSpaces. In addition, unlike configurations that use the **Default Internet Access** option for enabling internet access, the NAT configuration supports more than 100 WorkSpaces. For more information, see [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md).

**Elastic Network Interfaces**
+ WorkSpaces Pools creates as many [elastic network interfaces](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ElasticNetworkInterfaces.html) (network interfaces) as the maximum desired capacity of your WorkSpaces Pools. By default, the limit for network interfaces per Region is 5000. 

  When planning capacity for very large deployments, for example, thousands of WorkSpaces, consider the number of Amazon EC2 instances that are also used in the same Region.

**Subnets**
+ If you are configuring more than one private subnet for your VPC, configure each in a different Availability Zone. Doing so increases fault tolerance and can help prevent insufficient capacity errors. If you use two subnets in the same AZ, you might run out of IP addresses, because WorkSpaces Pools will not use the second subnet.
+ Make sure that the network resources required for your applications are accessible through both of your private subnets. 
+ Configure each of your private subnets with a subnet mask that allows for enough client IP addresses to account for the maximum number of expected concurrent users. In addition, allow for additional IP addresses to account for anticipated growth. For more information, see [VPC and Subnet Sizing for IPv4](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#vpc-sizing-ipv4).
+ If you are using a VPC with NAT, configure at least one public subnet with a NAT Gateway for internet access, preferably two. Configure the public subnets in the same Availability Zones where your private subnets reside. 

  To enhance fault tolerance and reduce the chance of insufficient capacity errors for large WorkSpaces Pools deployments, consider extending your VPC configuration into a third Availability Zone. Include a private subnet, public subnet, and NAT gateway in this additional Availability Zone.

**Security Groups**
+ Use security groups to provide additional access control to your VPC. 

  Security groups that belong to your VPC let you control the network traffic between WorkSpaces Pools streaming instances and network resources required by applications. These resources may include other AWS services such as Amazon RDS or Amazon FSx, license servers, database servers, file servers, and application servers.
+ Make sure that the security groups provide access to the network resources that your applications require.

  For general information about security groups, see [Control traffic to your AWS resources using security groups](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html) in the *Amazon VPC User Guide*.

# Configure a VPC with Private Subnets and a NAT Gateway
<a name="managing-network-internet-NAT-gateway"></a>

If you plan to provide your WorkSpaces in WorkSpaces Pools with access to the internet, we recommend that you configure a VPC with two private subnets for your WorkSpaces and a NAT gateway in a public subnet. You can create and configure a new VPC to use with a NAT gateway, or add a NAT gateway to an existing VPC. For additional VPC configuration recommendations, see [VPC Setup Recommendations for WorkSpaces Pools](vpc-setup-recommendations.md).

The NAT gateway lets the WorkSpaces in your private subnets connect to the internet or other AWS services, but prevents the internet from initiating a connection with those WorkSpaces. In addition, unlike configurations that use the **Default Internet Access** option for enabling internet access for WorkSpaces, this configuration is not limited to 100 WorkSpaces.

For information about using NAT Gateways and this configuration, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) and [VPC with Public and Private Subnets (NAT)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html) in the *Amazon VPC User Guide*.

**Topics**
+ [Create and Configure a New VPC](create-configure-new-vpc-with-private-public-subnets-nat.md)
+ [Add a NAT Gateway to an Existing VPC](add-nat-gateway-existing-vpc.md)
+ [Enable Internet Access for WorkSpaces Pools](managing-network-manual-enable-internet-access.md)

# Create and Configure a New VPC
<a name="create-configure-new-vpc-with-private-public-subnets-nat"></a>

This topic describes how to use the VPC wizard to create a VPC with a public subnet and one private subnet. As part of this process, the wizard creates an internet gateway and a NAT gateway. It also creates a custom route table associated with the public subnet and updates the main route table associated with the private subnet. The NAT gateway is automatically created in the public subnet of your VPC.

After you use the wizard to create the initial VPC configuration, you'll add a second private subnet. For more information about this configuration, see [VPC with Public and Private Subnets (NAT)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html) in the *Amazon VPC User Guide*.

**Note**  
If you already have a VPC, complete the steps in [Add a NAT Gateway to an Existing VPC](add-nat-gateway-existing-vpc.md) instead.

**Topics**
+ [Step 1: Allocate an Elastic IP Address](#allocate-elastic-ip)
+ [Step 2: Create a New VPC](#vpc-with-private-and-public-subnets-nat)
+ [Step 3: Add a Second Private Subnet](#vpc-with-private-and-public-subnets-add-private-subnet-nat)
+ [Step 4: Verify and Name Your Subnet Route Tables](#verify-name-route-tables)

## Step 1: Allocate an Elastic IP Address
<a name="allocate-elastic-ip"></a>

Before you create your VPC, you must allocate an Elastic IP address in your WorkSpaces Region. You must first allocate an Elastic IP address for use in your VPC, and then associate it with your NAT gateway. For more information, see [Elastic IP Addresses](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html) in the *Amazon VPC User Guide*.

**Note**  
Charges may apply to Elastic IP addresses that you use. For more information, see [Elastic IP Addresses](https://docs.aws.amazon.com/ec2/pricing/on-demand/#Elastic_IP_Addresses) on the Amazon EC2 pricing page.

Complete the following steps if you don't already have an Elastic IP address. If you want to use an existing Elastic IP address, verify that it's not currently associated with another instance or network interface.

**To allocate an Elastic IP address**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Network & Security**, choose **Elastic IPs**.

1. Choose **Allocate New Address**, and then choose **Allocate**.

1. Note the Elastic IP address.

1. In the upper right of the **Elastic IPs** pane, click the X icon to close the pane.

## Step 2: Create a New VPC
<a name="vpc-with-private-and-public-subnets-nat"></a>

Complete the following steps to create a new VPC with a public subnet and one private subnet.

**To create a new VPC**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **VPC Dashboard**.

1. Choose **Launch VPC Wizard**.

1. In **Step 1: Select a VPC Configuration**, choose **VPC with Public and Private Subnets**, and then choose **Select**.

1. In **Step 2: VPC with Public and Private Subnets**, configure the VPC as follows:
   + For **IPv4 CIDR block**, specify an IPv4 CIDR block for the VPC.
   + For **IPv6 CIDR block**, keep the default value, **No IPv6 CIDR Block**.
   + For **VPC name**, type a unique name for the VPC.

1. Configure the public subnet as follows:
   + For **Public subnet's IPv4 CIDR**, specify the CIDR block for the subnet.
   + For **Availability Zone**, keep the default value, **No Preference**.
   + For **Public subnet name**, type a name for the subnet; for example, `WorkSpaces Public Subnet`.

1. Configure the first private subnet as follows:
   + For **Private subnet's IPv4 CIDR**, specify the CIDR block for the subnet. Make a note of the value that you specify.
   + For **Availability Zone**, select a specific zone and make a note of the zone that you select.
   + For **Private subnet name**, type a name for the subnet; for example, `WorkSpaces Private Subnet1`.
   + For the remaining fields, where applicable, keep the default values.

1. For **Elastic IP Allocation ID**, click in the text box and select the value that corresponds to the Elastic IP address that you created. This address is assigned to the NAT gateway. If you don't have an Elastic IP address, create one by using the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. For **Service endpoints**, if an Amazon S3 endpoint is required for your environment, specify one. An S3 endpoint is required to provide users with access to [home folders](persistent-storage.md#home-folders) or to enable [application settings persistence](app-settings-persistence.md) for your users in a private network.

   To specify an Amazon S3 endpoint, do the following:

   1. Choose **Add Endpoint**.

   1. For **Service**, select the entry in the list that ends with "s3" (the `com.amazonaws.`*region*`.s3` entry that corresponds to the Region in which the VPC is being created).

   1. For **Subnet**, choose **Private subnet**.

   1. For **Policy**, keep the default value, **Full Access**.

1. For **Enable DNS hostnames**, keep the default value, **Yes**.

1. For **Hardware tenancy**, keep the default value, **Default**.

1. Choose **Create VPC**.

1. Note that it takes several minutes to set up your VPC. After the VPC is created, choose **OK**.

## Step 3: Add a Second Private Subnet
<a name="vpc-with-private-and-public-subnets-add-private-subnet-nat"></a>

In the previous step ([Step 2: Create a New VPC](#vpc-with-private-and-public-subnets-nat)), you created a VPC with one public subnet and one private subnet. Perform the following steps to add a second private subnet. We recommend that you add a second private subnet in a different Availability Zone than your first private subnet. 

1. In the navigation pane, choose **Subnets**.

1. Select the first private subnet that you created in the previous step. On the **Description** tab, below the list of subnets, make a note of the Availability Zone for this subnet.

1. On the upper left of the subnets pane, choose **Create Subnet**.

1. For **Name tag**, type a name for the private subnet; for example, `WorkSpaces Private Subnet2`. 

1. For **VPC**, select the VPC that you created in the previous step.

1. For **Availability Zone**, select an Availability Zone other than the one you are using for your first private subnet. Selecting a different Availability Zone increases fault tolerance and helps prevent insufficient capacity errors.

1. For **IPv4 CIDR block**, specify a unique CIDR block range for the new subnet. For example, if your first private subnet has an IPv4 CIDR block range of `10.0.1.0/24`, you could specify a CIDR block range of `10.0.2.0/24` for the new private subnet.

1. Choose **Create**.

1. After your subnet is created, choose **Close**.

## Step 4: Verify and Name Your Subnet Route Tables
<a name="verify-name-route-tables"></a>

After you've created and configured your VPC, complete the following steps to specify a name for your route tables, and to verify that:
+ The route table associated with the subnet in which your NAT gateway resides includes a route that points internet traffic to an internet gateway. This ensures that your NAT gateway can access the internet.
+ The route tables associated with your private subnets are configured to point internet traffic to the NAT gateway. This enables the streaming instances in your private subnets to communicate with the internet.

1. In the navigation pane, choose **Subnets**, and select the public subnet that you created; for example, `WorkSpaces Public Subnet`.

   1. On the **Route Table** tab, choose the ID of the route table; for example, `rtb-12345678`.

   1. Select the route table. Under **Name**, choose the edit icon (the pencil), and type a name (for example, `workspaces-public-routetable`), and then select the check mark to save the name.

   1. With the public route table still selected, on the **Routes** tab, verify that there is one route for local traffic and another route that sends all other traffic to the internet gateway for the VPC. The following table describes these two routes:

      | Destination | Target |
      | --- | --- |
      | *VPC IPv4 CIDR block* | `local` |
      | `0.0.0.0/0` | `igw-`*id* (the internet gateway of the VPC) |

      [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/workspaces/latest/adminguide/create-configure-new-vpc-with-private-public-subnets-nat.html)

1. In the navigation pane, choose **Subnets**, and select the first private subnet that you created (for example, `WorkSpaces Private Subnet1`).

   1. On the **Route Table** tab, choose the ID of the route table.

   1. Select the route table. Under **Name**, choose the edit icon (the pencil), and enter a name (for example, `workspaces-private-routetable`), and then choose the check mark to save the name.

   1. On the **Routes** tab, verify that the route table includes the following routes:

      | Destination | Target |
      | --- | --- |
      | *VPC IPv4 CIDR block* | `local` |
      | `0.0.0.0/0` | `nat-`*id* (the NAT gateway in your public subnet) |

1. In the navigation pane, choose **Subnets**, and select the second private subnet that you created (for example, `WorkSpaces Private Subnet2`). 

1. On the **Route Table** tab, verify that the route table is the private route table (for example, `workspaces-private-routetable`). If the route table is different, choose **Edit** and select this route table.
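The route-table verification in Step 4, together with the subnet-sizing and Availability Zone recommendations in [VPC Setup Recommendations for WorkSpaces Pools](vpc-setup-recommendations.md), can be checked mechanically rather than by eye. The following Python script is an added example, not code from this guide or from AWS: it takes the `Subnets` and `RouteTables` lists in the shape returned by `aws ec2 describe-subnets` and `aws ec2 describe-route-tables`, and reports any private subnet whose default route does not go to a NAT gateway, any public subnet whose default route does not go to an internet gateway, private subnets that share an Availability Zone, and subnets too small for the expected concurrent users. The subnet, route-table, gateway IDs and CIDR blocks at the bottom are constructed sample data; `RESERVED_PER_SUBNET` reflects the five addresses Amazon VPC reserves in every IPv4 subnet.

```python
"""Offline layout checks for a WorkSpaces Pools VPC (added example, not AWS code).

Input is the JSON shape of `aws ec2 describe-subnets` ("Subnets") and
`aws ec2 describe-route-tables` ("RouteTables"); the sample data at the
bottom is constructed for this example.
"""
import ipaddress

# Amazon VPC reserves the first four and the last address of every IPv4 subnet.
RESERVED_PER_SUBNET = 5


def usable_addresses(cidr):
    """Host addresses a subnet can hand out to WorkSpaces network interfaces."""
    return ipaddress.ip_network(cidr).num_addresses - RESERVED_PER_SUBNET


def route_table_for(subnet_id, route_tables):
    """Route table explicitly associated with a subnet, or None.

    None means the subnet silently falls back to the VPC's main route table,
    which is exactly the mis-association Step 4 tells you to look for.
    """
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
    return None


def default_route_target(route_table):
    """Target ID of the active 0.0.0.0/0 route, or None if the table has none."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State", "active") == "active"):
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def check_layout(subnets, route_tables, public_subnet_id, private_subnet_ids, expected_users):
    """Return a list of findings; an empty list means the layout matches the guide.

    Checks: public subnet routes 0.0.0.0/0 to an internet gateway (igw-*);
    each private subnet routes 0.0.0.0/0 to a NAT gateway (nat-*);
    private subnets are in distinct Availability Zones;
    each private subnet has enough usable addresses for expected_users.
    """
    findings = []
    by_id = {s["SubnetId"]: s for s in subnets}

    public_rt = route_table_for(public_subnet_id, route_tables)
    target = default_route_target(public_rt) if public_rt else None
    if not (target and target.startswith("igw-")):
        findings.append(f"{public_subnet_id}: 0.0.0.0/0 must point to an internet gateway, found {target}")

    zones = {}
    for sid in private_subnet_ids:
        rt = route_table_for(sid, route_tables)
        target = default_route_target(rt) if rt else None
        if not (target and target.startswith("nat-")):
            findings.append(f"{sid}: 0.0.0.0/0 must point to a NAT gateway, found {target}")
        zones.setdefault(by_id[sid]["AvailabilityZone"], []).append(sid)
        capacity = usable_addresses(by_id[sid]["CidrBlock"])
        if capacity < expected_users:
            findings.append(f"{sid}: {capacity} usable addresses < {expected_users} expected concurrent users")
    for az, ids in zones.items():
        if len(ids) > 1:
            findings.append(f"{az}: {', '.join(ids)} share one Availability Zone; WorkSpaces Pools uses only the first")
    return findings


# Constructed sample data (IDs are placeholders, not real resources).
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-pub1", "CidrBlock": "10.0.0.0/24", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv1", "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-priv2", "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "us-east-1b"},
]
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv1"}, {"SubnetId": "subnet-priv2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
]

if __name__ == "__main__":
    problems = check_layout(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES,
                            "subnet-pub1", ["subnet-priv1", "subnet-priv2"], expected_users=200)
    print("\n".join(problems) if problems else "layout OK")
```

To run this against a real account, dump `aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id>` and `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>` to files and pass their `Subnets` and `RouteTables` lists in place of the sample data. A finding that a private subnet has no explicitly associated route table is the case Step 4 warns about: it would then use the main route table, and if that table has no NAT route the WorkSpaces in that subnet have no internet access.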

**Next Steps**

To enable your WorkSpaces in WorkSpaces Pools to access the internet, complete the steps in [Enable Internet Access for WorkSpaces Pools](managing-network-manual-enable-internet-access.md).

# Add a NAT Gateway to an Existing VPC
<a name="add-nat-gateway-existing-vpc"></a>

If you have already configured a VPC, complete the following steps to add a NAT gateway to your VPC. If you need to create a new VPC, see [Create and Configure a New VPC](create-configure-new-vpc-with-private-public-subnets-nat.md).

**To add a NAT gateway to an existing VPC**

1. To create your NAT gateway, complete the steps in [Creating a NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon VPC User Guide*.

1. Verify that your VPC has at least one private subnet. We recommend that you specify two private subnets from different Availability Zones for high availability and fault tolerance. For information about how to create a second private subnet, see [Step 3: Add a Second Private Subnet](create-configure-new-vpc-with-private-public-subnets-nat.md#vpc-with-private-and-public-subnets-add-private-subnet-nat).

1. Update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway. This enables the streaming instances in your private subnets to communicate with the internet. To do so, complete the steps in [Updating Your Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-create-route) in the *Amazon VPC User Guide*.

**Next Steps**

To enable your WorkSpaces in WorkSpaces Pools to access the internet, complete the steps in [Enable Internet Access for WorkSpaces Pools](managing-network-manual-enable-internet-access.md).

# Enable Internet Access for WorkSpaces Pools
<a name="managing-network-manual-enable-internet-access"></a>

After your NAT gateway is available on a VPC, you can enable internet access for your WorkSpaces Pools. You can enable internet access when you [create the WorkSpaces Pool directory](https://docs.aws.amazon.com/workspaces/latest/adminguide/create-directory-pools.html). Choose the VPC with a NAT gateway when you create the directory. Then select a private subnet for **Subnet 1** and, optionally, another private subnet for **Subnet 2**. If your VPC doesn't already have a second private subnet, you may need to create one.

You can test your internet connectivity by starting your WorkSpaces Pool, and then connecting to a WorkSpace in the pool and browsing to the internet.

# Configure a New or Existing VPC with a Public Subnet
<a name="managing-network-default-internet-access"></a>

If you created your Amazon Web Services account after 2013-12-04, you have a [default VPC](default-vpc-with-public-subnet.md) in each AWS Region that includes default public subnets. However, you may want to create your own nondefault VPC or configure an existing VPC to use with your WorkSpaces Pool directory. This topic describes how to configure a nondefault VPC and public subnet to use with WorkSpaces Pools.

After you configure your VPC and public subnet, you can provide your WorkSpaces in WorkSpaces Pools with access to the internet by enabling the **Default Internet Access** option. When you enable this option, WorkSpaces Pools enables internet connectivity by associating an [Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-ip-addresses-eip.html) to the network interface that is attached from the streaming instance to your public subnet. An Elastic IP address is a public IPv4 address that is reachable from the internet. For this reason, we recommend that you instead use a NAT gateway to provide internet access to your WorkSpaces in WorkSpaces Pools. In addition, when **Default Internet Access** is enabled, a maximum of 100 WorkSpaces are supported. If your deployment must support more than 100 concurrent users, use the [NAT gateway configuration](managing-network-internet-NAT-gateway.md) instead.

For more information, see the steps in [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md). For additional VPC configuration recommendations, see [VPC Setup Recommendations for WorkSpaces Pools](vpc-setup-recommendations.md).

**Topics**
+ [Step 1: Configure a VPC with a Public Subnet](#vpc-with-public-subnet)
+ [Step 2: Enable Default Internet Access For Your WorkSpaces Pools](#managing-network-enable-default-internet-access)

## Step 1: Configure a VPC with a Public Subnet
<a name="vpc-with-public-subnet"></a>

You can configure your own non-default VPC with a public subnet by using either of the following methods:
+ [Create a New VPC with a Single Public Subnet](#new-vpc-with-public-subnet)
+ [Configure an Existing VPC](#existing-vpc-with-public-subnet)

### Create a New VPC with a Single Public Subnet
<a name="new-vpc-with-public-subnet"></a>

When you use the VPC wizard to create a new VPC, the wizard creates an internet gateway and a custom route table that is associated with the public subnet. The route table routes all traffic destined for an address outside the VPC to the internet gateway. For more information about this configuration, see [VPC with a Single Public Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario1.html) in the *Amazon VPC User Guide*.

1. Complete the steps in [Step 1: Create the VPC](https://docs.aws.amazon.com/vpc/latest/userguide/getting-started-ipv4.html#getting-started-create-vpc) in the *Amazon VPC User Guide* to create your VPC.

1. To enable your WorkSpaces to access the internet, complete the steps in [Step 2: Enable Default Internet Access For Your WorkSpaces Pools](#managing-network-enable-default-internet-access).

### Configure an Existing VPC
<a name="existing-vpc-with-public-subnet"></a>

If you want to use an existing VPC that does not have a public subnet, you can add a new public subnet. In addition to a public subnet, you must also have an internet gateway attached to your VPC and a route table that routes all traffic destined for an address outside the VPC to the internet gateway. To configure these components, complete the following steps.

1. To add a public subnet, complete the steps in [Creating a Subnet in Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet). Use the existing VPC that you plan to use with WorkSpaces Pools.

   If your VPC is configured to support IPv6 addressing, the **IPv6 CIDR block** list displays. Select **Don't assign Ipv6**.

1. To create and attach an internet gateway to your VPC, complete the steps in [Creating and Attaching an Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Attach_Gateway). 

1. To configure your subnet to route internet traffic through the internet gateway, complete the steps in [Creating a Custom Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Routing). In step 5, for **Destination**, use IPv4 format (`0.0.0.0/0`).

1. To enable your WorkSpaces to access the internet, complete the steps in [Step 2: Enable Default Internet Access For Your WorkSpaces Pools](#managing-network-enable-default-internet-access).

## Step 2: Enable Default Internet Access For Your WorkSpaces Pools
<a name="managing-network-enable-default-internet-access"></a>

You can enable internet access when you [create the WorkSpaces Pool directory](https://docs.aws.amazon.com/workspaces/latest/adminguide/create-directory-pools.html). Choose the VPC with a public subnet when you create the directory. Then select a public subnet for **Subnet 1** and, optionally, another public subnet for **Subnet 2**.

You can test your internet connectivity by starting your WorkSpaces Pool, and then connecting to a WorkSpace in the pool and browsing to the internet.

# Use the Default VPC, Public Subnet, and Security Group
<a name="default-vpc-with-public-subnet"></a>

Your Amazon Web Services account, if it was created after 2013-12-04, has a default VPC in each AWS Region. The default VPC includes a default public subnet in each Availability Zone and an internet gateway that is attached to your VPC. The VPC also includes a default security group. If you are new to WorkSpaces Pools and want to get started using the service, you can keep the default VPC and security group selected when you create a WorkSpaces Pool. Then, you can select at least one default subnet.

**Note**  
If your Amazon Web Services account was created before 2013-12-04, you must create a new VPC or configure an existing one to use with WorkSpaces Pools. We recommend that you manually configure a VPC with two private subnets for your WorkSpaces Pools and a NAT gateway in a public subnet. For more information, see [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md). Alternatively, you can configure a non-default VPC with a public subnet. For more information, see [Configure a New or Existing VPC with a Public Subnet](managing-network-default-internet-access.md).

You can enable internet access when you [create the WorkSpaces Pool directory](https://docs.aws.amazon.com/workspaces/latest/adminguide/create-directory-pools.html).

Choose the default VPC when you create the directory. The default VPC name uses the following format: `vpc-`*vpc-id*` (No_default_value_Name)`.

Then select a default public subnet for **Subnet 1** and, optionally, another default public subnet for **Subnet 2**. The default subnet names use the following format: `subnet-`*subnet-id*` | (`*IPv4 CIDR block*`) | Default in` *availability-zone*.

You can test your internet connectivity by starting your WorkSpaces Pool, and then connecting to a WorkSpace in the pool and browsing to the internet.

# Configure FedRAMP authorization or DoD SRG compliance for WorkSpaces Pools
<a name="fips-encryption-pools"></a>

To comply with the [Federal Risk and Authorization Management Program (FedRAMP)](https://aws.amazon.com/compliance/fedramp/) or the [Department of Defense (DoD) Cloud Computing Security Requirements Guide (SRG)](https://aws.amazon.com/compliance/dod/), you must configure Amazon WorkSpaces Pools to use Federal Information Processing Standards (FIPS) endpoint encryption at the directory level. You must also use a US AWS Region that has FedRAMP authorization or is DoD SRG compliant.

The level of FedRAMP authorization (Moderate or High) or DoD SRG Impact Level (2, 4, or 5) depends on the US AWS Region in which Amazon WorkSpaces is being used. For the levels of FedRAMP authorization and DoD SRG compliance that apply to each Region, see [AWS Services in Scope by Compliance Program](https://aws.amazon.com/compliance/services-in-scope/).

**Requirements**
+ The WorkSpaces Pools directory must be configured to use **FIPS 140-2 Validated Mode** for endpoint encryption.
  **Note**  
  You can select **FIPS 140-2 Validated Mode** only when both of the following are true:  
  + The directory is either new and not yet associated with a pool, or associated with an existing pool that is in the `STOPPED` state. Stop a running pool before you change the setting.
  + The directory's preferred streaming protocol, set through the [ModifyStreamingProperties](https://docs.aws.amazon.com/workspaces/latest/api/API_ModifyStreamingProperties.html) API action, is TCP. UDP streaming is not available with FIPS endpoint encryption.
+ You must create your WorkSpaces Pools in a [US AWS Region that has FedRAMP authorization or is DoD SRG-compliant](https://aws.amazon.com/compliance/services-in-scope/).
+ Users must access their WorkSpaces from one of the following WorkSpaces client applications:
  + macOS: 5.20.0 or later
  + Windows: 5.20.0 or later
  + Web Access

**To use FIPS endpoint encryption**

1. Open the WorkSpaces console at [https://console.aws.amazon.com/workspaces/v2/home](https://console.aws.amazon.com/workspaces/v2/home).

1. In the navigation pane, choose **Directories**, and then choose the directory that you want to configure for FedRAMP authorization or DoD SRG compliance.

1. On the **Directory Details** page, locate the **Endpoint encryption** section.

1. Choose **Edit**, and then select **FIPS 140-2 Validated Mode**.

1. Choose **Save**.

# Using Amazon S3 VPC Endpoints for WorkSpaces Pools Features
<a name="managing-network-vpce-iam-policy"></a>

When you enable Application Settings Persistence for a WorkSpaces Pool or Home folders for a WorkSpaces Pool directory, WorkSpaces uses the VPC you specify for your directory to provide access to Amazon Simple Storage Service (Amazon S3) buckets. To enable WorkSpaces Pools access to your private S3 endpoint, attach the following custom policy to your VPC endpoint for Amazon S3. For more information about private Amazon S3 endpoints, see [VPC Endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints.html) and [Endpoints for Amazon S3](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-s3.html) in the *Amazon VPC User Guide*.

------
#### [ Commercial AWS Regions ]

Use the following policy for resources in the commercial AWS Regions.

------
#### [ AWS GovCloud (US) Regions ]

Use the following policy for resources in the AWS GovCloud (US) Regions. The policy differs from the commercial one in the ARN partition (`aws-us-gov` instead of `aws`).

------
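The policy text itself is not reproduced on this page. The following is an added example, not the policy from the WorkSpaces documentation: it generates an S3 gateway endpoint policy scoped to a set of bucket-name prefixes for either partition, and lints a policy for the two mistakes that turn a VPC endpoint into a path to every bucket in the partition (`s3:*` actions or a wildcard `Resource`). The bucket-name prefixes are placeholders; substitute the buckets that WorkSpaces Pools actually uses for Application Settings Persistence and Home folders in your account.

```python
"""Generate and sanity-check an Amazon S3 gateway endpoint policy.

Added example for this page, not the policy from the WorkSpaces
documentation (which is not reproduced here). The bucket-name prefixes
are placeholders: substitute the buckets WorkSpaces Pools uses for
Application Settings Persistence and Home folders in your account.
"""
import json
import re

# The ARN partition is what changes between the two policy variants.
PARTITIONS = {"commercial": "aws", "govcloud": "aws-us-gov"}

# Placeholder prefixes (assumption for this example, not real bucket names).
EXAMPLE_BUCKET_PREFIXES = [
    "workspaces-pools-app-settings-",
    "workspaces-pools-home-folders-",
]

# Matches a Resource element that covers every S3 bucket or every object.
ANY_S3_RESOURCE = re.compile(r"^(\*|arn:[a-z-]+:s3:::\*(/\*)?)$")


def build_s3_endpoint_policy(region_class, bucket_prefixes):
    """Return a gateway endpoint policy scoped to the given bucket prefixes.

    Principal is "*" because an endpoint policy is a boundary, not a grant:
    the caller's IAM policy and the bucket policy still have to allow the
    request. The Resource list is what keeps the endpoint from becoming a
    path to every bucket in the partition.
    """
    partition = PARTITIONS[region_class]
    resources = []
    for prefix in bucket_prefixes:
        resources.append(f"arn:{partition}:s3:::{prefix}*")      # bucket (ListBucket)
        resources.append(f"arn:{partition}:s3:::{prefix}*/*")    # objects in it
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "WorkSpacesPoolsBucketsOnly",
                "Effect": "Allow",
                "Principal": "*",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                ],
                "Resource": resources,
            }
        ],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def find_overbroad_statements(policy):
    """Return the Sids of Allow statements that grant s3:* or reach any bucket.

    Run this against the policy you are about to attach, whether generated
    here or pasted from elsewhere.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        too_broad = any(a in ("*", "s3:*") for a in actions) or any(
            ANY_S3_RESOURCE.match(r) for r in resources
        )
        if too_broad:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    for region_class in PARTITIONS:
        policy = build_s3_endpoint_policy(region_class, EXAMPLE_BUCKET_PREFIXES)
        assert not find_overbroad_statements(policy)
        print(f"# {region_class}\n{json.dumps(policy, indent=2)}\n")
```

Attach the generated JSON with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <id> --policy-document file://policy.json`, and keep `find_overbroad_statements` in the pipeline that reviews endpoint policies: an endpoint policy that allows `s3:*` on `*` is the common default and silently gives every instance in the subnet a route to any bucket in the partition.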

# Connections to Your VPC for WorkSpaces Pools
<a name="pools-port-requirements"></a>

To enable WorkSpaces Pools connectivity to network resources and the internet, configure your WorkSpaces as follows.

## Network Interfaces
<a name="pools-network-interfaces"></a>

Each WorkSpace in a WorkSpaces Pool has the following network interfaces:
+ The customer network interface provides connectivity to the resources within your VPC, as well as the internet, and is used to join the WorkSpaces to your directory.
+ The management network interface is connected to a secure WorkSpaces Pools management network. It is used for interactive streaming of the WorkSpace to a user's device, and to allow WorkSpaces Pools to manage the WorkSpace.

WorkSpaces Pools selects the IP address for the management network interface from the following private IP address range: 198.19.0.0/16. Do not use this range for your VPC CIDR or peer your VPC with another VPC with this range, as this might create a conflict and cause WorkSpaces to be unreachable. Also, do not modify or delete any of the network interfaces attached to a WorkSpace, as this might also cause the WorkSpace to become unreachable.

## Management Network Interface IP Address Range and Ports
<a name="pools-management_ports"></a>

The management network interface IP address range is 198.19.0.0/16. The following ports must be open on the management network interface of all WorkSpaces:
+ Inbound TCP on port 8300. This is used for establishment of the streaming connection.
+ Outbound TCP on port 3128. This is used for management of WorkSpaces.
+ Inbound TCP on ports 8000 and 8443. These are used for management of the WorkSpaces.
+ Inbound UDP on port 8300. This is used for establishment of the streaming connection over UDP.

Limit the inbound range on the management network interface to 198.19.0.0/16.

**Note**  
For Amazon DCV BYOL Windows WorkSpaces Pools, the 10.0.0.0/8 IP address range is also used in all AWS Regions, in addition to the /16 CIDR block that you choose for management traffic in your BYOL WorkSpaces Pools.

Under normal circumstances, WorkSpaces Pools correctly configures these ports for your WorkSpaces. If any security or firewall software is installed on a WorkSpace that blocks any of these ports, the WorkSpaces might not function correctly or might be unreachable.

Do not disable IPv6. If you disable IPv6, WorkSpaces Pools will not function correctly. For information about configuring IPv6 for Windows, see [Guidance for configuring IPv6 in Windows for advanced users](https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users).

**Note**  
WorkSpaces Pools relies on the DNS servers within your VPC to return a non-existent domain (NXDOMAIN) response for local domain names that don’t exist. This enables the WorkSpaces Pools-managed network interface to communicate with the management servers.   
When you create a directory with Simple AD, AWS Directory Service creates two domain controllers that also function as DNS servers on your behalf. Because the domain controllers don't provide the NXDOMAIN response, they can't be used with WorkSpaces Pools.

## Customer Network Interface Ports
<a name="primary_ports"></a>
+ For internet connectivity, the following outbound ports must be open to all destinations (`0.0.0.0/0`). The default security group allows all outbound traffic; if you are using a modified or custom security group, you need to add these rules manually. For more information, see [Security Group Rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules) in the *Amazon VPC User Guide*. 
  + TCP 80 (HTTP)
  + TCP 443 (HTTPS)
  + UDP 4195
+ If you join your WorkSpaces to a directory, the following ports must be open between your WorkSpaces Pools VPC and your directory controllers. 
  + TCP/UDP 53 - DNS
  + TCP/UDP 88 - Kerberos authentication
  + UDP 123 - NTP
  + TCP 135 - RPC
  + UDP 137-138 - Netlogon
  + TCP 139 - Netlogon
  + TCP/UDP 389 - LDAP
  + TCP/UDP 445 - SMB
  + TCP 1024-65535 - Dynamic ports for RPC

  For a complete list of ports, see [Active Directory and Active Directory Domain Services Port Requirements](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd772723(v=ws.10)) in the Microsoft documentation.
+ All WorkSpaces require that port 80 (HTTP) be open to IP address `169.254.169.254` to allow access to the EC2 instance metadata service. The wider range `169.254.0.0/16` is reserved for WorkSpaces Pools management traffic. Exclude this range from any proxy configuration or host firewall rules on the WorkSpace; otherwise streaming might fail.
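Two of the checks above are easy to get wrong by hand: whether any VPC or peered CIDR overlaps the reserved `198.19.0.0/16` and `169.254.0.0/16` ranges, and whether a custom security group carries the full set of egress rules for internet access and the directory controllers. The following is an added example, not part of the WorkSpaces documentation, that performs both offline. The sample CIDRs are constructed; the rule dictionaries use the `IpPermissions` shape that the EC2 `AuthorizeSecurityGroupEgress` API accepts, so they can be passed to the AWS CLI or boto3 as-is.

```python
"""Pre-flight checks for a WorkSpaces Pools VPC and its customer-NIC security group.

Added example for this page, not part of the WorkSpaces documentation.
SAMPLE_CIDRS and the controller CIDR are constructed; the rule dictionaries
use the IpPermissions shape that the EC2 AuthorizeSecurityGroupEgress API
accepts.
"""
import ipaddress

# Ranges the service relies on: the management NIC range and the link-local
# range that carries EC2 metadata and management traffic.
RESERVED_RANGES = [
    ipaddress.ip_network("198.19.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed sample: a VPC CIDR, a peered VPC that collides, and a default VPC.
SAMPLE_CIDRS = ["10.20.0.0/16", "198.19.4.0/22", "172.31.0.0/16"]


def find_cidr_conflicts(cidrs):
    """Return (cidr, reserved_range) for every VPC or peered CIDR that overlaps a reserved range."""
    conflicts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        for reserved in RESERVED_RANGES:
            if net.overlaps(reserved):
                conflicts.append((str(net), str(reserved)))
    return conflicts


def _rule(proto, from_port, to_port, cidr):
    return {"IpProtocol": proto, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": cidr}]}


def internet_egress_rules():
    """Outbound rules the customer NIC needs for internet access."""
    return [
        _rule("tcp", 80, 80, "0.0.0.0/0"),
        _rule("tcp", 443, 443, "0.0.0.0/0"),
        _rule("udp", 4195, 4195, "0.0.0.0/0"),
    ]


def directory_egress_rules(controller_cidr):
    """Outbound rules from the WorkSpaces to the directory controllers.

    Scoped to the controllers' CIDR rather than 0.0.0.0/0; security groups
    are stateful, so the replies come back without inbound rules.
    """
    ports = [
        ("tcp", 53, 53), ("udp", 53, 53),        # DNS
        ("tcp", 88, 88), ("udp", 88, 88),        # Kerberos
        ("udp", 123, 123),                       # NTP
        ("tcp", 135, 135),                       # RPC endpoint mapper
        ("udp", 137, 138), ("tcp", 139, 139),    # Netlogon
        ("tcp", 389, 389), ("udp", 389, 389),    # LDAP
        ("tcp", 445, 445), ("udp", 445, 445),    # SMB
        ("tcp", 1024, 65535),                    # RPC dynamic ports
    ]
    return [_rule(p, lo, hi, controller_cidr) for p, lo, hi in ports]


def metadata_egress_rule():
    """HTTP to the EC2 instance metadata service only, not the whole link-local range."""
    return _rule("tcp", 80, 80, "169.254.169.254/32")


if __name__ == "__main__":
    for cidr, reserved in find_cidr_conflicts(SAMPLE_CIDRS):
        print(f"CONFLICT: {cidr} overlaps reserved {reserved}")
    rules = (internet_egress_rules()
             + directory_egress_rules("10.20.1.0/24")
             + [metadata_egress_rule()])
    print(f"{len(rules)} egress rules to apply")
```

Run `find_cidr_conflicts` over every CIDR in the VPC and every peered or Transit Gateway-attached VPC, not just the primary block: a secondary CIDR or a peer inside `198.19.0.0/16` makes the management interface unreachable just as surely as the primary one would. The RPC dynamic range `1024-65535` is as the page lists it; if your controllers use a narrower configured range, scope the rule to that range instead.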

# User connections to WorkSpaces Pools
<a name="user-connections-to-appstream2"></a>

Users can connect to WorkSpaces in WorkSpaces Pools through the default public internet endpoint. 

By default, WorkSpaces Pools is configured to route streaming connections over the public internet. Internet connectivity is required to authenticate users and deliver the web assets that WorkSpaces Pools requires to function. To allow this traffic, you must allow the domains listed in [Allowed Domains](allowed-domains.md).

**Note**  
For user authentication, WorkSpaces Pools supports Security Assertion Markup Language 2.0 (SAML 2.0). For more information, see [Configure SAML 2.0 and create a WorkSpaces Pools directory](create-directory-pools.md).

The following topics provide information about how to enable user connections to WorkSpaces Pools.

**Topics**
+ [Bandwidth Recommendations](bandwidth-recommendations-user-connections.md)
+ [IP Address and Port Requirements for WorkSpaces Pools User Devices](pools-client-application-ports.md)
+ [Allowed Domains](allowed-domains.md)

# Bandwidth Recommendations
<a name="bandwidth-recommendations-user-connections"></a>

To optimize the performance of WorkSpaces Pools, make sure that your network bandwidth and latency can sustain your users' needs. 

WorkSpaces Pools uses NICE Desktop Cloud Visualization (DCV) to enable your users to securely access and stream your applications over varying network conditions. To help reduce bandwidth consumption, NICE DCV uses H.264-based video compression and encoding. During streaming sessions, the visual output of applications is compressed and streamed to your users as an AES-256 encrypted pixel stream over HTTPS. After the stream is received, it is decrypted and output to your users’ local screen. When your users interact with their streaming applications, the NICE DCV protocol captures their input and sends it back to their streaming applications over HTTPS. 

Network conditions are constantly measured during this process and information is sent back to WorkSpaces Pools. WorkSpaces Pools dynamically responds to changing network conditions by changing the video and audio encoding in real time to produce a high-quality stream for a wide variety of applications and network conditions.

The recommended bandwidth and latency for WorkSpaces Pools streaming sessions depends on the workload. For example, a user who works with graphic-intensive applications to perform computer-aided design tasks will require more bandwidth and lower latency than a user who works with business productivity applications to write documents. 

The following table provides guidance on the recommended network bandwidth and latency for WorkSpaces Pools streaming sessions based on common workloads.

For each workload, the bandwidth recommendation is based on what an individual user might require at a specific point in time. The recommendation does not reflect the bandwidth required for sustained throughput. When only a few pixels change on the screen during a streaming session, the sustained throughput is much lower. Although users who have less bandwidth available can still stream their applications, the frame rate or image quality may not be optimal.


| Workload | Description | Bandwidth recommended per user | Recommended maximum roundtrip latency | 
| --- | --- | --- | --- | 
| Line of business applications | Document writing applications, database analysis utilities | 2 Mbps | < 150 ms | 
| Graphics applications | Computer-aided design and modeling applications, photo and video editing | 5 Mbps | < 100 ms | 
| High fidelity | High-fidelity datasets or maps across multiple monitors | 10 Mbps | < 50 ms | 

# IP Address and Port Requirements for WorkSpaces Pools User Devices
<a name="pools-client-application-ports"></a>

WorkSpaces Pools users' devices require outbound access on port 443 (TCP) and port 4195 (UDP) when using the internet endpoints, and if you are using DNS servers for domain name resolution, port 53 (UDP).
+ Port 443 is used for HTTPS communication between WorkSpaces Pools users' devices and WorkSpaces when using the internet endpoints. Typically, when end users browse the web during streaming sessions, the web browser randomly selects a source port in the high range for streaming traffic. You must ensure that return traffic to this port is allowed.
+ Port 4195 is used for UDP HTTPS communication between WorkSpaces Pools users' devices and WorkSpaces when using the internet endpoints. This is currently only supported in the Windows native client. UDP is not supported if you are using VPC endpoints.
+ Port 53 is used for communication between WorkSpaces Pools users' devices and your DNS servers. The port must be open to the IP addresses for your DNS servers so that public domain names can be resolved. This port is optional if you are not using DNS servers for domain name resolution. 

# Allowed Domains
<a name="allowed-domains"></a>

For WorkSpaces Pools users to access WorkSpaces, you must allow various domains on the network from which users initiate access to the WorkSpaces. For the list, see [IP address and port requirements for WorkSpaces Personal](workspaces-port-requirements.md). Although that page states that it applies to WorkSpaces Personal, the same domains apply to WorkSpaces Pools.

**Note**  
If your S3 bucket name contains a "." character, the path-style domain `https://s3.<aws-region>.amazonaws.com` is used, because a dot in the bucket name would not match the wildcard TLS certificate for virtual-hosted-style URLs. If the bucket name contains no "." character, the virtual-hosted-style domain `https://<bucket-name>.s3.<aws-region>.amazonaws.com` is used. Allow the form that applies to each of your buckets.