Amazon AppStream 2.0
Developer Guide

Network Settings for Fleet and Image Builder Instances

The following sections contain information about configuring your AppStream 2.0 fleets and image builders to access network resources and the Internet.

When creating an AppStream 2.0 fleet or image builder, you can provide Amazon VPC subnets. AppStream 2.0 sets up elastic network interfaces (ENIs) in the subnets you provide so that AppStream 2.0 instances can reach your network resources, or the public Internet, through your VPC. For more information, see VPC and Subnet Basics.

Network Setup Guidelines

There are some network setup guidelines to consider for fleets and image builders. If your fleets and image builders require Internet access, you can use the Default Internet Access feature. You can also control Internet access manually with an advanced networking configuration, such as a VPC with NAT gateways. For more information, see Enabling Internet Access Using a Public Subnet and Enabling Internet Access Using a NAT Gateway.

Fleets

You can provide subnets to establish network connections from your fleet instances to your VPC. We recommend that you specify two private subnets from different Availability Zones for high availability and fault tolerance. Also, ensure that the network resources for your applications are accessible through both of the specified private subnets.

AppStream 2.0 creates as many elastic network interfaces as the maximum desired capacity of your fleet. The following guidelines will help you set up a VPC to support scaling behavior for your fleet.

  • Make sure that your AWS account has sufficient elastic network interface capacity to support the scaling requirements of your fleet. If you are planning to launch a large fleet of streaming instances, contact AWS Support and request a higher ENI limit to match the maximum number of instances that you plan to launch.

  • Specify subnets with a sufficient number of elastic IP addresses to match the maximum desired capacity of your fleet.

  • Use security groups to provide your VPC with specific security settings. For more information, see VPC Security Groups.

Image Builders

You can choose one subnet while launching an image builder. Ensure that the network resources your applications interact with are reachable from that subnet. The resources typically required for your apps to run successfully include licensing servers, database servers, file servers, and so on.

VPC Security Groups

You can provide additional access control to your VPC from streaming instances in a fleet or an image builder in Amazon AppStream 2.0 by associating them with VPC security groups. Security groups that belong to your VPC allow you to control the network traffic between AppStream 2.0 streaming instances and VPC resources such as license servers, file servers, and database servers. For more information, see Security Groups for your VPC in the Amazon VPC User Guide.

The rules that you define for your VPC security group are applied when the security group is associated with a fleet or image builder. The security group rules determine what network traffic is allowed from your streaming instances. For more information, see Security Group Rules in the Amazon VPC User Guide.

You can associate up to five security groups while launching a new image builder or while creating a new fleet. You can also associate security groups to an existing fleet or change the security groups of a fleet. For more information, see Working with Security Groups in the Amazon VPC User Guide.

If you don’t select a security group, your image builder or fleet is associated with the default security group for your VPC. For more information, see Default Security Group for Your VPC in the Amazon VPC User Guide.

Use these additional considerations when using security groups with AppStream 2.0.

  • All end user data, such as Internet traffic, Home folder data, or application communication with VPC resources, is affected by the security groups associated with the streaming instance.

  • Streaming pixel data is not affected by security groups.

  • If you have enabled Default Internet Access for your fleet or image builder, the rules of the associated security groups must allow Internet access.

You can create or edit rules for your security groups or create new security groups using the Amazon VPC console.

  • To associate security groups with an image builder — Follow the instructions at Step 1: Create an Image Builder.

  • To associate security groups with a fleet

    • While creating the fleet — Follow the instructions at Set Up a Fleet.

    • For an existing fleet — Edit the fleet settings using the AWS Management Console. For more information, see Fleets.

You can also associate security groups to your fleets using the AWS CLI and SDKs.

For more information, see the AWS Command Line Interface User Guide and Tools for Amazon Web Services.
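Because security groups are permissive-only and a fleet can carry at most five of them, it is worth checking a candidate set of groups before attaching it to a fleet: every VPC resource the applications need (license server, file server, database) must be allowed by at least one group's egress rules, HTTPS must be open if Default Internet Access is enabled, and an all-protocol rule to 0.0.0.0/0 should be a deliberate decision rather than an accident. The following Python pre-flight check is an added example, not code from the guide or from AWS. The security group records are constructed here in the shape of EC2 DescribeSecurityGroups output (in practice you would fetch them with boto3's ec2.describe_security_groups), and the group IDs, CIDR ranges and required paths are placeholders.

```python
import ipaddress

# Constructed sample input in the shape of EC2 DescribeSecurityGroups output
# (boto3: ec2.describe_security_groups()["SecurityGroups"]). Group IDs and
# CIDR ranges are placeholders, not real resources.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0fleet0example01",
        "GroupName": "appstream-fleet-base",
        "IpPermissions": [],  # no inbound rules: nothing in the VPC needs to reach the instances
        "IpPermissionsEgress": [
            # HTTPS to anywhere, as required when Default Internet Access is enabled
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            # license server port range, restricted to the license server subnet
            {"IpProtocol": "tcp", "FromPort": 27000, "ToPort": 27009,
             "IpRanges": [{"CidrIp": "10.0.20.0/24"}]},
        ],
    },
    {
        "GroupId": "sg-0fleet0example02",
        "GroupName": "appstream-fleet-fileshare",
        "IpPermissions": [],
        "IpPermissionsEgress": [
            # SMB to the file server subnet only
            {"IpProtocol": "tcp", "FromPort": 445, "ToPort": 445,
             "IpRanges": [{"CidrIp": "10.0.30.0/24"}]},
        ],
    },
]

# Constructed list of what this fleet's applications need to reach:
# (label, protocol, port, destination address). 198.51.100.10 is a
# documentation-range address standing in for "somewhere on the Internet".
REQUIRED_PATHS = [
    ("HTTPS for Default Internet Access", "tcp", 443, "198.51.100.10"),
    ("license server", "tcp", 27000, "10.0.20.15"),
    ("file server (SMB)", "tcp", 445, "10.0.30.5"),
    ("database server", "tcp", 1433, "10.0.40.8"),
]

MAX_GROUPS_PER_FLEET = 5  # limit stated in the guide


def rule_allows(rule, proto, port, dest):
    """True if one egress rule permits proto/port to the address dest."""
    if rule["IpProtocol"] not in (proto, "-1"):
        return False
    if rule["IpProtocol"] != "-1":  # "-1" means all protocols and all ports
        if not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
            return False
    target = ipaddress.ip_address(dest)
    return any(target in ipaddress.ip_network(r["CidrIp"], strict=False)
               for r in rule.get("IpRanges", []))


def egress_allowed(groups, proto, port, dest):
    """Security groups only add permissions, so a matching rule in any group suffices."""
    return any(rule_allows(rule, proto, port, dest)
               for g in groups for rule in g.get("IpPermissionsEgress", []))


def preflight(groups, required_paths):
    """Return a list of findings for a candidate set of fleet security groups.

    An empty list means every required path is allowed, the group count is
    within the limit, and no group opens all egress to the Internet.
    """
    findings = []
    if len(groups) > MAX_GROUPS_PER_FLEET:
        findings.append(f"{len(groups)} security groups exceeds the limit of {MAX_GROUPS_PER_FLEET}")
    for label, proto, port, dest in required_paths:
        if not egress_allowed(groups, proto, port, dest):
            findings.append(f"missing egress for {label}: {proto}/{port} to {dest}")
    # All-protocol egress to 0.0.0.0/0 makes the group a no-op for outbound
    # traffic; flag it so it is a deliberate choice rather than an accident.
    for g in groups:
        for rule in g.get("IpPermissionsEgress", []):
            if rule["IpProtocol"] == "-1" and any(
                    r["CidrIp"] == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
                findings.append(f"{g['GroupId']} allows all egress to 0.0.0.0/0")
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_GROUPS, REQUIRED_PATHS) or ["no findings"]:
        print(finding)
```

Run against the sample data, the check reports a single finding: the database server path on TCP 1433 is not allowed by either group, which is exactly the kind of gap that surfaces as an application error on a streaming instance long after the fleet is created. Inbound rules are deliberately left out of the check because the streaming pixel traffic is not subject to security groups, as the guide notes above.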

Home Folders and VPC Endpoints

To support Home Folders on a private network, AppStream 2.0 needs access permissions to the VPC endpoint. To enable AppStream 2.0 access to your private Amazon S3 endpoint, attach a custom policy, as defined below, to your VPC endpoint for Amazon S3. For more information about private Amazon S3 endpoints, see VPC Endpoints and Endpoints for Amazon S3 in the Amazon VPC User Guide.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow-AppStream-to-access-specific-bucket",
            "Effect": "Allow",
            "Principal": {
                "Service": "appstream.amazonaws.com"
            },
            "Action": [
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:DeleteObjectVersion",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::appstream2-36fb080bb8-*"
        }
    ]
}
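The endpoint policy above is deliberately narrow: it names the AppStream service principal, lists only the eight actions Home Folders need, and scopes them to buckets matching the appstream2-36fb080bb8-* prefix. A full-access endpoint policy (Principal "*", Action "*", Resource "*") would also make Home Folders work, but it hands every client in the VPC unrestricted S3 access through the endpoint. The following Python audit is an added example, not code from the guide or from AWS: it evaluates an endpoint policy document the way IAM would for the AppStream principal (string-or-list elements, case-insensitive action wildcards, explicit Deny overriding Allow), confirms every required action is granted on the Home Folder bucket, and flags statements that reach that principal with a wildcard Resource or Action. The guide's policy is embedded as one sample input; the full-access policy and the bucket name appstream2-36fb080bb8-example are constructed placeholders.

```python
import fnmatch
import json

# Actions the guide's endpoint policy grants AppStream 2.0 on the Home Folder bucket.
REQUIRED_ACTIONS = frozenset({
    "s3:CreateBucket", "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
    "s3:PutBucketPolicy",
})
APPSTREAM_PRINCIPAL = "appstream.amazonaws.com"

# Sample input 1: the policy from the guide.
GUIDE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow-AppStream-to-access-specific-bucket",
        "Effect": "Allow",
        "Principal": {"Service": APPSTREAM_PRINCIPAL},
        "Action": ["s3:CreateBucket", "s3:ListBucket", "s3:GetObject", "s3:PutObject",
                   "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
                   "s3:PutBucketPolicy"],
        "Resource": "arn:aws:s3:::appstream2-36fb080bb8-*",
    }],
})

# Sample input 2 (constructed): a full-access endpoint policy. Home Folders
# would work with it, but so would anything else in the VPC.
FULL_ACCESS_POLICY = json.dumps({
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
})


def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal.Service."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers(stmt, principal, resource):
    """True if stmt names principal (or '*') and has a Resource pattern matching resource."""
    p = stmt.get("Principal")
    if p == "*":
        services = ["*"]
    elif isinstance(p, dict):
        services = _as_list(p.get("Service"))
    else:
        services = []
    if not any(s in ("*", principal) for s in services):
        return False
    return any(fnmatch.fnmatchcase(resource, pat) for pat in _as_list(stmt.get("Resource")))


def _matching_actions(patterns, candidates):
    """IAM action matching is case-insensitive and supports '*' wildcards."""
    return {a for a in candidates
            if any(fnmatch.fnmatchcase(a.lower(), pat.lower()) for pat in patterns)}


def effective_actions(policy, principal, resource):
    """Subset of REQUIRED_ACTIONS that principal may perform on resource (Deny beats Allow)."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_covers(stmt, principal, resource):
            continue
        hit = _matching_actions(_as_list(stmt.get("Action")), REQUIRED_ACTIONS)
        (allowed if stmt.get("Effect") == "Allow" else denied).update(hit)
    return allowed - denied


def audit_endpoint_policy(policy_json, home_folder_bucket):
    """Return findings for an S3 endpoint policy; an empty list means it passes."""
    policy = json.loads(policy_json)
    bucket_arn = f"arn:aws:s3:::{home_folder_bucket}"
    findings = []
    granted = effective_actions(policy, APPSTREAM_PRINCIPAL, bucket_arn)
    for action in sorted(REQUIRED_ACTIONS - granted):
        findings.append(f"{action} is not allowed for {APPSTREAM_PRINCIPAL} on {bucket_arn}")
    # Least-privilege checks on every Allow statement that reaches the AppStream principal.
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _statement_covers(stmt, APPSTREAM_PRINCIPAL, bucket_arn):
            continue
        sid = stmt.get("Sid", "(no Sid)")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: Resource is '*'; scope it to the Home Folder bucket ARN")
        if any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action"))):
            findings.append(f"{sid}: grants every S3 action; list only the actions AppStream needs")
    return findings


if __name__ == "__main__":
    # Bucket name is a constructed placeholder matching the guide's prefix.
    for name, policy in (("guide policy", GUIDE_POLICY), ("full access", FULL_ACCESS_POLICY)):
        print(name, audit_endpoint_policy(policy, "appstream2-36fb080bb8-example") or "OK")
```

The guide's policy passes cleanly, the full-access policy passes the functional check but produces two least-privilege findings, and running the guide's policy against a bucket outside the appstream2-36fb080bb8-* prefix reports all eight actions as missing, which is the symptom you would see if Home Folders were configured against a bucket the endpoint policy does not cover. The audit only models the Principal, Action, Resource and Effect elements; a policy that relies on Condition keys would need those evaluated as well.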