Amazon WorkSpaces
Administration Guide (Version 1.0)

Step 1: Create and Configure Your VPC

The following sections demonstrate how to create and configure a VPC for use with a Simple AD directory.

Create a VPC

This tutorial uses one of the VPC creation wizards to create the following:

  • The VPC

  • The public subnet

  • One of the private subnets

  • The Internet gateway

  • The NAT gateway

To create your VPC using the VPC wizard

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose VPC Dashboard, Start VPC Wizard. If you do not already have any VPC resources, locate the Your Virtual Private Cloud area of the dashboard and choose Get started creating a VPC.

  3. Choose VPC with Public and Private Subnets, Select.

  4. Enter the following information into the wizard and choose Create VPC.

    VPC wizard fields

    Field                      Value
    IP CIDR block              10.0.0.0/16
    VPC name                   WorkSpaces VPC
    Public subnet              10.0.0.0/24
    Availability Zone          No Preference
    Public subnet name         NAT subnet
    Private subnet             10.0.1.0/24
    Availability Zone          No Preference
    Private subnet name        WorkSpaces subnet 1
    Elastic IP Allocation ID   Select an available Elastic IP address to assign to the NAT gateway
    Enable DNS hostnames       Leave default selection
    Hardware tenancy           Default

  5. It takes several minutes for the VPC to be created. After the VPC is created, proceed to the following section.

    Note

    If you prefer to launch a NAT instance instead, choose Use a NAT instance instead in the wizard, and select an instance type and key pair.

Add a Second Private Subnet

Create the second private subnet by performing the following steps:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets, select the subnet with the name WorkSpaces subnet 1, and choose the Summary tab at the bottom of the page. Make a note of the Availability Zone of this subnet.

  3. Choose Create Subnet, enter the following information in the Create Subnet dialog box, and choose Yes, Create.

    Subnet 2 Settings

    Field                Value
    Name tag             WorkSpaces subnet 2
    VPC                  Select your VPC. This is the VPC with the name WorkSpaces VPC.
    Availability Zone    Select any Availability Zone other than the one noted in step 2. The two subnets used by Amazon WorkSpaces must reside in different Availability Zones.
    CIDR Block           10.0.2.0/24

Modify the Route Tables

Modify the route tables for your subnets by performing the following steps:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Subnets and select the subnet with the name NAT subnet. At the bottom of the page, choose the Route Table tab and make a note of the Route Table identifier for the subnet. The route table identifier will be similar to rtb-xxxxxxxx.

  3. In the navigation pane, choose Route Tables, select the route table identified in the previous step, and change the name to NAT route table.

  4. At the bottom of the page, choose the Routes tab and verify that the following entries are in the route table for NAT route table. Modify the route table if needed by choosing Edit.

    NAT Subnet Route Table

    Destination    Target
    10.0.0.0/16    local
    0.0.0.0/0      igw-xxxxxxxx

    This routes all traffic destined for the VPC locally, and traffic destined to all other IP addresses to the Internet gateway that was created with the Amazon VPC wizard. igw-xxxxxxxx identifies the Internet

  5. In the navigation pane, choose Subnets and select the subnet with the name WorkSpaces subnet 1. At the bottom of the page, choose the Route Table tab and make a note of the Route Table identifier for the subnet. The route table identifier will be similar to rtb-xxxxxxxx.

  6. Select the subnet with the name WorkSpaces subnet 2 and choose the Route Table tab at the bottom of the page. The route table identifier should be the same for WorkSpaces subnet 1 and WorkSpaces subnet 2. If the route table for WorkSpaces subnet 2 is different, change the route table for WorkSpaces subnet 2 to the same as that for WorkSpaces subnet 1.

  7. In the navigation pane, choose Route Tables, select the WorkSpaces route table identified previously, and change the name to WorkSpaces route table.

  8. At the bottom of the page, choose the Routes tab and verify that the following entries are in the route table for WorkSpaces route table. Modify the route table if needed by choosing Edit.

    WorkSpaces Subnets Route Table

    Destination    Target
    10.0.0.0/16    local
    0.0.0.0/0      nat-xxxxxxxx

    This routes all traffic destined for the VPC locally, and traffic destined to all other IP addresses to the NAT gateway nat-xxxxxxxx.

    Note

    If you launched a NAT instance instead, the route points to eni-xxxxxxxx/i-xxxxxxxx for the NAT instance.
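The following check, added here and not part of the AWS guide, verifies the route-table layout the steps above produce: the NAT subnet's default route goes to an Internet gateway, both WorkSpaces subnets share one route table whose default route goes to the NAT gateway (or NAT instance), and the two WorkSpaces subnets sit in different Availability Zones. The records are constructed inline with placeholder IDs and assume the shape of boto3's describe_subnets and describe_route_tables output.

```python
# Added check (not from the AWS guide): verifies that subnets and route tables match the
# layout in this section. Records mirror boto3's describe_subnets / describe_route_tables
# output shape (an assumption) and are constructed inline with placeholder IDs.
NAT_SUBNET = "NAT subnet"
WS_SUBNETS = ("WorkSpaces subnet 1", "WorkSpaces subnet 2")

def subnet(sid, az, cidr, name):  # constructed record in describe_subnets shape
    return {"SubnetId": sid, "AvailabilityZone": az, "CidrBlock": cidr,
            "Tags": [{"Key": "Name", "Value": name}]}

SUBNETS = [subnet("subnet-aaaa0001", "us-east-1a", "10.0.0.0/24", NAT_SUBNET),
           subnet("subnet-aaaa0002", "us-east-1a", "10.0.1.0/24", WS_SUBNETS[0]),
           subnet("subnet-aaaa0003", "us-east-1b", "10.0.2.0/24", WS_SUBNETS[1])]
ROUTE_TABLES = [  # constructed, in describe_route_tables shape
    {"RouteTableId": "rtb-aaaa0001", "Associations": [{"SubnetId": "subnet-aaaa0001"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-aaaa0001"}]},
    {"RouteTableId": "rtb-aaaa0002",
     "Associations": [{"SubnetId": "subnet-aaaa0002"}, {"SubnetId": "subnet-aaaa0003"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-aaaa0001"}]},
]

def subnets_by_name(subnets):  # index subnets by their Name tag, as the console lists them
    return {t["Value"]: s for s in subnets for t in s.get("Tags", []) if t["Key"] == "Name"}

def route_tables_by_subnet(route_tables):  # explicit subnet associations only
    return {a["SubnetId"]: rt for rt in route_tables for a in rt["Associations"] if "SubnetId" in a}

def default_route_target(rt):  # target of 0.0.0.0/0; the API keys it by target type
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (r.get("GatewayId") or r.get("NatGatewayId")
                    or r.get("NetworkInterfaceId") or r.get("InstanceId") or "")
    return ""

def check_layout(subnets, route_tables):  # returns findings; empty list = matches the guide
    findings, by_name, by_subnet = [], subnets_by_name(subnets), route_tables_by_subnet(route_tables)
    if not default_route_target(by_subnet[by_name[NAT_SUBNET]["SubnetId"]]).startswith("igw-"):
        findings.append("NAT subnet: default route must point at the Internet gateway")
    ws1, ws2 = (by_name[n] for n in WS_SUBNETS)
    rt1, rt2 = (by_subnet[s["SubnetId"]] for s in (ws1, ws2))
    if rt1["RouteTableId"] != rt2["RouteTableId"]:
        findings.append("WorkSpaces subnets must share one route table")
    if not default_route_target(rt1).startswith(("nat-", "eni-", "i-")):
        findings.append("WorkSpaces subnets: default route must point at the NAT gateway or instance")
    if ws1["AvailabilityZone"] == ws2["AvailabilityZone"]:
        findings.append("WorkSpaces subnets must be in different Availability Zones")
    return findings
```

Against live output, replace SUBNETS and ROUTE_TABLES with the lists returned by the corresponding describe calls; each finding names the step in this section to revisit.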

(Optional) Configure NAT Instance Options

If you launched a NAT instance instead of a NAT gateway, modify the security group associated with the NAT instance to contain the following inbound rules:

NAT Security Group Inbound Rules

Type    Protocol    Port Range    Source
HTTP    TCP         80            10.0.1.0/24
HTTP    TCP         80            10.0.2.0/24
HTTPS   TCP         443           10.0.1.0/24
HTTPS   TCP         443           10.0.2.0/24

This allows inbound traffic on ports 80 (HTTP) and 443 (HTTPS) to the NAT from the two private subnets.

Modify the security group associated with the NAT instance to contain the following outbound rules:

NAT Security Group Outbound Rules

Type    Protocol    Port Range    Destination
HTTP    TCP         80            0.0.0.0/0
HTTPS   TCP         443           0.0.0.0/0

This allows outbound traffic on ports 80 (HTTP) and 443 (HTTPS) to any destination.

For the NAT instance to operate correctly, the Source/Destination Check attribute must be disabled. Although the Amazon VPC wizard does this for you, these instructions are included so you can do this yourself if needed. You can also use this procedure to verify that the Source/Destination Check attribute has been disabled.

To verify that the source/destination check attribute is disabled

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances and find the NAT instance that is in your VPC. The NAT instance will have a private IP address in the address range 10.0.0.0/24. Change the name of the NAT instance to WorkSpaces NAT instance.

  3. With the NAT instance selected, choose Actions, Change Source/Dest. Check. If Status is Disabled, the attribute is already disabled. If Status is Enabled, choose Yes, Disable.