Amazon AppStream 2.0
Developer Guide

Port Requirements for Amazon AppStream 2.0 Connections to Network Resources and the Internet

To enable AppStream 2.0 connectivity to network resources and the internet, configure your streaming instances as follows.

Network Interfaces

Each AppStream 2.0 streaming instance has the following network interfaces:

  • The customer network interface provides connectivity to the resources within your VPC, as well as the internet, and is used to join the streaming instance to your directory.

  • The management network interface is connected to a secure AppStream 2.0 management network. It is used for interactive streaming of the streaming instance to a user's device, and to allow AppStream 2.0 to manage the streaming instance.

AppStream 2.0 selects the IP address for the management network interface from the following private IP address range: 198.19.0.0/16. Do not use this range for your VPC CIDR or peer your VPC with another VPC with this range, as this might create a conflict and cause streaming instances to be unreachable. Also, do not modify or delete any of the network interfaces attached to a streaming instance, as this might also cause the streaming instance to become unreachable.
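The CIDR conflict described above is easy to check before you create a fleet. The following script is an added example, not AWS code: it walks the IPv4 CIDR blocks of your VPCs and of both sides of every VPC peering connection and reports any that overlap 198.19.0.0/16. The dictionaries mirror the shape of the boto3 `describe_vpcs` and `describe_vpc_peering_connections` responses, but the sample data is constructed and the `audit` helper is an assumption; feed it real responses to run it against an account.

```python
"""Flag VPC and peered-VPC CIDR blocks that collide with the AppStream 2.0
management range 198.19.0.0/16.

Added example, not AWS code. The dict shapes mirror the boto3
describe_vpcs / describe_vpc_peering_connections responses; the sample
data below is constructed, not captured from a real account.
"""
import ipaddress

# Range the page reserves for the management network interface.
MANAGEMENT_RANGE = ipaddress.ip_network("198.19.0.0/16")


def vpc_cidrs(describe_vpcs_response):
    """Collect every IPv4 CIDR associated with each VPC (primary and secondary)."""
    cidrs = set()
    for vpc in describe_vpcs_response.get("Vpcs", []):
        cidrs.add(vpc["CidrBlock"])
        for assoc in vpc.get("CidrBlockAssociationSet", []):
            cidrs.add(assoc["CidrBlock"])
    return cidrs


def peer_cidrs(describe_peering_response):
    """Collect the CIDRs on both sides of every peering connection."""
    cidrs = set()
    for pcx in describe_peering_response.get("VpcPeeringConnections", []):
        for side in ("AccepterVpcInfo", "RequesterVpcInfo"):
            info = pcx.get(side, {})
            if "CidrBlock" in info:
                cidrs.add(info["CidrBlock"])
            for entry in info.get("CidrBlockSet", []):
                cidrs.add(entry["CidrBlock"])
    return cidrs


def management_range_conflicts(cidrs):
    """Return the sorted list of IPv4 CIDRs that overlap 198.19.0.0/16.

    overlaps() is symmetric, so this catches both a VPC carved out of the
    management range (198.19.4.0/24) and one that swallows it (198.16.0.0/14).
    """
    conflicts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4 and net.overlaps(MANAGEMENT_RANGE):
            conflicts.append(str(net))
    return sorted(conflicts)


def audit(vpcs_response, peering_response):
    """Combine VPC and peering CIDRs and return the conflicting ones."""
    return management_range_conflicts(vpc_cidrs(vpcs_response) | peer_cidrs(peering_response))


# Constructed sample responses (not real account data). vpc-bbbb sits inside
# the management range; the accepter of the peering connection contains it.
SAMPLE_VPCS = {"Vpcs": [
    {"VpcId": "vpc-aaaa", "CidrBlock": "10.0.0.0/16",
     "CidrBlockAssociationSet": [{"CidrBlock": "10.0.0.0/16"}]},
    {"VpcId": "vpc-bbbb", "CidrBlock": "198.19.4.0/24",
     "CidrBlockAssociationSet": [{"CidrBlock": "198.19.4.0/24"}]},
]}
SAMPLE_PEERINGS = {"VpcPeeringConnections": [
    {"RequesterVpcInfo": {"CidrBlock": "10.0.0.0/16",
                          "CidrBlockSet": [{"CidrBlock": "10.0.0.0/16"}]},
     "AccepterVpcInfo": {"CidrBlock": "198.16.0.0/14",
                         "CidrBlockSet": [{"CidrBlock": "198.16.0.0/14"}]}},
]}

if __name__ == "__main__":
    for cidr in audit(SAMPLE_VPCS, SAMPLE_PEERINGS):
        print(f"CONFLICT: {cidr} overlaps {MANAGEMENT_RANGE}")
```

Replace `SAMPLE_VPCS` and `SAMPLE_PEERINGS` with the output of `boto3.client("ec2").describe_vpcs()` and `describe_vpc_peering_connections()` to audit an account. IPv6 blocks are skipped because the management range is IPv4 only.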

Management Network Interface IP Address Range and Ports

The management network interface IP address range is 198.19.0.0/16. The following ports must be open on the management network interface of all streaming instances:

  • Inbound TCP on port 8300. This is used for establishment of the streaming connection.

  • Inbound TCP on port 8443. This is used for management of the streaming instance by AppStream 2.0.

Limit the inbound range on the management network interface to 198.19.0.0/16.

Under normal circumstances, AppStream 2.0 correctly configures these ports for your streaming instances. If any security or firewall software is installed on a streaming instance that blocks any of these ports, the streaming instance may not function correctly or may be unreachable.

Customer Network Interface Ports

  • For internet connectivity, the following ports must be open to all destinations. If you are using a modified or custom security group, you need to add the required rules manually. For more information, see Security Group Rules in the Amazon VPC User Guide.

    • TCP 80 (HTTP)

    • TCP 443 (HTTPS)

  • If you join your streaming instances to a directory, the following ports must be open between your AppStream 2.0 VPC and your directory controllers.

    • TCP/UDP 53 - DNS

    • TCP/UDP 88 - Kerberos authentication

    • UDP 123 - NTP

    • TCP 135 - RPC

    • UDP 137-138 - Netlogon

    • TCP 139 - Netlogon

    • TCP/UDP 389 - LDAP

    • TCP/UDP 445 - SMB

    • TCP 1024-65535 - Dynamic ports for RPC

    For a complete list of ports, see Active Directory and Active Directory Domain Services Port Requirements in the Microsoft documentation.

  • All streaming instances require that port 80 (HTTP) be open to IP address 169.254.169.254 to allow access to the EC2 metadata service. Any HTTP proxy assigned to your streaming instances must exclude 169.254.169.254.
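A practitioner who has replaced the default security group will want to verify the rules above rather than trust them. The following checker is an added example, not AWS code: it takes a security group in the shape of the boto3 `describe_security_groups` response and reports which of the egress requirements on this page (TCP 80 and 443 to all destinations, TCP 80 to 169.254.169.254, and, when a directory CIDR is supplied, the directory port list) no rule satisfies. The sample group, its id and the directory CIDR are constructed; the function names are assumptions.

```python
"""Check an AppStream 2.0 streaming-instance security group's egress rules
against the customer network interface port requirements on this page.

Added example, not AWS code. Rule dicts follow the boto3
describe_security_groups 'IpPermissionsEgress' shape; the sample group and
directory CIDR below are constructed.
"""
import ipaddress

ANY_IPV4 = ipaddress.ip_network("0.0.0.0/0")
METADATA_HOST = ipaddress.ip_network("169.254.169.254/32")

# (protocol, from_port, to_port, destination, label): rules every instance needs.
INTERNET_REQUIREMENTS = [
    ("tcp", 80, 80, ANY_IPV4, "TCP 80 (HTTP) to the internet"),
    ("tcp", 443, 443, ANY_IPV4, "TCP 443 (HTTPS) to the internet"),
    ("tcp", 80, 80, METADATA_HOST, "TCP 80 to 169.254.169.254 (EC2 metadata)"),
]

# Directory ports from the page; applied only when a directory CIDR is given.
DIRECTORY_PORTS = [
    ("tcp", 53, 53, "DNS"), ("udp", 53, 53, "DNS"),
    ("tcp", 88, 88, "Kerberos"), ("udp", 88, 88, "Kerberos"),
    ("udp", 123, 123, "NTP"),
    ("tcp", 135, 135, "RPC"),
    ("udp", 137, 138, "Netlogon"), ("tcp", 139, 139, "Netlogon"),
    ("tcp", 389, 389, "LDAP"), ("udp", 389, 389, "LDAP"),
    ("tcp", 445, 445, "SMB"), ("udp", 445, 445, "SMB"),
    ("tcp", 1024, 65535, "RPC dynamic ports"),
]


def rule_covers(rule, proto, from_port, to_port, dest):
    """True if a single egress rule permits proto/from..to toward all of dest.

    Conservative by design: a requirement that is split across several rules
    (say 1024-32767 and 32768-65535) is reported as missing.
    """
    rule_proto = rule["IpProtocol"]
    if rule_proto != "-1":  # '-1' means all traffic and carries no port range
        if rule_proto != proto:
            return False
        if rule.get("FromPort", 0) > from_port or rule.get("ToPort", 65535) < to_port:
            return False
    for ip_range in rule.get("IpRanges", []):
        allowed = ipaddress.ip_network(ip_range["CidrIp"])
        if allowed.version == dest.version and dest.subnet_of(allowed):
            return True
    return False


def _port_label(from_port, to_port):
    return str(from_port) if from_port == to_port else f"{from_port}-{to_port}"


def missing_egress(security_group, directory_cidr=None):
    """Return labels of the required egress rules the group does not satisfy."""
    rules = security_group.get("IpPermissionsEgress", [])
    required = list(INTERNET_REQUIREMENTS)
    if directory_cidr:
        dest = ipaddress.ip_network(directory_cidr)
        for proto, f, t, name in DIRECTORY_PORTS:
            label = f"{proto.upper()} {_port_label(f, t)} to {directory_cidr} ({name})"
            required.append((proto, f, t, dest, label))
    return [label for proto, f, t, dest, label in required
            if not any(rule_covers(r, proto, f, t, dest) for r in rules)]


# Constructed sample: HTTPS to the internet and LDAP to the directory only,
# so HTTP, the metadata endpoint and most directory ports are missing.
DIRECTORY_CIDR = "10.20.0.0/24"  # constructed directory controller subnet
SAMPLE_GROUP = {
    "GroupId": "sg-0123example",  # constructed id
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 389, "ToPort": 389,
         "IpRanges": [{"CidrIp": DIRECTORY_CIDR}]},
    ],
}
# The default security group's egress ('-1' to 0.0.0.0/0) satisfies everything.
DEFAULT_EGRESS_GROUP = {"IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

if __name__ == "__main__":
    for label in missing_egress(SAMPLE_GROUP, DIRECTORY_CIDR):
        print(f"MISSING: {label}")
```

Pass the group dict from `boto3.client("ec2").describe_security_groups(GroupIds=[...])["SecurityGroups"][0]` to audit a real fleet. The checker only reads rules, so it can run from a read-only role; an HTTP proxy exclusion for 169.254.169.254 is an instance-level setting and is not visible in security group rules, so it still has to be checked separately.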