Amazon AppStream 2.0
Administration Guide

Networking, Access, and Security for Amazon AppStream 2.0

The following topics provide information about enabling users to connect to AppStream 2.0 streaming instances and enabling your AppStream 2.0 fleets and image builders to access network resources and the internet.

Network Setup Guidelines

There are some network setup guidelines to consider for fleets and image builders. If your fleets and image builders require internet access, you can use the Default Internet Access feature. You can also control internet access manually with an advanced networking configuration, such as a VPC with NAT gateways. For more information, see Enabling Internet Access Using a Public Subnet and Enabling Internet Access Using a NAT Gateway.


You can provide subnets to establish network connections from your fleet instances to your VPC. We recommend that you specify two private subnets from different Availability Zones for high availability and fault tolerance. Also, ensure that the network resources for your applications are accessible through both of the specified private subnets.

AppStream 2.0 creates as many elastic network interfaces as the maximum desired capacity of your fleet. The following guidelines will help you set up a VPC to support scaling behavior for your fleet.

  • Make sure that your AWS account has sufficient elastic network interface capacity to support the scaling requirements of your fleet. If you are planning to launch a large fleet of streaming instances, contact AWS Support and request a higher ENI limit to match the maximum number of instances that you plan to launch.

  • Specify subnets with enough free private IP addresses to match the maximum desired capacity of your fleet. Each streaming instance consumes one private IP address from its subnet, and AWS reserves five addresses in every subnet, so a /24 subnet can host at most 251 instances.

  • Use security groups to provide your VPC with specific security settings. For more information, see Security Groups.
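The following is an added example, not code from the AppStream 2.0 guide, that applies the guidelines above to a proposed fleet: it counts the private IP addresses two constructed subnets can actually hand out (AWS reserves five per subnet), checks that the fleet's maximum desired capacity still fits after the loss of one Availability Zone (a stricter reading of the high-availability recommendation, which is this example's choice), and compares the capacity against an assumed account ENI quota. The subnet IDs, CIDRs and quota figures are constructed for the example.

```python
import ipaddress

# Constructed inputs (not from the AppStream guide): two private subnets in
# different Availability Zones and hypothetical ENI quota figures.
SUBNETS = [
    {"id": "subnet-0aaa", "az": "us-east-1a", "cidr": "10.0.1.0/24"},
    {"id": "subnet-0bbb", "az": "us-east-1b", "cidr": "10.0.2.0/24"},
]
ENI_QUOTA = 5000    # assumed account limit for network interfaces in the Region
ENIS_IN_USE = 100   # assumed interfaces already consumed by other workloads

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(cidr: str) -> int:
    """Private IP addresses a subnet can actually hand out."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def check_fleet_capacity(subnets, max_desired_capacity, eni_quota, enis_in_use, ips_in_use=None):
    """Return findings that would stop the fleet scaling to max_desired_capacity.

    AppStream 2.0 creates one ENI (and so consumes one private IP) per streaming
    instance, up to the fleet's maximum desired capacity. The single-AZ-loss
    check is stricter than the guide's wording and is this example's choice.
    ips_in_use maps subnet id -> addresses already taken by other resources.
    """
    ips_in_use = ips_in_use or {}
    findings = []

    if len(subnets) < 2:
        findings.append("fewer than two subnets: no Availability Zone redundancy")
    azs = [s["az"] for s in subnets]
    if len(set(azs)) < len(azs):
        findings.append("subnets share an Availability Zone: one AZ failure takes the fleet down")

    free = {s["id"]: usable_addresses(s["cidr"]) - ips_in_use.get(s["id"], 0) for s in subnets}
    total_free = sum(free.values())
    if total_free < max_desired_capacity:
        findings.append(f"{total_free} free IPs across all subnets, fleet needs {max_desired_capacity}")
    else:
        # Survive the loss of any single subnet's Availability Zone.
        for s in subnets:
            remaining = total_free - free[s["id"]]
            if remaining < max_desired_capacity:
                findings.append(f"losing {s['az']} leaves {remaining} free IPs for {max_desired_capacity} instances")

    if enis_in_use + max_desired_capacity > eni_quota:
        findings.append(f"ENI quota {eni_quota} < {enis_in_use} in use + {max_desired_capacity} fleet: request an increase")
    return findings


if __name__ == "__main__":
    for capacity in (200, 300, 600):
        print(capacity, check_fleet_capacity(SUBNETS, capacity, ENI_QUOTA, ENIS_IN_USE) or "ok")
```

Run it before raising a fleet's maximum desired capacity: a fleet of 200 fits the two /24 subnets with one AZ down, a fleet of 300 fits only while both AZs are healthy, and a fleet of 600 does not fit at all, so you would need larger subnets and, depending on your account, an ENI limit increase from AWS Support.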

Image Builders

When you launch an image builder, you choose the subnet and security groups to use. Make sure that the subnet and security groups provide access to the network resources that your applications require. Typical network resources required by applications may include licensing servers, database servers, file servers, and application servers.

Security Groups

You can add access control for the streaming instances in a fleet or an image builder by associating them with VPC security groups. Security groups that belong to your VPC let you control the network traffic between AppStream 2.0 streaming instances and VPC resources such as license servers, file servers, and database servers. For more information, see Security Groups for your VPC in the Amazon VPC User Guide.

The rules that you define for your VPC security group are applied when the security group is associated with a fleet or image builder. The security group rules determine what network traffic is allowed from your streaming instances. For more information, see Security Group Rules in the Amazon VPC User Guide.

You can associate up to five security groups while launching a new image builder or while creating a new fleet. You can also associate security groups to an existing fleet or change the security groups of a fleet. For more information, see Working with Security Groups in the Amazon VPC User Guide.

If you don't select a security group, your image builder or fleet is associated with the default security group for your VPC. For more information, see Default Security Group for Your VPC in the Amazon VPC User Guide.

Keep the following additional considerations in mind when using security groups with AppStream 2.0.

  • All end user data, such as internet traffic, home folder data, or application communication with VPC resources, is affected by the security groups associated with the streaming instance.

  • Streaming pixel data is not affected by security groups.

  • If you have enabled default internet access for your fleet or image builder, the rules of the associated security groups must allow outbound internet access.

You can create or edit rules for your security groups, or create new security groups, using the Amazon VPC console. You can also associate security groups with your fleets using the AWS CLI and SDKs. For more information, see the AWS Command Line Interface User Guide and Tools for Amazon Web Services.
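Because security group rules are allow-only (any flow no rule matches is dropped) and stateful, the check a practitioner wants before attaching a group to a fleet is whether the egress rules reach every backend the applications need and nothing else. The following added example, which is not code from the guide or an AWS tool, models two egress rule sets in the shape of EC2 IP permissions, a VPC-default-style group that allows everything and a least-privilege group that allows only license, file and database servers plus HTTPS for Default Internet Access, and evaluates constructed flows against them. The addresses, ports and server roles are assumptions for the example; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges standing in for internet hosts.

```python
import ipaddress

# Constructed rule sets (not from the guide). Each rule mirrors an EC2 egress
# permission: IP protocol ("-1" means all), port range and destination CIDR.
DEFAULT_SG_EGRESS = [
    {"protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
]
# Least-privilege egress: only the application's backend services plus HTTPS
# for Default Internet Access. Addresses and ports are assumed for the example.
FLEET_SG_EGRESS = [
    {"protocol": "tcp", "from_port": 27000, "to_port": 27009, "cidr": "10.0.10.0/24"},  # license servers
    {"protocol": "tcp", "from_port": 445,   "to_port": 445,   "cidr": "10.0.20.5/32"},  # SMB file server
    {"protocol": "tcp", "from_port": 1433,  "to_port": 1433,  "cidr": "10.0.30.0/24"},  # database servers
    {"protocol": "tcp", "from_port": 443,   "to_port": 443,   "cidr": "0.0.0.0/0"},     # HTTPS to the internet
]
# Flows the applications on the image need: (protocol, destination port, destination IP).
REQUIRED_FLOWS = [
    ("tcp", 27001, "10.0.10.7"),
    ("tcp", 445, "10.0.20.5"),
    ("tcp", 1433, "10.0.30.12"),
    ("tcp", 443, "203.0.113.10"),   # documentation-range address standing in for an internet host
]
# Flows that should never leave a streaming instance.
UNWANTED_PROBES = [
    ("tcp", 22, "203.0.113.10"),    # SSH to an arbitrary internet host
    ("tcp", 3389, "198.51.100.4"),  # RDP out to the internet
    ("tcp", 445, "10.0.20.9"),      # SMB to a host that is not the file server
]


def egress_allowed(rules, protocol, port, dst_ip):
    """A flow passes if any rule matches; security groups have no deny rules.

    Security groups are stateful, so the response traffic for an allowed
    outbound flow needs no inbound rule.
    """
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["protocol"] != "-1" and r["protocol"] != protocol:
            continue
        if r["protocol"] != "-1" and not (r["from_port"] <= port <= r["to_port"]):
            continue
        if dst in ipaddress.ip_network(r["cidr"]):
            return True
    return False


def blocked_flows(rules, flows):
    """Required flows the rule set would drop; empty means the fleet reaches its resources."""
    return [f for f in flows if not egress_allowed(rules, *f)]


def excess_exposure(rules, probes):
    """Flows that should be unreachable but are; empty means no excess egress."""
    return [p for p in probes if egress_allowed(rules, *p)]


if __name__ == "__main__":
    for name, rules in (("default", DEFAULT_SG_EGRESS), ("fleet", FLEET_SG_EGRESS)):
        print(name, "blocked:", blocked_flows(rules, REQUIRED_FLOWS),
              "exposed:", excess_exposure(rules, UNWANTED_PROBES))
```

Both rule sets let the applications reach their servers, but only the tightened group drops the unwanted probes, which is the difference between relying on the VPC default security group and attaching a group written for the fleet. Streaming pixel data does not traverse these rules, so tightening egress does not affect the user's session.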

Using Amazon S3 VPC Endpoints for Home Folders and Application Settings Persistence

To support home folders and application settings persistence on a private network, the AppStream 2.0 service role must be allowed through the policy of your Amazon S3 VPC endpoint. To enable AppStream 2.0 access to your private S3 endpoint, attach a custom policy, as defined below, to your VPC endpoint for Amazon S3, replacing account-id-without-hyphens with your 12-digit AWS account ID. For more information about private Amazon S3 endpoints, see VPC Endpoints and Endpoints for Amazon S3 in the Amazon VPC User Guide.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-AppStream-to-access-home-folder-and-application-settings",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::account-id-without-hyphens:assumed-role/AmazonAppStreamServiceAccess/AppStream2.0"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::appstream2-36fb080bb8-*",
        "arn:aws:s3:::appstream-app-settings-*"
      ]
    }
  ]
}
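An endpoint policy that is too narrow breaks home folders silently, and one that is too broad turns the endpoint into a path to every bucket the VPC can name. The following added example, which is not an AWS tool or code from the guide, reads an S3 endpoint policy and checks three things against the statement above: that the AppStream assumed-role principal for your account is granted all six required actions, that every resource stays within the two AppStream bucket name patterns, and that no wildcard principal is present. The embedded policy is the guide's statement with a made-up account ID, 123456789012; the check only reasons about Allow statements and reports Deny statements and Conditions for manual review rather than evaluating them.

```python
import json
from fnmatch import fnmatchcase

# Actions the guide's policy grants; all six are needed for home folders and
# application settings persistence.
REQUIRED_ACTIONS = {
    "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
}
# Only the AppStream-managed bucket name patterns from the guide should be reachable.
EXPECTED_RESOURCES = {
    "arn:aws:s3:::appstream2-36fb080bb8-*",
    "arn:aws:s3:::appstream-app-settings-*",
}
PRINCIPAL_TEMPLATE = "arn:aws:sts::{account}:assumed-role/AmazonAppStreamServiceAccess/AppStream2.0"

# Constructed policy document: the guide's statement with a made-up account ID.
ENDPOINT_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Allow-AppStream-to-access-home-folder-and-application-settings",
        "Effect": "Allow",
        "Principal": {"AWS": PRINCIPAL_TEMPLATE.format(account="123456789012")},
        "Action": sorted(REQUIRED_ACTIONS),
        "Resource": sorted(EXPECTED_RESOURCES),
    }],
})


def _as_list(value):
    """IAM lets single-valued fields be written as a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_endpoint_policy(policy_json, account_id):
    """Return findings; an empty list means AppStream can reach exactly what it needs."""
    doc = json.loads(policy_json)
    expected_principal = PRINCIPAL_TEMPLATE.format(account=account_id)
    findings, granted = [], set()

    for st in _as_list(doc.get("Statement")):
        sid = st.get("Sid", "<no Sid>")
        if st.get("Effect") != "Allow":
            findings.append(f"{sid}: non-Allow statement present, review it manually")
            continue
        principal = st.get("Principal")
        aws_principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        if "*" in aws_principals:
            findings.append(f"{sid}: wildcard principal lets any identity use the endpoint")
        # Each resource must fall inside one of the AppStream bucket patterns;
        # fnmatchcase also accepts the pattern itself or a narrower bucket ARN.
        for res in _as_list(st.get("Resource")):
            if not any(fnmatchcase(res, pat) for pat in EXPECTED_RESOURCES):
                findings.append(f"{sid}: resource {res} is outside the AppStream bucket patterns")
        if "Condition" in st:
            findings.append(f"{sid}: has a Condition that this check does not evaluate")
        if expected_principal in aws_principals:
            granted.update(_as_list(st.get("Action")))

    if not granted:
        findings.append(f"no Allow statement names {expected_principal}")
    for action in sorted(REQUIRED_ACTIONS):
        # A granted "s3:*" covers every required action; anything narrower is listed.
        if not any(fnmatchcase(action, g) for g in granted):
            findings.append(f"required action {action} is not granted to the AppStream role")
    return findings


if __name__ == "__main__":
    print(check_endpoint_policy(ENDPOINT_POLICY, "123456789012") or "policy ok")
```

Run it with the account ID of the account that owns the fleet: a policy copied from another account passes a visual review but fails the principal check, and a policy whose Resource was widened to "*" during troubleshooting is flagged even though home folders appear to work.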