IP access control groups for your WorkSpaces - Amazon WorkSpaces


Amazon WorkSpaces allows you to control which IP addresses your WorkSpaces can be accessed from. By using IP address-based control groups, you can define and manage groups of trusted IP addresses, and only allow users to access their WorkSpaces when they're connected to a trusted network.

An IP access control group acts as a virtual firewall that controls the IP addresses from which users are allowed to access their WorkSpaces. To specify the CIDR address ranges, add rules to your IP access control group, and then associate the group with your directory. You can associate each IP access control group with one or more directories. You can create up to 100 IP access control groups per Region per AWS account. However, you can only associate up to 25 IP access control groups with a single directory.

A default IP access control group is associated with each directory. This default group includes a default rule that allows users to access their WorkSpaces from anywhere. You cannot modify the default IP access control group for your directory. If you don't associate an IP access control group with your directory, the default group is used. If you associate an IP access control group with a directory, the default IP access control group is disassociated.

To specify the public IP addresses and ranges of IP addresses for your trusted networks, add rules to your IP access control groups. If your users access their WorkSpaces through a NAT gateway or VPN, you must create rules that allow traffic from the public IP addresses for the NAT gateway or VPN.

Note
  • IP access control groups do not allow the use of dynamic IP addresses for NATs. If you're using a NAT, configure it to use a static IP address instead of a dynamic IP address. Make sure the NAT routes all the UDP traffic through the same static IP address for the duration of the WorkSpaces session.

  • IP access control groups control only the IP addresses from which users can connect their streaming sessions to WorkSpaces. Users can still perform actions such as restart, rebuild, and shutdown from any IP address by using the Amazon WorkSpaces public APIs.

You can use this feature with Web Access, PCoIP zero clients, and the client applications for macOS, iPad, Windows, Chromebook, and Android.

Create an IP access control group

You can create an IP access control group as follows. Each IP access control group can contain up to 10 rules.

To create an IP access control group
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose IP Access Controls.

  3. Choose Create IP Group.

  4. In the Create IP Group dialog box, enter a name and description for the group and choose Create.

  5. Select the group and choose Edit.

  6. For each IP address, choose Add Rule. For Source, enter the IP address or IP address range. For Description, enter a description. When you are done adding rules, choose Save.

Associate an IP access control group with a directory

You can associate an IP access control group with a directory to ensure that WorkSpaces are accessed only from trusted networks.

If you associate an IP access control group that has no rules with a directory, this blocks all access to all WorkSpaces.
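As an added example (not from the WorkSpaces documentation or the AWS SDK), the following Python applies the limits and semantics described above to group definitions shaped like the boto3 `DescribeIpGroups` response: it flags an empty group (which blocks all access once associated), a `0.0.0.0/0` rule, malformed CIDRs and over-limit counts, and evaluates whether a client address would be admitted. The group ids and addresses are constructed placeholders, and it assumes that the rules of all groups associated with a directory act as one combined allow list.

```python
import ipaddress
MAX_GROUPS_PER_DIRECTORY = 25  # limits stated on this page
MAX_RULES_PER_GROUP = 10

# Constructed sample data keyed by group id, shaped like the "Result" entries of the
# boto3 DescribeIpGroups response; ids and addresses are placeholders, not real values.
SAMPLE_GROUPS = {
    "wsipg-office": {"userRules": [
        {"ipRule": "203.0.113.0/24", "ruleDesc": "HQ NAT gateway (static IP)"},
        {"ipRule": "198.51.100.7/32", "ruleDesc": "VPN egress"}]},
    "wsipg-empty": {"userRules": []},
    "wsipg-anywhere": {"userRules": [{"ipRule": "0.0.0.0/0", "ruleDesc": "temporary"}]},
}

def audit_group(group_id, group):
    """Return findings (strings) for one IP access control group."""
    findings = []
    rules = group.get("userRules", [])
    if not rules:
        findings.append(f"{group_id}: no rules; associating it blocks all access")
    if len(rules) > MAX_RULES_PER_GROUP:
        findings.append(f"{group_id}: {len(rules)} rules exceeds limit of {MAX_RULES_PER_GROUP}")
    for rule in rules:
        try:
            net = ipaddress.ip_network(rule["ipRule"], strict=False)
        except ValueError:
            findings.append(f"{group_id}: invalid CIDR {rule['ipRule']!r}")
            continue
        if net.prefixlen == 0:  # 0.0.0.0/0 is equivalent to the default allow-all group
            findings.append(f"{group_id}: rule {rule['ipRule']} allows every address")
    return findings

def audit_directory(directory_id, group_ids, groups):
    """Audit the per-directory group limit, then every associated group."""
    findings = []
    if len(group_ids) > MAX_GROUPS_PER_DIRECTORY:
        findings.append(f"{directory_id}: {len(group_ids)} groups exceeds limit of {MAX_GROUPS_PER_DIRECTORY}")
    for gid in group_ids:
        findings.extend(audit_group(gid, groups[gid]))
    return findings

def is_allowed(client_ip, group_ids, groups):
    """True if a streaming session from client_ip would be admitted. No associated group
    means the default group applies; assumption: associated groups form one allow list."""
    if not group_ids:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r["ipRule"], strict=False)
               for gid in group_ids for r in groups[gid]["userRules"])
```

Run `audit_directory` over the `ipGroupIds` of each directory before associating a new group, so an accidentally empty group is caught before it disconnects every user.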

To associate an IP access control group with a directory
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select the directory and choose Actions, Update Details.

  4. Expand IP Access Control Groups and select one or more IP access control groups.

  5. Choose Update and Exit.

Copy an IP access control group

You can use an existing IP access control group as a base for creating a new IP access control group.

To create an IP access control group from an existing one
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose IP Access Controls.

  3. Select the group and choose Actions, Copy to New.

  4. In the Copy IP Group dialog box, enter a name and description for the new group and choose Copy Group.

  5. (Optional) To modify the rules copied from the original group, select the new group and choose Edit. Add, update, or remove rules as needed. Choose Save.

Delete an IP access control group

You can delete a rule from an IP access control group at any time. If you remove a rule that was used to allow a connection to a WorkSpace, the user is disconnected from the WorkSpace.

Before you can delete an IP access control group, you must disassociate it from any directories.

To delete an IP access control group
  1. Open the WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. For each directory that is associated with the IP access control group, select the directory and choose Actions, Update Details. Expand IP Access Control Groups, clear the check box for the IP access control group, and choose Update and Exit.

  4. In the navigation pane, choose IP Access Controls.

  5. Select the group and choose Actions, Delete IP Group.