VPC endpoints
Amazon S3 VPC endpoint
Many Amazon AppStream 2.0 deployments require user state persistence through home folders and application settings. Enable private communication to these Amazon Simple Storage Service (Amazon S3) buckets through a gateway VPC endpoint, because:

- It is cost optimized for AppStream 2.0 network access requirements
- Amazon S3 bucket access is not required from on-premises resources
- A custom policy document can be used to restrict access only from the AppStream 2.0 instances
Once you create the gateway VPC endpoint, it is a best practice to secure the privatized connection by creating a custom policy. The custom policy starts with the Amazon Resource Name (ARN) of the AppStream 2.0 service Identity and Access Management (IAM) role as the principal, and explicitly specifies only the S3 actions required for user state persistence.
Note
The following example specifies, in the Resource section, the home folder bucket first and the application settings bucket second.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow-AppStream-to-access-home-folder-and-application-settings",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:sts::account-id-without-hyphens:assumed-role/AmazonAppStreamServiceAccess/AppStream2.0"
      },
      "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:GetObjectVersion",
        "s3:DeleteObjectVersion"
      ],
      "Resource": [
        "arn:aws:s3:::appstream2-36fb080bb8-*",
        "arn:aws:s3:::appstream-app-settings-*"
      ]
    }
  ]
}
```
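The policy above is only useful if it actually replaces the endpoint's default, which allows every principal every action on every bucket. The following Python is an added example, not part of this whitepaper or of any AWS tooling: it builds a policy in the shape shown above and runs a small check that flags wildcard principals, actions outside the user-state persistence set, and resources that are not AppStream 2.0 home folder or application settings buckets. The account ID `111122223333` is a placeholder, and both sample policies are constructed here.

```python
import json

# The S3 actions the whitepaper's example grants for user-state persistence.
REQUIRED_S3_ACTIONS = {
    "s3:ListBucket", "s3:GetObject", "s3:PutObject",
    "s3:DeleteObject", "s3:GetObjectVersion", "s3:DeleteObjectVersion",
}

# Bucket ARN prefixes for AppStream 2.0 home folders and application settings,
# taken from the whitepaper's example policy.
ALLOWED_BUCKET_PREFIXES = (
    "arn:aws:s3:::appstream2-",
    "arn:aws:s3:::appstream-app-settings-",
)


def build_appstream_s3_endpoint_policy(account_id):
    """Return a gateway endpoint policy in the shape of the whitepaper's example.
    `account_id` is the hyphen-less account ID of the AppStream 2.0 service role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Allow-AppStream-to-access-home-folder-and-application-settings",
            "Effect": "Allow",
            "Principal": {
                "AWS": f"arn:aws:sts::{account_id}:assumed-role/"
                       "AmazonAppStreamServiceAccess/AppStream2.0"
            },
            "Action": sorted(REQUIRED_S3_ACTIONS),
            "Resource": [
                "arn:aws:s3:::appstream2-36fb080bb8-*",
                "arn:aws:s3:::appstream-app-settings-*",
            ],
        }],
    }


# Constructed sample: the permissive policy a gateway endpoint carries by default.
DEFAULT_OPEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}],
}


def _as_list(value):
    # IAM allows a single string wherever a list is accepted.
    return value if isinstance(value, list) else [value]


def _principals(statement):
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    found = []
    for value in principal.values():
        found.extend(_as_list(value))
    return found


def check_endpoint_policy(policy):
    """Return a list of findings where an Allow statement is looser than the
    whitepaper's guidance; an empty list means the policy matches it."""
    findings = []
    for index, statement in enumerate(policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        sid = statement.get("Sid", f"statement-{index}")
        for principal in _principals(statement):
            if principal == "*":
                findings.append(f"{sid}: principal is a wildcard")
            elif ":assumed-role/AmazonAppStreamServiceAccess/" not in principal:
                findings.append(f"{sid}: principal is not the AppStream service role: {principal}")
        for action in _as_list(statement.get("Action", [])):
            if action not in REQUIRED_S3_ACTIONS:
                findings.append(f"{sid}: action not needed for user-state persistence: {action}")
        for resource in _as_list(statement.get("Resource", [])):
            if not resource.startswith(ALLOWED_BUCKET_PREFIXES):
                findings.append(f"{sid}: resource is not an AppStream 2.0 bucket: {resource}")
    return findings


def policy_document(policy):
    """Serialize the policy as the JSON document passed to the endpoint."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    restricted = build_appstream_s3_endpoint_policy("111122223333")  # placeholder account
    print("restricted policy findings:", check_endpoint_policy(restricted))
    print("default policy findings:", check_endpoint_policy(DEFAULT_OPEN_POLICY))
    print(policy_document(restricted))
```

Write the serialized document to a file and attach it with `aws ec2 modify-vpc-endpoint --vpc-endpoint-id <endpoint-id> --policy-document file://policy.json`; running the check against the JSON returned by `aws ec2 describe-vpc-endpoints` afterwards confirms the default `"Principal": "*"` statement is gone.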
Amazon AppStream 2.0 API interface VPC endpoint
In design scenarios where API and CLI commands to Amazon AppStream 2.0 originate in your VPC, privatize these programmatic calls through an interface VPC endpoint.
Amazon AppStream 2.0 streaming interface VPC endpoint
While it is possible to route Amazon AppStream 2.0 streaming traffic through an interface VPC endpoint, use this configuration with caution. The default streaming behavior through the public internet is the most efficient and performant delivery method for Amazon AppStream 2.0 streaming traffic.
![Diagram showing how traffic moves between Amazon AppStream 2.0 Streaming Gateways via the internet.](/images/whitepapers/latest/best-practices-for-deploying-amazon-appstream-2/images/appstream-streaming-interface.png)
Amazon AppStream 2.0 streaming interface VPC endpoint
As shown in the previous figure, the public internet is the most efficient path to Amazon AppStream 2.0 Streaming Gateways. Routing through the customer-managed VPC and networking adds complexity and latency. It also adds data transfer fees over AWS Direct Connect.
Note
Only streaming traffic is supported by the VPC endpoint; authentication must still take place over the public internet. Prerequisite access, such as to a SAML Single Sign-On (SSO) Identity Provider (IdP), remains a requirement and is reachable only through the public internet.