VPC endpoints - Best Practices for Deploying Amazon AppStream 2.0

VPC endpoints

Amazon S3 VPC endpoint

Many Amazon AppStream 2.0 deployments require user state persistence through home folders and application settings. Enable private communication to these Amazon Simple Storage Service (Amazon S3) locations so that the traffic avoids the public internet. You can achieve this through a VPC gateway endpoint. A gateway endpoint is preferred over AWS PrivateLink for Amazon S3 (an interface endpoint) because:

  • It is cost optimized for AppStream 2.0 network access requirements

  • Amazon S3 bucket access is not required from on-premises resources

  • A custom policy document can be used to restrict access only from the AppStream 2.0 instances

Once you create the VPC gateway endpoint, it is a best practice to secure the privatized connection by attaching a custom endpoint policy. The custom policy names, as its principal, the Amazon Resource Name (ARN) of the AppStream 2.0 service Identity and Access Management (IAM) role, and explicitly specifies only the S3 actions required for user state persistence.

Note

In the following example, the Resource element lists the home folder path first and the application settings path second.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow-AppStream-to-access-home-folder-and-application-settings",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::account-id-without-hyphens:assumed-role/AmazonAppStreamServiceAccess/AppStream2.0"
            },
            "Action": [
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:GetObjectVersion",
                "s3:DeleteObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::appstream2-36fb080bb8-*",
                "arn:aws:s3:::appstream-app-settings-*"
            ]
        }
    ]
}
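As an added example (not from the AWS documentation), the following Python script builds the endpoint policy above from your own values and checks sample requests against it with a deliberately simplified evaluator, so you can confirm before deployment that only the AppStream 2.0 service role can reach the user state buckets. The account ID is a constructed placeholder, and the evaluator models only Allow statements, exact principal matching and `*` wildcards in actions and resources (no Deny statements, conditions or bucket policies).

```python
import fnmatch
import json

# Constructed placeholder values; replace with your own account ID and bucket prefixes.
ACCOUNT_ID = "111122223333"
SERVICE_ROLE = "AmazonAppStreamServiceAccess"
APPSTREAM_PRINCIPAL = f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/{SERVICE_ROLE}/AppStream2.0"
# Exactly the S3 actions the page lists as required for user state persistence.
USER_STATE_ACTIONS = [
    "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "s3:GetObjectVersion", "s3:DeleteObjectVersion",
]


def build_endpoint_policy(home_folder_prefix, app_settings_prefix):
    """Return the gateway endpoint policy as a dict: home folder bucket first,
    application settings bucket second, matching the order used on the page."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "Allow-AppStream-to-access-home-folder-and-application-settings",
            "Effect": "Allow",
            "Principal": {"AWS": APPSTREAM_PRINCIPAL},
            "Action": USER_STATE_ACTIONS,
            "Resource": [f"arn:aws:s3:::{home_folder_prefix}*",
                         f"arn:aws:s3:::{app_settings_prefix}*"],
        }],
    }


def is_allowed(policy, principal, action, resource):
    """Simplified evaluator: the request is allowed only if some Allow statement
    matches the principal exactly and the action and resource by '*' wildcard.
    Anything not matched is implicitly denied (Deny statements are not modelled)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = stmt["Principal"].get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if (principal in principals
                and any(fnmatch.fnmatchcase(action, a) for a in actions)
                and any(fnmatch.fnmatchcase(resource, r) for r in resources)):
            return True
    return False


if __name__ == "__main__":
    policy = build_endpoint_policy("appstream2-36fb080bb8-", "appstream-app-settings-")
    print(json.dumps(policy, indent=4))
```

Pass the printed document to `aws ec2 create-vpc-endpoint --policy-document` (or paste it into the console) once the checks below behave as expected for your bucket names.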

Amazon AppStream 2.0 API interface VPC endpoint

In design scenarios where API and CLI commands to Amazon AppStream 2.0 originate in your VPC, privatize these programmatic calls through an interface VPC endpoint.

Amazon AppStream 2.0 streaming interface VPC endpoint

While it is possible to route Amazon AppStream 2.0 streaming traffic through an interface VPC endpoint, use this configuration with caution. The default streaming behavior through the public internet is the most efficient and performant delivery method for Amazon AppStream 2.0 streaming traffic.

Figure: Amazon AppStream 2.0 streaming interface VPC endpoint (diagram showing how traffic moves between Amazon AppStream 2.0 Streaming Gateways via the internet).

As shown in the previous figure, the public internet is the most efficient path to Amazon AppStream 2.0 Streaming Gateways. Routing through the customer-managed VPC and networking adds complexity and latency. It also adds data transfer fees over AWS Direct Connect.

Note

Only streaming traffic is supported by the VPC endpoint; authentication must still take place over the public internet. Prerequisite access, such as to a SAML Single Sign-On (SSO) Identity Provider (IdP), remains a requirement and is available only through the public internet.