Configure your company network - Amazon WorkLink

Configure your company network

After you create your fleet, provide the fleet with access to a VPC with on-premises connectivity. You can use an existing or new VPC to link a network. This allows your users to access your company’s internal web content.

For more information about common VPC scenarios, see the following:

To configure your company network

  1. Open the Amazon WorkLink console at

  2. On the Fleets page, select the fleet, and choose View details.

  3. Choose Company Network, Link network.

  4. Under VPC, select the VPC that you want your fleet to access. The VPC must meet the following criteria:

    • The VPC must have, or be granted, a path to the servers of origin for the websites you want to associate with Amazon WorkLink. Examples of paths include the following:

    • The VPC is highly dependent on your network architecture. Common scenarios include the following:

      • If you use one VPC in AWS for all use cases, you can choose the common VPC.

      • If you use one VPC for a single use case, you can create or use an existing unused VPC. This allows you to use VPC Flow Logs to inspect traffic within the VPC. For more information, see VPC Flow Logs.

  5. Under Subnets, select the VPC subnets that Amazon WorkLink should use to set up your VPC configuration. Subnets must meet the following criteria:

    • We recommend that you select at least two subnets in different Availability Zones for high availability.

    • Subnets can only be selected from the VPC you chose in the previous step. These subnets could already be in use. To prevent availability risks, verify that they're allocated to networking for Amazon WorkLink and have enough IP addresses to allow Amazon WorkLink to scale dynamically.

    • Subnets need to have enough available IP addresses in them to support the number of users going through the fleet. Amazon WorkLink uses an ENI to support multiple browsing sessions, and scales up and down dynamically to meet demand.

    • If your servers of origin are within AWS, identify subnets with network connectivity to reach the servers of origin. To test connectivity, you can create an Amazon Elastic Compute Cloud (Amazon EC2) instance in the given subnet and test connectivity to the servers of origin. Depending on your network topology, you might need to peer the VPC containing these subnets with the VPC with service to enable connectivity.

    • If your servers of origin are outside of AWS, identify subnets with AWS Direct Connect integration that will be used for on-premise integration with Amazon WorkLink. To test connectivity, create an Amazon EC2 instance in the given subnet, and test connectivity to the servers of origin outside of AWS.

    Amazon WorkLink uses the VPC information that you provide to set up ENIs that allow Amazon WorkLink to access VPC resources. Each ENI is assigned a private IP address from the IP address range within the subnets you specify, but is not assigned any public IP addresses. Therefore, you can configure a NAT instance inside your VPC or you can use the Amazon VPC NAT gateway. For more information, see NAT Gateways in the Amazon VPC User Guide. You can't use an internet gateway attached to your VPC, because that requires the ENI to have public IP addresses.


    Do not attach it to a public subnet or to a private subnet without internet access. Instead, attach it only to private subnets with internet access through a NAT instance or an Amazon VPC NAT gateway.

  6. Under Security groups, select at least one VPC security group that Amazon WorkLink should use to set up your VPC configuration.


    Security groups are a method of governing traffic within the subnets allocated for Amazon WorkLink. Amazon WorkLink uses the security group to apply to the ENI that is created in the customer subnet.

    All AWS accounts include a default security group. Most customers create their own security group to reflect their organization's security policies.

    To modify traffic from Amazon WorkLink, modify the outbound rules of the security group.

  7. Choose Link company network.