Create and configure a new VPC - Amazon WorkSpaces Secure Browser

Create and configure a new VPC

This section describes how to use the VPC wizard to create a VPC with one public subnet and one private subnet. As part of this process, the wizard creates an internet gateway and a NAT gateway. It also creates a custom route table associated with the public subnet. It then updates the main route table associated with the private subnet. The NAT gateway is automatically created in your VPC's public subnet.

After you use the wizard to create a VPC configuration, you'll add a second private subnet. For more information about this configuration, see VPC with public and private subnets (NAT).

Step 1: Allocate an Elastic IP address

Before you create your VPC, you must allocate an Elastic IP address in your WorkSpaces Secure Browser Region. Once allocated, you can associate the Elastic IP address with your NAT gateway. With an Elastic IP address, you can mask a failure of your streaming instance by rapidly remapping the address to another streaming instance in your VPC. For more information, see Elastic IP addresses.

Note

Charges might apply to Elastic IP addresses that you use. For more information, see the Elastic IP addresses pricing page.

If you don't already have an Elastic IP address, complete the following steps. If you want to use an existing Elastic IP address, you must first verify that it isn't currently associated with another instance or network interface.

To allocate an Elastic IP address
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, under Network & Security, choose Elastic IPs.

  3. Choose Allocate New Address, and then choose Allocate.

  4. Note the Elastic IP address shown on the console.

  5. In the upper-right corner of the Elastic IPs pane, click the × icon to close the pane.

Step 2: Create a new VPC

Complete the following steps to create a new VPC with one public subnet and one private subnet.

To create a new VPC
  1. Open the Amazon VPC Console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose VPC Dashboard.

  3. Choose Launch VPC Wizard.

  4. In Step 1: Select a VPC Configuration, choose VPC with Public and Private Subnets, and then choose Select.

  5. In Step 2: VPC with Public and Private Subnets, configure the VPC as follows:

    • For IPv4 CIDR block, specify an IPv4 CIDR block for the VPC.

    • For IPv6 CIDR block, keep the default value, No IPv6 CIDR Block.

    • For VPC name, enter a unique name for the VPC.

    • Configure the public subnet as follows:

      • For Public subnet's IPv4 CIDR, specify the CIDR block for the subnet.

      • For Availability Zone, keep the default value, No Preference.

      • For Public subnet name, enter a name for the subnet. For example, WorkSpaces Secure Browser Public Subnet.

    • Configure the first private subnet as follows:

      • For Private subnet's IPv4 CIDR, specify the CIDR block for the subnet. Make a note of the value that you specify.

      • For Availability Zone, select a specific zone and make a note of the zone that you select.

      • For Private subnet name, enter a name for the subnet. For example, WorkSpaces Secure Browser Private Subnet1.

    • For the remaining fields, keep the default values where applicable.

    • For Elastic IP Allocation ID, enter the value that corresponds to the Elastic IP address that you created. This address is then assigned to the NAT gateway. If you don't have an Elastic IP address, create one by using the Amazon VPC Console at https://console.aws.amazon.com/vpc/.

    • For Service endpoints, if an Amazon S3 endpoint is required for your environment, specify one.

      To specify an Amazon S3 endpoint, do the following:

      1. Choose Add Endpoint.

      2. For Service, select the com.amazonaws.Region.s3 entry, where Region is the AWS Region you're creating your VPC in.

      3. For Subnet, choose Private subnet.

      4. For Policy, keep the default value, Full Access.

    • For Enable DNS hostnames, keep the default value, Yes.

    • For Hardware tenancy, keep the default value, Default.

    • Choose Create VPC.

    • It takes several minutes to set up your VPC. After the VPC is created, choose OK.

Step 3: Add a second private subnet

In the previous step, you created a VPC with one public subnet and one private subnet. Complete the following steps to add a second private subnet to your VPC. We recommend that you add a second private subnet in a different Availability Zone than your first private subnet.

To add a second private subnet
  1. In the navigation pane, choose Subnets.

  2. Select the first private subnet that you created in the previous step. On the Description tab, below the list of subnets, make a note of the Availability Zone for this subnet.

  3. On the upper left of the subnets pane, choose Create Subnet.

  4. For Name tag, enter a name for the private subnet. For example, WorkSpaces Secure Browser Private Subnet2.

  5. For VPC, select the VPC that you created in the previous step.

  6. For Availability Zone, select an Availability Zone other than the one you're using for your first private subnet. Selecting a different Availability Zone increases fault tolerance and helps prevent insufficient capacity errors.

  7. For IPv4 CIDR block, specify a unique CIDR block range for the new subnet. For example, if your first private subnet has an IPv4 CIDR block range of 10.0.1.0/24, you could specify a CIDR block range of 10.0.2.0/24 for the second private subnet.

  8. Choose Create.

  9. After your subnet is created, choose Close.

Step 4: Verify and name your subnet route tables

After you've created and configured your VPC, complete the following steps to specify a name for your route tables. You'll need to verify that the following details are correct for your route tables:

  • The route table associated with the subnet that your NAT gateway resides in must include a route that points internet traffic to an internet gateway. This ensures that your NAT gateway can access the internet.

  • The route tables associated with your private subnets must be configured to point internet traffic to the NAT gateway. This enables the streaming instances in your private subnets to communicate with the internet.

To verify and name your subnet route tables
  1. In the navigation pane, choose Subnets, and then select the public subnet that you created. For example, WorkSpaces Secure Browser 2.0 Public Subnet.

  2. On the Route Table tab, choose the ID of the route table. For example, rtb-12345678.

  3. Select the route table. Under Name, choose the edit (pencil) icon, and enter a name for the table. For example, enter the name workspacesweb-public-routetable. Then select the check mark to save the name.

  4. With the public route table still selected, on the Routes tab, verify that there are two routes: one for local traffic, and one that sends all other traffic through the VPC's internet gateway. The following table describes these two routes:

    Route 1
      Destination: Public subnet IPv4 CIDR block (for example, 10.0.0.0/20)
      Target: Local
      Description: All traffic from the resources destined for IPv4 addresses within the public subnet IPv4 CIDR block. This traffic is routed locally within the VPC.

    Route 2
      Destination: Traffic destined to all other IPv4 addresses (for example, 0.0.0.0/0)
      Target: Outbound (igw-ID)
      Description: Traffic destined for all other IPv4 addresses is routed to the internet gateway (identified by igw-ID) that was created by the VPC wizard.

  5. In the navigation pane, choose Subnets. Then, select the first private subnet that you created (for example, WorkSpaces Secure Browser Private Subnet1).

  6. On the Route Table tab, choose the route table's ID.

  7. Select the route table. Under Name, choose the edit (pencil) icon, and enter a name for the table. For example, enter the name workspacesweb-private-routetable. Then choose the check mark to save the name.

  8. On the Routes tab, verify that the route table includes the following routes:

    Route 1
      Destination: Public subnet IPv4 CIDR block (for example, 10.0.0.0/20)
      Target: Local
      Description: All traffic from the resources destined for IPv4 addresses within the public subnet IPv4 CIDR block is routed locally within the VPC.

    Route 2
      Destination: Traffic destined to all other IPv4 addresses (for example, 0.0.0.0/0)
      Target: Outbound (nat-ID)
      Description: Traffic destined for all other IPv4 addresses is routed to the NAT gateway (identified by nat-ID).

    Route 3 (applicable only if you specified an S3 endpoint)
      Destination: Traffic destined for S3 buckets, pl-ID (com.amazonaws.region.s3)
      Target: Storage (vpce-ID)
      Description: Traffic destined for S3 buckets is routed to the S3 endpoint (identified by vpce-ID).

  9. In the navigation pane, choose Subnets. Then select the second private subnet that you created (for example, WorkSpaces Secure Browser Private Subnet2).

  10. On the Route Table tab, verify that the selected route table is the private route table (for example, workspacesweb-private-routetable). If the route table is different, choose Edit and select your private route table instead.
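The checks in Step 3 (non-overlapping subnet CIDR blocks inside the VPC) and Step 4 (public subnet defaults to the internet gateway, every private subnet defaults to the NAT gateway and is associated with the private route table) expressed as a script, as an added example that is not part of this documentation. It runs over constructed data shaped like the EC2 DescribeSubnets and DescribeRouteTables responses; every subnet, route table, gateway ID and CIDR block in it is made up.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSubnets/DescribeRouteTables output; all IDs and CIDRs are made up.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "subnet-pub": {"CidrBlock": "10.0.0.0/24", "Role": "public"},
    "subnet-priv1": {"CidrBlock": "10.0.1.0/24", "Role": "private"},
    "subnet-priv2": {"CidrBlock": "10.0.2.0/24", "Role": "private"},
}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-priv1"}, {"SubnetId": "subnet-priv2"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]

def default_route_target(rt):
    # Target of the 0.0.0.0/0 route (igw-..., nat-...), or None if the table has none.
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def verify(vpc_cidr, subnets, route_tables):
    """Return a list of findings; an empty list means the layout matches Steps 3 and 4."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {sid: ipaddress.ip_network(s["CidrBlock"]) for sid, s in subnets.items()}
    # Step 3: every subnet CIDR lies inside the VPC block and no two subnets overlap.
    for sid, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{sid}: {net} is outside the VPC block {vpc}")
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} have overlapping CIDR blocks")
    # Step 4: public -> internet gateway, private -> NAT gateway, so private streaming instances are never directly reachable.
    subnet_rt = {a["SubnetId"]: rt for rt in route_tables for a in rt["Associations"]}
    for sid, s in subnets.items():
        rt = subnet_rt.get(sid)
        target = default_route_target(rt) if rt else None
        want = "igw-" if s["Role"] == "public" else "nat-"
        if not (target or "").startswith(want):
            findings.append(f"{sid} ({s['Role']}): 0.0.0.0/0 -> {target} via "
                            f"{rt['RouteTableId'] if rt else 'no associated route table'}, expected {want}*")
    return findings
```

Feeding it the real `aws ec2 describe-subnets` and `describe-route-tables` output for your VPC (with a `Role` assigned per subnet) reproduces the console checks in Step 4 without clicking through each subnet.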