

# Enabling internet browsing for Amazon WorkSpaces Secure Browser
<a name="internet-browsing"></a>

You can choose to enable unrestricted internet browsing (the recommended option) or restricted internet browsing.

**Topics**
+ [Enabling unrestricted internet browsing for Amazon WorkSpaces Secure Browser (recommended)](unrestricted-internet-browsing.md)
+ [Enabling restricted internet browsing for Amazon WorkSpaces Secure Browser](restricted-internet-browsing.md)
+ [Internet connectivity ports for Amazon WorkSpaces Secure Browser](vpc-connection.md)

# Enabling unrestricted internet browsing for Amazon WorkSpaces Secure Browser (recommended)
<a name="unrestricted-internet-browsing"></a>

Follow these steps to configure a VPC with a NAT gateway for unrestricted internet browsing. This grants WorkSpaces Secure Browser access to sites on the public internet, and private sites hosted in or with a connection to your VPC.

**To configure a VPC with a NAT gateway for unrestricted internet browsing**

If you want your WorkSpaces Secure Browser portal to have access to both public internet content and private VPC content, follow these steps:
**Note**  
If you already configured a VPC, complete the following steps to add a NAT gateway to your VPC. If you need to create a new VPC, see [Creating a new VPC for Amazon WorkSpaces Secure Browser](create-vpc.md).

1. To create your NAT gateway, complete the steps in [Create a NAT gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating). Make sure that this NAT gateway has public connectivity, and is in a public subnet in your VPC.

1. You must specify at least two private subnets from different Availability Zones. Assigning your subnets to different Availability Zones helps to ensure better availability and fault tolerance. For information about how to create a VPC with private subnets, see [Quick VPC Setup (1 minute)](vpc-step1.md).
**Note**  
To make sure every streaming instance has internet access, do not attach a public subnet to your WorkSpaces Secure Browser portal.

1. Update the route table associated with your private subnets to point internet-bound traffic to the NAT gateway. This enables the streaming instances in your private subnets to communicate with the internet. For information on how to associate a route table with a private subnet, complete the steps in [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html).
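The three steps above can be verified before you attach subnets to the portal. The following script is an added example (not AWS code): it inspects the JSON shapes returned by `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` and reports, for each subnet you intend to attach, whether its `0.0.0.0/0` route points at an available NAT gateway that itself sits in a public subnet, whether a public subnet was mistakenly included, and whether the usable subnets span at least two Availability Zones. The route tables, NAT gateway and subnet-to-AZ map below are constructed sample data; the resource IDs are placeholders.

```python
"""Check that the subnets planned for a WorkSpaces Secure Browser portal are
private subnets whose default route goes to a NAT gateway in a public subnet.

Added example, not AWS code. Works on the JSON shapes of
`aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways`;
all data below is constructed and the IDs are placeholders.
"""

# Constructed sample in the shape of `aws ec2 describe-route-tables` output.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {   # Public route table: default route to an internet gateway.
            "RouteTableId": "rtb-public",
            "Associations": [{"SubnetId": "subnet-public-a", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
            ],
        },
        {   # Private route table: default route to the NAT gateway (step 3).
            "RouteTableId": "rtb-private",
            "Associations": [
                {"SubnetId": "subnet-private-a", "Main": False},
                {"SubnetId": "subnet-private-b", "Main": False},
            ],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
            ],
        },
        {   # Isolated route table: no default route at all.
            "RouteTableId": "rtb-isolated",
            "Associations": [{"SubnetId": "subnet-private-c", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
    ]
}

# Constructed sample in the shape of `aws ec2 describe-nat-gateways` output.
SAMPLE_NAT_GATEWAYS = {
    "NatGateways": [
        {"NatGatewayId": "nat-0example", "SubnetId": "subnet-public-a",
         "State": "available", "ConnectivityType": "public"},
    ]
}

# Constructed subnet -> Availability Zone map (as you would take from `aws ec2 describe-subnets`).
SAMPLE_SUBNET_AZ = {
    "subnet-public-a": "us-west-2a",
    "subnet-private-a": "us-west-2a",
    "subnet-private-b": "us-west-2b",
    "subnet-private-c": "us-west-2c",
}


def route_table_for_subnet(route_tables, subnet_id):
    """Route table explicitly associated with the subnet, else the VPC's main table."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt):
    """The active 0.0.0.0/0 route of a route table, or None if there is none."""
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route
    return None


def classify_subnet(route_tables, subnet_id):
    """'public' (default route via internet gateway), 'nat' (via NAT gateway) or 'isolated'."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    route = default_route(rt) if rt else None
    if route is None:
        return "isolated"
    if str(route.get("GatewayId", "")).startswith("igw-"):
        return "public"
    if route.get("NatGatewayId"):
        return "nat"
    return "isolated"  # other targets (e.g. a virtual private gateway) are not internet paths


def check_portal_subnets(route_tables, nat_gateways, subnet_az, subnet_ids):
    """Map each offending subnet to a problem; an empty dict means the setup matches the procedure."""
    problems = {}
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways["NatGateways"]}
    for sid in subnet_ids:
        kind = classify_subnet(route_tables, sid)
        if kind == "public":
            problems[sid] = "public subnet; do not attach it to the portal"
            continue
        if kind == "isolated":
            problems[sid] = "no 0.0.0.0/0 route to a NAT gateway; streaming instances cannot reach the internet"
            continue
        nat_id = default_route(route_table_for_subnet(route_tables, sid))["NatGatewayId"]
        nat = nat_by_id.get(nat_id)
        if nat is None or nat.get("State") != "available":
            problems[sid] = f"default route targets {nat_id}, which is missing or not available"
        elif classify_subnet(route_tables, nat["SubnetId"]) != "public":
            problems[sid] = f"{nat_id} is not in a public subnet, so it has no path to the internet"
    usable = [s for s in subnet_ids if s not in problems]
    if len({subnet_az.get(s) for s in usable}) < 2:
        problems["*"] = "fewer than two usable private subnets in different Availability Zones"
    return problems


if __name__ == "__main__":
    print(check_portal_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_NAT_GATEWAYS, SAMPLE_SUBNET_AZ,
                               ["subnet-private-a", "subnet-private-b"]))  # {}
    print(check_portal_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_NAT_GATEWAYS, SAMPLE_SUBNET_AZ,
                               ["subnet-public-a", "subnet-private-c"]))
```

To run it against a real account, replace the three sample structures with the parsed output of the corresponding `aws ec2 describe-*` calls and pass the subnet IDs you plan to select in the portal's network connection details.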

# Enabling restricted internet browsing for Amazon WorkSpaces Secure Browser
<a name="restricted-internet-browsing"></a>

The recommended network setup for a WorkSpaces Secure Browser portal is private subnets with a NAT gateway, so that the portal can browse both the public internet and private content. For more information, see [Enabling unrestricted internet browsing for Amazon WorkSpaces Secure Browser (recommended)](unrestricted-internet-browsing.md). However, you might be required to control outbound communication from a WorkSpaces Secure Browser portal to the internet by using a web proxy. For example, if you use a web proxy as the gateway to the internet, you can implement preventive security controls, such as domain allow-listing and content filtering. A proxy can also reduce bandwidth usage and improve network performance by caching frequently accessed resources, such as web pages or software updates, locally. For some use cases, you might have private content that is only accessible through a web proxy.

You might already be familiar with configuring proxy settings on managed devices, or on the image of your virtual environments. But this poses challenges if you aren’t in control of the device (for example, when users are on devices not owned or managed by the enterprise), or if you need to manage the image for your virtual environment. With WorkSpaces Secure Browser, you can set proxy settings using Chrome’s policies built into the web browser. You can do this by setting up an HTTP outbound proxy for WorkSpaces Secure Browser.

This solution is based on a recommended outbound VPC proxy setup that uses the open source HTTP proxy [Squid](http://www.squid-cache.org/). It then uses the WorkSpaces Secure Browser browser settings to configure the WorkSpaces Secure Browser portal to connect to the proxy endpoint. For more information, see [How to set up an outbound VPC proxy with domain whitelisting and content filtering](https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/).

This solution provides you with the following benefits:
+ An outbound proxy that consists of a group of auto-scaling Amazon EC2 instances behind a network load balancer. The proxy instances live in a public subnet, and each has an Elastic IP address attached, so they can reach the internet.
+ A WorkSpaces Secure Browser portal deployed to private subnets. You don't need to configure a NAT gateway to enable internet access. Instead, you configure your browser policy so that all internet traffic goes through the outbound proxy. If you want to use your own proxy, the WorkSpaces Secure Browser portal setup is similar.

**Topics**
+ [Restricted internet browsing architecture for Amazon WorkSpaces Secure Browser](restricted-architecture.md)
+ [Restricted internet browsing prerequisites for Amazon WorkSpaces Secure Browser](restricted-prerequisites.md)
+ [HTTP outbound proxy for Amazon WorkSpaces Secure Browser](restricted-setup.md)
+ [Troubleshooting restricted internet browsing for Amazon WorkSpaces Secure Browser](restricted-troubleshooting.md)

# Restricted internet browsing architecture for Amazon WorkSpaces Secure Browser
<a name="restricted-architecture"></a>

The following is an example of a typical proxy setup in your VPC. The proxy Amazon EC2 instances are in public subnets and associated with Elastic IP addresses, so they have access to the internet. A network load balancer fronts an auto scaling group of proxy instances. This ensures that proxy instances can scale up automatically, and the network load balancer is the single proxy endpoint that WorkSpaces Secure Browser sessions consume.

![\[WorkSpaces Secure Browser architecture\]](http://docs.aws.amazon.com/workspaces-web/latest/adminguide/images/restricted-internet-architecture.png)


# Restricted internet browsing prerequisites for Amazon WorkSpaces Secure Browser
<a name="restricted-prerequisites"></a>

Before you get started, make sure that you meet the following prerequisites:
+ You need an already deployed VPC, with public and private subnets spread across several Availability Zones (AZs). For more information about how to set up your VPC environment, see [Default VPCs](https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html).
+ You need one single proxy endpoint that is accessible from private subnets, where WorkSpaces Secure Browser sessions live (for example, the network load balancer DNS name). If you want to use your existing proxy, make sure it also has a single endpoint that is accessible from your private subnets.

# HTTP outbound proxy for Amazon WorkSpaces Secure Browser
<a name="restricted-setup"></a>

To set up an HTTP outbound proxy for WorkSpaces Secure Browser, follow these steps.

1. To deploy an example outbound proxy to your VPC, follow the steps in [How to set up an outbound VPC proxy with domain whitelisting and content filtering](https://aws.amazon.com/blogs/security/how-to-set-up-an-outbound-vpc-proxy-with-domain-whitelisting-and-content-filtering/).

   1. Follow the steps in "Installation (one-time setup)" to deploy the CloudFormation template to your account. Make sure to choose the right VPC and subnets as the CloudFormation template parameters.

   1. After deployment, find the CloudFormation output parameter **OutboundProxyDomain** and **OutboundProxyPort**. This is your proxy’s DNS name and port.

   1. If you already have your own proxy, skip this step and use your proxy’s DNS name and port.

1. In the WorkSpaces Secure Browser console, select your portal and then choose **Edit**.

   1. In the **Network connection details**, choose the VPC and private subnets that have access to the proxy.

   1. In the **Policy settings**, add the following ProxySettings policy by using a JSON editor. The `ProxyServer` field should be your proxy’s DNS name and port. For more details about ProxySettings policy, see [ProxySettings](https://chromeenterprise.google/policies/#ProxySettings).

      ```
      {
          "chromePolicies":
          {
              ...
              "ProxySettings": {
                  "value": {
                      "ProxyMode": "fixed_servers",
                      "ProxyServer": "OutboundProxyLoadBalancer-0a01409a46943c47.elb.us-west-2.amazonaws.com:3128",
                      "ProxyBypassList": "https://www.example1.com,https://www.example2.com,https://internalsite/"
                  }
              }
          }
      }
      ```

1. In your WorkSpaces Secure Browser session, the Chrome proxy settings show the message **Chrome is using proxy settings from your administrator**, which confirms that the proxy is applied.

1. Go to chrome://policy and the **Chrome policy** tab to confirm that the policy is applied.

1. Verify that your WorkSpaces Secure Browser session can successfully browse internet content without a NAT gateway. In CloudWatch Logs, verify that Squid proxy access logs are recorded.

# Troubleshooting restricted internet browsing for Amazon WorkSpaces Secure Browser
<a name="restricted-troubleshooting"></a>

After Chrome policy is applied, if your WorkSpaces Secure Browser session still can't access the internet, follow these steps to try to resolve your issue:
+ Verify that the proxy endpoint is accessible from the private subnets where your WorkSpaces Secure Browser portal lives. To do this, create an EC2 instance in the private subnet, and test the connection from the private EC2 instance to your proxy endpoint.
+ Verify that the proxy has internet access. 
+ Verify that the Chrome policy is correct.
  +  Confirm that the `ProxyServer` field of the policy has the format `<Proxy DNS name>:<Proxy port>`. The value must not be prefixed with `http://` or `https://`.
  +  In the WorkSpaces Secure Browser session, use Chrome to navigate to chrome://policy, and make sure that the ProxySettings policy is successfully applied.
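The following script is an added example (not AWS or Chrome code) that serves both the policy step in the setup procedure and the policy checks in this troubleshooting list. It builds the `ProxySettings` policy object in the shape shown in the setup step and validates a policy the same way you would by hand: `ProxyMode` must be `fixed_servers`, `ProxyServer` must be `<Proxy DNS name>:<Proxy port>` with no `http://` or `https://` prefix and a port in range, and bypass entries must not contain whitespace. The proxy host name used below is a constructed placeholder, not a real endpoint.

```python
"""Build and sanity-check the ProxySettings Chrome policy for restricted browsing.

Added example, not AWS or Chrome code. The host names used in the usage
section are constructed placeholders.
"""
import json
import re

# Host name or bracketed IPv6 literal followed by a mandatory ":port".
_HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9.-]+|\[[0-9A-Fa-f:.]+\]):(?P<port>\d{1,5})$")
_SCHEME_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def build_proxy_policy(proxy_server, bypass_list=()):
    """Return the portal policy object carrying a fixed_servers ProxySettings policy."""
    return {
        "chromePolicies": {
            "ProxySettings": {
                "value": {
                    "ProxyMode": "fixed_servers",
                    "ProxyServer": proxy_server,
                    "ProxyBypassList": ",".join(bypass_list),
                }
            }
        }
    }


def validate_proxy_policy(policy):
    """Return a list of findings; an empty list means the policy matches the documented shape."""
    findings = []
    settings = policy.get("chromePolicies", {}).get("ProxySettings")
    if not isinstance(settings, dict) or "value" not in settings:
        return ["ProxySettings policy is missing or has no 'value' object"]
    value = settings["value"]

    if value.get("ProxyMode") != "fixed_servers":
        findings.append(f"ProxyMode is {value.get('ProxyMode')!r}; a single outbound proxy needs 'fixed_servers'")

    server = value.get("ProxyServer", "")
    if _SCHEME_PREFIX.match(server):
        findings.append("ProxyServer must not start with http:// or https://; use <Proxy DNS name>:<Proxy port>")
    else:
        match = _HOST_PORT.match(server)
        if match is None:
            findings.append(f"ProxyServer {server!r} is not of the form <Proxy DNS name>:<Proxy port>")
        elif not 1 <= int(match.group("port")) <= 65535:
            findings.append(f"ProxyServer port {match.group('port')} is out of range")

    # Bypass entries are comma separated; whitespace inside an entry is a typo.
    for entry in filter(None, value.get("ProxyBypassList", "").split(",")):
        if any(ch.isspace() for ch in entry.strip()):
            findings.append(f"bypass entry {entry!r} contains whitespace")
    return findings


if __name__ == "__main__":
    # Constructed placeholder endpoint: substitute the OutboundProxyDomain:OutboundProxyPort output.
    policy = build_proxy_policy("outbound-proxy-nlb.example.internal:3128",
                                ["https://www.example1.com", "https://internalsite/"])
    print(json.dumps(policy, indent=4))
    print(validate_proxy_policy(policy))  # []
    print(validate_proxy_policy(build_proxy_policy("http://outbound-proxy-nlb.example.internal:3128")))
```

Paste the printed object into the portal's policy JSON editor (merging it with any other policies you already set), and run `validate_proxy_policy` on the policy you exported from the console when a session still cannot browse.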

# Internet connectivity ports for Amazon WorkSpaces Secure Browser
<a name="vpc-connection"></a>

Each WorkSpaces Secure Browser streaming instance has a customer network interface that provides connectivity to the resources within your VPC, as well as to the internet if private subnets with a NAT gateway are set up.

For internet connectivity, the following ports must be open to all destinations. If you are using a modified or custom security group, you'll need to add the required rules manually. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html#SecurityGroupRules.html).

**Note**  
This applies to egress traffic.
+ TCP 80 (HTTP)
+ TCP 443 (HTTPS)
+ UDP 8433
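For a modified or custom security group, the following added example (not AWS code) checks the `IpPermissionsEgress` list in the shape returned by `aws ec2 describe-security-groups` against the three egress rules listed above, treating an "all traffic" (`-1`) rule and port ranges as covering them, and builds the `--ip-permissions` argument you would pass to `aws ec2 authorize-security-group-egress` for whatever is missing. The security group below is constructed sample data with a placeholder ID.

```python
"""Check a security group's egress rules against the ports a portal needs.

Added example, not AWS code. Input is the `IpPermissionsEgress` list as
returned by `aws ec2 describe-security-groups`; the sample below is constructed.
"""
import json

# Egress required for internet connectivity, to all IPv4 destinations.
REQUIRED_EGRESS = [("tcp", 80), ("tcp", 443), ("udp", 8433)]

# Constructed sample: a custom security group that only allows HTTPS to everywhere
# and UDP 8433 to a single internal range.
SAMPLE_SECURITY_GROUP = {
    "GroupId": "sg-0example",
    "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "udp", "FromPort": 8433, "ToPort": 8433,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def rule_covers(perm, protocol, port):
    """True if one egress permission allows protocol/port to every IPv4 destination."""
    if not any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])):
        return False
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "All traffic" rule; AWS omits FromPort/ToPort for it.
        return True
    if proto != protocol:
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def missing_egress(security_group):
    """Return the (protocol, port) pairs from REQUIRED_EGRESS that no rule covers."""
    perms = security_group.get("IpPermissionsEgress", [])
    return [(proto, port) for proto, port in REQUIRED_EGRESS
            if not any(rule_covers(p, proto, port) for p in perms)]


def authorize_egress_permissions(missing):
    """Build the --ip-permissions value for `aws ec2 authorize-security-group-egress`."""
    return [{"IpProtocol": proto, "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": "0.0.0.0/0",
                           "Description": "WorkSpaces Secure Browser internet egress"}]}
            for proto, port in missing]


if __name__ == "__main__":
    gaps = missing_egress(SAMPLE_SECURITY_GROUP)
    print(gaps)  # [('tcp', 80), ('udp', 8433)]
    print(json.dumps(authorize_egress_permissions(gaps)))
```

The printed JSON can be passed directly as `--ip-permissions` together with the group ID from the same `describe-security-groups` output.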