VPC setup recommendations

The following recommendations can help you configure your VPC more effectively and securely.

Overall VPC Configuration

Make sure that your VPC configuration can support your scaling needs.
Make sure that your WorkSpaces Secure Browser service quotas (also referred to as limits) are sufficient to support your anticipated demand. To request a quota increase, you can use the Service Quotas console at https://console.aws.amazon.com/servicequotas/. For information about default WorkSpaces Secure Browser quotas, see Manage service quotas for your portal.
If you plan to provide your streaming sessions with access to the internet, we recommend that you configure a VPC with a NAT gateway in a public subnet.

Elastic Network Interfaces

Each WorkSpaces Secure Browser session requires its own elastic network interface during the streaming duration. WorkSpaces Secure Browser creates as many elastic network interfaces (ENIs) as the maximum desired capacity of your fleet. By default, the limit for ENIs per Region is 5000. For more information, see Network interfaces.

When planning capacity for very large deployments, for example, thousands of concurrent streaming sessions, consider the number of ENIs that might be required for your peak usage. We recommend that you keep your ENI limit at or above the max concurrent usage limit you configure for your web portal.

Subnets

As you develop your plan to scale up users, keep in mind that each WorkSpaces Secure Browser session requires a unique client IP address from your configured subnets. Therefore, the size of the client IP address space configured on your subnets determines the number of users who can stream concurrently.
We recommend each subnet is configured with a subnet mask that allows for enough client IP addresses to account for the maximum number of expected concurrent users. In addition, consider adding additional IP addresses to account for anticipated growth. For more information, see VPC and Subnet Sizing for IPv4.
We recommend that you configure a subnet in each unique Availability Zone that WorkSpaces Secure Browser supports in your desired region for availability and scaling consideration. For more information, see Create and configure a new VPC.
Make sure that the network resources required for your web applications are accessible through your subnets.

Security Groups

Use security groups to provide additional access control to your VPC.

Security groups that belong to your VPC let you control the network traffic between WorkSpaces Secure Browser streaming instances and network resources required by web applications. Make sure that the security groups provide access to the network resources that your web applications require.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Enable restricted internet browsing (using outbound HTTP proxy)

Supported Availability Zones