Amazon WorkSpaces
Administration Guide

IP Access Control Groups for Your WorkSpaces

An IP access control group acts as a virtual firewall that controls the IP addresses from which users are allowed to access their WorkSpaces. You can associate each IP access control group with one or more directories. You can associate up to 25 IP access control groups with each directory.

There is a default IP access control group associated with each directory. The default group allows all traffic. If you associate an IP access control group with a directory, the default IP access control group is disassociated.

To specify the IP addresses and ranges of IP addresses for your trusted networks, add rules to your IP access control groups. If your users access their WorkSpaces through a NAT gateway or VPN, you must create rules that allow traffic from the IP addresses for the NAT gateway or VPN.

You can use this feature with Web Access and the client applications for Mac OS X, iPad, Windows, Android, and Chromebook. You can also use it with a PCoIP zero client, provided that you do not use PCoIP Connection Manager.

Create an IP Access Control Group

You can create up to 25 IP access control groups. Each IP access control group can contain up to 10 rules.

To create an IP access control group

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose IP Access Controls.

  3. Choose Create IP Group.

  4. In the Create IP Group dialog box, type a name and description for the group and choose Create.

  5. Select the group and choose Edit.

  6. For each IP address, choose Add Rule. For Source, type the IP address or IP address range. For Description, type a description. When you are done adding rules, choose Save.

Associate an IP Access Control Group with a Directory

You can associate an IP access control group with a directory to ensure that WorkSpaces are accessed only from trusted networks.

If you associate an IP access control group that has no rules with a directory, all access to all WorkSpaces is blocked.

To associate an IP access control group with a directory

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. Select the directory and choose Actions, Update Details.

  4. Expand IP Access Control Groups and select one or more IP access control groups.

  5. Choose Update and Exit.
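The following pre-association check is an added example, not part of the original guide or of any AWS tooling. It takes the groups planned for a directory and reports groups with no rules, limit violations, and trusted NAT gateway or VPN addresses that no rule covers. The input shape, the function name `audit_directory`, and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Limits stated on this page.
MAX_GROUPS_PER_DIRECTORY = 25
MAX_RULES_PER_GROUP = 10

def audit_directory(groups, trusted_sources):
    """Check the IP groups planned for one directory before associating them.

    groups: {group_name: [IP or CIDR strings]} (hypothetical shape, not an AWS API response).
    trusted_sources: addresses users connect from (NAT gateway, VPN egress).
    Returns (findings, uncovered_sources).
    """
    findings = []
    if not groups:
        # Nothing associated: the default group stays in place and allows all traffic.
        return ["default group in effect: all source addresses allowed"], []
    if len(groups) > MAX_GROUPS_PER_DIRECTORY:
        findings.append(f"{len(groups)} groups exceeds the limit of {MAX_GROUPS_PER_DIRECTORY}")
    allowed = []
    for name, rules in groups.items():
        if not rules:
            findings.append(f"group '{name}' has no rules")
        if len(rules) > MAX_RULES_PER_GROUP:
            findings.append(f"group '{name}' has {len(rules)} rules, limit is {MAX_RULES_PER_GROUP}")
        for rule in rules:
            try:
                allowed.append(ipaddress.ip_network(rule, strict=False))
            except ValueError:
                findings.append(f"group '{name}': invalid source '{rule}'")
    if not allowed:
        findings.append("no usable rules: all access to WorkSpaces is blocked")
    # Assumption: a source is allowed if any rule in any associated group matches it.
    uncovered = [src for src in trusted_sources
                 if not any(ipaddress.ip_address(src) in net for net in allowed)]
    return findings, uncovered

# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_GROUPS = {
    "office": ["203.0.113.0/24"],
    "nat-gateway": ["198.51.100.7"],
    "staging": [],
}
SAMPLE_TRUSTED = ["203.0.113.25", "198.51.100.7", "192.0.2.44"]

if __name__ == "__main__":
    findings, uncovered = audit_directory(SAMPLE_GROUPS, SAMPLE_TRUSTED)
    for line in findings:
        print("FINDING:", line)
    for src in uncovered:
        print("NOT COVERED:", src)
```

Any address reported as not covered belongs to users who would lose access once the groups are associated with the directory.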

Copy an IP Access Control Group

You can use an existing IP access control group as a base for creating a new IP access control group.

To create an IP access control group from an existing one

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose IP Access Controls.

  3. Select the group and choose Actions, Copy to New.

  4. In the Copy IP Group dialog box, type a name and description for the new group and choose Copy Group.

  5. (Optional) To modify the rules copied from the original group, select the new group and choose Edit. Add, update, or remove rules as needed. Choose Save.

Delete an IP Access Control Group

You can delete a rule from an IP access control group at any time. If you remove a rule that was used to allow a connection to a WorkSpace, the user is disconnected from the WorkSpace.

Before you can delete an IP access control group, you must disassociate it from any directories.

To delete an IP access control group

  1. Open the Amazon WorkSpaces console at https://console.aws.amazon.com/workspaces/.

  2. In the navigation pane, choose Directories.

  3. For each directory that is associated with the IP access control group, select the directory and choose Actions, Update Details. Expand IP Access Control Groups, clear the checkbox for the IP access control group, and choose Update and Exit.

  4. In the navigation pane, choose IP Access Controls.

  5. Select the group and choose Actions, Delete IP Group.