IP address and port requirements for WorkSpaces - Amazon WorkSpaces

IP address and port requirements for WorkSpaces

To connect to your WorkSpaces, the network that your WorkSpaces clients are connected to must have certain ports open to the IP address ranges for the various AWS services (grouped in subsets). These address ranges vary by AWS Region. These same ports must also be open on any firewall running on the client. For more information about the AWS IP address ranges for different Regions, see AWS IP Address Ranges in the Amazon Web Services General Reference.

For an architecture diagram, see WorkSpaces Architecture. For additional architecture diagrams, see Best Practices for Deploying Amazon WorkSpaces.

Ports for client applications

The WorkSpaces client application requires outbound access on the following ports:

Port 53 (UDP)

This port is used to access DNS servers. It must be open to your DNS server IP addresses so that the client can resolve public domain names. This port requirement is optional if you are not using DNS servers for domain name resolution.

Port 443 (TCP)

This port is used for client application updates, registration, and authentication. The desktop client applications support the use of a proxy server for port 443 (HTTPS) traffic. To enable the use of a proxy server, open the client application, choose Advanced Settings, select Use Proxy Server, specify the address and port of the proxy server, and choose Save.

This port must be open to the following IP address ranges:

  • The AMAZON subset in the GLOBAL Region.

  • The AMAZON subset in the Region that the WorkSpace is in.

  • The AMAZON subset in the us-east-1 Region.

  • The AMAZON subset in the us-west-2 Region.

  • The S3 subset in the us-west-2 Region.

Port 4172 (UDP and TCP)

This port is used for streaming the WorkSpace desktop and health checks for PCoIP WorkSpaces. This port must be open to the PCoIP Gateway and to the health check servers in the Region that the WorkSpace is in. For more information, see Health check servers and PCoIP gateway servers.

For PCoIP WorkSpaces, the desktop client applications do not support the use of a proxy server nor TLS decryption and inspection for port 4172 traffic in UDP (for desktop traffic). They require a direct connection to ports 4172.

Port 4195 (UDP and TCP)

This port is used for streaming the WorkSpace desktop and health checks for WorkSpaces Streaming Protocol (WSP) WorkSpaces. This port must be open to the WSP Gateway IP address ranges and the health check servers in the Region that the WorkSpace is in. For more information, see Health check servers and WSP gateway servers.

For WSP WorkSpaces, the WorkSpaces Windows client application (version 5.1 and above) and macOS client application (version 5.4 and above) support the use of HTTP proxy servers for port 4195 TCP traffic, but the use of a proxy is not recommended. TLS decryption and inspection are not supported. For more information, see Configure device proxy server settings for internet access for Windows WorkSpaces, Amazon Linux WorkSpaces, and Ubuntu WorkSpaces.

Note
  • If your firewall uses stateful filtering, ephemeral ports (also known as dynamic ports) are automatically opened to allow return communication. If your firewall uses stateless filtering, you must open ephemeral ports explicitly to allow return communication. The required ephemeral port range that you must open will vary depending on your configuration.

  • Proxy server function is not supported for UDP traffic. If you choose to use a proxy server, the API calls that the client application makes to the Amazon WorkSpaces services are also proxied. Both API calls and desktop traffic should pass through the same proxy server.

Ports for Web Access

WorkSpaces Web Access requires outbound access for the following ports:

Port 53 (UDP)

This port is used to access DNS servers. It must be open to your DNS server IP addresses so that the client can resolve public domain names. This port requirement is optional if you are not using DNS servers for domain name resolution.

Port 80 (UDP and TCP)

This port is used for initial connections to https://clients.amazonworkspaces.com, which then switch to HTTPS. It must be open to all IP address ranges in the EC2 subset in the Region that the WorkSpace is in.

Port 443 (UDP and TCP)

This port is used for registration and authentication using HTTPS. It must be open to all IP address ranges in the EC2 subset in the Region that the WorkSpace is in.

Port 4195 (UDP and TCP)

For WorkSpaces that are configured for WorkSpaces Streaming Protocol (WSP), this port is used for streaming the WorkSpaces desktop traffic. This port must be open to the WSP Gateway IP address ranges. For more information, see WSP gateway servers.

WSP web access supports the use of a proxy server for port 4195 TCP traffic, but it’s not recommended. For more information, see Configure device proxy server settings for internet access for Windows WorkSpaces, Amazon Linux WorkSpaces, and Ubuntu WorkSpaces.

Note

If your firewall uses stateful filtering, ephemeral ports (also known as dynamic ports) are automatically opened to allow return communication. If your firewall uses stateless filtering, you must open ephemeral ports explicitly to allow return communication. The required ephemeral port range that you must open varies depending on your configuration.

Typically, the web browser randomly selects a source port in the high range to use for streaming traffic. WorkSpaces Web Access does not have control over the port that the browser selects. You must ensure that return traffic to this port is allowed.

Domains and IP addresses to add to your allow list

For the WorkSpaces client application to be able to access the WorkSpaces service, you must add the following domains and IP addresses to the allow list on the network from which the client is trying to access the service.

Domains and IP addresses to add to your allow list
Category Domain or IP address
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update
  • https://d2td7dqidlhjx7.cloudfront.net/

  • In the AWS GovCloud (US-West) Region:

    https://d2td7dqidlhjx7.cloudfront.net/prod/pdt/windows/WorkSpacesAppCastx64.xml

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domains:

  • https://skylight-client-ds.us-east-1.amazonaws.com

  • https://skylight-client-ds.us-west-2.amazonaws.com

  • https://skylight-client-ds.ap-south-1.amazonaws.com

  • https://skylight-client-ds.ap-northeast-2.amazonaws.com

  • https://skylight-client-ds.ap-southeast-1.amazonaws.com

  • https://skylight-client-ds.ap-southeast-2.amazonaws.com

  • https://skylight-client-ds.ap-northeast-1.amazonaws.com

  • https://skylight-client-ds.ca-central-1.amazonaws.com

  • https://skylight-client-ds.eu-central-1.amazonaws.com

  • https://skylight-client-ds.eu-west-1.amazonaws.com

  • https://skylight-client-ds.eu-west-2.amazonaws.com

  • https://skylight-client-ds.sa-east-1.amazonaws.com

  • https://skylight-client-ds.af-south-1.amazonaws.com

  • https://skylight-client-ds.il-central-1.amazonaws.com

  • In the AWS GovCloud (US-West) Region:

    https://skylight-client-ds.us-gov-west-1.amazonaws.com

  • In the AWS GovCloud (US-East) Region:

    https://skylight-client-ds.us-gov-east-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domains:

  • https://ws-client-service.us-east-1.amazonaws.com

  • https://ws-client-service.us-west-2.amazonaws.com

  • https://ws-client-service.ap-south-1.amazonaws.com

  • https://ws-client-service.ap-northeast-2.amazonaws.com

  • https://ws-client-service.ap-southeast-1.amazonaws.com

  • https://ws-client-service.ap-southeast-2.amazonaws.com

  • https://ws-client-service.ap-northeast-1.amazonaws.com

  • https://ws-client-service.ca-central-1.amazonaws.com

  • https://ws-client-service.eu-central-1.amazonaws.com

  • https://ws-client-service.eu-west-1.amazonaws.com

  • https://ws-client-service.eu-west-2.amazonaws.com

  • https://ws-client-service.sa-east-1.amazonaws.com

  • https://ws-client-service.af-south-1.amazonaws.com

  • https://ws-client-service.il-central-1.amazonaws.com

  • In the AWS GovCloud (US-West) Region:

    https://ws-client-service.us-gov-west-1.amazonaws.com

  • In the AWS GovCloud (US-East) Region:

    https://ws-client-service.us-gov-east-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • Legacy — https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

  • US East (N. Virginia) — https://d2h1yryv1jxiq.cloudfront.net/

  • US West (Oregon) — https://d1fq42e1gi7rtq.cloudfront.net/

  • Asia Pacific (Mumbai) — https://d1ctsk4u02kky7.cloudfront.net/

  • Asia Pacific (Seoul) — https://dyoj3cw6iktvg.cloudfront.net

  • Asia Pacific (Singapore) — https://d1525ef92caquk.cloudfront.net/

  • Asia Pacific (Sydney) — https://dodwxjr2amr8p.cloudfront.net/

  • Asia Pacific (Tokyo) — https://d3v7kcib8ir2e1.cloudfront.net/

  • Canada (Central) — https://d1ebdk07rro1qy.cloudfront.net/

  • Europe (Frankfurt) — https://d39q4y7cndearu.cloudfront.net/

  • Europe (Ireland) — https://d2127w6wvrc6l3.cloudfront.net/

  • Europe (London) — https://df4ahgpxbxqy2.cloudfront.net/

  • South America (São Paulo) — https://d2nezqurrjvain.cloudfront.net/

  • Africa (Cape Town) — https://dr6ry0pwaoy23.cloudfront.net

  • Israel (Tel Aviv) — https://d2kmf63k5sit88.cloudfront.net

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • US East (N. Virginia) — https://d32i4gd7pg4909.cloudfront.net/

  • US West (Oregon) — https://d18af777lco7lp.cloudfront.net/

  • Asia Pacific (Mumbai) — https://d78hovzzqqtsb.cloudfront.net/

  • Asia Pacific (Seoul) — https://dtyv4uwoh7ynt.cloudfront.net/

  • Asia Pacific (Singapore) — https://d3qzmd7y07pz0i.cloudfront.net/

  • Asia Pacific (Sydney) — https://dwcpoxuuza83q.cloudfront.net/

  • Asia Pacific (Tokyo) — https://d2c2t8mxjhq5z1.cloudfront.net/

  • Canada (Central) — https://d2wfbsypmqjmog.cloudfront.net/

  • Europe (Frankfurt) — https://d1whcm49570jjw.cloudfront.net/

  • Europe (Ireland) — https://d3pgffbf39h4k4.cloudfront.net/

  • Europe (London) — https://d16q6638mh01s7.cloudfront.net/

  • South America (São Paulo) — https://d2lh2qc5bdoq4b.cloudfront.net/

  • Africa (Cape Town) — https://di5ygl2cs0mrh.cloudfront.net/

  • Israel (Tel Aviv) — https://d1a3pnge9on3sx.cloudfront.net

In the AWS GovCloud (US-West) Region:

  • Customer directory settings:

    https://s3.amazonaws.com/workspaces-client-properties/prod/pdt/<directory ID>

  • Login page graphics for customer directory level co-branding:

    https://workspace-client-assets-pdt.s3-us-gov-west-1.amazonaws.com

  • CSS file to style the login pages:

    https://s3.amazonaws.com/workspaces-clients-css/workspaces_v2.css

  • JavaScript file for the login pages:

    Not applicable

In the AWS GovCloud (US-East) Region:

  • Customer directory settings:

    https://s3.amazonaws.com/workspaces-client-properties/prod/osu/<directory ID>

  • Login page graphics for customer directory level co-branding:

    https://workspace-client-assets-pdt.s3-us-gov-east-1.amazonaws.com

  • CSS file to style the login pages:

    https://s3.amazonaws.com/workspaces-clients-css/workspaces_v2.css

  • JavaScript file for the login pages:

    Not applicable

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Pre-session Smart Card Authentication Endpoints
  • https://smartcard.us-east-1.signin.aws

  • https://smartcard.us-west-2.signin.aws

  • https://smartcard.ap-southeast-2.signin.aws

  • https://smartcard.ap-northeast-1.signin.aws

  • https://smartcard.eu-west-1.signin.aws

  • https://smartcard.signin.amazonaws-us-gov.com

User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

In the AWS GovCloud (US-West) and AWS GovCloud (US-East) Regions:

https://login.us-gov-home.awsapps.com/directory/<directory id>/ (where <directory id> is the customer's domain)

WS Broker

Domains:

  • https://ws-broker-service.us-east-1.amazonaws.com

  • https://ws-broker-service-fips.us-east-1.amazonaws.com

  • https://ws-broker-service.us-west-2.amazonaws.com

  • https://ws-broker-service-fips.us-west-2.amazonaws.com

  • https://ws-broker-service.ap-south-1.amazonaws.com

  • https://ws-broker-service.ap-northeast-2.amazonaws.com

  • https://ws-broker-service.ap-southeast-1.amazonaws.com

  • https://ws-broker-service.ap-southeast-2.amazonaws.com

  • https://ws-broker-service.ap-northeast-1.amazonaws.com

  • https://ws-broker-service.ca-central-1.amazonaws.com

  • https://ws-broker-service.eu-central-1.amazonaws.com

  • https://ws-broker-service.eu-west-1.amazonaws.com

  • https://ws-broker-service.eu-west-2.amazonaws.com

  • https://ws-broker-service.sa-east-1.amazonaws.com

  • https://ws-broker-service.af-south-1.amazonaws.com

  • https://ws-broker-service.il-central-1.amazonaws.com

  • https://ws-broker-service.us-gov-west-1.amazonaws.com

  • https://ws-broker-service-fips.us-gov-west-1.amazonaws.com

  • https://ws-broker-service.us-gov-east-1.amazonaws.com

  • https://ws-broker-service-fips.us-gov-east-1.amazonaws.com

WorkSpaces API Endpoints

Domains:

  • https://workspaces.us-east-1.amazonaws.com

  • https://workspaces-fips.us-east-1.amazonaws.com

  • https://workspaces.us-west-2.amazonaws.com

  • https://workspaces-fips.us-west-2.amazonaws.com

  • https://workspaces.ap-south-1.amazonaws.com

  • https://workspaces.ap-northeast-2.amazonaws.com

  • https://workspaces.ap-southeast-1.amazonaws.com

  • https://workspaces.ap-southeast-2.amazonaws.com

  • https://workspaces.ap-northeast-1.amazonaws.com

  • https://workspaces.ca-central-1.amazonaws.com

  • https://workspaces.eu-central-1.amazonaws.com

  • https://workspaces.eu-west-1.amazonaws.com

  • https://workspaces.eu-west-2.amazonaws.com

  • https://workspaces.sa-east-1.amazonaws.com

  • https://workspaces.af-south-1.amazonaws.com

  • https://workspaces.il-central-1.amazonaws.com

  • https://workspaces.us-gov-west-1.amazonaws.com

  • https://workspaces-fips.us-gov-west-1.amazonaws.com

  • https://workspaces.us-gov-east-1.amazonaws.com

  • https://workspaces-fips.us-gov-east-1.amazonaws.com

WorkSpaces Endpoints for SAML Single Sign-On (SSO)

Domains:

  • https://euc-sso-sm.us-east-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-east-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.us-west-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-west-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-south-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-northeast-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-southeast-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-southeast-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-northeast-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.eu-central-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.eu-west-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.af-south-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.il-central-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.us-gov-west-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-gov-west-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.us-gov-east-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-gov-east-1.amazonaws.com/v1/report-heartbeat

Domains and IP addresses to add to your allow list for PCoIP
Category Domain or IP address
PCoIP Session Gateway (PSG) PCoIP gateway servers
Session Broker (PCM)

Domains:

  • https://skylight-cm.us-east-1.amazonaws.com

  • https://skylight-cm-fips.us-east-1.amazonaws.com

  • https://skylight-cm.us-west-2.amazonaws.com

  • https://skylight-cm-fips.us-west-2.amazonaws.com

  • https://skylight-cm.ap-south-1.amazonaws.com

  • https://skylight-cm.ap-northeast-2.amazonaws.com

  • https://skylight-cm.ap-southeast-1.amazonaws.com

  • https://skylight-cm.ap-southeast-2.amazonaws.com

  • https://skylight-cm.ap-northeast-1.amazonaws.com

  • https://skylight-cm.ca-central-1.amazonaws.com

  • https://skylight-cm.eu-central-1.amazonaws.com

  • https://skylight-cm.eu-west-1.amazonaws.com

  • https://skylight-cm.eu-west-2.amazonaws.com

  • https://skylight-cm.sa-east-1.amazonaws.com

  • https://skylight-cm.af-south-1.amazonaws.com

  • https://skylight-cm.il-central-1.amazonaws.com

  • https://skylight-cm.us-gov-west-1.amazonaws.com

  • https://skylight-cm-fips.us-gov-west-1.amazonaws.com

  • https://skylight-cm.us-gov-east-1.amazonaws.com

  • https://skylight-cm-fips.us-gov-east-1.amazonaws.com

Web Access TURN Servers for PCoIP

Servers:

  • turn:*.us-east-1.rdn.amazonaws.com

  • turn:*.us-west-2.rdn.amazonaws.com

  • Web Access isn't currently available in the Asia Pacific (Mumbai) Region.

  • turn:*.ap-northeast-2.rdn.amazonaws.com

  • turn:*.ap-southeast-1.rdn.amazonaws.com

  • turn:*.ap-southeast-2.rdn.amazonaws.com

  • turn:*.ap-northeast-1.rdn.amazonaws.com

  • turn:*.ca-central-1.rdn.amazonaws.com

  • turn:*.eu-central-1.rdn.amazonaws.com

  • turn:*.eu-west-1.rdn.amazonaws.com

  • turn:*.eu-west-2.rdn.amazonaws.com

  • turn:*.sa-east-1.rdn.amazonaws.com

  • Web Access isn't currently available in the Africa (Cape Town) Region

  • Web Access isn't currently available in the Israel (Tel Aviv) Region.

Domains and IP addresses to add to your allow list for WorkSpaces Streaming Protocol (WSP)
Category Domain or IP address
WSP Session Gateway (WSG) WSP gateway servers
Web Access TURN Servers for WSP WSP gateway servers

Health check servers

The WorkSpaces client applications perform health checks over ports 4172 and 4195. These checks validate whether TCP or UDP traffic streams from the WorkSpaces servers to the client applications. For these checks to finish successfully, your firewall policies must allow outbound traffic to the IP addresses of the following Regional health check servers.

Region Health check hostname IP addresses
US East (N. Virginia) drp-iad.amazonworkspaces.com

3.209.215.252

3.212.50.30

3.225.55.35

3.226.24.234

34.200.29.95

52.200.219.150

US West (Oregon) drp-pdx.amazonworkspaces.com

34.217.248.177

52.34.160.80

54.68.150.54

54.185.4.125

54.188.171.18

54.244.158.140

Asia Pacific (Mumbai) drp-bom.amazonworkspaces.com

13.127.57.82

13.234.250.73

Asia Pacific (Seoul) drp-icn.amazonworkspaces.com

13.124.44.166

13.124.203.105

52.78.44.253

52.79.54.102

Asia Pacific (Singapore) drp-sin.amazonworkspaces.com

3.0.212.144

18.138.99.116

18.140.252.123

52.74.175.118

Asia Pacific (Sydney) drp-syd.amazonworkspaces.com

3.24.11.127

13.237.232.125

Asia Pacific (Tokyo) drp-nrt.amazonworkspaces.com

18.178.102.247

54.64.174.128

Canada (Central) drp-yul.amazonworkspaces.com

52.60.69.16

52.60.80.237

52.60.173.117

52.60.201.0

Europe (Frankfurt) drp-fra.amazonworkspaces.com

52.59.191.224

52.59.191.225

52.59.191.226

52.59.191.227

Europe (Ireland) drp-dub.amazonworkspaces.com

18.200.177.86

52.48.86.38

54.76.137.224

Europe (London) drp-lhr.amazonworkspaces.com

35.176.62.54

35.177.255.44

52.56.46.102

52.56.111.36

South America (São Paulo) drp-gru.amazonworkspaces.com

18.231.0.105

52.67.55.29

54.233.156.245

54.233.216.234

Africa (Cape Town) drp-cpt.amazonworkspaces.com/

13.244.128.155

13.245.205.255

13.245.216.116

Israel (Tel Aviv) drp-tlv.amazonworkspaces.com/

51.17.52.90

51.17.109.231

51.16.190.43

AWS GovCloud (US-West) drp-pdt.amazonworkspaces.com

52.61.60.65

52.61.65.14

52.61.88.170

52.61.137.87

52.61.155.110

52.222.20.88

AWS GovCloud (US-East) drp-osu.amazonworkspaces.com

18.253.251.70

18.254.0.118

PCoIP gateway servers

WorkSpaces uses PCoIP to stream the desktop session to clients over port 4172. For its PCoIP gateway servers, WorkSpaces uses a small range of Amazon EC2 public IPv4 addresses. This enables you to set more finely grained firewall policies for devices that access WorkSpaces. Note that the WorkSpaces clients do not support IPv6 addresses as a connectivity option at this time.

Region Public IP address range
US East (N. Virginia)

3.217.228.0 - 3.217.231.255

3.235.112.0 - 3.235.119.255

52.23.61.0 - 52.23.62.255

US West (Oregon)

35.80.88.0 - 35.80.95.255

44.234.54.0 - 44.234.55.255

54.244.46.0 - 54.244.47.255

Asia Pacific (Mumbai)

13.126.243.0 - 13.126.243.255

Asia Pacific (Seoul)

3.34.37.0 - 3.34.37.255

3.34.38.0 - 3.34.39.255

13.124.247.0 - 13.124.247.255

Asia Pacific (Singapore)

18.141.152.0 - 18.141.152.255

18.141.154.0 - 18.141.155.255

52.76.127.0 - 52.76.127.255

Asia Pacific (Sydney)

3.25.43.0 - 3.25.43.255

3.25.44.0 - 3.25.45.255

54.153.254.0 - 54.153.254.255

Asia Pacific (Tokyo)

18.180.178.0 - 18.180.178.255

18.180.180.0 - 18.180.181.255

54.250.251.0 - 54.250.251.255

Canada (Central)

15.223.100.0 - 15.223.100.255

15.223.102.0 - 15.223.103.255

35.183.255.0 - 35.183.255.255

Europe (Frankfurt)

18.156.52.0 - 18.156.52.255

18.156.54.0 - 18.156.55.255

52.59.127.0 - 52.59.127.255

Europe (Ireland)

3.249.28.0 - 3.249.29.255

52.19.124.0 - 52.19.125.255

Europe (London)

18.132.21.0 - 18.132.21.255

18.132.22.0 - 18.132.23.255

35.176.32.0 - 35.176.32.255

South America (São Paulo)

18.230.103.0 - 18.230.103.255

18.230.104.0 - 18.230.105.255

54.233.204.0 - 54.233.204.255

Africa (Cape Town)

13.246.120.0 - 13.246.123.255

Israel (Tel Aviv)

51.17.28.0-51.17.31.255

AWS GovCloud (US-West)

52.61.193.0 - 52.61.193.255

AWS GovCloud (US-East)

18.254.140.0 - 18.254.143.255

WSP gateway servers

Important

Starting in June 2020, WorkSpaces streams the desktop session for WSP WorkSpaces to clients over port 4195 instead of port 4172. If you want to use WSP WorkSpaces, make sure that port 4195 is open to traffic.

WorkSpaces uses a small range of Amazon EC2 public IPv4 addresses for its WSP gateway servers. This enables you to set more finely grained firewall policies for devices that access WorkSpaces. Note that the WorkSpaces clients do not support IPv6 addresses as a connectivity option at this time.

Region Public IP address range
US East (N. Virginia)
  • 3.227.4.0/22

  • 44.209.84.0/22

US West (Oregon) 34.223.96.0/22
Asia Pacific (Mumbai) 65.1.156.0/22
Asia Pacific (Seoul) 3.35.160.0/22
Asia Pacific (Singapore) 13.212.132.0/22
Asia Pacific (Sydney) 3.25.248.0/22
Asia Pacific (Tokyo) 3.114.164.0/22
Canada (Central) 3.97.20.0/22
Europe (Frankfurt) 18.192.216.0/22
Europe (Ireland) 3.248.176.0/22
Europe (London) 18.134.68.0/22
South America (São Paulo) 15.228.64.0/22
Africa (Cape Town) 13.246.108.0/22
Israel (Tel Aviv) 51.17.72.0/22
AWS GovCloud (US-West)
  • 3.32.139.0/24

  • 3.30.129.0/24

  • 3.30.130.0/23

AWS GovCloud (US-East) 18.254.148.0/22

WSP gateway domain names

The following table lists the WSP WorkSpace gateway domain names. These domains must be contactable, for the WorkSpaces client application to be able to access the WorkSpace WSP service.

Region Domain
US East (N. Virginia) *.prod.us-east-1.highlander.aws.a2z.com
US West (Oregon) *.prod.us-west-2.highlander.aws.a2z.com
Asia Pacific (Mumbai) *.prod.ap-south-1.highlander.aws.a2z.com
Asia Pacific (Seoul) *.prod.ap-northeast-2.highlander.aws.a2z.com
Asia Pacific (Singapore) *.prod.ap-southeast-1.highlander.aws.a2z.com
Asia Pacific (Sydney) *.prod.ap-southeast-2.highlander.aws.a2z.com
Asia Pacific (Tokyo) *.prod.ap-northeast-1.highlander.aws.a2z.com
Canada (Central) *.prod.ca-central-1.highlander.aws.a2z.com
Europe (Frankfurt) *.prod.eu-central-1.highlander.aws.a2z.com
Europe (Ireland) *.prod.eu-west-1.highlander.aws.a2z.com
Europe (London) *.prod.eu-west-2.highlander.aws.a2z.com
South America (São Paulo) *.prod.sa-east-1.highlander.aws.a2z.com
Africa (Cape Town) *.prod.af-south-1.highlander.aws.a2z.com
Israel (Tel Aviv) *.prod.il-central-1.highlander.aws.a2z.com
AWS GovCloud (US-West) *.prod.us-gov-west-1.highlander.aws.a2z.com
AWS GovCloud (US-East) *.prod.us-gov-east-1.highlander.aws.a2z.com

Network interfaces

Each WorkSpace has the following network interfaces:

  • The primary network interface (eth1) provides connectivity to the resources within your VPC and on the internet, and is used to join the WorkSpace to the directory.

  • The management network interface (eth0) is connected to a secure WorkSpaces management network. It is used for interactive streaming of the WorkSpace desktop to WorkSpaces clients, and to allow WorkSpaces to manage the WorkSpace.

WorkSpaces selects the IP address for the management network interface from various address ranges, depending on the Region that the WorkSpaces are created in. When a directory is registered, WorkSpaces tests the VPC CIDR and the route tables in your VPC to determine if these address ranges create a conflict. If a conflict is found in all available address ranges in the Region, an error message is displayed and the directory is not registered. If you change the route tables in your VPC after the directory is registered, you might cause a conflict.

Warning

Do not modify or delete any of the network interfaces that are attached to a WorkSpace. Doing so might cause the WorkSpace to become unreachable or lose internet access. For example, if you have enabled automatic assignment of Elastic IP addresses at the directory level, an Elastic IP address (from the Amazon-provided pool) is assigned to your WorkSpace when it is launched. However, if you associate an Elastic IP address that you own to a WorkSpace, and then you later disassociate that Elastic IP address from the WorkSpace, the WorkSpace loses its public IP address, and it doesn't automatically get a new one from the Amazon-provided pool.

To associate a new public IP address from the Amazon-provided pool with the WorkSpace, you must rebuild the WorkSpace. If you don't want to rebuild the WorkSpace, you must associate another Elastic IP address that you own to the WorkSpace.

Management interface IP ranges

The following table lists the IP address ranges used for the management network interface.

Note
  • If you're using Bring Your Own License (BYOL) Windows WorkSpaces, the IP address ranges in the following table do not apply. Instead, PCoIP BYOL WorkSpaces use the 54.239.224.0/20 IP address range for management interface traffic in all AWS Regions. For WSP BYOL Windows WorkSpaces, both the 54.239.224.0/20 and 10.0.0.0/8 IP address ranges apply in all AWS Regions. (These IP address ranges are used in addition to the /16 CIDR block that you select for management traffic for your BYOL WorkSpaces.)

  • If you're using WSP WorkSpaces created from public bundles, the IP address range 10.0.0.0/8 also applies for management interface traffic in all AWS Regions, in addition to the PCoIP/WSP ranges shown in the following table.

Region IP address range
US East (N. Virginia)

PCoIP/WSP: 172.31.0.0/16, 192.168.0.0/16, 198.19.0.0/16

WSP: 10.0.0.0/8

US West (Oregon)

PCoIP/WSP: 172.31.0.0/16, 192.168.0.0/16, and 198.19.0.0/16

WSP: 10.0.0.0/8

Asia Pacific (Mumbai)

PCoIP/WSP: 192.168.0.0/16

WSP: 10.0.0.0/8

Asia Pacific (Seoul)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8

Asia Pacific (Singapore)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8

Asia Pacific (Sydney)

PCoIP/WSP: 172.31.0.0/16, 192.168.0.0/16, and 198.19.0.0/16

WSP: 10.0.0.0/8

Asia Pacific (Tokyo)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8

Canada (Central)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8

Europe (Frankfurt)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8

Europe (Ireland)

PCoIP/WSP: 172.31.0.0/16, 192.168.0.0/16, and 198.19.0.0/16

WSP: 10.0.0.0/8

Europe (London)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8

South America (São Paulo)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8

Africa (Cape Town)

PCoIP/WSP: 172.31.0.0/16 and 198.19.0.0/16

WSP: 10.0.0.0/8

Israel (Tel Aviv)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8

AWS GovCloud (US-West)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8 and 192.169.0.0/16

AWS GovCloud (US-East)

PCoIP/WSP: 198.19.0.0/16

WSP: 10.0.0.0/8

Management interface ports

The following ports must be open on the management network interface of all WorkSpaces:

  • Inbound TCP on port 4172. This is used for establishment of the streaming connection on the PCoIP protocol.

  • Inbound UDP on port 4172. This is used for streaming user input on the PCoIP protocol.

  • Inbound TCP on port 4489. This is used for access using the web client.

  • Inbound TCP on port 8200. This is used for management and configuration of the WorkSpace.

  • Inbound TCP on ports 8201-8250. These ports are used for establishment of the streaming connection and for streaming user input on the WSP protocol.

  • Inbound UDP on port 8220. This port is used for establishment of the streaming connection and for streaming user input on the WSP protocol

  • Outbound TCP on ports 8443 and 9997. This is used for access using the web client.

  • Outbound UDP on ports 3478, 4172, and 4195. This is used for access using the web client.

  • Outbound UDP on ports 50002 and 55002. This is used for streaming. If your firewall uses stateful filtering, the ephemeral ports 50002 and 55002 are automatically opened to allow return communication. If your firewall uses stateless filtering, you must open ephemeral ports 49152 - 65535 to allow return communication.

  • Outbound TCP on port 80, as defined in Management interface IP ranges, to IP address 169.254.169.254 for access to the EC2 metadata service. Any HTTP proxy assigned to your WorkSpaces must also exclude 169.254.169.254.

  • Outbound TCP on port 1688 to IP addresses 169.254.169.250 and 169.254.169.251 to allow access to Microsoft KMS for Windows activation for Workspaces that are based on public bundles. If you're using Bring Your Own License (BYOL) Windows WorkSpaces, you must allow access to your own KMS servers for Windows activation.

  • Outbound TCP on port 1688 to IP address 54.239.236.220 to allow access to Microsoft KMS for Office activation for BYOL WorkSpaces.

    If you're using Office through one of the WorkSpaces public bundles, the IP address for Microsoft KMS for Office activation varies. To determine that IP address, find the IP address for the management interface of the WorkSpace, and then replace the last two octets with 64.250. For example, if the IP address of the management interface is 192.168.3.5, the IP address for Microsoft KMS Office activation is 192.168.64.250.

  • Outbound TCP to IP address 127.0.0.2 for WSP WorkSpaces when the WorkSpace host is configured to use a proxy server.

  • Communications originating from loopback address 127.0.01.

Under normal circumstances, the WorkSpaces service configures these ports for your WorkSpaces. If any security or firewall software is installed on a WorkSpace that blocks any of these ports, the WorkSpace may not function correctly or may be unreachable.

Primary interface ports

No matter which type of directory you have, the following ports must be open on the primary network interface of all WorkSpaces:

  • For internet connectivity, the following ports must be open outbound to all destinations and inbound from the WorkSpaces VPC. You need to add these manually to the security group for your WorkSpaces if you want them to have internet access.

    • TCP 80 (HTTP)

    • TCP 443 (HTTPS)

  • To communicate with the directory controllers, the following ports must be open between your WorkSpaces VPC and your directory controllers. For a Simple AD directory, the security group created by AWS Directory Service will have these ports configured correctly. For an AD Connector directory, you might need to adjust the default security group for the VPC to open these ports.

    • TCP/UDP 53 - DNS

    • TCP/UDP 88 - Kerberos authentication

    • UDP 123 - NTP

    • TCP 135 - RPC

    • UDP 137-138 - Netlogon

    • TCP 139 - Netlogon

    • TCP/UDP 389 - LDAP

    • TCP/UDP 445 - SMB

    • TCP/UDP 636 - LDAPS (LDAP over TLS/SSL)

    • TCP 1024-65535 - Dynamic ports for RPC

    If any security or firewall software is installed on a WorkSpace that blocks any of these ports, the WorkSpace may not function correctly or may be unreachable.

IP address and port requirements by Region

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.us-east-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.us-east-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • US East (N. Virginia) — https://d32i4gd7pg4909.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Pre-session Smart Card Authentication Endpoints https://smartcard.us-east-1.signin.aws
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domains:

  • https://ws-broker-service.us-east-1.amazonaws.com

  • https://ws-broker-service-fips.us-east-1.amazonaws.com

WorkSpaces API Endpoints

Domains:

https://workspaces.us-east-1.amazonaws.com

Session Broker (PCM)

Domains:

  • https://skylight-cm.us-east-1.amazonaws.com

  • https://skylight-cm-fips.us-east-1.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.us-east-1.rdn.amazonaws.com

Health check hostname drp-iad.amazonworkspaces.com
Health check IP addresses
  • 3.209.215.252

  • 3.212.50.30

  • 3.225.55.35

  • 3.226.24.234

  • 34.200.29.95

  • 52.200.219.150

PCoIP gateway servers public IP address ranges
  • 3.217.228.0 - 3.217.231.255

  • 3.235.112.0 - 3.235.119.255

  • 52.23.61.0 - 52.23.62.255

WSP gateway servers IP address range
  • 3.227.4.0/22

  • 44.209.84.0/22

WSP gateway domain name *.prod.us-east-1.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 172.31.0.0/16, 192.168.0.0/16, 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.us-west-2.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.us-west-2.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • US West (Oregon) — https://d18af777lco7lp.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Pre-session Smart Card Authentication Endpoints https://smartcard.us-west-2.signin.aws
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domains:

  • https://ws-broker-service.us-west-2.amazonaws.com

  • https://ws-broker-service-fips.us-west-2.amazonaws.com

WorkSpaces API Endpoints

Domains:

  • https://workspaces.us-west-2.amazonaws.com

  • https://workspaces-fips.us-west-2.amazonaws.com

Session Broker (PCM)

Domains:

  • https://skylight-cm.us-west-2.amazonaws.com

  • https://skylight-cm-fips.us-west-2.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.us-west-2.rdn.amazonaws.com

Health check hostname drp-pdx.amazonworkspaces.com
Health check IP addresses
  • 34.217.248.177

  • 52.34.160.80

  • 54.68.150.54

  • 54.185.4.125

  • 54.188.171.18

  • 54.244.158.140

PCoIP gateway servers public IP address ranges
  • 35.80.88.0 - 35.80.95.255

  • 44.234.54.0 - 44.234.55.255

  • 54.244.46.0 - 54.244.47.255

WSP gateway servers IP address range 34.223.96.0/22
WSP gateway domain name *.prod.us-west-2.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 172.31.0.0/16, 192.168.0.0/16, 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.ap-south-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.ap-south-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Asia Pacific (Mumbai) — https://d78hovzzqqtsb.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.ap-south-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.ap-south-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.ap-south-1.amazonaws.com

Web Access TURN Servers for PCoIP

Web Access isn't currently available in the Asia Pacific (Mumbai) Region

Health check hostname drp-bom.amazonworkspaces.com
Health check IP addresses
  • 13.127.57.82

  • 13.234.250.73

PCoIP gateway servers public IP address ranges

13.126.243.0 - 13.126.243.255

WSP gateway servers IP address range 65.1.156.0/22
WSP gateway domain name *.prod.ap-south-1.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 192.168.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Device Metrics (for 1.0+ and 2.0+ WorkSpaces client applications) https://device-metrics-us-2.amazon.com/
Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.ap-northeast-2.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.ap-northeast-2.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Asia Pacific (Seoul) — https://dtyv4uwoh7ynt.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.ap-northeast-2.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.ap-northeast-2.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.ap-northeast-2.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.ap-northeast-2.rdn.amazonaws.com

Health check hostname drp-icn.amazonworkspaces.com
Health check IP addresses
  • 13.124.44.166

  • 13.124.203.105

  • 52.78.44.253

  • 52.79.54.102

PCoIP gateway servers public IP address ranges
  • 3.34.37.0 - 3.34.37.255

  • 3.34.38.0 - 3.34.39.255

  • 13.124.247.0 - 13.124.247.255

WSP gateway servers IP address range 3.35.160.0/22
WSP gateway domain name *.prod.ap-northeast-2.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.ap-southeast-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain: https://ws-client-service.ap-southeast-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Asia Pacific (Singapore) — https://d3qzmd7y07pz0i.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.ap-southeast-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.ap-southeast-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.ap-southeast-1.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.ap-southeast-1.rdn.amazonaws.com

Health check hostname drp-sin.amazonworkspaces.com
Health check IP addresses
  • 3.0.212.144

  • 18.138.99.116

  • 18.140.252.123

  • 52.74.175.118

PCoIP gateway servers public IP address ranges
  • 18.141.152.0 - 18.141.152.255

  • 18.141.154.0 - 18.141.155.255

  • 52.76.127.0 - 52.76.127.255

WSP gateway servers IP address range 13.212.132.0/22
WSP gateway domain name *.prod.ap-southeast-1.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.ap-southeast-2.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.ap-southeast-2.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Asia Pacific (Sydney) — https://dwcpoxuuza83q.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Pre-session Smart Card Authentication Endpoints https://smartcard.ap-southeast-2.signin.aws
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.ap-southeast-2.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.ap-southeast-2.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.ap-southeast-2.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.ap-southeast-2.rdn.amazonaws.com

Health check hostname drp-syd.amazonworkspaces.com
Health check IP addresses
  • 3.24.11.127

  • 13.237.232.125

PCoIP gateway servers public IP address ranges
  • 3.25.43.0 - 3.25.43.255

  • 3.25.44.0 - 3.25.45.255

  • 54.153.254.0 - 54.153.254.255

WSP gateway servers IP address range 3.25.248.0/22
WSP gateway domain name *.prod.ap-southeast-2.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 172.31.0.0/16, 192.168.0.0/16, and 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.ap-northeast-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.ap-northeast-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Asia Pacific (Tokyo) — https://d2c2t8mxjhq5z1.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Pre-session Smart Card Authentication Endpoints https://smartcard.ap-northeast-1.signin.aws
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.ap-northeast-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.ap-northeast-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.ap-northeast-1.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.ap-northeast-1.rdn.amazonaws.com

Health check hostname drp-nrt.amazonworkspaces.com
Health check IP addresses
  • 18.178.102.247

  • 54.64.174.128

PCoIP gateway servers public IP address ranges
  • 18.180.178.0 - 18.180.178.255

  • 18.180.180.0 - 18.180.181.255

  • 54.250.251.0 - 54.250.251.255

WSP gateway servers IP address range 3.114.164.0/22
WSP gateway domain name *.prod.ap-northeast-1.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.ca-central-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.ca-central-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Canada (Central) — https://d2wfbsypmqjmog.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.ca-central-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.ca-central-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.ca-central-1.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.ca-central-1.rdn.amazonaws.com

Health check hostname drp-yul.amazonworkspaces.com
Health check IP addresses
  • 52.60.69.16

  • 52.60.80.237

  • 52.60.173.117

  • 52.60.201.0

PCoIP gateway servers public IP address ranges
  • 15.223.100.0 - 15.223.100.255

  • 15.223.102.0 - 15.223.103.255

  • 35.183.255.0 - 35.183.255.255

WSP gateway servers IP address range 3.97.20.0/22
WSP gateway domain name *.prod.ca-central-1.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.eu-central-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.eu-central-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Europe (Frankfurt) — https://d1whcm49570jjw.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.eu-central-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.eu-central-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.eu-central-1.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.eu-central-1.rdn.amazonaws.com

Health check hostname drp-fra.amazonworkspaces.com
Health check IP addresses
  • 52.59.191.224

  • 52.59.191.225

  • 52.59.191.226

  • 52.59.191.227

PCoIP gateway servers public IP address ranges
  • 18.156.52.0 - 18.156.52.255

  • 18.156.54.0 - 18.156.55.255

  • 52.59.127.0 - 52.59.127.255

WSP gateway servers IP address range 18.192.216.0/22
WSP gateway domain name *.prod.eu-central-1.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.eu-west-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.eu-west-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Europe (Ireland) — https://d3pgffbf39h4k4.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Pre-session Smart Card Authentication Endpoints https://smartcard.eu-west-1.signin.aws
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.eu-west-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.eu-west-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.eu-west-1.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.eu-west-1.rdn.amazonaws.com

Health check hostname drp-dub.amazonworkspaces.com
Health check IP addresses
  • 18.200.177.86

  • 52.48.86.38

  • 54.76.137.224

PCoIP gateway servers public IP address ranges
  • 3.249.28.0 - 3.249.29.255

  • 52.19.124.0 - 52.19.125.255

WSP gateway servers IP address range 3.248.176.0/22
WSP gateway domain name *.prod.eu-west-1.highlander.aws.a2z.com
Management interface IP address ranges
  • PCoIP/WSP: 172.31.0.0/16, 192.168.0.0/16, and 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.eu-west-2.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.eu-west-2.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Europe (London) — https://d16q6638mh01s7.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.eu-west-2.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.eu-west-2.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.eu-west-2.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.eu-west-2.rdn.amazonaws.com

Health check hostname drp-lhr.amazonworkspaces.com
Health check IP addresses
  • 35.176.62.54

  • 35.177.255.44

  • 52.56.46.102

  • 52.56.111.36

PCoIP gateway servers public IP address ranges
  • 18.132.21.0 - 18.132.21.255

  • 18.132.22.0 - 18.132.23.255

  • 35.176.32.0 - 35.176.32.255

WSP gateway servers IP address range 18.134.68.0/22
WSP gateway domain name *.prod.eu-west-2.highlander.aws.a2z.com
Management interface IP address ranges
  • 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.sa-east-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.sa-east-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • South America (São Paulo) — https://d2lh2qc5bdoq4b.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.sa-east-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.sa-east-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.sa-east-1.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.sa-east-1.rdn.amazonaws.com

Health check hostname drp-gru.amazonworkspaces.com
Health check IP addresses
  • 18.231.0.105

  • 52.67.55.29

  • 54.233.156.245

  • 54.233.216.234

PCoIP gateway servers public IP address ranges
  • 18.230.103.0 - 18.230.103.255

  • 18.230.104.0 - 18.230.105.255

  • 54.233.204.0 - 54.233.204.255

WSP gateway servers IP address range 15.228.64.0/22
WSP gateway domain name *.prod.sa-east-1.highlander.aws.a2z.com
Management interface IP address ranges
  • 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.af-south-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.af-south-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://d1cbg795sa4g1u.cloudfront.net/prod/<region>/<directory ID>

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Africa (Cape Town); — https://di5ygl2cs0mrh.cloudfront.net/

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.af-south-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.af-south-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.af-south-1.amazonaws.com

Health check hostname drp-cpt.amazonworkspaces.com
Health check IP addresses
  • 18.231.0.105

  • 52.67.55.29

  • 54.233.156.245

  • 54.233.216.234

PCoIP gateway servers public IP address ranges
  • 13.246.120.0 - 13.246.123.255

WSP gateway servers IP address range 15.228.64.0/22
WSP gateway domain name *.prod.af-south-1.highlander.aws.a2z.com
Management interface IP address ranges
  • 172.31.0.0/16 and 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://d2td7dqidlhjx7.cloudfront.net/

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

https://skylight-client-ds.il-central-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.il-central-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://d21ui22avrxoh6.cloudfront.net/prod/<region>/<directory ID>

Login page graphics for customer directory level co-branding:

CSS file to style the login pages:

  • https://d3s98kk2h6f4oh.cloudfront.net/

  • https://dyqsoz7pkju4e.cloudfront.net/

JavaScript file for the login pages:

  • Israel (Tel Aviv); —

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://<directory id>.awsapps.com/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.il-central-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.il-central-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.il-central-1.amazonaws.com

Web Access TURN Servers for PCoIP

Server:

  • turn:*.il-central-1.rdn.amazonaws.com

Health check hostname drp-tlv.amazonworkspaces.com
Health check IP addresses
  • 51.17.52.90

  • 51.17.109.231

  • 51.16.190.43

PCoIP gateway servers public IP address ranges
  • 51.17.28.0-51.17.31.255

WSP gateway servers IP address range 51.17.72.0/22
WSP gateway domain name *.prod.il-central-1.highlander.aws.a2z.com
Management interface IP address ranges
  • 198.19.0.0/16

  • WSP: 10.0.0.0/8

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://s3.amazonaws.com/workspaces-client-updates/prod/pdt/windows/WorkSpacesAppCast.xml

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

hhttps://skylight-client-ds.us-gov-west-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.us-gov-west-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://s3.amazonaws.com/workspaces-client-properties/prod/pdt/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://s3.amazonaws.com/workspaces-client-assets/prod/pdt/<directory ID>

CSS file to style the login pages:

  • https://s3.amazonaws.com/workspaces-clients-css/workspaces_v2.css

JavaScript file for the login pages:

  • Not applicable

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Pre-session Smart Card Authentication Endpoints https://smartcard.signin.amazonaws-us-gov.com
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://login.us-gov-home.awsapps.com/directory/<directory id>/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.us-gov-west-1.amazonaws.com

  • https://ws-broker-service-fips.us-gov-west-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.us-gov-west-1.amazonaws.com

  • https://workspaces-fips.us-gov-west-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.us-gov-west-1.amazonaws.com

  • https://skylight-cm-fips.us-gov-west-1.amazonaws.com

Health check hostname drp-pdt.amazonworkspaces.com
Health check IP addresses
  • 52.61.60.65

  • 52.61.65.14

  • 52.61.88.170

  • 52.61.137.87

  • 52.61.155.110

  • 52.222.20.88

PCoIP gateway servers public IP address ranges
  • 52.61.193.0 - 52.61.193.255

WSP gateway servers IP address range
  • 3.32.139.0/24

  • 3.30.129.0/24

  • 3.30.130.0/23

WSP gateway domain name *.prod.us-gov-west-1.highlander.aws.a2z.com
Management interface IP address ranges
  • 198.19.0.0/16

  • WSP: 10.0.0.0/8 and 192.169.0.0/16

Domains and IP Addresses to add to your allowlist
Category Details
CAPTCHA https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update

https://s3.amazonaws.com/workspaces-client-updates/prod/osu/windows/WorkSpacesAppCast.xml

Connectivity Check

https://connectivity.amazonworkspaces.com/

Client Metrics (for 3.0+ WorkSpaces client applications)

Domain:

hhttps://skylight-client-ds.us-gov-east-1.amazonaws.com

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domain:

https://ws-client-service.us-gov-east-1.amazonaws.com

Directory Settings

Authentication from the client to the customer directory before login to the WorkSpace:

  • https://d32i4gd7pg4909.cloudfront.net/prod/<region>/<directory ID>

Connections from macOS clients:

  • https://d32i4gd7pg4909.cloudfront.net/

Customer directory settings:

  • https://s3.amazonaws.com/workspaces-client-properties/prod/osu/<directory ID>

Login page graphics for customer directory level co-branding:

  • https://s3.amazonaws.com/workspaces-client-assets/prod/osu/<directory ID>

CSS file to style the login pages:

  • https://s3.amazonaws.com/workspaces-clients-css/workspaces_v2.css

JavaScript file for the login pages:

  • Not applicable

Forrester Log Service https://fls-na.amazon.com/
Health Check (DRP) Servers Health check servers
Pre-session Smart Card Authentication Endpoints https://smartcard.signin.amazonaws-us-gov.com
Registration Dependency (for Web Access and Teradici PCoIP Zero Clients) https://s3.amazonaws.com
User Login Pages

https://login.us-gov-home.awsapps.com/directory/<directory id>/ (where <directory id> is the customer's domain)

WS Broker

Domain:

  • https://ws-broker-service.us-gov-east-1.amazonaws.com

  • https://ws-broker-service-fips.us-gov-east-1.amazonaws.com

WorkSpaces API Endpoints

Domain:

  • https://workspaces.us-gov-east-1.amazonaws.com

  • https://workspaces-fips.us-gov-east-1.amazonaws.com

Session Broker (PCM)

Domain:

  • https://skylight-cm.us-gov-east-1.amazonaws.com

  • https://skylight-cm-fips.us-gov-east-1.amazonaws.com

Health check hostname drp-osu.amazonworkspaces.com
Health check IP addresses
  • 18.253.251.70

  • 18.254.0.118

PCoIP gateway servers public IP address ranges
  • 18.254.140.0 - 18.254.143.255

WSP gateway servers IP address range 18.254.148.0/22
WSP gateway domain name *.prod.us-gov-east-1.highlander.aws.a2z.com
Management interface IP address ranges
  • 198.19.0.0/16

  • WSP: 10.0.0.0/8