IP address and port requirements for WorkSpaces Personal - Amazon WorkSpaces
Ports for client applicationsDomains and IP addresses to add to your allow listHealth check serversPCoIP gateway serversWSP gateway serversWSP gateway domain namesNetwork interfaces
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IP address and port requirements for WorkSpaces Personal

To connect to your WorkSpaces, the network that your WorkSpaces clients are connected to must have certain ports open to the IP address ranges for the various Amazon services (grouped in subsets). These address ranges vary by Amazon Region. These same ports must also be open on any firewall running on the client. For more information about the Amazon IP address ranges for different Regions, see Amazon IP Address Ranges in the Amazon Web Services General Reference.

For an architecture diagram, see WorkSpaces Architecture. For additional architecture diagrams, see Best Practices for Deploying Amazon WorkSpaces.

Ports for client applications

The WorkSpaces client application requires outbound access on the following ports:

Port 53 (UDP)

This port is used to access DNS servers. It must be open to your DNS server IP addresses so that the client can resolve public domain names. This port requirement is optional if you are not using DNS servers for domain name resolution.

Port 443 (TCP)

This port is used for client application updates, registration, and authentication. The desktop client applications support the use of a proxy server for port 443 (HTTPS) traffic. To enable the use of a proxy server, open the client application, choose Advanced Settings, select Use Proxy Server, specify the address and port of the proxy server, and choose Save.

This port must be open to the following IP address ranges:

  • The AMAZON subset in the Region that the WorkSpace is in.

Port 4172 (UDP and TCP)

This port is used for streaming the WorkSpace desktop and health checks for PCoIP WorkSpaces. This port must be open to the PCoIP Gateway and to the health check servers in the Region that the WorkSpace is in. For more information, see Health check servers and PCoIP gateway servers.

For PCoIP WorkSpaces, the desktop client applications do not support the use of a proxy server nor TLS decryption and inspection for port 4172 traffic in UDP (for desktop traffic). They require a direct connection to ports 4172.

Port 4195 (UDP and TCP)

This port is used for streaming the WorkSpace desktop and health checks for WorkSpaces Streaming Protocol (WSP) WorkSpaces. This port must be open to the WSP Gateway IP address ranges and the health check servers in the Region that the WorkSpace is in. For more information, see Health check servers and WSP gateway servers.

For WSP WorkSpaces, the WorkSpaces Windows client application (version 5.1 and above) and macOS client application (version 5.4 and above) support the use of HTTP proxy servers for port 4195 TCP traffic, but the use of a proxy is not recommended. TLS decryption and inspection are not supported. For more information, see Configure device proxy server settings for internet access for Windows WorkSpaces, Amazon Linux WorkSpaces, and Ubuntu WorkSpaces.

Note

  • If your firewall uses stateful filtering, ephemeral ports (also known as dynamic ports) are automatically opened to allow return communication. If your firewall uses stateless filtering, you must open ephemeral ports explicitly to allow return communication. The required ephemeral port range that you must open will vary depending on your configuration.

  • Proxy server function is not supported for UDP traffic. If you choose to use a proxy server, the API calls that the client application makes to the Amazon WorkSpaces services are also proxied. Both API calls and desktop traffic should pass through the same proxy server.

Domains and IP addresses to add to your allow list

For the WorkSpaces client application to be able to access the WorkSpaces service, you must add the following domains and IP addresses to the allow list on the network from which the client is trying to access the service.

Domains and IP addresses to add to your allow list
Category Domain or IP address
Client Auto-update

  • In the China (Ningxia) Region:

    https://workspaces-client-updates.s3.cn-northwest-1.amazonaws.com.cn
Connectivity Check

https://connectivity.amazonworkspaces.awsapps.cn
Client Metrics (for 3.0+ WorkSpaces client applications)

Domains:

  • https://skylight-client-ds.us-east-1.amazonaws.com

  • https://skylight-client-ds.us-west-2.amazonaws.com

  • https://skylight-client-ds.ap-south-1.amazonaws.com

  • https://skylight-client-ds.ap-northeast-2.amazonaws.com

  • https://skylight-client-ds.ap-southeast-1.amazonaws.com

  • https://skylight-client-ds.ap-southeast-2.amazonaws.com

  • https://skylight-client-ds.ap-northeast-1.amazonaws.com

  • https://skylight-client-ds.ca-central-1.amazonaws.com

  • https://skylight-client-ds.eu-central-1.amazonaws.com

  • https://skylight-client-ds.eu-west-1.amazonaws.com

  • https://skylight-client-ds.eu-west-2.amazonaws.com

  • https://skylight-client-ds.sa-east-1.amazonaws.com

  • https://skylight-client-ds.af-south-1.amazonaws.com

  • https://skylight-client-ds.il-central-1.amazonaws.com

  • In the Amazon GovCloud (US-West) Region:

    https://skylight-client-ds.us-gov-west-1.amazonaws.com

  • In the Amazon GovCloud (US-East) Region:

    https://skylight-client-ds.us-gov-east-1.amazonaws.com

  • In the China (Ningxia) Region:

    https://skylight-client-ds.cn-northwest-1.amazonaws.com.cn
Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domains:

  • https://ws-client-service.us-east-1.amazonaws.com

  • https://ws-client-service.us-west-2.amazonaws.com

  • https://ws-client-service.ap-south-1.amazonaws.com

  • https://ws-client-service.ap-northeast-2.amazonaws.com

  • https://ws-client-service.ap-southeast-1.amazonaws.com

  • https://ws-client-service.ap-southeast-2.amazonaws.com

  • https://ws-client-service.ap-northeast-1.amazonaws.com

  • https://ws-client-service.ca-central-1.amazonaws.com

  • https://ws-client-service.eu-central-1.amazonaws.com

  • https://ws-client-service.eu-west-1.amazonaws.com

  • https://ws-client-service.eu-west-2.amazonaws.com

  • https://ws-client-service.sa-east-1.amazonaws.com

  • https://ws-client-service.af-south-1.amazonaws.com

  • https://ws-client-service.il-central-1.amazonaws.com

  • In the Amazon GovCloud (US-West) Region:

    https://ws-client-service.us-gov-west-1.amazonaws.com

  • In the Amazon GovCloud (US-East) Region:

    https://ws-client-service.us-gov-east-1.amazonaws.com

  • In the China (Ningxia) Region:

    https://ws-client-service.cn-northwest-1.amazonaws.com.cn
Directory Settings

In the China (Ningxia) Region:

  • Customer directory settings:

    https://workspaces-clients-properties.s3.cn-northwest-1.amazonaws.com.cn

  • Login page graphics for customer directory level co-branding:

    https://workspaces-client-assets.s3.cn-northwest-1.amazonaws.com.cn

  • CSS file to style the login pages:

    https://workspaces-clients-css.s3.cn-northwest-1.amazonaws.com.cn/workspaces_v3.css
Health Check (DRP) Servers Health check servers
User Login Pages

https://warpspeed.cn-northwest-1.amazonaws.com.cn/
WS Broker

  • China (Ningxia) Region: https://ws-broker-service.cn-northwest-1.amazonaws.com.cn
WorkSpaces API Endpoints

  • China (Ningxia) Region: https:// workspaces.cn-northwest-1.amazonaws.com.cn
WorkSpaces Endpoints for SAML Single Sign-On (SSO)

Domains:

  • https://euc-sso-sm.us-east-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-east-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.us-west-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-west-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-south-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-northeast-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-southeast-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-southeast-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-northeast-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.eu-central-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.eu-west-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.af-south-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.il-central-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.us-gov-west-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-gov-west-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.us-gov-east-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-gov-east-1.amazonaws.com/v1/report-heartbeat
Domains and IP addresses to add to your allow list for PCoIP
Category Domain or IP address
PCoIP Session Gateway (PSG) PCoIP gateway servers
Session Broker (PCM)

  • China (Ningxia) Region: https://skylight-cm.cn-northwest-1.amazonaws.com.cn

Health check servers

The WorkSpaces client applications perform health checks over ports 4172 and 4195. These checks validate whether TCP or UDP traffic streams from the WorkSpaces servers to the client applications. For these checks to finish successfully, your firewall policies must allow outbound traffic to the IP addresses of the following Regional health check servers.

Region Health check hostname IP addresses
China (Ningxia) drp-zhy.amazonworkspaces.com

52.82.90.186

52.83.43.32

52.83.110.158

52.83.248.61

PCoIP gateway servers

WorkSpaces uses PCoIP to stream the desktop session to clients over port 4172. For its PCoIP gateway servers, WorkSpaces uses a small range of Amazon EC2 public IPv4 addresses. This enables you to set more finely grained firewall policies for devices that access WorkSpaces. Note that the WorkSpaces clients do not support IPv6 addresses as a connectivity option at this time.

Region Public IP address range
China (Ningxia)

52.83.58.0 - 52.83.58.255

69.235.162.0 - 69.235.162.255

WSP gateway servers

Important

Starting in June 2020, WorkSpaces streams the desktop session for WSP WorkSpaces to clients over port 4195 instead of port 4172. If you want to use WSP WorkSpaces, make sure that port 4195 is open to traffic.

WorkSpaces uses a small range of Amazon EC2 public IPv4 addresses for its WSP gateway servers. This enables you to set more finely grained firewall policies for devices that access WorkSpaces. Note that the WorkSpaces clients do not support IPv6 addresses as a connectivity option at this time.

Region Public IP address range
China (Ningxia) 140.65.96.0/22

WSP gateway domain names

The following table lists the WSP WorkSpace gateway domain names. These domains must be contactable, for the WorkSpaces client application to be able to access the WorkSpace WSP service.

Region Domain
China (Ningxia) This Region is not supported for WSP.

Network interfaces

Each WorkSpace has the following network interfaces:

  • The primary network interface (eth1) provides connectivity to the resources within your VPC and on the internet, and is used to join the WorkSpace to the directory.

  • The management network interface (eth0) is connected to a secure WorkSpaces management network. It is used for interactive streaming of the WorkSpace desktop to WorkSpaces clients, and to allow WorkSpaces to manage the WorkSpace.

WorkSpaces selects the IP address for the management network interface from various address ranges, depending on the Region that the WorkSpaces are created in. When a directory is registered, WorkSpaces tests the VPC CIDR and the route tables in your VPC to determine if these address ranges create a conflict. If a conflict is found in all available address ranges in the Region, an error message is displayed and the directory is not registered. If you change the route tables in your VPC after the directory is registered, you might cause a conflict.

Warning

Do not modify or delete any of the network interfaces that are attached to a WorkSpace. Doing so might cause the WorkSpace to become unreachable or lose internet access. For example, if you have enabled automatic assignment of Elastic IP addresses at the directory level, an Elastic IP address (from the Amazon-provided pool) is assigned to your WorkSpace when it is launched. However, if you associate an Elastic IP address that you own to a WorkSpace, and then you later disassociate that Elastic IP address from the WorkSpace, the WorkSpace loses its public IP address, and it doesn't automatically get a new one from the Amazon-provided pool.

To associate a new public IP address from the Amazon-provided pool with the WorkSpace, you must rebuild the WorkSpace. If you don't want to rebuild the WorkSpace, you must associate another Elastic IP address that you own to the WorkSpace.

Management interface IP ranges

The following table lists the IP address ranges used for the management network interface.

Region IP address range
China (Ningxia)

198.19.0.0/16

Management interface ports

The following ports must be open on the management network interface of all WorkSpaces:

  • Inbound TCP on port 4172. This is used for establishment of the streaming connection on the PCoIP protocol.

  • Inbound UDP on port 4172. This is used for streaming user input on the PCoIP protocol.

  • Inbound TCP on port 4489. This is used for access using the web client.

  • Inbound TCP on port 8200. This is used for management and configuration of the WorkSpace.

  • Inbound TCP on ports 8201-8250. These ports are used for establishment of the streaming connection and for streaming user input on the WSP protocol.

  • Inbound UDP on port 8220. This port is used for establishment of the streaming connection and for streaming user input on the WSP protocol

  • Outbound TCP on ports 8443 and 9997. This is used for access using the web client.

  • Outbound UDP on ports 3478, 4172, and 4195. This is used for access using the web client.

  • Outbound UDP on ports 50002 and 55002. This is used for streaming. If your firewall uses stateful filtering, the ephemeral ports 50002 and 55002 are automatically opened to allow return communication. If your firewall uses stateless filtering, you must open ephemeral ports 49152 - 65535 to allow return communication.

  • Outbound TCP on port 80, as defined in Management interface IP ranges, to IP address 169.254.169.254 for access to the EC2 metadata service. Any HTTP proxy assigned to your WorkSpaces must also exclude 169.254.169.254.

  • Outbound TCP on port 1688 to IP addresses 169.254.169.250 and 169.254.169.251 to allow access to Microsoft KMS for Windows activation for Workspaces that are based on public bundles. If you're using Bring Your Own License (BYOL) Windows WorkSpaces, you must allow access to your own KMS servers for Windows activation.

  • Outbound TCP on port 1688 to IP address 54.239.236.220 to allow access to Microsoft KMS for Office activation for BYOL WorkSpaces.

    If you're using Office through one of the WorkSpaces public bundles, the IP address for Microsoft KMS for Office activation varies. To determine that IP address, find the IP address for the management interface of the WorkSpace, and then replace the last two octets with 64.250. For example, if the IP address of the management interface is 192.168.3.5, the IP address for Microsoft KMS Office activation is 192.168.64.250.

  • Outbound TCP to IP address 127.0.0.2 for WSP WorkSpaces when the WorkSpace host is configured to use a proxy server.

  • Communications originating from loopback address 127.0.01.

Under normal circumstances, the WorkSpaces service configures these ports for your WorkSpaces. If any security or firewall software is installed on a WorkSpace that blocks any of these ports, the WorkSpace may not function correctly or may be unreachable.

Primary interface ports

No matter which type of directory you have, the following ports must be open on the primary network interface of all WorkSpaces:

  • For internet connectivity, the following ports must be open outbound to all destinations and inbound from the WorkSpaces VPC. You need to add these manually to the security group for your WorkSpaces if you want them to have internet access.

    • TCP 80 (HTTP)

    • TCP 443 (HTTPS)

  • To communicate with the directory controllers, the following ports must be open between your WorkSpaces VPC and your directory controllers. For a Simple AD directory, the security group created by Amazon Directory Service will have these ports configured correctly. For an AD Connector directory, you might need to adjust the default security group for the VPC to open these ports.

    • TCP/UDP 53 - DNS

    • TCP/UDP 88 - Kerberos authentication

    • UDP 123 - NTP

    • TCP 135 - RPC

    • UDP 137-138 - Netlogon

    • TCP 139 - Netlogon

    • TCP/UDP 389 - LDAP

    • TCP/UDP 445 - SMB

    • TCP/UDP 636 - LDAPS (LDAP over TLS/SSL)

    • TCP 1024-65535 - Dynamic ports for RPC

    If any security or firewall software is installed on a WorkSpace that blocks any of these ports, the WorkSpace may not function correctly or may be unreachable.