IP address and port requirements for WorkSpaces Personal - Amazon WorkSpaces
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IP address and port requirements for WorkSpaces Personal

To connect to your WorkSpaces, the network that your WorkSpaces clients are connected to must have certain ports open to the IP address ranges for the various Amazon services (grouped in subsets). These address ranges vary by Amazon Region. These same ports must also be open on any firewall running on the client. For more information about the Amazon IP address ranges for different Regions, see Amazon IP Address Ranges in the Amazon Web Services General Reference.

For additional architecture diagrams, see Best Practices for Deploying Amazon WorkSpaces.

Ports for client applications

The WorkSpaces client application requires outbound access on the following ports:

Port 53 (UDP)

This port is used to access DNS servers. It must be open to your DNS server IP addresses so that the client can resolve public domain names. This port requirement is optional if you are not using DNS servers for domain name resolution.

Port 443 (UDP and TCP)

This port is used for client application updates, registration, and authentication. The desktop client applications support the use of a proxy server for port 443 (HTTPS) traffic. To enable the use of a proxy server, open the client application, choose Advanced Settings, select Use Proxy Server, specify the address and port of the proxy server, and choose Save.

This port must be open to the following IP address ranges:

  • The AMAZON subset in the Region that the WorkSpace is in.

Port 4172 (UDP and TCP)

This port is used for streaming the WorkSpace desktop and health checks for PCoIP WorkSpaces. This port must be open to the PCoIP Gateway and to the health check servers in the Region that the WorkSpace is in. For more information, see Health check servers and PCoIP gateway servers.

For PCoIP WorkSpaces, the desktop client applications do not support a proxy server or TLS decryption and inspection for port 4172 UDP traffic (the desktop stream). They require a direct connection on port 4172.

Port 4195 (UDP and TCP)

This port is used for streaming the WorkSpace desktop and health checks for DCV WorkSpaces. This port must be open to the DCV Gateway IP address ranges and the health check servers in the Region that the WorkSpace is in. For more information, see Health check servers and DCV gateway servers.

For DCV WorkSpaces, the WorkSpaces Windows client application (version 5.1 and above) and macOS client application (version 5.4 and above) support the use of HTTP proxy servers for port 4195 TCP traffic, but the use of a proxy is not recommended. TLS decryption and inspection are not supported. For more information, see Configure device proxy server settings for internet access for Windows WorkSpaces, Amazon Linux WorkSpaces, and Ubuntu WorkSpaces.

Note
  • If your firewall uses stateful filtering, ephemeral ports (also known as dynamic ports) are automatically opened to allow return communication. If your firewall uses stateless filtering, you must open ephemeral ports explicitly to allow return communication. The required ephemeral port range that you must open will vary depending on your configuration.

  • Proxy servers are not supported for UDP traffic. If you use a proxy server, the API calls that the client application makes to the Amazon WorkSpaces service are also proxied. Both API calls and desktop traffic should pass through the same proxy server.

  • The WorkSpaces client application first attempts to stream using UDP (QUIC) for optimal performance. If the client network only allows TCP, then TCP is used. The WorkSpaces web client connects over TCP port 4195 or 443. If port 4195 is blocked, the client attempts to connect only over port 443.
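
The port 443 requirement above is scoped to the AMAZON address subset for the WorkSpace's Region, which Amazon publishes in ip-ranges.json (the file the Amazon IP Address Ranges page links to) and revises over time, so the allow list has to be regenerated rather than typed once. The Python below is an added example, not code from the WorkSpaces documentation: it extracts one Region's subset from a constructed excerpt in that file's format, collapses it to the minimal CIDR list, renders nftables-style egress rules for TCP and UDP 443, and diffs two snapshots so a refresh can be reviewed before it is applied. The prefixes in SAMPLE_IP_RANGES are sample values, and the nftables rule text is one rendering choice; adapt the output to whatever firewall fronts the client network.

```python
import ipaddress
import json

# Constructed excerpt with the structure of the published ip-ranges.json
# (https://ip-ranges.amazonaws.com/ip-ranges.json). Prefix values are samples,
# not the current published ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.82.0.0/17", "region": "cn-northwest-1",
         "service": "AMAZON", "network_border_group": "cn-northwest-1"},
        {"ip_prefix": "52.82.0.0/17", "region": "cn-northwest-1",
         "service": "EC2", "network_border_group": "cn-northwest-1"},
        {"ip_prefix": "52.83.0.0/16", "region": "cn-northwest-1",
         "service": "AMAZON", "network_border_group": "cn-northwest-1"},
        {"ip_prefix": "52.83.0.0/17", "region": "cn-northwest-1",
         "service": "AMAZON", "network_border_group": "cn-northwest-1"},
        {"ip_prefix": "3.5.140.0/22", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2400:6500:ff00::/40", "region": "cn-northwest-1",
         "service": "AMAZON", "network_border_group": "cn-northwest-1"},
        {"ipv6_prefix": "2600:1f00::/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
    ],
})


def allowlist_prefixes(doc, region, service="AMAZON"):
    """Return {'ipv4': [...], 'ipv6': [...]} of collapsed CIDR strings for one
    Region and one service subset. Collapsing drops prefixes already covered by
    a larger one (52.83.0.0/17 inside 52.83.0.0/16 above), so the firewall gets
    the smallest equivalent rule set."""
    data = json.loads(doc)
    v4 = [ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]
          if p["region"] == region and p["service"] == service]
    v6 = [ipaddress.ip_network(p["ipv6_prefix"]) for p in data["ipv6_prefixes"]
          if p["region"] == region and p["service"] == service]
    return {
        "ipv4": [str(n) for n in ipaddress.collapse_addresses(v4)],
        "ipv6": [str(n) for n in ipaddress.collapse_addresses(v6)],
    }


def egress_rules(prefixes, ports=(443,), protocols=("tcp", "udp")):
    """Render one nftables-style accept rule per prefix, protocol and port for
    the client network's outbound chain (the page requires 443 on TCP and UDP)."""
    rules = []
    for family, key in (("ip", "ipv4"), ("ip6", "ipv6")):
        for cidr in prefixes[key]:
            for proto in protocols:
                for port in ports:
                    rules.append(f"{family} daddr {cidr} {proto} dport {port} accept")
    return rules


def diff_prefixes(old, new):
    """Prefixes added and removed between two snapshots, so a refresh of the
    allow list can be reviewed rather than applied blind."""
    before = set(old["ipv4"]) | set(old["ipv6"])
    after = set(new["ipv4"]) | set(new["ipv6"])
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    current = allowlist_prefixes(SAMPLE_IP_RANGES, "cn-northwest-1")
    for rule in egress_rules(current):
        print(rule)
    print(diff_prefixes({"ipv4": ["52.82.0.0/17"], "ipv6": []}, current))
```

Run it against the real file by replacing SAMPLE_IP_RANGES with the downloaded document; the EC2 subset is shown only to make the point that filtering on service matters, since the same prefix appears under more than one service.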

Domains and IP addresses to add to your allow list

For the WorkSpaces client application to be able to access the WorkSpaces service, you must add the following domains and IP addresses to the allow list on the network from which the client is trying to access the service.

Each entry below gives a category followed by the domain or IP address to allow.
Client Auto-update
  • In the China (Ningxia) Region:

    https://workspaces-client-updates.s3.cn-northwest-1.amazonaws.com.cn

Connectivity Check

https://connectivity.amazonworkspaces.awsapps.cn

Client Metrics (for 3.0+ WorkSpaces client applications)

Domains (IPv4):

  • https://skylight-client-ds.us-east-1.amazonaws.com

  • https://skylight-client-ds.us-west-2.amazonaws.com

  • https://skylight-client-ds.ap-south-1.amazonaws.com

  • https://skylight-client-ds.ap-northeast-2.amazonaws.com

  • https://skylight-client-ds.ap-southeast-1.amazonaws.com

  • https://skylight-client-ds.ap-southeast-2.amazonaws.com

  • https://skylight-client-ds.ap-northeast-1.amazonaws.com

  • https://skylight-client-ds.ca-central-1.amazonaws.com

  • https://skylight-client-ds.eu-central-1.amazonaws.com

  • https://skylight-client-ds.eu-west-1.amazonaws.com

  • https://skylight-client-ds.eu-west-2.amazonaws.com

  • https://skylight-client-ds.eu-west-3.amazonaws.com

  • https://skylight-client-ds.sa-east-1.amazonaws.com

  • https://skylight-client-ds.af-south-1.amazonaws.com

  • https://skylight-client-ds.il-central-1.amazonaws.com

  • In the Amazon GovCloud (US-West) Region:

    https://skylight-client-ds.us-gov-west-1.amazonaws.com

  • In the Amazon GovCloud (US-East) Region:

    https://skylight-client-ds.us-gov-east-1.amazonaws.com

  • In the China (Ningxia) Region:

    https://skylight-client-ds.cn-northwest-1.amazonaws.com.cn

Domains (IPv6):

  • https://skylight-client-ds.eu-west-2.api.aws

  • https://skylight-client-ds.eu-west-1.api.aws

  • https://skylight-client-ds.us-east-1.api.aws

  • https://skylight-client-ds.ap-southeast-1.api.aws

  • https://skylight-client-ds.sa-east-1.api.aws

  • https://skylight-client-ds.ap-northeast-1.api.aws

  • https://skylight-client-ds.us-west-2.api.aws

  • https://skylight-client-ds.ap-southeast-2.api.aws

  • https://skylight-client-ds.ap-south-1.api.aws

  • https://skylight-client-ds.af-south-1.api.aws

  • https://skylight-client-ds.eu-central-1.api.aws

  • https://skylight-client-ds.ap-northeast-2.api.aws

  • https://skylight-client-ds.il-central-1.api.aws

  • https://skylight-client-ds.ca-central-1.api.aws

  • https://skylight-client-ds.us-gov-east-1.api.aws

  • https://skylight-client-ds.us-gov-west-1.api.aws

Dynamic Messaging Service (for 3.0+ WorkSpaces client applications)

Domains (IPv4):

  • https://ws-client-service.us-east-1.amazonaws.com

  • https://ws-client-service.us-west-2.amazonaws.com

  • https://ws-client-service.ap-south-1.amazonaws.com

  • https://ws-client-service.ap-northeast-2.amazonaws.com

  • https://ws-client-service.ap-southeast-1.amazonaws.com

  • https://ws-client-service.ap-southeast-2.amazonaws.com

  • https://ws-client-service.ap-northeast-1.amazonaws.com

  • https://ws-client-service.ca-central-1.amazonaws.com

  • https://ws-client-service.eu-central-1.amazonaws.com

  • https://ws-client-service.eu-west-1.amazonaws.com

  • https://ws-client-service.eu-west-2.amazonaws.com

  • https://ws-client-service.eu-west-3.amazonaws.com

  • https://ws-client-service.sa-east-1.amazonaws.com

  • https://ws-client-service.af-south-1.amazonaws.com

  • https://ws-client-service.il-central-1.amazonaws.com

  • In the Amazon GovCloud (US-West) Region:

    https://ws-client-service.us-gov-west-1.amazonaws.com

  • In the Amazon GovCloud (US-East) Region:

    https://ws-client-service.us-gov-east-1.amazonaws.com

  • In the China (Ningxia) Region:

    https://ws-client-service.cn-northwest-1.amazonaws.com.cn

Domains (IPv6):

  • https://ws-client-service.eu-west-2.api.aws

  • https://ws-client-service.eu-west-1.api.aws

  • https://ws-client-service.us-east-1.amazonaws.com

  • https://ws-client-service.ap-southeast-1.api.aws

  • https://ws-client-service.sa-east-1.api.aws

  • https://ws-client-service.ap-northeast-1.api.aws

  • https://ws-client-service.us-west-2.api.aws

  • https://ws-client-service.ap-southeast-2.api.aws

  • https://ws-client-service.ap-south-1.api.aws

  • https://ws-client-service.af-south-1.api.aws

  • https://ws-client-service.eu-central-1.api.aws

  • https://ws-client-service.ap-northeast-2.api.aws

  • https://ws-client-service.il-central-1.api.aws

  • https://ws-client-service.ca-central-1.api.aws

  • https://ws-client-service.us-gov-east-1.api.aws

  • https://ws-client-service.us-gov-west-1.api.aws

Directory Settings

In the China (Ningxia) Region:

  • Customer directory settings:

    https://workspaces-clients-properties.s3.cn-northwest-1.amazonaws.com.cn

  • Login page graphics for customer directory level co-branding:

    https://workspaces-client-assets.s3.cn-northwest-1.amazonaws.com.cn

  • CSS file to style the login pages:

    https://workspaces-clients-css.s3.cn-northwest-1.amazonaws.com.cn/workspaces_v3.css

Health Check (DRP) Servers: see Health check servers below.
User Login Pages
  • https://af-south-1.signin.aws

  • https://af-south-1.signin.aws.amazon.com

  • https://af-south-1.sso.signin.aws

  • https://af-south-1.apps.signin.aws

  • https://ap-south-1.signin.aws

  • https://ap-south-1.signin.aws.amazon.com

  • https://ap-south-1.sso.signin.aws

  • https://ap-south-1.apps.signin.aws

  • https://ap-southeast-1.signin.aws

  • https://ap-southeast-1.signin.aws.amazon.com

  • https://ap-southeast-1.sso.signin.aws

  • https://ap-southeast-1.apps.signin.aws

  • https://ap-southeast-2.signin.aws

  • https://ap-southeast-2.signin.aws.amazon.com

  • https://ap-southeast-2.sso.signin.aws

  • https://ap-southeast-2.apps.signin.aws

  • https://ap-northeast-1.signin.aws

  • https://ap-northeast-1.signin.aws.amazon.com

  • https://ap-northeast-1.sso.signin.aws

  • https://ap-northeast-1.apps.signin.aws

  • https://ap-northeast-2.signin.aws

  • https://ap-northeast-2.signin.aws.amazon.com

  • https://ap-northeast-2.sso.signin.aws

  • https://ap-northeast-2.apps.signin.aws

  • https://ca-central-1.signin.aws

  • https://ca-central-1.signin.aws.amazon.com

  • https://ca-central-1.sso.signin.aws

  • https://ca-central-1.apps.signin.aws

  • https://eu-central-1.signin.aws

  • https://eu-central-1.signin.aws.amazon.com

  • https://eu-central-1.sso.signin.aws

  • https://eu-central-1.apps.signin.aws

  • https://eu-west-1.signin.aws

  • https://eu-west-1.signin.aws.amazon.com

  • https://eu-west-1.sso.signin.aws

  • https://eu-west-1.apps.signin.aws

  • https://eu-west-2.signin.aws

  • https://eu-west-2.signin.aws.amazon.com

  • https://eu-west-2.sso.signin.aws

  • https://eu-west-2.apps.signin.aws

  • https://eu-west-3.signin.aws

  • https://eu-west-3.signin.aws.amazon.com

  • https://eu-west-3.sso.signin.aws

  • https://eu-west-3.apps.signin.aws

  • https://il-central-1.signin.aws

  • https://il-central-1.signin.aws.amazon.com

  • https://il-central-1.sso.signin.aws

  • https://il-central-1.apps.signin.aws

  • https://sa-east-1.signin.aws

  • https://sa-east-1.signin.aws.amazon.com

  • https://sa-east-1.sso.signin.aws

  • https://sa-east-1.apps.signin.aws

  • https://us-east-1.signin.aws

  • https://us-east-1.signin.aws.amazon.com

  • https://us-east-1.sso.signin.aws

  • https://us-east-1.apps.signin.aws

  • https://us-west-2.signin.aws

  • https://us-west-2.signin.aws.amazon.com

  • https://us-west-2.sso.signin.aws

  • https://us-west-2.apps.signin.aws

  • https://us-gov-east-1.signin-fips.amazonaws-us-gov.com

  • https://us-gov-east-1.sso.signin-fips.aws-us-gov.com

  • https://us-gov-east-1.apps.signin-fips.aws-us-gov.com

  • https://us-gov-west-1.signin.amazonaws-us-gov.com

  • https://us-gov-west-1.sso.signin.aws-us-gov.com

  • https://us-gov-west-1.apps.signin.aws-us-gov.com

https://directory_id.awsapps.com/

Note

directory id is the customer's domain.

In the Amazon GovCloud (US-West) and Amazon GovCloud (US-East) Regions:

https://login.us-gov-home.awsapps.com/directory/directory id/

Note

directory id is the customer's domain.

WS Broker

WorkSpaces API Endpoints

  • China (Ningxia) Region: https://workspaces.cn-northwest-1.amazonaws.com.cn

WorkSpaces Endpoints for SAML Single Sign-On (SSO)

Domains:

  • https://euc-sso-sm.us-east-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-east-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.us-west-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-west-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-south-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-northeast-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-southeast-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-southeast-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.ap-northeast-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.eu-central-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.eu-west-2.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.eu-west-3.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.af-south-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.il-central-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.us-gov-west-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-gov-west-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm.us-gov-east-1.amazonaws.com/v1/report-heartbeat

  • https://euc-sso-sm-fips.us-gov-east-1.amazonaws.com/v1/report-heartbeat

Domains and IP addresses to add to your allow list for PCoIP

PCoIP Session Gateway (PSG): see PCoIP gateway servers below.

Session Broker (PCM)

  • China (Ningxia) Region: https://skylight-cm.cn-northwest-1.amazonaws.com.cn

Health check servers

The WorkSpaces client applications perform health checks over ports 4172 and 4195. These checks validate whether TCP or UDP traffic streams from the WorkSpaces servers to the client applications. For these checks to finish successfully, your firewall policies must allow outbound traffic to the IP addresses of the following Regional health check servers.

Region: China (Ningxia)

Health check hostname: drp-zhy.amazonworkspaces.com

IP addresses:

  • 52.82.90.186

  • 52.83.43.32

  • 52.83.110.158

  • 52.83.248.61

PCoIP gateway servers

WorkSpaces uses PCoIP to stream the desktop session to clients over port 4172. For its PCoIP gateway servers, WorkSpaces uses a small range of Amazon EC2 public IPv4 and IPv6 addresses. This enables you to set more finely grained firewall policies for devices that access WorkSpaces. Note that the WorkSpaces client prioritizes IPv6 connections when IPv6 is supported and gateways are reachable. If IPv6 is unavailable, it falls back to IPv4.

Region: China (Ningxia) (Region code cn-northwest-1)

Public IP address ranges:

  • 52.83.58.0 - 52.83.58.255

  • 69.235.162.0 - 69.235.162.255

DCV gateway servers

Important

Starting in June 2020, WorkSpaces streams the desktop session for DCV WorkSpaces to clients over port 4195 instead of port 4172. If you want to use DCV WorkSpaces, make sure that port 4195 is open to traffic.

Note

For non-BYOL WorkSpaces Pools, IP address ranges are not guaranteed. Instead, you must allowlist the DCV gateway domain names. For more information, see DCV gateway domain names.

WorkSpaces uses a small range of Amazon EC2 public IPv4 and IPv6 addresses for its DCV gateway servers. This enables you to set more finely grained firewall policies for devices that access WorkSpaces. WorkSpaces uses a separate range of public IPv4 addresses for the dedicated Amazon Global Accelerator (AGA) endpoints. Make sure to configure your firewall policies to allowlist those IP ranges if you plan to enable AGA for your WorkSpaces. Note that the WorkSpaces client prioritizes IPv6 connections when IPv6 is supported and gateways are reachable. If IPv6 is unavailable, it falls back to IPv4.

Region: China (Ningxia) (Region code cn-northwest-1)

Public IP address range: 140.65.96.0/22
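
The health check addresses and the PCoIP and DCV gateway ranges above are what a client-side egress rule for ports 4172 and 4195 should be scoped to, and they are also what an egress log should be checked against. The Python below is an added example, not part of the WorkSpaces documentation: it normalizes the page's dashed ranges, CIDRs and single addresses into networks, then audits constructed firewall log lines (the key=value format is invented for the example) and reports any connection to a streaming port whose destination lies outside the documented ranges for that port. That is how an over-broad rule, or a client talking to something that is not a WorkSpaces gateway, shows up; the per-port split also flags a PCoIP gateway address being used on the DCV port.

```python
import ipaddress
import re

# Ranges as the page lists them for China (Ningxia): health check server
# addresses (checked on 4172 and 4195), PCoIP gateway ranges (4172) and the DCV
# gateway range (4195).
HEALTH_CHECK_IPS = ["52.82.90.186", "52.83.43.32", "52.83.110.158", "52.83.248.61"]
PCOIP_GATEWAY_RANGES = ["52.83.58.0 - 52.83.58.255", "69.235.162.0 - 69.235.162.255"]
DCV_GATEWAY_RANGES = ["140.65.96.0/22"]


def to_networks(entries):
    """Accept 'a.b.c.d - w.x.y.z', CIDR or single-host strings and return
    ip_network objects; a dashed range becomes the minimal set of CIDRs."""
    nets = []
    for entry in entries:
        if "-" in entry:
            lo, hi = (ipaddress.ip_address(s.strip()) for s in entry.split("-"))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
    return nets


# Legitimate destinations per streaming port.
ALLOWED = {
    4172: to_networks(PCOIP_GATEWAY_RANGES + HEALTH_CHECK_IPS),
    4195: to_networks(DCV_GATEWAY_RANGES + HEALTH_CHECK_IPS),
}

# Constructed egress-firewall log lines (key=value style, not from a real device).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z action=allow proto=udp src=10.20.0.15 dst=52.83.58.17 dport=4172
2024-05-01T09:00:02Z action=allow proto=tcp src=10.20.0.15 dst=52.83.43.32 dport=4172
2024-05-01T09:00:03Z action=allow proto=udp src=10.20.0.16 dst=140.65.97.9 dport=4195
2024-05-01T09:00:04Z action=allow proto=udp src=10.20.0.16 dst=203.0.113.5 dport=4172
2024-05-01T09:00:05Z action=allow proto=tcp src=10.20.0.17 dst=52.83.58.17 dport=4195
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def audit_streaming_destinations(log_text, allowed=ALLOWED):
    """Return (allowed_count, violations). A violation is a connection to a
    streaming port whose destination is outside the documented ranges for that
    port. Traffic to other ports is not this check's concern and is skipped."""
    ok, violations = 0, []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        port = int(m["dport"])
        if port not in allowed:
            continue
        dst = ipaddress.ip_address(m["dst"])
        if any(dst in net for net in allowed[port]):
            ok += 1
        else:
            violations.append((m["src"], m["dst"], port, m["proto"]))
    return ok, violations


if __name__ == "__main__":
    count, bad = audit_streaming_destinations(SAMPLE_LOG)
    print(f"{count} connections within documented ranges")
    for src, dst, port, proto in bad:
        print(f"outside documented ranges: {src} -> {dst}:{port}/{proto}")
```

Swap the constant lists for the ranges of the Region your WorkSpaces are in; the parsing and the per-port logic do not change.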

DCV gateway domain names

The following table lists the DCV WorkSpace gateway domain names. These domains must be reachable for the WorkSpaces client application to access the WorkSpace DCV service.

Region: China (Ningxia)

Domain: This Region is not supported for DCV.

Network interfaces

Each WorkSpace has the following network interfaces:

  • The primary network interface (eth1) provides connectivity to the resources within your VPC and on the internet, and is used to join the WorkSpace to the directory.

  • The management network interface (eth0) is connected to a secure WorkSpaces management network. It is used for interactive streaming of the WorkSpace desktop to WorkSpaces clients, and to allow WorkSpaces to manage the WorkSpace.

WorkSpaces selects the IP address for the management network interface from various address ranges, depending on the Region that the WorkSpaces are created in. When a directory is registered, WorkSpaces tests the VPC CIDR and the route tables in your VPC to determine if these address ranges create a conflict. If a conflict is found in all available address ranges in the Region, an error message is displayed and the directory is not registered. If you change the route tables in your VPC after the directory is registered, you might cause a conflict.

Warning

Do not modify or delete any of the network interfaces that are attached to a WorkSpace. Doing so might cause the WorkSpace to become unreachable or lose internet access. For example, if you have enabled automatic assignment of Elastic IP addresses at the directory level, an Elastic IP address (from the Amazon-provided pool) is assigned to your WorkSpace when it is launched. However, if you associate an Elastic IP address that you own to a WorkSpace, and then you later disassociate that Elastic IP address from the WorkSpace, the WorkSpace loses its public IP address, and it doesn't automatically get a new one from the Amazon-provided pool.

To associate a new public IP address from the Amazon-provided pool with the WorkSpace, you must rebuild the WorkSpace. If you don't want to rebuild the WorkSpace, you must associate another Elastic IP address that you own to the WorkSpace.

Management interface IP ranges

The following table lists the IP address ranges used for the management network interface.

Region: China (Ningxia)

IP address range: 198.19.0.0/16
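
Registration fails when the management range collides with the VPC CIDR or a route, and a later route-table change can introduce the same collision silently. The Python below is an added pre-flight check, not code from the WorkSpaces documentation: it tests candidate VPC CIDRs and route destinations against the management range the table lists for China (Ningxia) using prefix overlap, which also catches a supernet route (for example a 198.0.0.0/8 route through an inspection appliance) that would pull management traffic away from the management network. Skipping the 0.0.0.0/0 default route, and treating registration as blocked only when every management range for the Region conflicts, are this example's reading of the paragraph above, not statements from the page.

```python
import ipaddress

# Management interface range the page lists for China (Ningxia); other Regions
# use other ranges, so the table is keyed by Region code.
MANAGEMENT_RANGES = {"cn-northwest-1": ["198.19.0.0/16"]}


def management_range_conflicts(region, vpc_cidrs, route_destinations,
                               ranges=MANAGEMENT_RANGES):
    """Return (management range, where, cidr) for every VPC CIDR or route
    destination that overlaps a management range. overlaps() catches both a
    VPC carved out of 198.19.0.0/16 and a wider route such as 198.0.0.0/8 that
    would capture management traffic. The 0.0.0.0/0 default route is skipped
    (every VPC with internet access has one; an assumption of this example),
    and non-CIDR destinations such as managed prefix list IDs are ignored."""
    candidates = [("vpc", c) for c in vpc_cidrs]
    candidates += [("route", r) for r in route_destinations]
    conflicts = []
    for mgmt in ranges[region]:
        mnet = ipaddress.ip_network(mgmt)
        for where, cidr in candidates:
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                continue  # e.g. "pl-..." prefix list IDs
            if net.version != mnet.version or net.prefixlen == 0:
                continue
            if mnet.overlaps(net):
                conflicts.append((mgmt, where, cidr))
    return conflicts


def registration_would_fail(region, conflicts, ranges=MANAGEMENT_RANGES):
    """Registration is refused only when every available management range in
    the Region conflicts; one clean range is enough for WorkSpaces to proceed."""
    conflicting = {mgmt for mgmt, _, _ in conflicts}
    return all(mgmt in conflicting for mgmt in ranges[region])


if __name__ == "__main__":
    # Constructed VPC layout for the example.
    vpc = ["198.19.4.0/22"]
    routes = ["198.19.4.0/22", "0.0.0.0/0", "pl-0123456789abcdef0"]
    found = management_range_conflicts("cn-northwest-1", vpc, routes)
    for mgmt, where, cidr in found:
        print(f"{where} {cidr} overlaps management range {mgmt}")
    print("registration blocked:", registration_would_fail("cn-northwest-1", found))
```

Feed it the VPC's CIDR associations and the destinations from every route table associated with the WorkSpaces subnets; running it again after any route change is the cheap way to catch the drift the paragraph warns about.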

Management interface ports

The following ports must be open on the management network interface of all WorkSpaces:

  • Inbound TCP on port 4172. This is used for establishment of the streaming connection on the PCoIP protocol.

  • Inbound UDP on port 4172. This is used for streaming user input on the PCoIP protocol.

  • Inbound TCP on port 4489. This is used for access using the web client.

  • Inbound TCP on port 8200. This is used for management and configuration of the WorkSpace.

  • Inbound TCP on ports 8201-8250. These ports are used for establishment of the streaming connection and for streaming user input on the DCV protocol.

  • Inbound UDP on port 8220. This port is used for establishment of the streaming connection and for streaming user input on the DCV protocol.

  • Outbound TCP on ports 8443 and 9997. This is used for access using the web client.

  • Outbound UDP on ports 3478, 4172, and 4195. This is used for access using the web client.

  • Outbound UDP on ports 50002 and 55002. This is used for streaming. If your firewall uses stateful filtering, the ephemeral ports 50002 and 55002 are automatically opened to allow return communication. If your firewall uses stateless filtering, you must open ephemeral ports 49152 - 65535 to allow return communication.

  • Outbound TCP on port 80, from the address ranges defined in Management interface IP ranges, to IP address 169.254.169.254 for access to the EC2 instance metadata service. Any HTTP proxy assigned to your WorkSpaces must also exclude 169.254.169.254.

  • Outbound TCP on port 1688 to IP addresses 169.254.169.250 and 169.254.169.251 to allow access to Microsoft KMS for Windows activation for WorkSpaces that are based on public bundles. If you're using Bring Your Own License (BYOL) Windows WorkSpaces, you must allow access to your own KMS servers for Windows activation.

  • Outbound TCP on port 1688 to IP address 54.239.236.220 to allow access to Microsoft KMS for Office activation for BYOL WorkSpaces.

    If you're using Office through one of the WorkSpaces public bundles, the IP address for Microsoft KMS for Office activation varies. To determine that IP address, find the IP address for the management interface of the WorkSpace, and then replace the last two octets with 64.250. For example, if the IP address of the management interface is 192.168.3.5, the IP address for Microsoft KMS Office activation is 192.168.64.250.

  • Outbound TCP to IP address 127.0.0.2 for DCV WorkSpaces when the WorkSpace host is configured to use a proxy server.

  • Communications originating from the loopback address 127.0.0.1.

Under normal circumstances, the WorkSpaces service configures these ports for your WorkSpaces. If any security or firewall software is installed on a WorkSpace that blocks any of these ports, the WorkSpace may not function correctly or may be unreachable.

Primary interface ports

No matter which type of directory you have, the following ports must be open on the primary network interface of all WorkSpaces:

  • For internet connectivity, the following ports must be open outbound to all destinations and inbound from the WorkSpaces VPC. You need to add these manually to the security group for your WorkSpaces if you want them to have internet access.

    • TCP 80 (HTTP)

    • TCP 443 (HTTPS)

  • To communicate with the directory controllers, the following ports must be open between your WorkSpaces VPC and your directory controllers. For a Simple AD directory, the security group created by Amazon Directory Service will have these ports configured correctly. For an AD Connector directory, you might need to adjust the default security group for the VPC to open these ports.

    • TCP/UDP 53 - DNS

    • TCP/UDP 88 - Kerberos authentication

    • UDP 123 - NTP

    • TCP 135 - RPC

    • UDP 137-138 - Netlogon

    • TCP 139 - Netlogon

    • TCP/UDP 389 - LDAP

    • TCP/UDP 445 - SMB

    • TCP/UDP 636 - LDAPS (LDAP over TLS/SSL)

    • TCP 1024-65535 - Dynamic ports for RPC

    • TCP 3268-3269 - Global Catalog

    If any security or firewall software is installed on a WorkSpace that blocks any of these ports, the WorkSpace may not function correctly or may be unreachable.
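
The directory-controller port list above is the kind of requirement that drifts in a security group over time. The Python below is an added audit, not code from the WorkSpaces documentation: it encodes the page's port list, checks a security group's ingress permissions (a constructed sample in the IpPermissions shape that boto3's describe_security_groups returns) for port-range coverage per protocol, treating an IpProtocol of -1 as all traffic and letting several rules together cover a range such as TCP 1024-65535, and renders the missing entries as IpPermissions suitable for authorize_security_group_ingress. The sample security group and its 10.20.0.0/16 source CIDR are constructed for the example.

```python
# Directory-controller ports the page requires between the WorkSpaces VPC and
# the domain controllers: (label, protocol, from_port, to_port).
REQUIRED_DIRECTORY_PORTS = [
    ("DNS", "tcp", 53, 53), ("DNS", "udp", 53, 53),
    ("Kerberos", "tcp", 88, 88), ("Kerberos", "udp", 88, 88),
    ("NTP", "udp", 123, 123),
    ("RPC", "tcp", 135, 135),
    ("Netlogon", "udp", 137, 138), ("Netlogon", "tcp", 139, 139),
    ("LDAP", "tcp", 389, 389), ("LDAP", "udp", 389, 389),
    ("SMB", "tcp", 445, 445), ("SMB", "udp", 445, 445),
    ("LDAPS", "tcp", 636, 636), ("LDAPS", "udp", 636, 636),
    ("RPC dynamic", "tcp", 1024, 65535),
    ("Global Catalog", "tcp", 3268, 3269),
]


def _rule(proto, lo, hi, cidr="10.20.0.0/16"):
    """One ingress permission in the IpPermissions shape that boto3's
    describe_security_groups returns (constructed sample source CIDR)."""
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": cidr}]}


# Constructed security group: everything present except UDP 636, with the
# dynamic RPC range split across two rules and 3268-3269 covered by it.
SAMPLE_SG_PERMISSIONS = [
    _rule("tcp", 53, 53), _rule("udp", 53, 53),
    _rule("tcp", 88, 88), _rule("udp", 88, 88),
    _rule("udp", 123, 123),
    _rule("tcp", 135, 139), _rule("udp", 137, 138),
    _rule("tcp", 389, 389), _rule("udp", 389, 389),
    _rule("tcp", 445, 445), _rule("udp", 445, 445),
    _rule("tcp", 636, 636),
    _rule("tcp", 1024, 49151), _rule("tcp", 49152, 65535),
]


def _covered(permissions, proto, lo, hi):
    """True if the permissions for `proto`, taken together, cover every port in
    lo..hi. IpProtocol "-1" is all traffic and carries no port fields."""
    if any(p["IpProtocol"] == "-1" for p in permissions):
        return True
    spans = sorted((p["FromPort"], p["ToPort"])
                   for p in permissions if p["IpProtocol"] == proto)
    need = lo  # lowest port not yet shown to be open
    for start, end in spans:
        if start > need:
            break  # gap below this span; no later span can fill it
        if end >= need:
            need = end + 1
        if need > hi:
            return True
    return need > hi


def missing_directory_ports(permissions, required=REQUIRED_DIRECTORY_PORTS):
    """Requirements from the page that the security group does not satisfy."""
    return [req for req in required if not _covered(permissions, *req[1:])]


def permissions_to_add(missing, source_cidr):
    """IpPermissions entries for authorize_security_group_ingress that close the
    gaps, each carrying the page's label as the rule description."""
    return [{"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
             "IpRanges": [{"CidrIp": source_cidr, "Description": label}]}
            for label, proto, lo, hi in missing]


if __name__ == "__main__":
    gaps = missing_directory_ports(SAMPLE_SG_PERMISSIONS)
    for label, proto, lo, hi in gaps:
        print(f"missing {proto.upper()} {lo}-{hi} ({label})")
    print(permissions_to_add(gaps, "10.20.0.0/16"))
```

The check is deliberately one-directional: it reports what is missing, not what is excessive. A rule allowing all traffic from the VPC satisfies every requirement and is reported clean, so review the output alongside a least-privilege pass rather than treating an empty result as approval.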