Make Amazon WorkSpaces API requests through a VPC interface endpoint - Amazon WorkSpaces
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Make Amazon WorkSpaces API requests through a VPC interface endpoint

You can connect directly to Amazon WorkSpaces API endpoints through an interface endpoint in your virtual private cloud (VPC) instead of connecting over the internet. When you use a VPC interface endpoint, communication between your VPC and the Amazon WorkSpaces API endpoint is conducted entirely and securely within the Amazon network.

Note

This feature can be used only for connecting to WorkSpaces API endpoints. To connect to WorkSpaces using the WorkSpaces clients, internet connectivity is required, as described in IP address and port requirements for WorkSpaces Personal.

The Amazon WorkSpaces API endpoints support Amazon Virtual Private Cloud (Amazon VPC) interface endpoints that are powered by Amazon PrivateLink. Each VPC endpoint is represented by one or more network interfaces (also known as elastic network interfaces, or ENIs) with private IP addresses in your VPC subnets.

The VPC interface endpoint connects your VPC directly to the Amazon WorkSpaces API endpoint without an internet gateway, NAT device, VPN connection, or Amazon Direct Connect connection. The instances in your VPC don't need public IP addresses to communicate with the Amazon WorkSpaces API endpoint.

You can create an interface endpoint to connect to Amazon WorkSpaces with either the Amazon Web Services Management Console or Amazon Command Line Interface (Amazon CLI) commands. For instructions, see Creating an Interface Endpoint.

After you have created a VPC endpoint, you can use the following example CLI commands that use the endpoint-url parameter to specify interface endpoints to the Amazon WorkSpaces API endpoint:

aws workspaces copy-workspace-image --endpoint-url VPC_Endpoint_ID.workspaces.Region.vpce.amazonaws.com

aws workspaces delete-workspace-image --endpoint-url VPC_Endpoint_ID.api.workspaces.Region.vpce.amazonaws.com

aws workspaces describe-workspace-bundles --endpoint-url VPC_Endpoint_ID.workspaces.Region.vpce.amazonaws.com  \
   --endpoint-name Endpoint_Name \
   --body "Endpoint_Body" \
   --content-type "Content_Type" \
       Output_File

If you enable private DNS hostnames for your VPC endpoint, you don't need to specify the endpoint URL. The Amazon WorkSpaces API DNS hostname that the CLI and Amazon WorkSpaces SDK use by default (https://api.workspaces.Region.amazonaws.com) resolves to your VPC endpoint.

The Amazon WorkSpaces API endpoint supports VPC endpoints in all Amazon Regions where both Amazon VPC and Amazon WorkSpaces are available. Amazon WorkSpaces supports making calls to all of its public APIs inside your VPC.

To learn more about Amazon PrivateLink, see the Amazon PrivateLink documentation. For the price of VPC endpoints, see VPC Pricing. To learn more about VPC and endpoints, see Amazon VPC.

To see a list of Amazon WorkSpaces API endpoints by Region, see WorkSpaces API Endpoints.

Note

Amazon WorkSpaces API endpoints with Amazon PrivateLink are not supported for Federal Information Processing Standard (FIPS) Amazon WorkSpaces API endpoints.