Please configure your IP White List and Firewall services with the following;

Ports for Client Applications

The WorkSpaces client application requires outbound access on the following ports:

Port 443 (TCP)

This port is used for client application updates, registration, and authentication.

Port 4172 (TCP & UDP)

These ports are used for streaming the WorkSpace desktop and health checks.

Domains and IP addresses to add to your White List

Category	Domain or IP address
CAPTCHA	https://opfcaptcha-prod.s3.amazonaws.com/
Client Auto-update	https://d2td7dqidlhjx7.cloudfront.net/
Connectivity Check	https://connectivity.amazonworkspaces.com/
Client Metrics	https://skylight-client-ds.eu-west-2.amazonaws.com
Dynamic Messaging Service	https://ws-client-service.eu-west-2.amazonaws.com
Directory Settings	https://d32i4gd7pg4909.cloudfront.net/prod/ https://d21ui22avrxoh6.cloudfront.net/prod/ https://d1cbg795sa4g1u.cloudfront.net/prod/ https://d3s98kk2h6f4oh.cloudfront.net/ https://dyqsoz7pkju4e.cloudfront.net/ https://d16q6638mh01s7.cloudfront.net/
WS Broker	https://ws-broker-service.eu-west-2.amazonaws.com
WorkSpaces API Endpoints	https://workspaces.eu-west-2.amazonaws.com

Domains and IP addresses to add to your White List for WorkSpaces Streaming Protocol (WSP)

Category	Domain or IP address
WSP Session Gateway (WSG)	18.134.68.0/22

Health Check Servers

The WorkSpaces client applications perform health checks over ports 4172 and 4195. These checks validate whether TCP or UDP traffic streams from the WorkSpaces servers to the client applications. For these checks to finish successfully, your firewall policies must allow outbound traffic to the IP addresses of the following Regional health check servers.

Region	Health Check Hostname	IP Addresses
Europe (London)	drp-lhr.amazonworkspaces.com	35.176.62.54 35.177.255.44 52.56.46.102 52.56.111.36

WSP Gateway Servers

WorkSpaces uses a small range of Amazon EC2 public IPv4 addresses for its WSP gateway servers. This enables you to set more finely grained firewall policies for devices that access WorkSpaces. Note that the WorkSpaces clients do not support IPv6 addresses as a connectivity option at this time.

Region	Public IP Address Range
Europe (London)	18.134.68.0/22

Network Interfaces

Each WorkSpace has the following network interfaces:

The primary network interface (eth1) provides connectivity to the resources within your VPC and on the internet, and is used to join the WorkSpace to the directory.
The management network interface (eth0) is connected to a secure WorkSpaces management network. It is used for interactive streaming of the WorkSpace desktop to WorkSpaces clients, and to allow WorkSpaces to manage the WorkSpace.

WorkSpaces selects the IP address for the management network interface from various address ranges, depending on the Region that the WorkSpaces are created in. When a directory is registered, WorkSpaces tests the VPC CIDR and the route tables in your VPC to determine if these address ranges create a conflict. If a conflict is found in all available address ranges in the Region, an error message is displayed and the directory is not registered. If you change the route tables in your VPC after the directory is registered, you might cause a conflict.

Warning

Do not modify or delete any of the network interfaces that are attached to a WorkSpace.