Please configure your IP White List and Firewall services with the following;
Ports for Client Applications
The WorkSpaces client application requires outbound access on the following ports:
Port 443 (TCP)
This port is used for client application updates, registration, and authentication.
Port 4172 (TCP & UDP)
These ports are used for streaming the WorkSpace desktop and health checks.
Domains and IP addresses to add to your White List
Domain or IP address
Dynamic Messaging Service
WorkSpaces API Endpoints
Domains and IP addresses to add to your White List for WorkSpaces Streaming Protocol (WSP)
Domain or IP address
WSP Session Gateway (WSG)
Health Check Servers
The WorkSpaces client applications perform health checks over ports 4172 and 4195. These checks validate whether TCP or UDP traffic streams from the WorkSpaces servers to the client applications. For these checks to finish successfully, your firewall policies must allow outbound traffic to the IP addresses of the following Regional health check servers.
Health Check Hostname
WSP Gateway Servers
WorkSpaces uses a small range of Amazon EC2 public IPv4 addresses for its WSP gateway servers. This enables you to set more finely grained firewall policies for devices that access WorkSpaces. Note that the WorkSpaces clients do not support IPv6 addresses as a connectivity option at this time.
Public IP Address Range
Each WorkSpace has the following network interfaces:
The primary network interface (eth1) provides connectivity to the resources within your VPC and on the internet, and is used to join the WorkSpace to the directory.
The management network interface (eth0) is connected to a secure WorkSpaces management network. It is used for interactive streaming of the WorkSpace desktop to WorkSpaces clients, and to allow WorkSpaces to manage the WorkSpace.
WorkSpaces selects the IP address for the management network interface from various address ranges, depending on the Region that the WorkSpaces are created in. When a directory is registered, WorkSpaces tests the VPC CIDR and the route tables in your VPC to determine if these address ranges create a conflict. If a conflict is found in all available address ranges in the Region, an error message is displayed and the directory is not registered. If you change the route tables in your VPC after the directory is registered, you might cause a conflict.
Do not modify or delete any of the network interfaces that are attached to a WorkSpace.