# Configure a VPC with Private Subnets and a NAT Gateway
<a name="managing-network-internet-NAT-gateway"></a>

If you plan to provide your streaming instances (fleet instances, app block builders, and image builders) with access to the internet, we recommend that you configure a VPC with two private subnets for your streaming instances and a NAT gateway in a public subnet. You can create and configure a new VPC to use with a NAT gateway, or add a NAT gateway to an existing VPC. For additional VPC configuration recommendations, see [VPC Setup Recommendations](vpc-setup-recommendations.md).

The NAT gateway lets the streaming instances in your private subnets connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. In addition, unlike configurations that use the **Default Internet Access** option for enabling internet access for WorkSpaces Applications streaming instances, this configuration is not limited to 100 fleet instances.

For information about using NAT Gateways and this configuration, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) and [VPC with Public and Private Subnets (NAT)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html) in the *Amazon VPC User Guide*.

**Topics**
+ [Create and Configure a New VPC](create-configure-new-vpc-with-private-public-subnets-nat.md)
+ [Add a NAT Gateway to an Existing VPC](add-nat-gateway-existing-vpc.md)
+ [Enable Internet Access for Your Fleet, Image Builder, or App Block Builder in Amazon WorkSpaces Applications](managing-network-manual-enable-internet-access.md)

# Create and Configure a New VPC
<a name="create-configure-new-vpc-with-private-public-subnets-nat"></a>

This topic describes how to use the VPC wizard to create a VPC with a public subnet and one private subnet. As part of this process, the wizard creates an internet gateway and a NAT gateway. It also creates a custom route table associated with the public subnet and updates the main route table associated with the private subnet. The NAT gateway is automatically created in the public subnet of your VPC.

After you use the wizard to create the initial VPC configuration, you'll add a second private subnet. For more information about this configuration, see [VPC with Public and Private Subnets (NAT)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html) in the *Amazon VPC User Guide*.

**Note**  
If you already have a VPC, complete the steps in [Add a NAT Gateway to an Existing VPC](add-nat-gateway-existing-vpc.md) instead.

**Topics**
+ [Step 1: Allocate an Elastic IP Address](#allocate-elastic-ip)
+ [Step 2: Create a New VPC](#vpc-with-private-and-public-subnets-nat)
+ [Step 3: Add a Second Private Subnet](#vpc-with-private-and-public-subnets-add-private-subnet-nat)
+ [Step 4: Verify and Name Your Subnet Route Tables](#verify-name-route-tables)

## Step 1: Allocate an Elastic IP Address
<a name="allocate-elastic-ip"></a>

Before you create your VPC, you must allocate an Elastic IP address in your WorkSpaces Applications Region. You must first allocate an Elastic IP address for use in your VPC, and then associate it with your NAT gateway. For more information, see [Elastic IP Addresses](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html) in the *Amazon VPC User Guide*.

**Note**  
Charges may apply to Elastic IP addresses that you use. For more information, see [Elastic IP Addresses](https://aws.amazon.com/ec2/pricing/on-demand/#Elastic_IP_Addresses) on the Amazon EC2 pricing page.

Complete the following steps if you don't already have an Elastic IP address. If you want to use an existing Elastic IP address, verify that it's not currently associated with another instance or network interface.

**To allocate an Elastic IP address**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Network & Security**, choose **Elastic IPs**.

1. Choose **Allocate New Address**, and then choose **Allocate**.

1. Note the Elastic IP address.

1. In the upper right of the **Elastic IPs** pane, click the X icon to close the pane.

## Step 2: Create a New VPC
<a name="vpc-with-private-and-public-subnets-nat"></a>

Complete the following steps to create a new VPC with a public subnet and one private subnet.

**To create a new VPC**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **VPC Dashboard**.

1. Choose **Launch VPC Wizard**.

1. In **Step 1: Select a VPC Configuration**, choose **VPC with Public and Private Subnets**, and then choose **Select**.

1. In **Step 2: VPC with Public and Private Subnets**, configure the VPC as follows:
   + For **IPv4 CIDR block**, specify an IPv4 CIDR block for the VPC.
   + For **IPv6 CIDR block**, keep the default value, **No IPv6 CIDR Block**.
   + For **VPC name**, type a unique name for the VPC.

1. Configure the public subnet as follows:
   + For **Public subnet's IPv4 CIDR**, specify the CIDR block for the subnet.
   + For **Availability Zone**, keep the default value, **No Preference**.
   + For **Public subnet name**, type a name for the subnet; for example, `AppStream2 Public Subnet`.

1. Configure the first private subnet as follows:
   + For **Private subnet's IPv4 CIDR**, specify the CIDR block for the subnet. Make a note of the value that you specify.
   + For **Availability Zone**, select a specific zone and make a note of the zone that you select.
   + For **Private subnet name**, type a name for the subnet; for example, `AppStream2 Private Subnet1`.
   + For the remaining fields, where applicable, keep the default values.

1. For **Elastic IP Allocation ID**, click in the text box and select the value that corresponds to the Elastic IP address that you created. This address is assigned to the NAT gateway. If you don't have an Elastic IP address, create one by using the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. For **Service endpoints**, if an Amazon S3 endpoint is required for your environment, specify one. An S3 endpoint is required to provide users with access to [home folders](home-folders.md) or to enable [application settings persistence](app-settings-persistence.md) for your users in a private network.

   To specify an Amazon S3 endpoint, do the following:

   1. Choose **Add Endpoint**.

   1. For **Service**, select the entry in the list that ends with "s3" (the `com.amazonaws.`*region*`.s3` entry that corresponds to the Region in which the VPC is being created).

   1. For **Subnet**, choose **Private subnet**.

   1. For **Policy**, keep the default value, **Full Access**.

1. For **Enable DNS hostnames**, keep the default value, **Yes**.

1. For **Hardware tenancy**, keep the default value, **Default**.

1. Choose **Create VPC**.

1. Note that it takes several minutes to set up your VPC. After the VPC is created, choose **OK**.

## Step 3: Add a Second Private Subnet
<a name="vpc-with-private-and-public-subnets-add-private-subnet-nat"></a>

In the previous step ([Step 2: Create a New VPC](#vpc-with-private-and-public-subnets-nat)), you created a VPC with one public subnet and one private subnet. Perform the following steps to add a second private subnet. We recommend that you add a second private subnet in a different Availability Zone than your first private subnet. 

1. In the navigation pane, choose **Subnets**.

1. Select the first private subnet that you created in the previous step. On the **Description** tab, below the list of subnets, make a note of the Availability Zone for this subnet.

1. On the upper left of the subnets pane, choose **Create Subnet**.

1. For **Name tag**, type a name for the private subnet; for example, `AppStream2 Private Subnet2`. 

1. For **VPC**, select the VPC that you created in the previous step.

1. For **Availability Zone**, select an Availability Zone other than the one you are using for your first private subnet. Selecting a different Availability Zone increases fault tolerance and helps prevent insufficient capacity errors.

1. For **IPv4 CIDR block**, specify a unique CIDR block range for the new subnet. For example, if your first private subnet has an IPv4 CIDR block range of `10.0.1.0/24`, you could specify a CIDR block range of `10.0.2.0/24` for the new private subnet.

1. Choose **Create**.

1. After your subnet is created, choose **Close**.

## Step 4: Verify and Name Your Subnet Route Tables
<a name="verify-name-route-tables"></a>

After you've created and configured your VPC, complete the following steps to specify a name for your route tables, and to verify that:
+ The route table associated with the subnet in which your NAT gateway resides includes a route that points internet traffic to an internet gateway. This ensures that your NAT gateway can access the internet.
+ The route tables associated with your private subnets are configured to point internet traffic to the NAT gateway. This enables the streaming instances in your private subnets to communicate with the internet.

1. In the navigation pane, choose **Subnets**, and select the public subnet that you created; for example, `WorkSpaces Applications Public Subnet`.

   1. On the **Route Table** tab, choose the ID of the route table; for example, `rtb-12345678`.

   1. Select the route table. Under **Name**, choose the edit icon (the pencil), and type a name (for example, `appstream2-public-routetable`), and then select the check mark to save the name.

   1. With the public route table still selected, on the **Routes** tab, verify that there is one route for local traffic and another route that sends all other traffic to the internet gateway for the VPC. The following table describes these two routes:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appstream2/latest/developerguide/create-configure-new-vpc-with-private-public-subnets-nat.html)

1. In the navigation pane, choose **Subnets**, and select the first private subnet that you created (for example, `AppStream2 Private Subnet1`).

   1. On the **Route Table** tab, choose the ID of the route table.

   1. Select the route table. Under **Name**, choose the edit icon (the pencil), and enter a name (for example, `appstream2-private-routetable`), and then choose the check mark to save the name.

   1. On the **Routes** tab, verify that the route table includes the following routes:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appstream2/latest/developerguide/create-configure-new-vpc-with-private-public-subnets-nat.html)

1. In the navigation pane, choose **Subnets**, and select the second private subnet that you created (for example, `AppStream2 Private Subnet2`). 

1. On the **Route Table** tab, verify that the route table is the private route table (for example, `appstream2-private-routetable`). If the route table is different, choose **Edit** and select this route table.

**Next Steps**

To enable your fleet instances, app block builders, and image builders to access the internet, complete the steps in [Enable Internet Access for Your Fleet, Image Builder, or App Block Builder in Amazon WorkSpaces Applications](managing-network-manual-enable-internet-access.md).

# Add a NAT Gateway to an Existing VPC
<a name="add-nat-gateway-existing-vpc"></a>

If you have already configured a VPC, complete the following steps to add a NAT gateway to your VPC. If you need to create a new VPC, see [Create and Configure a New VPC](create-configure-new-vpc-with-private-public-subnets-nat.md).

**To add a NAT gateway to an existing VPC**

1. To create your NAT gateway, complete the steps in [Creating a NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon VPC User Guide*.

1. Verify that your VPC has at least one private subnet. We recommend that you specify two private subnets from different Availability Zones for high availability and fault tolerance. For information about how to create a second private subnet, see [Step 3: Add a Second Private Subnet](create-configure-new-vpc-with-private-public-subnets-nat.md#vpc-with-private-and-public-subnets-add-private-subnet-nat).

1. Update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway. This enables the streaming instances in your private subnets to communicate with the internet. To do so, complete the steps in [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html).

**Next Steps**

To enable your fleet instances, app block builders, and image builders to access the internet, complete the steps in [Enable Internet Access for Your Fleet, Image Builder, or App Block Builder in Amazon WorkSpaces Applications](managing-network-manual-enable-internet-access.md).

# Enable Internet Access for Your Fleet, Image Builder, or App Block Builder in Amazon WorkSpaces Applications
<a name="managing-network-manual-enable-internet-access"></a>

After your NAT gateway is available on a VPC, you can enable internet access for your fleet, image builder, and app block builder.

**Note**  
When working with IPv6 only subnets, default internet access cannot be enabled. You'll need to set up an Egress-Only Internet Gateway and configure route table to allow outbound internet traffic. For more information check the [steps](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html). You also need to enable auto-assign IPv6 addresses for your subnets. The Egress-Only gateway handles outbound internet traffic only so if you need inbound access, you'll still need a regular internet gateway. You can find more details about this in [egress only internet gateway documentation](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html). Ensure appropriate security and networking controls exist to prevent accidental inbound/outbound access for your subnets.

**Topics**
+ [Enable Internet Access for Your Fleet in Amazon WorkSpaces Applications](managing-network-manual-fleet-enable-internet-access-fleet.md)
+ [Enable Internet Access for Your Image Builder in Amazon WorkSpaces Applications](managing-network-manual-enable-internet-access-image-builder.md)
+ [Enable Internet Access for Your App Block Builder in Amazon WorkSpaces Applications](managing-network-enable-internet-access-app-block-builder.md)

# Enable Internet Access for Your Fleet in Amazon WorkSpaces Applications
<a name="managing-network-manual-fleet-enable-internet-access-fleet"></a>

You can enable internet access either when you create the fleet or later.

**To enable internet access at fleet creation**

1. Complete the steps in [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md) up to **Step 4: Configure Network**.

1. Choose a VPC with a NAT gateway.

1. If the subnet fields are empty, select a private subnet for **Subnet 1** and, optionally, another private subnet for **Subnet 2**. If you don't already have a private subnet in your VPC, you may need to create a second private subnet.

1. Continue with the steps in [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md).

**To enable internet access after fleet creation by using a NAT gateway**

1. In the navigation pane, choose **Fleets**.

1. Select a fleet and verify that the state is **Stopped**.

1. Choose **Fleet Details**, **Edit**, and choose a VPC with a NAT gateway.

1. Choose a private subnet for **Subnet 1** and, optionally, another private subnet for **Subnet 2**. If you don't already have a private subnet in your VPC, you may need to [create a second private subnet](create-configure-new-vpc-with-private-public-subnets-nat.md#vpc-with-private-and-public-subnets-add-private-subnet-nat). 

1. Choose **Update**.

You can test your internet connectivity by starting your fleet, and then connecting to your streaming instance and browsing to the internet. 

# Enable Internet Access for Your Image Builder in Amazon WorkSpaces Applications
<a name="managing-network-manual-enable-internet-access-image-builder"></a>

If you plan to enable internet access for your image builder, you must do so when you create the image builder.

**To enable internet access for an image builder**

1. Complete the steps in [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md), up to **Step 3: Configure Network**.

1. Choose the VPC with a NAT gateway.

1. If **Subnet** is empty, select a subnet.

1. Continue with the steps in [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md).

# Enable Internet Access for Your App Block Builder in Amazon WorkSpaces Applications
<a name="managing-network-enable-internet-access-app-block-builder"></a>

If you plan to enable internet access for your app block builder, you must do so when you create the app block builder.

**To enable internet access for an app block builder**

1. Complete the steps in [Create an App Block Builder](create-app-block-builder.md) up to **Step 2: Configure Network**.

1. Choose the VPC with a NAT gateway.

1. If **Subnet** is empty, select a subnet.

1. Continue with the steps in [Create an App Block Builder](create-app-block-builder.md).