

# Access APIs using an interface VPC endpoint (AWS PrivateLink)
<a name="private-link"></a>

You can call the Amazon WorkSpaces Secure Browser API endpoint directly from within a virtual private cloud (VPC), instead of connecting over the internet. This does not require an internet gateway, NAT device, VPN connection, or Direct Connect connection.

You establish this private connection by creating an *interface VPC endpoint* that's powered by [AWS PrivateLink](https://aws.amazon.com/privatelink). For each subnet that you specify from your VPC, we create an endpoint network interface in the subnet. An endpoint network interface is a requester-managed network interface that serves as the entry point for Amazon WorkSpaces Secure Browser API traffic.

For more information, see [Access AWS services through AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/privatelink-access-aws-services.html).

**Topics**
+ [Considerations for Amazon WorkSpaces Secure Browser](vpc-endpoint-considerations.md)
+ [Creating an interface VPC endpoint for Amazon WorkSpaces Secure Browser](vpc-endpoint-create.md)
+ [Creating an endpoint policy for your interface VPC endpoint](vpc-endpoint-policy.md)
+ [Troubleshooting](privatelink-troubleshooting.md)

# Considerations for Amazon WorkSpaces Secure Browser
<a name="vpc-endpoint-considerations"></a>

Before you set up an interface VPC endpoint for Amazon WorkSpaces Secure Browser APIs, make sure to review the "Prerequisites" in [Access AWS services through AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html). Amazon WorkSpaces Secure Browser supports making calls to all of its API actions through the interface VPC endpoint. 

By default, full access to Amazon WorkSpaces Secure Browser is allowed through the endpoint. For more information, see [Controlling access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*.

# Creating an interface VPC endpoint for Amazon WorkSpaces Secure Browser
<a name="vpc-endpoint-create"></a>

You can create an interface VPC endpoint for the Amazon WorkSpaces Secure Browser service using either the Amazon VPC console or the AWS Command Line Interface (AWS CLI). For more information, see [Creating an interface endpoint](https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint) in the *Amazon VPC User Guide*.

Create an interface VPC endpoint for Amazon WorkSpaces Secure Browser using the following service name: 
+ com.amazonaws.*region*.workspaces-web

For FIPS-supported regions, create an interface VPC endpoint for Amazon WorkSpaces Secure Browser using the following service name: 
+ com.amazonaws.*region*.workspaces-web-fips

# Creating an endpoint policy for your interface VPC endpoint
<a name="vpc-endpoint-policy"></a>

An endpoint policy is an IAM resource that you can attach to an interface VPC endpoint. The default endpoint policy gives you full access to Amazon WorkSpaces Secure Browser APIs through the interface VPC endpoint. To control the access granted to Amazon WorkSpaces Secure Browser from your VPC, attach a custom endpoint policy to the interface VPC endpoint.

An endpoint policy specifies the following information:
+ The principals that can perform actions (AWS accounts, IAM users, and IAM roles).
+ The actions that can be performed.
+ The resources on which actions can be performed.

For more information, see [Controlling access to services with VPC endpoints](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-endpoints-access.html) in the *Amazon VPC User Guide*. 

**Example: VPC endpoint policy for Amazon WorkSpaces Secure Browser actions**  
The following is an example of a custom endpoint policy. When you attach this policy to your interface VPC endpoint, it grants access to the listed Amazon WorkSpaces Secure Browser actions (here the wildcard `workspaces-web:*`, which matches every action) for all principals on all resources.

```
{
     "Statement": [
         {
             "Action": "workspaces-web:*",
             "Effect": "Allow",
             "Resource": "*",
             "Principal": "*"
         }
     ]
}
```
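
The default endpoint policy and the example policy above both allow every action for every principal, so it helps to flag such statements before a policy is attached. The following Python check is an added example, not part of the AWS documentation; the role name, account ID and portal ARN in `SCOPED_POLICY` are constructed placeholders, and the checks are a simple heuristic rather than a full IAM policy evaluation.

```python
import json

# Policy copied from the example on this page: full access for everyone.
PAGE_POLICY = json.loads("""
{"Statement": [{"Action": "workspaces-web:*", "Effect": "Allow",
                "Resource": "*", "Principal": "*"}]}
""")

# Constructed comparison policy; account ID, role name and ARN are placeholders.
SCOPED_POLICY = {"Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExamplePortalReader"},
    "Action": ["workspaces-web:GetPortal"],
    "Resource": "arn:aws:workspaces-web:us-east-1:111122223333:portal/*",
}]}


def _as_list(value):
    """IAM JSON lets most elements be a single value or a list."""
    return value if isinstance(value, list) else [value]


def _any_principal(principal):
    """True for "Principal": "*" and for forms such as {"AWS": "*"}."""
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return principal == "*"


def audit_endpoint_policy(policy):
    """Return (statement index, finding) pairs for broad Allow statements."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        # A Condition (for example on aws:PrincipalAccount) can narrow "*".
        if _any_principal(stmt.get("Principal")) and not stmt.get("Condition"):
            findings.append((i, "any principal, no Condition"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, f"wildcard action {action}"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "all resources"))
    return findings


if __name__ == "__main__":
    for name, pol in (("page", PAGE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_endpoint_policy(pol))
```
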

# Troubleshooting
<a name="privatelink-troubleshooting"></a>

If your calls to the Amazon WorkSpaces Secure Browser APIs are hanging, there is likely a misconfiguration in your VPC endpoint security group or IAM role setup. To resolve this, try the following:
+ When you created your interface VPC endpoint, it might have been automatically attached to your AWS account’s default security group. Try using a different security group, and make sure its inbound and outbound rules allow you to transfer your data appropriately.
+ Make sure you are using an IAM role that allows you to call Amazon WorkSpaces Secure Browser APIs.

For more information, see [What is AWS PrivateLink?](https://docs.aws.amazon.com/vpc/latest/userguide/what-is-privatelink.html) in the *Amazon VPC User Guide*. 