Enabling restricted internet browsing for Amazon WorkSpaces Secure Browser
The recommended network setup of a WorkSpaces Secure Browser portal is to use private subnets with a NAT gateway, so that the portal can browse both the public internet and private content. For more information, see Enabling unrestricted internet browsing for Amazon WorkSpaces Secure Browser (recommended). However, you might be required to control outbound communication from a WorkSpaces Secure Browser portal to the internet by using a web proxy. For example, if you use a web proxy as the gateway to the internet, you can implement preventive security controls, such as domain allow-listing and content filtering. This can also reduce bandwidth usage and improve network performance by caching frequently accessed resources locally, such as web pages or software updates. For some use cases, you might have private content that is only accessible by using a web proxy.
You might already be familiar with configuring proxy settings on managed devices, or on the image of your virtual environments. But this poses challenges if you aren’t in control of the device (for example, when users are on devices not owned or managed by the enterprise), or if you need to manage the image for your virtual environment. With WorkSpaces Secure Browser, you can set proxy settings using Chrome’s policies built into the web browser. You can do this by setting up an HTTP outbound proxy for WorkSpaces Secure Browser.
This solution is based on a recommended outbound VPC proxy setup. The proxy solution is based on the open source HTTP proxy Squid.
This solution provides you with the following benefits:
- An outbound proxy that includes a group of auto-scaling Amazon EC2 instances, hosted by a Network Load Balancer. Proxy instances live in a public subnet, and each of them has an Elastic IP address attached, so they can access the internet.
- A WorkSpaces Secure Browser portal deployed to private subnets. You don’t need to configure a NAT gateway to enable internet access. Instead, you configure your browser policy so that all internet traffic goes through the outbound proxy. If you want to use your own proxy, the WorkSpaces Secure Browser portal setup will be similar.
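
The following added example (not part of the original page or of AWS's own code) builds a browser policy that pins Chrome to the outbound proxy through Chrome's `ProxySettings` policy, then checks it for settings that would let traffic skip the proxy. The `chromePolicies` wrapper, the endpoint `proxy.example.internal:3128` (3128 is Squid's default port), and the function names are assumptions for illustration.

```python
import json
import re

# Accepts host:port, optionally prefixed with http:// or https://
HOSTPORT = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+:\d{1,5}$")


def build_policy(proxy_endpoint, bypass=()):
    """Return a browser policy dict that pins Chrome to one proxy endpoint."""
    settings = {"ProxyMode": "fixed_servers", "ProxyServer": proxy_endpoint}
    if bypass:
        settings["ProxyBypassList"] = ",".join(bypass)
    # Assumed wrapper: policies nested under "chromePolicies", each with a "value" key.
    return {"chromePolicies": {"ProxySettings": {"value": settings}}}


def lint_policy(policy):
    """Return findings; an empty list means all traffic is pinned to the proxy."""
    settings = (policy.get("chromePolicies", {})
                      .get("ProxySettings", {})
                      .get("value"))
    if not isinstance(settings, dict):
        return ["ProxySettings missing: no proxy is enforced by policy"]
    findings = []
    mode = settings.get("ProxyMode")
    if mode != "fixed_servers":
        # direct, system, auto_detect and pac_script do not pin a single proxy.
        findings.append(f"ProxyMode {mode!r} does not pin traffic to the proxy")
    elif not HOSTPORT.match(settings.get("ProxyServer", "")):
        findings.append("ProxyServer must be host:port")
    for entry in re.split(r"[,;]", settings.get("ProxyBypassList", "")):
        host = entry.strip().split("://")[-1]
        # "*" bypasses the proxy for every host; "*.com" for a whole TLD.
        if host == "*" or re.fullmatch(r"\*\.?[A-Za-z]+", host):
            findings.append(f"bypass entry {host!r} is too broad")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    good = build_policy("proxy.example.internal:3128",
                        ["intranet.example.internal"])
    print(json.dumps(good, indent=2))
    print(lint_policy(good))
    print(lint_policy(build_policy("proxy.example.internal:3128", ["*"])))
```
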