

# Configure a VPC for WorkSpaces Applications
<a name="appstream-vpc"></a>

When you set up WorkSpaces Applications, you must specify the virtual private cloud (VPC) and at least one subnet in which to launch your fleet instances and image builders. A VPC is a virtual network in your own logically isolated area within the Amazon Web Services Cloud. A subnet is a range of IP addresses in your VPC.

When you configure your VPC for WorkSpaces Applications, you can specify either public or private subnets, or a mix of both types of subnets. A public subnet has direct access to the internet through an internet gateway. A private subnet, which doesn't have a route to an internet gateway, requires a Network Address Translation (NAT) gateway or NAT instance to provide access to the internet.

**Topics**
+ [VPC Setup Recommendations](vpc-setup-recommendations.md)
+ [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md)
+ [Configure a New or Existing VPC with a Public Subnet](managing-network-default-internet-access.md)
+ [Use the Default VPC, Public Subnet, and Security Group](default-vpc-with-public-subnet.md)

# VPC Setup Recommendations
<a name="vpc-setup-recommendations"></a>

When you create a fleet, or launch an image builder or app block builder, you specify the VPC and one or more subnets to use. You can provide additional access control to your VPC by specifying security groups. 

The following recommendations can help you configure your VPC more effectively and securely. In addition, they can help you configure an environment that supports effective fleet scaling. With effective fleet scaling, you can meet current and anticipated WorkSpaces Applications user demand, while avoiding unnecessary resource usage and associated costs. 

**Overall VPC Configuration**
+ Make sure that your VPC configuration can support your fleet scaling needs. 

  As you develop your plan for fleet scaling, keep in mind that one user requires one fleet instance. Therefore, the size of your fleet determines the number of users who can stream concurrently. For this reason, for each [instance type](instance-types.md) that you plan to use, make sure that the number of fleet instances that your VPC can support is greater than the number of anticipated concurrent users for the same instance type.
+ Make sure that your WorkSpaces Applications account quotas (also referred to as limits) are sufficient to support your anticipated demand. To request a quota increase, you can use the Service Quotas console at [https://console.aws.amazon.com/servicequotas/](https://console.aws.amazon.com/servicequotas/). For information about default WorkSpaces Applications quotas, see [Amazon WorkSpaces Applications Service Quotas](limits.md). 
+ If you plan to provide your streaming instances (fleet instances, app block builder, or image builders) with access to the internet, we recommend that you configure a VPC with two private subnets for your streaming instances and a NAT gateway in a public subnet.

  The NAT gateway lets the streaming instances in your private subnets connect to the internet or other AWS services. However, it prevents the internet from initiating a connection with those instances. In addition, unlike configurations that use the **Default Internet Access** option for enabling internet access, the NAT configuration supports more than 100 fleet instances. For more information, see [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md).

**Elastic Network Interfaces**
+ WorkSpaces Applications creates as many [elastic network interfaces](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_ElasticNetworkInterfaces.html) (network interfaces) as the maximum desired capacity of your fleet. By default, the limit for network interfaces per Region is 5000. 

  When planning capacity for very large deployments, for example, thousands of streaming instances, consider the number of EC2 instances that are also used in the same Region.

**Subnets**
+ If you are configuring more than one private subnet for your VPC, configure each in a different Availability Zone. Doing so increases fault tolerance and can help prevent insufficient capacity errors. If you use two subnets in the same AZ, you might run out of IP addresses, because WorkSpaces Applications will not use the second subnet.
+ Make sure that the network resources required for your applications are accessible through both of your private subnets. 
+ Configure each of your private subnets with a subnet mask that allows for enough client IP addresses to account for the maximum number of expected concurrent users. In addition, allow for additional IP addresses to account for anticipated growth. For more information, see [VPC and Subnet Sizing for IPv4](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#vpc-sizing-ipv4).
+ If you are using a VPC with NAT, configure at least one public subnet with a NAT Gateway for internet access, preferably two. Configure the public subnets in the same Availability Zones where your private subnets reside. 

  To enhance fault tolerance and reduce the chance of insufficient capacity errors for large WorkSpaces Applications fleet deployments, consider extending your VPC configuration into a third Availability Zone. Include a private subnet, public subnet, and NAT gateway in this additional Availability Zone.
+ If you enable the auto-assign IPv6 option for your subnet, the elastic network interface for each of your instances is automatically assigned a global IPv6 address. For more information, see [modify-subnet](https://docs.aws.amazon.com/cli/latest/reference/ec2/modify-subnet-attribute.html).
+ Enabling default internet access applies only to IPv4 addresses in IPv4-only or dual-stack subnets. To allow internet access for IPv6 addresses, add an internet gateway or an egress-only internet gateway. For more information, see [egress-only-internet-gateway](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html).
**Note**  
By default, IPv6 addresses are globally addressable. If your subnet has an internet gateway, and the appropriate subnet groups and ACL rules allow IPv6 traffic, your streaming instances can connect to the internet with an IPv6 address.
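
The sizing recommendations above can be checked before any subnet is created. The following is an added example, not code from the AWS documentation: it reviews a planned pair of private subnets against the rules on this page (one instance per user, a different Availability Zone per subnet, enough addresses in each subnet, the 100-instance Default Internet Access limit, and the default 5000 network interfaces per Region). The function names, the plan format, and the sample CIDR blocks are assumptions made for illustration; the five reserved addresses per subnet is standard Amazon VPC behavior.

```python
import ipaddress
import math

AWS_RESERVED_PER_SUBNET = 5    # Amazon VPC reserves the first four addresses and the last one
DIA_MAX_FLEET_INSTANCES = 100  # Default Internet Access limit stated on this page
DEFAULT_ENI_LIMIT = 5000       # default network interfaces per Region stated on this page


def usable_addresses(cidr):
    """IPv4 addresses in a subnet that streaming instances can actually receive."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def review_fleet_plan(subnets, max_concurrent_users, growth_factor=1.0,
                      default_internet_access=False, other_enis_in_region=0):
    """Return a list of findings; an empty list means the plan meets the recommendations."""
    findings = []
    # One user requires one fleet instance, so users (plus growth) equals instances.
    needed = math.ceil(max_concurrent_users * growth_factor)

    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if ipaddress.ip_network(a["cidr"]).overlaps(ipaddress.ip_network(b["cidr"])):
                findings.append(f"overlap: {a['cidr']} and {b['cidr']} are not unique ranges")
            if a["az"] == b["az"]:
                findings.append(f"same-az: {a['cidr']} and {b['cidr']} are both in {a['az']}; "
                                "the second subnet will not be used")

    # Each private subnet should hold the full expected load on its own.
    for s in subnets:
        have = usable_addresses(s["cidr"])
        if have < needed:
            findings.append(f"capacity: {s['cidr']} has {have} usable addresses, plan needs {needed}")

    if default_internet_access and needed > DIA_MAX_FLEET_INSTANCES:
        findings.append(f"dia-limit: {needed} instances exceeds the {DIA_MAX_FLEET_INSTANCES}-instance "
                        "Default Internet Access limit; use private subnets with a NAT gateway")

    if needed + other_enis_in_region > DEFAULT_ENI_LIMIT:
        findings.append(f"eni-limit: {needed + other_enis_in_region} network interfaces exceeds "
                        f"the default Regional limit of {DEFAULT_ENI_LIMIT}")
    return findings


# Constructed sample plans (not real resources).
SAMPLE_GOOD = [
    {"cidr": "10.0.1.0/24", "az": "us-east-1a"},
    {"cidr": "10.0.2.0/24", "az": "us-east-1b"},
]
SAMPLE_BAD = [
    {"cidr": "10.0.1.0/24", "az": "us-east-1a"},
    {"cidr": "10.0.1.128/25", "az": "us-east-1a"},
]

if __name__ == "__main__":
    print(review_fleet_plan(SAMPLE_GOOD, 200))
    for finding in review_fleet_plan(SAMPLE_BAD, 300, default_internet_access=True):
        print(finding)
```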

**Security Groups**
+ Use security groups to provide additional access control to your VPC. 

  Security groups that belong to your VPC let you control the network traffic between WorkSpaces Applications streaming instances and network resources required by applications. These resources may include other AWS services such as Amazon RDS or Amazon FSx, license servers, database servers, file servers, and application servers.
+ Make sure that the security groups provide access to the network resources that your applications require.

  For more information about configuring security groups for WorkSpaces Applications, see [Security Groups in Amazon WorkSpaces Applications](managing-network-security-groups.md). For general information about security groups, see [Security Groups for Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups) in the *Amazon VPC User Guide*.

# Configure a VPC with Private Subnets and a NAT Gateway
<a name="managing-network-internet-NAT-gateway"></a>

If you plan to provide your streaming instances (fleet instances, app block builders, and image builders) with access to the internet, we recommend that you configure a VPC with two private subnets for your streaming instances and a NAT gateway in a public subnet. You can create and configure a new VPC to use with a NAT gateway, or add a NAT gateway to an existing VPC. For additional VPC configuration recommendations, see [VPC Setup Recommendations](vpc-setup-recommendations.md).

The NAT gateway lets the streaming instances in your private subnets connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. In addition, unlike configurations that use the **Default Internet Access** option for enabling internet access for WorkSpaces Applications streaming instances, this configuration is not limited to 100 fleet instances.

For information about using NAT Gateways and this configuration, see [NAT Gateways](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) and [VPC with Public and Private Subnets (NAT)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html) in the *Amazon VPC User Guide*.

**Topics**
+ [Create and Configure a New VPC](create-configure-new-vpc-with-private-public-subnets-nat.md)
+ [Add a NAT Gateway to an Existing VPC](add-nat-gateway-existing-vpc.md)
+ [Enable Internet Access for Your Fleet, Image Builder, or App Block Builder in Amazon WorkSpaces Applications](managing-network-manual-enable-internet-access.md)

# Create and Configure a New VPC
<a name="create-configure-new-vpc-with-private-public-subnets-nat"></a>

This topic describes how to use the VPC wizard to create a VPC with a public subnet and one private subnet. As part of this process, the wizard creates an internet gateway and a NAT gateway. It also creates a custom route table associated with the public subnet and updates the main route table associated with the private subnet. The NAT gateway is automatically created in the public subnet of your VPC.

After you use the wizard to create the initial VPC configuration, you'll add a second private subnet. For more information about this configuration, see [VPC with Public and Private Subnets (NAT)](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html) in the *Amazon VPC User Guide*.

**Note**  
If you already have a VPC, complete the steps in [Add a NAT Gateway to an Existing VPC](add-nat-gateway-existing-vpc.md) instead.

**Topics**
+ [Step 1: Allocate an Elastic IP Address](#allocate-elastic-ip)
+ [Step 2: Create a New VPC](#vpc-with-private-and-public-subnets-nat)
+ [Step 3: Add a Second Private Subnet](#vpc-with-private-and-public-subnets-add-private-subnet-nat)
+ [Step 4: Verify and Name Your Subnet Route Tables](#verify-name-route-tables)

## Step 1: Allocate an Elastic IP Address
<a name="allocate-elastic-ip"></a>

Before you create your VPC, you must allocate an Elastic IP address in your WorkSpaces Applications Region. You must first allocate an Elastic IP address for use in your VPC, and then associate it with your NAT gateway. For more information, see [Elastic IP Addresses](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html) in the *Amazon VPC User Guide*.

**Note**  
Charges may apply to Elastic IP addresses that you use. For more information, see [Elastic IP Addresses](https://aws.amazon.com/ec2/pricing/on-demand/#Elastic_IP_Addresses) on the Amazon EC2 pricing page.

Complete the following steps if you don't already have an Elastic IP address. If you want to use an existing Elastic IP address, verify that it's not currently associated with another instance or network interface.

**To allocate an Elastic IP address**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, under **Network & Security**, choose **Elastic IPs**.

1. Choose **Allocate New Address**, and then choose **Allocate**.

1. Note the Elastic IP address.

1. In the upper right of the **Elastic IPs** pane, click the X icon to close the pane.

## Step 2: Create a New VPC
<a name="vpc-with-private-and-public-subnets-nat"></a>

Complete the following steps to create a new VPC with a public subnet and one private subnet.

**To create a new VPC**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. In the navigation pane, choose **VPC Dashboard**.

1. Choose **Launch VPC Wizard**.

1. In **Step 1: Select a VPC Configuration**, choose **VPC with Public and Private Subnets**, and then choose **Select**.

1. In **Step 2: VPC with Public and Private Subnets**, configure the VPC as follows:
   + For **IPv4 CIDR block**, specify an IPv4 CIDR block for the VPC.
   + For **IPv6 CIDR block**, keep the default value, **No IPv6 CIDR Block**.
   + For **VPC name**, type a unique name for the VPC.

1. Configure the public subnet as follows:
   + For **Public subnet's IPv4 CIDR**, specify the CIDR block for the subnet.
   + For **Availability Zone**, keep the default value, **No Preference**.
   + For **Public subnet name**, type a name for the subnet; for example, `AppStream2 Public Subnet`.

1. Configure the first private subnet as follows:
   + For **Private subnet's IPv4 CIDR**, specify the CIDR block for the subnet. Make a note of the value that you specify.
   + For **Availability Zone**, select a specific zone and make a note of the zone that you select.
   + For **Private subnet name**, type a name for the subnet; for example, `AppStream2 Private Subnet1`.
   + For the remaining fields, where applicable, keep the default values.

1. For **Elastic IP Allocation ID**, click in the text box and select the value that corresponds to the Elastic IP address that you created. This address is assigned to the NAT gateway. If you don't have an Elastic IP address, create one by using the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. For **Service endpoints**, if an Amazon S3 endpoint is required for your environment, specify one. An S3 endpoint is required to provide users with access to [home folders](home-folders.md) or to enable [application settings persistence](app-settings-persistence.md) for your users in a private network.

   To specify an Amazon S3 endpoint, do the following:

   1. Choose **Add Endpoint**.

   1. For **Service**, select the entry in the list that ends with "s3" (the `com.amazonaws.`*region*`.s3` entry that corresponds to the Region in which the VPC is being created).

   1. For **Subnet**, choose **Private subnet**.

   1. For **Policy**, keep the default value, **Full Access**.

1. For **Enable DNS hostnames**, keep the default value, **Yes**.

1. For **Hardware tenancy**, keep the default value, **Default**.

1. Choose **Create VPC**.

1. Note that it takes several minutes to set up your VPC. After the VPC is created, choose **OK**.

## Step 3: Add a Second Private Subnet
<a name="vpc-with-private-and-public-subnets-add-private-subnet-nat"></a>

In the previous step ([Step 2: Create a New VPC](#vpc-with-private-and-public-subnets-nat)), you created a VPC with one public subnet and one private subnet. Perform the following steps to add a second private subnet. We recommend that you add a second private subnet in a different Availability Zone than your first private subnet. 

1. In the navigation pane, choose **Subnets**.

1. Select the first private subnet that you created in the previous step. On the **Description** tab, below the list of subnets, make a note of the Availability Zone for this subnet.

1. On the upper left of the subnets pane, choose **Create Subnet**.

1. For **Name tag**, type a name for the private subnet; for example, `AppStream2 Private Subnet2`. 

1. For **VPC**, select the VPC that you created in the previous step.

1. For **Availability Zone**, select an Availability Zone other than the one you are using for your first private subnet. Selecting a different Availability Zone increases fault tolerance and helps prevent insufficient capacity errors.

1. For **IPv4 CIDR block**, specify a unique CIDR block range for the new subnet. For example, if your first private subnet has an IPv4 CIDR block range of `10.0.1.0/24`, you could specify a CIDR block range of `10.0.2.0/24` for the new private subnet.

1. Choose **Create**.

1. After your subnet is created, choose **Close**.

## Step 4: Verify and Name Your Subnet Route Tables
<a name="verify-name-route-tables"></a>

After you've created and configured your VPC, complete the following steps to specify a name for your route tables, and to verify that:
+ The route table associated with the subnet in which your NAT gateway resides includes a route that points internet traffic to an internet gateway. This ensures that your NAT gateway can access the internet.
+ The route tables associated with your private subnets are configured to point internet traffic to the NAT gateway. This enables the streaming instances in your private subnets to communicate with the internet.

1. In the navigation pane, choose **Subnets**, and select the public subnet that you created; for example, `AppStream2 Public Subnet`.

   1. On the **Route Table** tab, choose the ID of the route table; for example, `rtb-12345678`.

   1. Select the route table. Under **Name**, choose the edit icon (the pencil), and type a name (for example, `appstream2-public-routetable`), and then select the check mark to save the name.

   1. With the public route table still selected, on the **Routes** tab, verify that there is one route for local traffic and another route that sends all other traffic to the internet gateway for the VPC. The following table describes these two routes:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appstream2/latest/developerguide/create-configure-new-vpc-with-private-public-subnets-nat.html)

1. In the navigation pane, choose **Subnets**, and select the first private subnet that you created (for example, `AppStream2 Private Subnet1`).

   1. On the **Route Table** tab, choose the ID of the route table.

   1. Select the route table. Under **Name**, choose the edit icon (the pencil), and enter a name (for example, `appstream2-private-routetable`), and then choose the check mark to save the name.

   1. On the **Routes** tab, verify that the route table includes the following routes:    
[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/appstream2/latest/developerguide/create-configure-new-vpc-with-private-public-subnets-nat.html)

1. In the navigation pane, choose **Subnets**, and select the second private subnet that you created (for example, `AppStream2 Private Subnet2`). 

1. On the **Route Table** tab, verify that the route table is the private route table (for example, `appstream2-private-routetable`). If the route table is different, choose **Edit** and select this route table.
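
The same verification can be run over exported route data instead of the console. The following is an added example, not code from the AWS documentation: it takes records shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` and checks the two conditions listed at the start of this step. It also handles subnets that have no explicit association and therefore use the main route table, and default routes left in the `blackhole` state. The function names and all resource IDs in the sample data are constructed placeholders.

```python
import copy

DEFAULT_V4 = "0.0.0.0/0"


def default_route(table):
    """Classify a route table's IPv4 default route: igw, nat, blackhole, other or none."""
    for route in (table or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_V4:
            continue
        target = route.get("NatGatewayId") or route.get("GatewayId")
        if route.get("State") != "active":
            return "blackhole", target       # target was deleted; traffic is dropped
        if route.get("NatGatewayId"):
            return "nat", target
        if str(target).startswith("igw-"):
            return "igw", target
        return "other", target
    return "none", None


def table_for_subnet(route_tables, subnet_id):
    """Explicitly associated table if there is one, otherwise the VPC's main table."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def verify_layout(route_tables, nat_gateways, public_subnets, private_subnets):
    """Return findings for subnets whose routing does not match the NAT design."""
    findings = []
    nat_home = {n["NatGatewayId"]: n["SubnetId"] for n in nat_gateways}
    for subnet in public_subnets:
        kind, _ = default_route(table_for_subnet(route_tables, subnet))
        if kind != "igw":
            findings.append(f"{subnet}: public subnet default route is '{kind}', expected igw")
    for subnet in private_subnets:
        kind, target = default_route(table_for_subnet(route_tables, subnet))
        if kind == "igw":
            findings.append(f"{subnet}: private subnet routes directly to {target}; it is a public subnet")
        elif kind != "nat":
            findings.append(f"{subnet}: private subnet default route is '{kind}', expected nat")
        else:
            home = nat_home.get(target)
            home_kind, _ = default_route(table_for_subnet(route_tables, home)) if home else ("unknown", None)
            if home_kind != "igw":
                findings.append(f"{subnet}: {target} sits in a subnet whose default route is "
                                f"'{home_kind}', so the NAT gateway cannot reach the internet")
    return findings


# Constructed sample data in the shape of the describe-* output (IDs are placeholders).
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-example",
     "Associations": [{"Main": False, "SubnetId": "subnet-public-example"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_V4, "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-private-example",   # main table: private subnets use it implicitly
     "Associations": [{"Main": True}],
     "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_V4, "NatGatewayId": "nat-example", "State": "active"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-example", "SubnetId": "subnet-public-example"}]
PUBLIC = ["subnet-public-example"]
PRIVATE = ["subnet-private1-example", "subnet-private2-example"]


def broken_route_tables():
    """Constructed misconfiguration: NAT route blackholed, second subnet on a stray public table."""
    tables = copy.deepcopy(ROUTE_TABLES)
    tables[1]["Routes"][1]["State"] = "blackhole"
    tables.append({"RouteTableId": "rtb-stray-example",
                   "Associations": [{"Main": False, "SubnetId": "subnet-private2-example"}],
                   "Routes": [LOCAL, {"DestinationCidrBlock": DEFAULT_V4,
                                      "GatewayId": "igw-example", "State": "active"}]})
    return tables


if __name__ == "__main__":
    print(verify_layout(ROUTE_TABLES, NAT_GATEWAYS, PUBLIC, PRIVATE))
    for finding in verify_layout(broken_route_tables(), NAT_GATEWAYS, PUBLIC, PRIVATE):
        print(finding)
```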

**Next Steps**

To enable your fleet instances, app block builders, and image builders to access the internet, complete the steps in [Enable Internet Access for Your Fleet, Image Builder, or App Block Builder in Amazon WorkSpaces Applications](managing-network-manual-enable-internet-access.md).

# Add a NAT Gateway to an Existing VPC
<a name="add-nat-gateway-existing-vpc"></a>

If you have already configured a VPC, complete the following steps to add a NAT gateway to your VPC. If you need to create a new VPC, see [Create and Configure a New VPC](create-configure-new-vpc-with-private-public-subnets-nat.md).

**To add a NAT gateway to an existing VPC**

1. To create your NAT gateway, complete the steps in [Creating a NAT Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html#nat-gateway-creating) in the *Amazon VPC User Guide*.

1. Verify that your VPC has at least one private subnet. We recommend that you specify two private subnets from different Availability Zones for high availability and fault tolerance. For information about how to create a second private subnet, see [Step 3: Add a Second Private Subnet](create-configure-new-vpc-with-private-public-subnets-nat.md#vpc-with-private-and-public-subnets-add-private-subnet-nat).

1. Update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway. This enables the streaming instances in your private subnets to communicate with the internet. To do so, complete the steps in [Configure route tables](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html).

**Next Steps**

To enable your fleet instances, app block builders, and image builders to access the internet, complete the steps in [Enable Internet Access for Your Fleet, Image Builder, or App Block Builder in Amazon WorkSpaces Applications](managing-network-manual-enable-internet-access.md).

# Enable Internet Access for Your Fleet, Image Builder, or App Block Builder in Amazon WorkSpaces Applications
<a name="managing-network-manual-enable-internet-access"></a>

After your NAT gateway is available on a VPC, you can enable internet access for your fleet, image builder, and app block builder.

**Note**  
When working with IPv6-only subnets, default internet access cannot be enabled. You need to set up an egress-only internet gateway and configure a route table to allow outbound internet traffic. For more information, see the [steps](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html). You also need to enable auto-assign IPv6 addresses for your subnets. The egress-only internet gateway handles outbound internet traffic only, so if you need inbound access, you still need a regular internet gateway. You can find more details in the [egress-only internet gateway documentation](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html). Ensure that appropriate security and networking controls exist to prevent accidental inbound or outbound access for your subnets.

**Topics**
+ [Enable Internet Access for Your Fleet in Amazon WorkSpaces Applications](managing-network-manual-fleet-enable-internet-access-fleet.md)
+ [Enable Internet Access for Your Image Builder in Amazon WorkSpaces Applications](managing-network-manual-enable-internet-access-image-builder.md)
+ [Enable Internet Access for Your App Block Builder in Amazon WorkSpaces Applications](managing-network-enable-internet-access-app-block-builder.md)

# Enable Internet Access for Your Fleet in Amazon WorkSpaces Applications
<a name="managing-network-manual-fleet-enable-internet-access-fleet"></a>

You can enable internet access either when you create the fleet or later.

**To enable internet access at fleet creation**

1. Complete the steps in [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md) up to **Step 4: Configure Network**.

1. Choose a VPC with a NAT gateway.

1. If the subnet fields are empty, select a private subnet for **Subnet 1** and, optionally, another private subnet for **Subnet 2**. If you don't already have a private subnet in your VPC, you may need to create a second private subnet.

1. Continue with the steps in [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md).

**To enable internet access after fleet creation by using a NAT gateway**

1. In the navigation pane, choose **Fleets**.

1. Select a fleet and verify that the state is **Stopped**.

1. Choose **Fleet Details**, **Edit**, and choose a VPC with a NAT gateway.

1. Choose a private subnet for **Subnet 1** and, optionally, another private subnet for **Subnet 2**. If you don't already have a private subnet in your VPC, you may need to [create a second private subnet](create-configure-new-vpc-with-private-public-subnets-nat.md#vpc-with-private-and-public-subnets-add-private-subnet-nat). 

1. Choose **Update**.

You can test your internet connectivity by starting your fleet, and then connecting to your streaming instance and browsing to the internet. 

# Enable Internet Access for Your Image Builder in Amazon WorkSpaces Applications
<a name="managing-network-manual-enable-internet-access-image-builder"></a>

If you plan to enable internet access for your image builder, you must do so when you create the image builder.

**To enable internet access for an image builder**

1. Complete the steps in [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md), up to **Step 3: Configure Network**.

1. Choose the VPC with a NAT gateway.

1. If **Subnet** is empty, select a subnet.

1. Continue with the steps in [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md).

# Enable Internet Access for Your App Block Builder in Amazon WorkSpaces Applications
<a name="managing-network-enable-internet-access-app-block-builder"></a>

If you plan to enable internet access for your app block builder, you must do so when you create the app block builder.

**To enable internet access for an app block builder**

1. Complete the steps in [Create an App Block Builder](create-app-block-builder.md) up to **Step 2: Configure Network**.

1. Choose the VPC with a NAT gateway.

1. If **Subnet** is empty, select a subnet.

1. Continue with the steps in [Create an App Block Builder](create-app-block-builder.md).

# Configure a New or Existing VPC with a Public Subnet
<a name="managing-network-default-internet-access"></a>

If you created your Amazon Web Services account after 2013-12-04, you have a [default VPC](default-vpc-with-public-subnet.md) in each AWS Region that includes default public subnets. However, you may want to create your own nondefault VPC or configure an existing VPC to use with WorkSpaces Applications. This topic describes how to configure a nondefault VPC and public subnet to use with WorkSpaces Applications.

After you configure your VPC and public subnet, you can provide your streaming instances (fleet instances and image builders) with access to the internet by enabling the **Default Internet Access** option. When you enable this option, WorkSpaces Applications enables internet connectivity by associating an [Elastic IP address](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/elastic-ip-addresses-eip.html) to the network interface that is attached from the streaming instance to your public subnet. An Elastic IP address is a public IPv4 address that is reachable from the internet. For this reason, we recommend that you instead use a NAT gateway to provide internet access to your WorkSpaces Applications instances. In addition, when **Default Internet Access** is enabled, a maximum of 100 fleet instances is supported. If your deployment must support more than 100 concurrent users, use the [NAT gateway configuration](managing-network-internet-NAT-gateway.md) instead.

For more information, see the steps in [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md). For additional VPC configuration recommendations, see [VPC Setup Recommendations](vpc-setup-recommendations.md).

**Topics**
+ [Step 1: Configure a VPC with a Public Subnet](#vpc-with-public-subnet)
+ [Step 2: Enable Default Internet Access for Your Fleet, Image Builder, or App Block Builder](#managing-network-enable-default-internet-access)

## Step 1: Configure a VPC with a Public Subnet
<a name="vpc-with-public-subnet"></a>

You can configure your own non-default VPC with a public subnet by using either of the following methods:
+ [Create a New VPC with a Single Public Subnet](#new-vpc-with-public-subnet)
+ [Configure an Existing VPC](#existing-vpc-with-public-subnet)

**Note**  
When working with IPv6-only subnets, default internet access cannot be enabled. You need to set up an egress-only internet gateway and configure a route table to allow outbound internet traffic. For more information, see the [steps](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html). You also need to enable auto-assign IPv6 addresses for your subnets. The egress-only internet gateway handles outbound internet traffic only, so if you need inbound access, you still need a regular internet gateway. You can find more details in the [egress-only internet gateway documentation](https://docs.aws.amazon.com/vpc/latest/userguide/egress-only-internet-gateway.html).

### Create a New VPC with a Single Public Subnet
<a name="new-vpc-with-public-subnet"></a>

When you use the VPC wizard to create a new VPC, the wizard creates an internet gateway and a custom route table that is associated with the public subnet. The route table routes all traffic destined for an address outside the VPC to the internet gateway. For more information about this configuration, see [VPC with a Single Public Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario1.html) in the *Amazon VPC User Guide*.

1. Complete the steps in [Step 1: Create the VPC](https://docs.aws.amazon.com/vpc/latest/userguide/getting-started-ipv4.html#getting-started-create-vpc) in the *Amazon VPC User Guide* to create your VPC.

1. To enable your fleet instances and image builders to access the internet, complete the steps in [Step 2: Enable Default Internet Access for Your Fleet, Image Builder, or App Block Builder](#managing-network-enable-default-internet-access).

### Configure an Existing VPC
<a name="existing-vpc-with-public-subnet"></a>

If you want to use an existing VPC that does not have a public subnet, you can add a new public subnet. In addition to a public subnet, you must also have an internet gateway attached to your VPC and a route table that routes all traffic destined for an address outside the VPC to the internet gateway. To configure these components, complete the following steps.

1. To add a public subnet, complete the steps in [Creating a Subnet in Your VPC](https://docs.aws.amazon.com/vpc/latest/userguide/working-with-vpcs.html#AddaSubnet). Use the existing VPC that you plan to use with WorkSpaces Applications.

   If your VPC is configured to support IPv6 addressing, the **IPv6 CIDR block** list displays. Select **Don't assign Ipv6**.

1. To create and attach an internet gateway to your VPC, complete the steps in [Creating and Attaching an Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Attach_Gateway). 

1. To configure your subnet to route internet traffic through the internet gateway, complete the steps in [Creating a Custom Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Routing). In step 5, for **Destination**, use IPv4 format (`0.0.0.0/0`).

1. To enable your fleet instances and image builders to access the internet, complete the steps in [Step 2: Enable Default Internet Access for Your Fleet, Image Builder, or App Block Builder](#managing-network-enable-default-internet-access).

## Step 2: Enable Default Internet Access for Your Fleet, Image Builder, or App Block Builder
<a name="managing-network-enable-default-internet-access"></a>

After you configure a VPC that has a public subnet, you can enable the **Default Internet Access** option for your fleet and image builder.

### Enable Default Internet Access for a Fleet
<a name="managing-network-internet-dia-fleet"></a>

You can enable the **Default Internet Access** option when you create the fleet, or later.

**Note**  
For fleet instances that have the **Default Internet Access** option enabled, the limit is 100.

**To enable internet access at fleet creation**

1. Complete the steps in [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md) up to **Step 4: Configure Network**.

1. Select the **Default Internet Access** check box.

1. If the subnet fields are empty, select a subnet for **Subnet 1** and, optionally, **Subnet 2**.

1. Continue with the steps in [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md).

**To enable internet access after fleet creation**

1. In the navigation pane, choose **Fleets**.

1. Select a fleet and verify that its state is **Stopped**.

1. Choose **Fleet Details**, **Edit**, then select the **Default Internet Access** check box.

1. Choose a subnet for **Subnet 1** and, optionally, **Subnet 2**. Choose **Update**.

You can test internet connectivity by starting your fleet, creating a stack, associating the fleet with the stack, and browsing the internet within a streaming session for the stack. For more information, see [Create an Amazon WorkSpaces Applications Fleet and Stack](set-up-stacks-fleets.md).

### Enable Default Internet Access for an Image Builder
<a name="managing-network-internet-dia-image-builder"></a>

After you configure a VPC that has a public subnet, you can enable the **Default Internet Access** option for your image builder. You can do so when you create the image builder.

**To enable internet access for an image builder**

1. Complete the steps in [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md) up to **Step 3: Configure Network**.

1. Select the **Default Internet Access** check box.

1. If **Subnet 1** is empty, select a subnet.

1. Continue with the steps in [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md).

### Enable Default Internet Access for an App Block Builder
<a name="managing-network-internet-app-block-builder"></a>

After you configure a VPC that has a public subnet, you can enable the **Default Internet Access** option for your app block builder. You can do so when you create the app block builder.

**To enable internet access for an app block builder**

1. Follow the steps in [Create an App Block Builder](create-app-block-builder.md), up to **Step 2: Configure Network**.

1. Select the **Default Internet Access** check box.

1. If **Subnet** is empty, select a subnet.

1. Continue with the steps in [Create an App Block Builder](create-app-block-builder.md).

# Use the Default VPC, Public Subnet, and Security Group
<a name="default-vpc-with-public-subnet"></a>

Your Amazon Web Services account, if it was created after 2013-12-04, has a default VPC in each AWS Region. The default VPC includes a default public subnet in each Availability Zone and an internet gateway that is attached to your VPC. The VPC also includes a default security group. If you are new to WorkSpaces Applications and want to get started using the service, you can keep the default VPC and security group selected when you create a fleet, create an app block builder, or launch an image builder. Then, you can select at least one default subnet.

**Note**  
If your Amazon Web Services account was created before 2013-12-04, you must create a new VPC or configure an existing one to use with WorkSpaces Applications. We recommend that you manually configure a VPC with two private subnets for your fleets, app block builders, and image builders and a NAT gateway in a public subnet. For more information, see [Configure a VPC with Private Subnets and a NAT Gateway](managing-network-internet-NAT-gateway.md). Alternatively, you can configure a non-default VPC with a public subnet. For more information, see [Configure a New or Existing VPC with a Public Subnet](managing-network-default-internet-access.md).

**To use the default VPC, subnet, and security group for a fleet**

1. Complete the steps in [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md) up to **Step 4: Configure Network**.

1. In **Step 4: Configure Network**, do the following:
   + To enable your fleet instances to access the internet, select the **Default Internet Access** check box.
     **Note**  
     For fleet instances that have the **Default Internet Access** option enabled, the limit is 100.
   + For **VPC**, choose the default VPC for your AWS Region.

     The default VPC name uses the following format: `vpc-`*vpc-id*` (No_default_value_Name)`.
   + For **Subnet 1**, choose a default public subnet and make a note of the Availability Zone. 

     The default subnet names use the following format: `subnet-`*subnet-id*` | (`*IPv4 CIDR block*`) | Default in` *availability-zone*.
   + Optionally, for **Subnet 2**, choose a default subnet in a different Availability Zone.
   + For **Security groups**, select the default security group.

     The default security group name uses the following format: `sg-`*security-group-id*`-default`

1. Continue with the steps in [Create a Fleet in Amazon WorkSpaces Applications](set-up-stacks-fleets-create.md).

Complete the following steps to use the default VPC, subnet, and security group for an image builder.

**To use the default VPC, subnet, and security group for an image builder**

1. Follow the steps in [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md) up to **Step 3: Configure Network**.

1. In **Step 3: Configure Network**, do the following:
   + To enable your image builder to access the internet, select the **Default Internet Access** check box.
   + For **VPC**, choose the default VPC for your AWS Region.

     The default VPC name uses the following format: `vpc-`*vpc-id*` (No_default_value_Name)`.
   + For **Subnet 1**, choose a default public subnet.

     The default subnet names use the following format: `subnet-`*subnet-id*` | (`*IPv4 CIDR block*`) | Default in` *availability-zone*.
   + For **Security groups**, select the default security group.

     The default security group name uses the following format: `sg-`*security-group-id*`-default`

1. Continue with the steps in [Launch an Image Builder to Install and Configure Streaming Applications](tutorial-image-builder-create.md).

Complete the following steps to use the default VPC, subnet, and security group for an app block builder.

**To use the default VPC, subnet, and security group for an app block builder**

1. Follow the steps in [Create an App Block Builder](create-app-block-builder.md), up to **Step 2: Configure Network**.

1. In **Step 2: Configure Network**, do the following:
   + To enable your app block builder to access the internet, select the **Default Internet Access** check box.
   + For **VPC**, choose the default VPC for your AWS Region.

     The default VPC name uses the following format: `vpc-`*vpc-id*` (No_default_value_Name)`.
   + For **Subnet 1**, choose a default public subnet.

     The default subnet names use the following format: `subnet-`*subnet-id*` | (`*IPv4 CIDR block*`) | Default in` *availability-zone*.
   + For **Security groups**, select the default security group.

     The default security group name uses the following format: `sg-`*security-group-id*`-default`

1. Continue with the steps in [Create an App Block Builder](create-app-block-builder.md).