Controlling Network Traffic

When you launch an Amazon AppStream streaming instance, you launch it into a subnet in your VPC. You can deploy streaming instances in a private subnet if they should not be accessible from the internet.

To provide internet access to your streaming instances in a private subnet, use a NAT gateway. For more information, see Configure a VPC with Private Subnets and a NAT Gateway.

Security groups that belong to your VPC let you control the network traffic between AppStream 2.0 streaming instances and VPC resources such as license servers, file servers, and database servers. Security groups also isolate traffic between your streaming instances and AppStream 2.0 management services.

Use security groups to restrict access to your streaming instances. For example, you can allow traffic only from the address ranges for your corporate network. For more information, see Security Groups in Amazon AppStream 2.0.

You can stream from AppStream 2.0 streaming instances in your VPC without going through the public internet. To do so, use an interface VPC endpoint (interface endpoint). For more information, see Tutorial: Creating and Streaming from Interface VPC Endpoints.

You can also call AppStream 2.0 API operations from your VPC without sending traffic over the public internet by using an interface endpoint. For more information, see Access AppStream 2.0 API Operations and CLI Commands Through an Interface VPC Endpoint.

Use IAM roles and policies to manage administrator access to AppStream 2.0, Application Auto Scaling, and Amazon S3 buckets. For more information, see the following topics:

You can use SAML 2.0 to federate authentication to AppStream 2.0. For more information, see Amazon AppStream 2.0 Service Quotas.