
Ports and Protocols Required for AppStream 2.0

Network and OS rules that need to be in place for successful connectivity to AppStream 2.0

Asriel A.
Amazon Employee
Published Oct 9, 2024
Last Modified Dec 12, 2024
As an AWS EUC Specialist Solutions Architect, I'm often asked by customers about the best practices for configuring networking, security, and Active Directory for their Amazon AppStream 2.0 deployments. In this post, I'll provide a comprehensive guide to help you properly set up these critical elements to ensure a seamless and secure user experience.
We'll cover the key considerations for your endpoint network configuration, the optimal setup for your AppStream 2.0 fleet instances, the requirements for domain-joined fleets, and the necessary configurations for the Streaming VPC Endpoint. By the end, you'll have a clear understanding of the steps needed to get your AppStream 2.0 environment up and running smoothly.

Endpoint Network Configuration

Customers often have outbound firewall restrictions from their offices. AppStream 2.0 requires certain ports and protocols to be allowlisted through those devices for connectivity. If your users connect to AppStream 2.0 from an unrestricted network, you can skip this section. Otherwise, ensure the following are reachable from the network the endpoint devices connect from. If the firewall rules are not stateful, you also need to allow the ephemeral port range inbound to the endpoints (TCP 1024-65535) so that return traffic is accepted.
Port/Protocol | URL (if required) | Notes
TCP 443 | | HTTPS communication between AppStream 2.0 users' devices and streaming instances when using the internet endpoints. When end users browse the web during streaming sessions, the web browser typically selects a random source port in the high range for streaming traffic; return traffic to that port must be allowed.
UDP 53 | | Communication between AppStream 2.0 users' devices and your DNS servers. Open this port to the IP addresses of your DNS servers so that public domain names can be resolved. Optional if you are not using DNS servers for name resolution.
UDP 8433 | | UDP HTTPS communication between AppStream 2.0 users' devices and streaming instances when using the internet endpoints. Currently supported only in the Windows native client. UDP is not supported if you are using VPC endpoints.
TCP 443 | *.amazonappstream.com | Session gateway. Must be allowed together with the user authentication domains on the next row.
TCP 443 | *.appstream2.<region>.aws.amazon.com | One or more of these domains must be allowed to enable user authentication. Allow the domains and subdomains that correspond to the Regions where AppStream 2.0 is deployed. See Allowed Domains in the Administration Guide for the full list.
TCP 1400-1499 | IP address of the streaming VPC endpoint | Only required if you use the Streaming VPC Endpoint (see that section below).
If your users use a network proxy to access streaming instances, disable any proxy caching for the user auth domains in the table and the session gateway, *.amazonappstream.com.
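The following is an added example, not code from the original post: a PowerShell check that an end-user device inside the restricted network can reach what the table above requires. It tests DNS resolution through each configured resolver (UDP 53), TCP 443 to the authentication and session-gateway hosts, and, when a streaming VPC endpoint is in use, every port in TCP 1400-1499. The hostnames, DNS server and endpoint IP in the usage call are placeholders; substitute the concrete hostnames for your Region from the Allowed Domains list.

```powershell
# Added example (not from the original post): run on an end-user device inside
# the restricted network to confirm the allowlist above. Hostnames, DNS server
# and endpoint IP in the usage call are placeholders.

function Test-TcpPort {
    # TCP connect with a timeout, so a whole port range can be swept quickly.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws when the connection is refused
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function New-CheckResult {
    param([string]$Check, $Pass, [string]$Detail = '')
    [pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-AppStreamEndpointAccess {
    param(
        # Concrete hosts under *.amazonappstream.com and *.appstream2.<region>.aws.amazon.com
        [string[]]$AuthHosts,
        # Resolvers the device is configured to use; UDP 53 must reach them
        [string[]]$DnsServers = @(),
        # Interface VPC endpoint IP, only when the streaming VPC endpoint is used
        [string]$StreamingEndpointIp
    )
    $results = @()
    foreach ($h in $AuthHosts) {
        foreach ($dns in $DnsServers) {
            # -DnsOnly bypasses the local cache and hosts file, so this really exercises UDP 53
            $answer = Resolve-DnsName -Name $h -Type A -Server $dns -DnsOnly -ErrorAction SilentlyContinue
            $results += New-CheckResult "UDP 53 to $dns (resolve $h)" ($null -ne $answer)
        }
        $results += New-CheckResult "TCP 443 to $h" (Test-TcpPort $h 443)
    }
    # A closed UDP port never answers, so UDP 8433 cannot be confirmed by a connect test;
    # it is reported as not tested rather than as a pass or fail.
    $results += New-CheckResult 'UDP 8433 (Windows native client)' 'not tested' 'verify on the firewall'

    if ($StreamingEndpointIp) {
        # Every port in 1400-1499 must be open; report the closed ones
        $closed = @(1400..1499 | Where-Object { -not (Test-TcpPort $StreamingEndpointIp $_ 1000) })
        $results += New-CheckResult "TCP 1400-1499 to $StreamingEndpointIp" ($closed.Count -eq 0) `
            $(if ($closed) { "closed: $($closed -join ',')" } else { '' })
    }
    return $results
}

# Usage; every value here is a placeholder for this example
Test-AppStreamEndpointAccess -AuthHosts 'gateway.example.amazonappstream.com', 'auth.example.appstream2.us-east-1.aws.amazon.com' `
    -DnsServers '10.0.0.2' -StreamingEndpointIp '10.20.30.40' | Format-Table -AutoSize
```

Run it from a device on the same network segment and proxy configuration your users have; a pass from an administrator's workstation with a different egress path proves nothing about the user network.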

Fleet Instance Configuration

AppStream 2.0 fleet instances are ephemeral, and antivirus adds overhead to virtualized instances without a matching security benefit, so it is a best practice to avoid unnecessary activity on them. For example, scanning the system volume (which is ephemeral) at boot does not add to the overall security of AppStream 2.0. If you opt to add antivirus or other security software to your AppStream 2.0 fleet instances, ensure the following.

Management Network Interface

The management network interface IP address range is 198.19.0.0/16. Do not disable IPv6 on this interface. All streaming instances require that port 80 (HTTP) be open to 169.254.169.254 so that the instance can reach the EC2 instance metadata service. The IP address range 169.254.0.0/16 is reserved for AppStream 2.0 service usage for management traffic; the addresses in the table below are the service endpoints the instance uses in that range.
Direction/Port/IP | Notes
Inbound TCP 8300, TCP 3128 | Used for establishment of the streaming connection.
Inbound TCP 8000 and TCP 8443 | Used for management of the streaming instance by AppStream 2.0.
169.254.169.123 | NTP
169.254.169.249 | NVIDIA GRID License Service
169.254.169.250 | KMS
169.254.169.251 | KMS
169.254.169.253 | DNS
169.254.169.254 | Metadata
Within the security software, ensure that it does not interfere with the following processes.
Service | Process
AmazonCloudWatchAgent | C:\Program Files\Amazon\AmazonCloudWatchAgent\start-amazon-cloudwatch-agent.exe
AmazonSSMAgent | C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
Amazon DCV | C:\Program Files\NICE\DCV\Server\bin\dcvserver.exe
Amazon DCV | C:\Program Files\NICE\DCV\Server\bin\dcvagent.exe
AppStream 2.0 | C:\Program Files\Amazon\AppStream2\StorageConnector\StorageConnector.exe
AppStream 2.0 | C:\Program Files\Amazon\Photon\Agent\PhotonAgent.exe
AppStream 2.0 | C:\Program Files\Amazon\Photon\Agent\s5cmd.exe
AppStream 2.0 | C:\Program Files\Amazon\Photon\WebServer\PhotonAgentWebServer.exe
AppStream 2.0 | C:\Program Files\Amazon\Photon\CustomShell\PhotonWindowsAppSwitcher.exe
AppStream 2.0 | C:\Program Files\Amazon\Photon\CustomShell\PhotonWindowsCustomShell.exe
AppStream 2.0 | C:\Program Files\Amazon\Photon\CustomShell\PhotonWindowsCustomShellBackground.exe
Within the security software, ensure that it does not interfere with the following folders.
  • C:\Program Files\Amazon\*
  • C:\ProgramData\Amazon\*
  • C:\Program Files (x86)\AWS Tools\*
  • C:\Program Files (x86)\AWS SDK for .NET\*
  • C:\Program Files\NICE\*
  • C:\ProgramData\NICE\*
  • C:\AppStream\*
  • C:\Program Files\Internet Explorer\*
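As an added example (not code from the original post), here is how the process and folder lists above translate into Microsoft Defender exclusions on the image builder, with a read-back so you can confirm the exclusions actually took effect before you create the image. It assumes Defender is the security software in use; a third-party agent needs the same two lists fed to its own exclusion mechanism. Folder exclusions are given without the trailing wildcard because a Defender path exclusion on a folder already covers the folder and its subfolders.

```powershell
# Added example (not from the original post): run elevated on the image builder.
# Applies Defender exclusions for the processes and folders listed in this section,
# then reads the effective preference back to verify them.

$ProcessExclusions = @(
    'C:\Program Files\Amazon\AmazonCloudWatchAgent\start-amazon-cloudwatch-agent.exe',
    'C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe',
    'C:\Program Files\NICE\DCV\Server\bin\dcvserver.exe',
    'C:\Program Files\NICE\DCV\Server\bin\dcvagent.exe',
    'C:\Program Files\Amazon\AppStream2\StorageConnector\StorageConnector.exe',
    'C:\Program Files\Amazon\Photon\Agent\PhotonAgent.exe',
    'C:\Program Files\Amazon\Photon\Agent\s5cmd.exe',
    'C:\Program Files\Amazon\Photon\WebServer\PhotonAgentWebServer.exe',
    'C:\Program Files\Amazon\Photon\CustomShell\PhotonWindowsAppSwitcher.exe',
    'C:\Program Files\Amazon\Photon\CustomShell\PhotonWindowsCustomShell.exe',
    'C:\Program Files\Amazon\Photon\CustomShell\PhotonWindowsCustomShellBackground.exe'
)
# A folder exclusion covers the folder and everything below it, so no trailing \* is needed.
$PathExclusions = @(
    'C:\Program Files\Amazon', 'C:\ProgramData\Amazon',
    'C:\Program Files (x86)\AWS Tools', 'C:\Program Files (x86)\AWS SDK for .NET',
    'C:\Program Files\NICE', 'C:\ProgramData\NICE',
    'C:\AppStream', 'C:\Program Files\Internet Explorer'
)

function Set-AppStreamDefenderExclusions {
    param([string[]]$Processes, [string[]]$Paths)
    # Flag entries that do not exist on this builder: a mistyped path silently
    # leaves that process or folder subject to real-time scanning.
    foreach ($p in $Processes + $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { Write-Warning "Not found on this image: $p" }
    }
    # -ExclusionProcess: files opened by these processes are not scanned in real time.
    # -ExclusionPath: files under these folders are not scanned.
    Add-MpPreference -ExclusionProcess $Processes -ExclusionPath $Paths
}

function Test-AppStreamDefenderExclusions {
    # Returns the entries that are NOT in the effective Defender preference (empty = all good).
    param([string[]]$Processes, [string[]]$Paths)
    $pref = Get-MpPreference
    $missing = @()
    $missing += $Processes | Where-Object { $pref.ExclusionProcess -notcontains $_ }
    $missing += $Paths     | Where-Object { $pref.ExclusionPath    -notcontains $_ }
    return $missing
}

Set-AppStreamDefenderExclusions -Processes $ProcessExclusions -Paths $PathExclusions
$missing = Test-AppStreamDefenderExclusions -Processes $ProcessExclusions -Paths $PathExclusions
if ($missing) {
    Write-Warning "Exclusions not in effect (tamper protection or a managing policy?): $($missing -join '; ')"
}
```

The read-back matters because Add-MpPreference can return without error while a Group Policy or tamper protection setting prevents the change from sticking; checking Get-MpPreference is the only way to know what the fleet instances will actually run with.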

Domain Joined Fleets

If you are using a Domain Joined Fleet, additional ports and protocols are required for Active Directory communication. The following ports must be open between your AppStream 2.0 VPC and your domain controllers. For a complete list of ports, see Active Directory and Active Directory Domain Services Port Requirements in the Microsoft documentation.
Protocol/Port | Notes
TCP/UDP 53 | DNS
TCP/UDP 88 | Kerberos authentication
UDP 123 | NTP
TCP 135 | RPC
UDP 137-138 | Netlogon
TCP 139 | Netlogon
TCP/UDP 389 | LDAP
TCP/UDP 445 | SMB
TCP 1024-65535 | Dynamic ports for RPC
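An added example, not from the original post: a PowerShell check you can run from the image builder in the AppStream 2.0 VPC against each domain controller the fleet will use, covering the table above. TCP ports get a connect test through Test-NetConnection, DNS is exercised over both UDP and TCP with Resolve-DnsName against the DC itself, and NTP through w32tm. Kerberos over UDP 88, Netlogon UDP 137-138 and the dynamic RPC range have no simple client-side probe and are reported as not tested. The DC and domain names in the usage call are placeholders.

```powershell
# Added example (not from the original post): run from the image builder in the
# AppStream 2.0 VPC against each domain controller the fleet will use.

function Test-DomainControllerPorts {
    param([string]$DomainController, [string]$DomainName)
    $tcpPorts = [ordered]@{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'Netlogon'; 389 = 'LDAP'; 445 = 'SMB' }
    $results = @()
    foreach ($port in $tcpPorts.Keys) {
        $ok = Test-NetConnection -ComputerName $DomainController -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue
        $results += [pscustomobject]@{ Check = "TCP $port $($tcpPorts[$port])"; Pass = $ok }
    }

    # DNS over UDP 53 and TCP 53: ask the DC itself for the domain's Kerberos SRV record.
    # -DnsOnly skips the local cache so a cached answer cannot mask a blocked port.
    $srv = "_kerberos._tcp.$DomainName"
    $udp = Resolve-DnsName -Name $srv -Type SRV -Server $DomainController -DnsOnly -ErrorAction SilentlyContinue
    $tcp = Resolve-DnsName -Name $srv -Type SRV -Server $DomainController -DnsOnly -TcpOnly -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = "UDP 53 DNS ($srv)"; Pass = ($null -ne $udp) }
    $results += [pscustomobject]@{ Check = "TCP 53 DNS ($srv)"; Pass = ($null -ne $tcp) }

    # NTP (UDP 123): w32tm prints a signed offset such as "+00.0012345s" when the DC answers,
    # and "error: 0x..." when it does not.
    $ntp = & w32tm.exe /stripchart /computer:$DomainController /samples:1 /dataonly 2>&1
    $results += [pscustomobject]@{ Check = 'UDP 123 NTP'; Pass = [bool]($ntp -match '[+-]\d+\.\d+s') }

    # No simple client probe for these; confirm them on the security group / firewall instead.
    foreach ($c in 'UDP 88 Kerberos', 'UDP 137-138 Netlogon',
                   'TCP 1024-65535 dynamic RPC (port assigned per call by the endpoint mapper on TCP 135)') {
        $results += [pscustomobject]@{ Check = $c; Pass = 'not tested' }
    }
    return $results
}

# Usage; DC and domain names are placeholders for this example
Test-DomainControllerPorts -DomainController 'dc01.corp.example.com' -DomainName 'corp.example.com' |
    Format-Table -AutoSize
```

A TCP 135 pass with a failed domain join usually points at the dynamic RPC range: the endpoint mapper answers on 135 but hands back a high port that the security group or NACL does not allow.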

Group Policy

If you are using domain joined fleets, or customizing local group policy on the image builder, it is important to ensure these settings are specified. If they are not, you may see an error when trying to log on.
  • Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options > Disable or Enable software Secure Attention Sequence — Set this to Enabled for Services.
  • Computer Configuration > Administrative Templates > System > Logon > Exclude credential providers — Ensure that the following CLSID is not listed: e7c1bab5-4b49-4e64-a966-8d99686f8c7c
  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message text for users attempting to log on — Set this to Not defined.
  • Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Interactive Logon > Interactive Logon: Message title for users attempting to log on — Set this to Not defined.
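As an added example (not from the original post), the following PowerShell verifies the four settings above on the image builder by reading the registry values those policies write under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. That mapping (SoftwareSASGeneration, ExcludedCredentialProviders, LegalNoticeText and LegalNoticeCaption) is standard Windows policy behaviour and is an assumption of this example rather than something the post states. Run it after gpupdate /force when the builder is domain joined, so the values reflect the effective policy rather than a stale local setting.

```powershell
# Added example (not from the original post): run on the image builder to verify
# the logon-related policy settings listed above are in effect.

function Test-AppStreamLogonPolicy {
    $key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $clsid = 'e7c1bab5-4b49-4e64-a966-8d99686f8c7c'   # credential provider CLSID from the text above
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # SoftwareSASGeneration: absent/0 = none, 1 = Services, 2 = Ease of Access, 3 = both.
    # The post requires Services (1); 3 also lets a service generate the SAS.
    $sas = if ($null -ne $p.SoftwareSASGeneration) { [int]$p.SoftwareSASGeneration } else { 0 }
    # ExcludedCredentialProviders is a comma-separated list of CLSIDs, possibly with braces.
    $excluded = [string]$p.ExcludedCredentialProviders

    @(
        [pscustomobject]@{ Setting = 'Software SAS generation = Services'
                           Pass = ($sas -in 1, 3); Value = $sas }
        [pscustomobject]@{ Setting = 'AppStream credential provider not excluded'
                           Pass = ($excluded -notlike "*$clsid*"); Value = $excluded }
        [pscustomobject]@{ Setting = 'Interactive logon message text not defined'
                           Pass = [string]::IsNullOrEmpty($p.LegalNoticeText); Value = [string]$p.LegalNoticeText }
        [pscustomobject]@{ Setting = 'Interactive logon message title not defined'
                           Pass = [string]::IsNullOrEmpty($p.LegalNoticeCaption); Value = [string]$p.LegalNoticeCaption }
    )
}

$report = Test-AppStreamLogonPolicy
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failing settings before creating the image, or users will see a logon error.'
}
```

The logon banner checks are the ones most often tripped by an existing domain GPO: a corporate "message text for users attempting to log on" policy inherited by the fleet OU is enough to break interactive logon on the streaming instance, so the fleet OU typically needs that setting blocked or left Not defined.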

Streaming VPC Endpoint

If you are using the Streaming Interface VPC Endpoint, some additional configuration is needed for the security group and network access control list (NACL) associated with it. Streaming traffic includes pixel, USB, user input, audio, clipboard, file upload and download, and printer traffic.
  • The network to which your users' devices are connected must be able to route traffic to the interface endpoint.
  • The security groups that are associated with the interface endpoint must allow inbound access to port 443 (TCP) and ports 1400-1499 (TCP) from the IP address range from which your users connect.
  • The network access control list for the subnets must allow outbound traffic from ephemeral network ports 1024-65535 (TCP) to the IP address range from which your users connect. NACLs are stateless, so this return-traffic rule is required; in an outbound NACL rule the port range is the destination port, which for return traffic is the user's ephemeral port.
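The following is an added example, not code from the original post, that checks the security group and NACL bullets above for one user CIDR using AWS Tools for PowerShell (Get-EC2VpcEndpoint, Get-EC2SecurityGroup and Get-EC2NetworkAcl). It reads the interface endpoint's security groups and the NACL of each of its subnets, and walks the NACL egress rules in rule-number order (first match wins) so that an earlier deny on part of the ephemeral range is caught. The endpoint ID and CIDR in the usage call are placeholders. A pass means a rule covers the CIDR and the whole port range; routing from the user network (the first bullet) is not checked here, and the check assumes a rule CIDR either covers the user CIDR entirely or not at all.

```powershell
# Added example (not from the original post); requires AWS Tools for PowerShell
# with credentials that can describe VPC endpoints, security groups and NACLs.

function Test-CidrCovers {
    # True when every address in $Inner lies inside $Outer (IPv4 only).
    param([string]$Outer, [string]$Inner)
    $o = $Outer.Split('/'); $i = $Inner.Split('/')
    if ([int]$o[1] -gt [int]$i[1]) { return $false }     # outer prefix is narrower than inner
    $toInt = { param($ip) $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
               [int64]$b[0] * 16777216 + [int64]$b[1] * 65536 + [int64]$b[2] * 256 + [int64]$b[3] }
    $mask = (0xFFFFFFFF -shl (32 - [int]$o[1])) -band 0xFFFFFFFF
    return (((& $toInt $o[0]) -band $mask) -eq ((& $toInt $i[0]) -band $mask))
}

function Test-StreamingEndpointNetwork {
    param([string]$VpcEndpointId, [string]$UserCidr)
    $ep = Get-EC2VpcEndpoint -VpcEndpointId $VpcEndpointId
    $results = @()

    # Security groups on the endpoint: inbound TCP 443 and TCP 1400-1499 from the user range.
    foreach ($sgId in $ep.Groups.GroupId) {
        $perms = (Get-EC2SecurityGroup -GroupId $sgId).IpPermissions
        foreach ($range in @(@{ From = 443; To = 443 }, @{ From = 1400; To = 1499 })) {
            $hit = $perms | Where-Object {
                $proto = "$($_.IpProtocol)"
                ($proto -eq '-1' -or ($proto -eq 'tcp' -and $_.FromPort -le $range.From -and $_.ToPort -ge $range.To)) -and
                @($_.Ipv4Ranges | Where-Object { Test-CidrCovers $_.CidrIp $UserCidr }).Count -gt 0
            }
            $results += [pscustomobject]@{ Resource = $sgId
                Check = "inbound TCP $($range.From)-$($range.To) from $UserCidr"; Pass = [bool]$hit }
        }
    }

    # NACLs are stateless: each subnet's NACL needs an outbound allow for TCP to the user
    # range on destination ports 1024-65535 (the client's ephemeral port). Rules apply in
    # rule-number order, first match wins, so walk them in order and require every port
    # in the range to end up allowed. The default "*" rule (deny all) is in Entries too.
    foreach ($subnetId in $ep.SubnetIds) {
        $acl = Get-EC2NetworkAcl -Filter @{ Name = 'association.subnet-id'; Values = $subnetId }
        $decided = New-Object bool[] 65536
        $allowed = New-Object bool[] 65536
        $egress = $acl.Entries | Where-Object { $_.Egress } | Sort-Object RuleNumber
        foreach ($e in $egress) {
            $proto = "$($e.Protocol)"
            if ($proto -ne '6' -and $proto -ne '-1') { continue }        # 6 = TCP, -1 = all
            if (-not $e.CidrBlock -or -not (Test-CidrCovers $e.CidrBlock $UserCidr)) { continue }
            $from = if ($proto -eq '-1' -or $null -eq $e.PortRange) { 0 }     else { $e.PortRange.From }
            $to   = if ($proto -eq '-1' -or $null -eq $e.PortRange) { 65535 } else { $e.PortRange.To }
            for ($port = [Math]::Max($from, 1024); $port -le [Math]::Min($to, 65535); $port++) {
                if (-not $decided[$port]) {
                    $decided[$port] = $true
                    $allowed[$port] = ("$($e.RuleAction)" -eq 'allow')
                }
            }
        }
        $blocked = @(1024..65535 | Where-Object { -not $allowed[$_] })
        $results += [pscustomobject]@{ Resource = "$subnetId ($($acl.NetworkAclId))"
            Check = "outbound TCP 1024-65535 to $UserCidr"; Pass = ($blocked.Count -eq 0) }
    }
    return $results
}

# Usage; the endpoint ID and user CIDR are placeholders for this example
Test-StreamingEndpointNetwork -VpcEndpointId 'vpce-0123456789abcdef0' -UserCidr '203.0.113.0/24' |
    Format-Table -AutoSize
```

Run it once per user CIDR (office ranges, VPN pools) rather than once with 0.0.0.0/0, because a check against 0.0.0.0/0 only passes when the rules are wide open, which is not what you want on a streaming endpoint.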

Summary

Properly configuring your networking, security, and Active Directory settings is crucial for a successful Amazon AppStream 2.0 deployment. By following the guidelines I've outlined in this post, you can ensure your users can reliably connect to their AppStream 2.0 environments and maintain the security and integrity of your overall infrastructure.
Remember to carefully review your endpoint firewall rules, configure your fleet instances to minimize unnecessary overhead, set up the appropriate Active Directory integration, and properly configure your Streaming VPC Endpoint. Taking the time to get these foundational elements right will pay dividends in the long run by providing a seamless user experience and reducing troubleshooting down the line.
As with any complex cloud deployment, it's important to thoroughly test your configurations in a non-production environment before rolling them out to your end-users. This will help you identify and address any issues ahead of time. And don't hesitate to reach out to AWS Support or the broader AWS community if you run into any roadblocks - there are many experts out there who can offer guidance and best practices.
By following the steps outlined in this post, you'll be well on your way to a successful and secure AppStream 2.0 deployment. For more detailed information, be sure to check out the AppStream 2.0 Administration Guide, the Amazon VPC documentation, and the wealth of resources available in the AWS re:Invent sessions and the AWS Desktop and Application Streaming blog channel.

About the Author

Asriel is a Senior End User Computing Solutions Architect. He works with Federal customers designing and architecting EUC solutions on AWS. He has been with AWS since 2017. In his free time, you can find Asriel scuba diving, traveling, or playing chess.


Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.
