What are the port requirements for Amazon WorkSpaces?

No matter which type of directory you have, the following ports must be open on the primary network interface of all WorkSpaces:

For Internet connectivity, the following ports must be open outbound to all destinations and inbound from the WorkSpaces VPC. You need to add these manually to the security group for your WorkSpaces if you want them to have Internet access.

  • TCP 80 (HTTP)
  • TCP 443 (HTTPS)

To communicate with the directory controllers, the following ports must be open between your WorkSpaces VPC and your directory controllers. For a Simple AD directory, the security group created by AWS Directory Service will have these ports configured correctly. For an AD Connector directory, you may need to adjust the default security group for the VPC to open these ports.

  • TCP/UDP 53 - DNS
  • TCP/UDP 88 - Kerberos authentication
  • UDP 123 - NTP
  • TCP 135 - RPC
  • UDP 137-138 - Netlogon
  • TCP 139 - Netlogon
  • TCP/UDP 389 - LDAP
  • TCP/UDP 445 - SMB
  • TCP 1024-65535 - Dynamic ports for RPC

If any security or firewall software is installed on a WorkSpace that blocks any of these ports, the WorkSpace may not function correctly or may be unreachable.
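One way to audit a security group against the directory-controller port list above, as an added example that is not part of the original answer or AWS's own code. The rule dictionaries use the `IpPermissions` field names returned by the EC2 `DescribeSecurityGroups` API; `SAMPLE` is constructed, and the check covers ports only, assuming the rules have already been filtered to those whose peer is the directory controllers.

```python
# Directory-controller ports from the list above: (protocol, first, last, label)
REQUIRED = [
    ("tcp", 53, 53, "DNS"), ("udp", 53, 53, "DNS"),
    ("tcp", 88, 88, "Kerberos"), ("udp", 88, 88, "Kerberos"),
    ("udp", 123, 123, "NTP"), ("tcp", 135, 135, "RPC"),
    ("udp", 137, 138, "Netlogon"), ("tcp", 139, 139, "Netlogon"),
    ("tcp", 389, 389, "LDAP"), ("udp", 389, 389, "LDAP"),
    ("tcp", 445, 445, "SMB"), ("udp", 445, 445, "SMB"),
    ("tcp", 1024, 65535, "Dynamic RPC"),
]

def allowed_ranges(permissions, proto):
    """Merge the port ranges the rules open for one protocol."""
    spans = []
    for rule in permissions:
        if rule["IpProtocol"] == "-1":       # "-1" = all protocols, all ports
            spans.append((0, 65535))
        elif rule["IpProtocol"] == proto:
            spans.append((rule["FromPort"], rule["ToPort"]))
    merged = []
    for lo, hi in sorted(spans):
        if merged and lo <= merged[-1][1] + 1:   # overlapping or adjacent
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def missing_ports(permissions):
    """Return required entries that no merged range fully covers."""
    gaps = []
    for proto, lo, hi, label in REQUIRED:
        ranges = allowed_ranges(permissions, proto)
        if not any(a <= lo and hi <= b for a, b in ranges):
            span = str(lo) if lo == hi else f"{lo}-{hi}"
            gaps.append(f"{proto.upper()} {span} ({label})")
    return gaps

def rule(proto, lo, hi):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi}

# Constructed sample: NTP and UDP Netlogon were forgotten; the dynamic RPC
# range is split across two adjacent rules and must still count as covered.
SAMPLE = [rule("tcp", 53, 53), rule("udp", 53, 53), rule("tcp", 88, 88),
          rule("udp", 88, 88), rule("tcp", 135, 139), rule("tcp", 389, 389),
          rule("udp", 389, 389), rule("tcp", 445, 445), rule("udp", 445, 445),
          rule("tcp", 1024, 49151), rule("tcp", 49152, 65535)]

if __name__ == "__main__":
    for gap in missing_ports(SAMPLE):
        print("missing:", gap)
```

An empty result means every listed port is covered; any entry returned is a port that still needs a rule in the security group.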
