How to Use Twingate with AWS Workspaces

There are two common workflows for Twingate with AWS Workspaces:

  • Using Twingate inside an AWS Workspace to provide access to sensitive Resources inside the Workspace
  • Using Twingate to protect access to an AWS Workspace

Providing Access to Protected Resources In AWS Workspaces

For the first workflow, you’d install Twingate inside the Workspace normally, and that may include deploying the Twingate Client using an MDM platform.

Protecting AWS Workspaces Access with Twingate

For the second workflow (protecting access to an AWS Workspace with Twingate), you’ll need to create the applicable Resources in Twingate so that traffic bound for AWS Workspaces is routed through a Twingate tunnel, and then restrict Workspaces access to the Twingate egress IP addresses. Follow these steps:

In Twingate:

  • Choose the applicable Remote Network for access to AWS Workspaces
  • Create Twingate Resources for the following (and provide access to users via Group Membership):
      • The private AWS IPv4 CIDR block used when the VPC was created as part of the AWS Workspaces setup process
      • AWS Workspaces Endpoints
      • AWS Workspaces Auth Service
      • AWS Workspaces Broker Service (e.g., ws-broker-service.us-east-1.amazonaws.com)

To find the applicable Resources, we recommend checking the AWS IP address and port requirements documentation, as it provides the applicable IP and DNS information.

In AWS:

  • Create IP Group
  • Add Rule to IP Group
  • Add IP address for Internet egress used by Twingate Connectors associated with the Remote Network
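
To confirm that the IP Group ends up allowing only the Connector egress addresses, the following added example (not part of the original page or Twingate's tooling) audits the rules of one group. It assumes the JSON shape returned by `aws workspaces describe-ip-groups`; the function name `audit_ip_group`, the group ID, and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of `aws workspaces describe-ip-groups` output.
SAMPLE_DESCRIBE_IP_GROUPS = json.loads("""
{"Result": [{"groupId": "wsipg-EXAMPLE", "groupName": "twingate-egress",
  "userRules": [
    {"ipRule": "203.0.113.10/32", "ruleDesc": "Connector A egress"},
    {"ipRule": "0.0.0.0/0", "ruleDesc": "temporary"},
    {"ipRule": "198.51.100.0/24", "ruleDesc": "old office"}]}]}
""")


def audit_ip_group(group, connector_egress_ips):
    """Compare an IP Group's rules with the expected Connector egress IPs.

    Returns a list of (finding, value) tuples:
      RULE_TOO_BROAD    - rule admits addresses beyond the egress IPs
      UNEXPECTED_RULE   - rule admits no known egress IP at all
      EGRESS_IP_MISSING - egress IP not allowed by any tight rule
    """
    expected = {ipaddress.ip_address(ip) for ip in connector_egress_ips}
    findings, covered = [], set()
    for rule in group.get("userRules", []):
        net = ipaddress.ip_network(rule["ipRule"], strict=False)
        matched = {ip for ip in expected if ip in net}
        if not matched:
            findings.append(("UNEXPECTED_RULE", rule["ipRule"]))
        elif net.num_addresses > len(matched):
            # Broad rules do not count as coverage: once tightened,
            # the egress IP would no longer be allowed.
            findings.append(("RULE_TOO_BROAD", rule["ipRule"]))
        else:
            covered |= matched
    for ip in sorted(expected - covered):
        findings.append(("EGRESS_IP_MISSING", str(ip)))
    return findings


if __name__ == "__main__":
    group = SAMPLE_DESCRIBE_IP_GROUPS["Result"][0]
    # Constructed egress IPs for two Connectors in the Remote Network.
    for finding in audit_ip_group(group, ["203.0.113.10", "203.0.113.11"]):
        print(*finding)
```

An empty result means every rule maps exactly to known Connector egress addresses and every egress address is allowed.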
