Why do I get the error "Internet Gateway not attached to your Amazon VPC" when I try to enable internet access for Amazon WorkSpaces?

Last updated: 2020-12-14

When I try to enable internet access for Amazon WorkSpaces using the AWS Management Console, I get the following error:

"The Amazon VPC does not have an Internet Gateway associated with it. Create and attach an Internet Gateway to the VPC, and configure routes to the Internet Gateway from subnets in your VPC before continuing."

I created an internet gateway, and attached the gateway to the Amazon Virtual Private Cloud (Amazon VPC) of the WorkSpace. Why am I receiving this error, and how can I fix this issue?

Resolution

In addition to attaching the internet gateway to the WorkSpace VPC, the route tables of all WorkSpace subnets must route to the internet gateway. If any of the WorkSpace subnets aren’t public, you receive the “Internet Gateway not attached to your Amazon VPC” error.

Identify WorkSpaces subnets

The Amazon WorkSpaces console displays only the subnets used to create the WorkSpaces directory. You can use the AWS Command Line Interface (AWS CLI) to view the subnets used to create WorkSpaces. If necessary, install and configure the AWS CLI.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Run the following command to retrieve the WorkSpaces SubnetIds. Replace REGIONCODE and d-directoryID with your environment details.

aws workspaces describe-workspace-directories --region REGIONCODE --directory-ids d-directoryID

Verify subnet route tables

For each SubnetId, verify the subnet route table. The subnets must be public. This means that the route table used by both subnets must have an entry for 0.0.0.0/0 traffic using an internet gateway.

Note: If both subnets use different route tables, verify that both route tables have the entry for 0.0.0.0/0 traffic using an internet gateway

For more information, see Adding and removing routes from a route table.

Note: If both subnets use a NAT gateway in their route table configuration, you don’t need to enable the Access to Internet setting. Instead, the WorkSpaces access the internet using the configured NAT gateway.

If the WorkSpace already existed before enabling Access to Internet, you must rebuild the WorkSpace before an Elastic IP address is automatically assigned.