AWS WorkSpaces Pool instances may terminate approximately 20 minutes after launch due to failing heartbeats. This occurs because the WorkSpaces management service attempts to resolve squid-proxy.appstream.local but fails when the system is connected to Twingate.
The underlying cause is a known limitation of the Windows client with multiple NICs and split-horizon DNS; for further information, see the KB article [Windows Client] Limitations with Multiple NICs and Split-Horizon DNS.
The WorkSpaces Pools management service performs a health check that requires resolving squid-proxy.appstream.local.
When not connected to Twingate, the DNS resolution follows the standard query order:
1. The frontend NIC's DNS servers do not return an A record.
2. The backend NIC's DNS servers successfully return an A record.
When connected to Twingate, the query is forwarded to Twingate's DNS servers and follows this order:
1. The query is sent to the frontend DNS servers (10.30.51.4, 10.30.50.4), which do not return an A record.
2. The query is not forwarded to the backend DNS server (198.19.0.2), causing resolution failure.
As a result, the WorkSpaces heartbeat check fails, leading AWS to terminate the instance.
To confirm this issue, run the same lookup in both states and compare the results:
1. While not connected to Twingate (expected: one or more A records are returned):
nslookup squid-proxy.appstream.local
2. While connected to Twingate (expected: no A record is returned):
nslookup squid-proxy.appstream.local
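The following PowerShell is an added diagnostic, not part of the original KB article. It queries each resolver named above directly, bypassing the cache and the hosts file, so you can see which server actually holds the A record, and then shows what the ordinary resolver path returns. The resolver addresses are the ones quoted in this article and are assumptions about your environment; substitute your own NICs' resolvers (Get-DnsClientServerAddress -AddressFamily IPv4 lists them per interface).

```powershell
# Added diagnostic (not the KB article's own script). Resolver addresses are the ones
# quoted in the article and must be replaced with the ones on your WorkSpace's NICs.
$HostName  = 'squid-proxy.appstream.local'
$Resolvers = [ordered]@{
    'frontend 10.30.51.4' = '10.30.51.4'
    'frontend 10.30.50.4' = '10.30.50.4'
    'backend  198.19.0.2' = '198.19.0.2'
}

foreach ($label in $Resolvers.Keys) {
    try {
        # -DnsOnly and -NoHostsFile make the answer depend on the server alone,
        # not on the local cache or on any hosts-file entry added earlier.
        $a = @(Resolve-DnsName -Name $HostName -Type A -Server $Resolvers[$label] `
                -DnsOnly -NoHostsFile -QuickTimeout -ErrorAction Stop |
               Where-Object { $_.QueryType -eq 'A' })
        if ($a.Count -gt 0) { '{0,-22} -> {1}' -f $label, ($a.IPAddress -join ', ') }
        else                { '{0,-22} -> no A record (empty answer)' -f $label }
    } catch {
        '{0,-22} -> no A record ({1})' -f $label, $_.Exception.Message
    }
}

# Ordinary resolution, i.e. what the WorkSpaces health check sees: hosts file first,
# then the configured resolver order, which Twingate rewrites while connected.
Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue |
    Where-Object { $_.QueryType -eq 'A' } | Select-Object Name, IPAddress
```

Run it once disconnected and once connected to Twingate: in both runs only the backend resolver should answer, while the final ordinary lookup succeeds disconnected and fails connected, which is the behaviour described above.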
Back up C:\Windows\System32\drivers\etc\hosts prior to proceeding.
Method 1 (manual edit)
Retrieve the correct IPs: run nslookup (as shown above) while not connected to Twingate and copy the returned A records.
Edit the hosts file:
Open Notepad as Administrator.
Navigate to: C:\Windows\System32\drivers\etc\hosts
At the very bottom of the file, add a new line for each A record retrieved via nslookup, in the form "IP hostname":
<IP-1> squid-proxy.appstream.local
<IP-2> squid-proxy.appstream.local
<IP-3> squid-proxy.appstream.local
(Replace <IP-1>, <IP-2>, <IP-3> with the A records returned by nslookup, and add or remove lines to match the number of records returned.)
Save the file and close Notepad.
Method 2 (PowerShell, run as Administrator while not connected to Twingate)
Note: run this method only once, and not after Method 1. If you have already performed Method 1, or run this script more than once, you will need to manually remove all squid-proxy.appstream.local entries from the hosts file (the reverse of Method 1 above), because each run appends a new set of lines rather than replacing the existing ones.
# Back up the current hosts file before modifying it.
Copy-Item -Path "C:\Windows\System32\drivers\etc\hosts" -Destination "C:\Windows\System32\drivers\etc\hosts.bak" -Force
# Make sure the new entries start on a fresh line (Add-Content also appends its own newline, so this yields a blank separator line).
Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "`r`n" -Encoding ASCII
# Resolve the name (this reaches the backend resolver only while Twingate is disconnected),
# keep the A records, and append one "IP hostname" line per record.
Resolve-DnsName squid-proxy.appstream.local |
Where-Object QueryType -eq "A" |
ForEach-Object { "{0} {1}" -f $_.IPAddress, "squid-proxy.appstream.local" } |
Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Encoding ASCII
After performing either of the above methods, verify the file has been updated correctly. Once updated, it should look something like the sample below when opened in Notepad.
Note: the IP addresses in the sample are shown as placeholders; the actual values are the A records returned by nslookup in your environment.
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
<IP-1> squid-proxy.appstream.local
<IP-2> squid-proxy.appstream.local
<IP-3> squid-proxy.appstream.local
This forces local name resolution, ensuring the hostname resolves correctly while connected to Twingate.
Since WorkSpaces Pool instances are ephemeral, this modification should be applied at image creation or automated via a script.
squid-proxy.appstream.local resolves to different IPs from environment to environment, and those IPs are subject to change, so a scripted method that dynamically refreshes the hosts file while Twingate is not running is the preferred approach.
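The script below is an added example of such a scripted refresh; it is not the KB article's own code. Unlike Method 2, it is idempotent: it removes any existing squid-proxy.appstream.local lines before writing fresh ones, so it can run at every boot without accumulating duplicates (the pitfall the Method 2 note describes). It assumes it runs elevated, that 198.19.0.2 is the backend NIC's resolver as quoted in this article (adjust per environment), and that a query sent directly to that resolver is not intercepted by Twingate; if it is in your deployment, run the script before the Twingate client starts, as the article recommends.

```powershell
# Added example (not the KB article's own script): idempotent refresh of the
# squid-proxy.appstream.local hosts entries, safe to run repeatedly and at every boot.
# Assumptions (adjust per environment): runs elevated; 198.19.0.2 is the backend NIC's
# resolver quoted in the article; queries sent directly to it bypass Twingate.
[CmdletBinding()]
param(
    [string]$HostName   = 'squid-proxy.appstream.local',
    [string]$BackendDns = '198.19.0.2',
    [string]$HostsPath  = "$env:SystemRoot\System32\drivers\etc\hosts"
)
$ErrorActionPreference = 'Stop'

# Ask the backend resolver directly. -NoHostsFile is essential: without it a second run
# would read back the entries written by the first run instead of fresh A records.
$ips = @(Resolve-DnsName -Name $HostName -Type A -Server $BackendDns -DnsOnly -NoHostsFile |
    Where-Object { $_.QueryType -eq 'A' } |
    Select-Object -ExpandProperty IPAddress -Unique)

if ($ips.Count -eq 0) {
    throw "No A records for $HostName from $BackendDns; $HostsPath left unchanged."
}

# Timestamped backup before any write.
Copy-Item -Path $HostsPath -Destination "$HostsPath.$(Get-Date -Format yyyyMMddHHmmss).bak" -Force

# Drop every existing mapping for the hostname (IP in column 1, our name in column 2,
# optionally followed by whitespace or a comment). Comments and other hosts are kept,
# so re-running replaces the entries instead of appending duplicates.
$pattern = '^\s*[0-9A-Fa-f.:]+\s+' + [regex]::Escape($HostName) + '(\s|#|$)'
$kept  = @(Get-Content -Path $HostsPath | Where-Object { $_ -notmatch $pattern })
$fresh = @($ips | ForEach-Object { '{0} {1}' -f $_, $HostName })

# Set-Content writes one element per line with CRLF; ASCII matches the original file.
Set-Content -Path $HostsPath -Value ($kept + $fresh) -Encoding ASCII

# Show what the resolver stack returns now (the hosts file is consulted first).
Resolve-DnsName -Name $HostName -Type A |
    Where-Object { $_.QueryType -eq 'A' } | Select-Object Name, IPAddress
```

Because a hosts entry pins the address, it goes stale if the backend IPs change while an instance is running; running this from a startup scheduled task (or early in the image's boot sequence, before Twingate connects) keeps the pinned values current for each ephemeral instance, whereas baking them into the image only once does not.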