[Windows Client] AWS WorkSpaces Pools terminates 20 minutes after starting Twingate

Last updated: April 3, 2026

Applicable to:
  • Twingate Component: Windows Client
  • Environment: AWS WorkSpaces Pools when running Twingate

Overview

AWS WorkSpaces Pool instances may terminate approximately 20 minutes after launch due to failing heartbeats. This occurs because the WorkSpaces management service attempts to resolve squid-proxy.appstream.local but fails when the system is connected to Twingate.

Cause

The underlying cause is a known limitation. For further information, refer to the KB article [Windows Client] Limitations with Multiple NICs and Split-Horizon DNS.

The WorkSpaces Pools management service performs a health check that requires resolving squid-proxy.appstream.local.

  • When not connected to Twingate, the DNS resolution follows the standard query order:

    1. The frontend NIC's DNS servers do not return an A record.

    2. The backend NIC's DNS servers successfully return an A record.

  • When connected to Twingate, the query is forwarded to Twingate’s DNS servers and follows this order:

    1. Query is sent to frontend DNS servers (10.30.51.4, 10.30.50.4), which do not return an A record.

    2. The query is not forwarded to the backend DNS servers (198.19.0.2), causing resolution failure.

    3. As a result, the WorkSpaces heartbeat check fails, leading AWS to terminate the instance.

Troubleshooting

To confirm this issue:

  • While NOT connected to Twingate, run the below command in command prompt or PowerShell:
    nslookup squid-proxy.appstream.local
    • We should see IPs returned with the A record
    • If the command returns multiple IPs, note down all the IP addresses.
  • While connected to Twingate, run the below command in command prompt or PowerShell:
    nslookup squid-proxy.appstream.local
    • We should NOT have any IPs returned as no A record is found

Workaround

Method 1 - Manual hosts file update

  • Make a backup of C:\Windows\System32\drivers\etc\hosts prior to proceeding.
  • Retrieve the correct IPs: Run nslookup (as shown above) while not connected to Twingate and copy the returned A records.

  • Edit the hosts file:

    • Open Notepad as Administrator.

    • Navigate to: C:\Windows\System32\drivers\etc\hosts

    • At the very bottom of the file, add a new line for each A record retrieved via nslookup:

      <IP1> squid-proxy.appstream.local
      <IP2> squid-proxy.appstream.local
      <IP3> squid-proxy.appstream.local

      (Replace <IP1>, <IP2>, etc., with the actual A records retrieved via nslookup.)

  • Save the file and close Notepad.

Method 2 - Scripted hosts file update

Note: this method should only be run once, and not after Method 1. If you have already performed Method 1 or have run this script multiple times, you will need to manually remove all entries for squid-proxy.appstream.local from the hosts file (perform the opposite of Method 1 above).

  • While NOT connected to Twingate, open PowerShell as Administrator.
  • Copy the commands below, paste them into PowerShell, and press Enter to run them.

    # Back up the current hosts file, then make sure new entries start on their own line.
    Copy-Item -Path "C:\Windows\System32\drivers\etc\hosts" -Destination "C:\Windows\System32\drivers\etc\hosts.bak" -Force
    Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Value "`r`n" -Encoding ASCII

    # Append one "IP squid-proxy.appstream.local" line for each A record returned.
    Resolve-DnsName squid-proxy.appstream.local |
    Where-Object QueryType -eq "A" |
    ForEach-Object { "{0} {1}" -f $_.IPAddress, "squid-proxy.appstream.local" } |
    Add-Content -Path "C:\Windows\System32\drivers\etc\hosts" -Encoding ASCII

Verify the Workaround

After performing either of the above methods, verify the file has been updated correctly. Once updated, it should look something like the example below when opened in Notepad.

Note: <IP1>, <IP2>, etc., will be the real IPs retrieved via nslookup, and <hostname> will be the hostname of your desktop.

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost

127.0.0.1 <hostname>

<IP1> squid-proxy.appstream.local
<IP2> squid-proxy.appstream.local
<IP3> squid-proxy.appstream.local

Limitation of the Workaround

  • This forces local name resolution, ensuring the hostname resolves correctly while connected to Twingate.

  • Since WorkSpaces Pool instances are ephemeral, this modification should be applied at image creation or automated via a script.

  • The WorkSpaces backend host squid-proxy.appstream.local will have different IPs from environment to environment.
  • The WorkSpaces backend host squid-proxy.appstream.local's IPs are subject to change, so a scripted method that dynamically updates the hosts file while Twingate is not running would be ideal.
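
One way to script the dynamic update described above so that it can be re-run safely, shown as an added example rather than Twingate's own script. It assumes an elevated PowerShell session (for example at image creation or from a startup task) while Twingate is not connected; the function name Update-SquidProxyHostsEntry is hypothetical.

```powershell
# Added example: idempotent refresh of the squid-proxy.appstream.local hosts entries.
# Unlike Method 2, it replaces earlier entries instead of appending duplicates.
$HostName  = 'squid-proxy.appstream.local'
$HostsPath = 'C:\Windows\System32\drivers\etc\hosts'

function Update-SquidProxyHostsEntry {   # hypothetical helper name
    param(
        [string]$Name = $HostName,
        [string]$Path = $HostsPath
    )

    # -NoHostsFile makes the lookup ignore entries written by a previous run, so a
    # stale address is never read back from the file it is about to replace.
    $ips = @(Resolve-DnsName -Name $Name -Type A -NoHostsFile -ErrorAction SilentlyContinue |
             Where-Object { $_.QueryType -eq 'A' } |
             Select-Object -ExpandProperty IPAddress -Unique)

    # While Twingate is connected the lookup returns no A record. Leave the file
    # untouched in that case so working entries are not wiped.
    if ($ips.Count -eq 0) {
        Write-Warning "No A record for $Name; hosts file left unchanged."
        return $false
    }

    # Keep every line that does not map $Name. Comments and blank lines survive
    # because they have no "address name" token pair once the comment is stripped.
    $kept = @(Get-Content -Path $Path | Where-Object {
        $tokens = @(($_ -replace '#.*$', '').Trim() -split '\s+' | Where-Object { $_ })
        -not ($tokens.Count -ge 2 -and ($tokens | Select-Object -Skip 1) -contains $Name)
    })
    $new = @($ips | ForEach-Object { '{0} {1}' -f $_, $Name })

    # Back up first, as in Method 2, then write the file in a single operation.
    Copy-Item -Path $Path -Destination "$Path.bak" -Force
    Set-Content -Path $Path -Value ($kept + $new) -Encoding ASCII
    return $true
}

Update-SquidProxyHostsEntry
```

The function returns $true when the entries were rewritten and $false when resolution failed and nothing was changed.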