
Elastic Compute Service: Connect to an instance by using VNC

Last Updated: Jan 17, 2025

Virtual Network Computing (VNC) is a method used to connect to an Elastic Compute Service (ECS) instance. You can use VNC to connect to an ECS instance that is in the Running state even when the operating system is starting, or to an ECS instance that is in the Stopping state. If you cannot connect to an ECS instance by using other methods, you can connect to the instance by using VNC to perform emergency O&M and troubleshoot issues. This topic describes how to connect to an ECS instance by using VNC in the ECS console.

Important

Starting July 10, 2023, you can use the logon username and password of an ECS instance to securely connect to the instance by using VNC without the need to provide a VNC logon password.

On July 10, 2023, Alibaba Cloud performed a security upgrade on VNC. Starting July 10, 2023, Alibaba Cloud manages authentication credentials and performs end-to-end data encryption for VNC logon to instances. After the upgrade, you can enter instance usernames and passwords to log on to instances without the need to provide VNC logon passwords.

VNC connection

VNC is a method used to connect to an ECS instance. You can use VNC to connect to an ECS instance that is in the Running state even when the operating system is starting, or to an ECS instance that is in the Stopping state.

  • Characteristics: Before you can use VNC to connect to ECS instances, you must log on to the Alibaba Cloud Management Console by using an Alibaba Cloud account or a Resource Access Management (RAM) user. You cannot use VNC to connect to ECS instances that are in the Stopped state. You can use VNC to connect only to ECS instances in Alibaba Cloud.

  • Network: Internet connectivity is not required when you use VNC to connect to ECS instances.

  • Authentication method: Password-based authentication is used when you use VNC to connect to ECS instances.

VNC is not a remote connection method. After you use VNC to connect to an ECS instance, you directly view the real-time interface of the operating system in the instance. By default, Linux may not include a GUI. You can use VNC to troubleshoot the issues that occur when other connection methods are used, because VNC is not restricted by security group settings or the software running on the instance.

Most remote connection tools rely on services running in the operating system, such as SSH. If the services fail to start or are not started, normal remote access may be denied. In contrast, VNC is implemented based on the underlying layer and remains available even if the preceding issue occurs. This helps you troubleshoot and resolve the issue.

The VNC connection feature is named Rescue Logon in Simple Application Server. For more information, see Connect to a simple application server by using the rescue feature.

Prerequisites

The ECS instance to which you want to connect is in the Running or Stopping state.

When you use VNC to connect to an ECS instance, the instance must be in the Running or Stopping state. You can view the status of the instance on the Instance page in the ECS console. The following figure shows that the instance is in the Running state.

For information about how to check the status of an ECS instance, see View instance information.


The logon username and password of the ECS instance are obtained

When you connect to an ECS instance by using VNC, you are directed to the logon page of the operating system within the instance. On the logon page, you must provide the logon username and password of the instance to log on to the operating system.

  • Obtain the logon username and password that you configured when you created the ECS instance

    If you did not change the logon username or password of the ECS instance after you created the instance, use the logon username and password that you configured when you created the instance, as shown in the following figures. By default, the logon username is root or ecs-user for a Linux instance and administrator for a Windows instance.

    For information about different logon usernames, see Manage logon users for instances.
    • Configure the logon username and password when you create a Linux instance

    • Configure the logon username and password when you create a Windows instance

  • Obtain the initial logon username of the ECS instance when you forget your logon username

    If you forget your logon username for the ECS instance, perform the following steps to go to the Instance page in the ECS console and view the initial logon username of the instance:

    1. Go to the Instance page in the ECS console.

    2. Find the instance to which you want to connect, click the image icon, and then click Reset Instance Password.

    3. The following figure shows the initial logon username.

  • Obtain the logon password of the ECS instance when you forget the logon password or no logon password is configured for the instance

    If you forget the logon password of the ECS instance or specify an SSH key pair as the logon credential, you must reset the logon password of the instance. In the ECS console, find the instance whose logon password you want to reset, click the image icon, and then click Reset Instance Password. Then, reset the logon password of the instance as prompted. For more information, see Reset the logon password of an instance.


The required permissions are granted to your RAM user

If you use a RAM user to connect to an ECS instance by using VNC, make sure that the following policy is attached to the RAM user. The policy grants the required permissions based on the principle of least privilege. For information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

The following policy includes the permissions to perform the ecs:DescribeInstances action, which is used to query information about ECS instances, and the ecs:DescribeInstanceVncUrl action, which is used to query the VNC connection address of an ECS instance. In addition, you can use the Resource element to limit the ECS instances to which you can connect. For more information, see Resource.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeInstances",
        "ecs:DescribeInstanceVncUrl"
      ],
      "Resource": "*"
    }
  ]
}
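
The policy above allows ecs:DescribeInstanceVncUrl on every resource. The following check is an added example, not part of the Alibaba Cloud documentation: it lists the Resource patterns through which a policy document grants that action and flags any pattern that is not limited to a single named instance. The function names are hypothetical, and the region, account, and instance IDs in the scoped policy are placeholders.

```python
import json
import re

VNC_ACTION = "ecs:DescribeInstanceVncUrl"  # action named in the policy on this page

def _as_list(value):
    """Policy elements may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def _matches(pattern, name):
    """Treat '*' in a policy pattern as a wildcard. Ignoring case is an assumption of this check."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name, re.IGNORECASE) is not None

def vnc_grants(policy_json):
    """Resource patterns of every Allow statement whose Action covers VNC_ACTION."""
    resources = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if any(_matches(a, VNC_ACTION) for a in _as_list(stmt.get("Action", []))):
            resources.extend(_as_list(stmt.get("Resource", [])))
    return resources

def is_single_instance(resource):
    """True only for a pattern that ends in ':instance/<id>' with no wildcard in the id."""
    _, sep, instance_id = resource.rpartition(":instance/")
    return bool(sep) and bool(instance_id) and "*" not in instance_id

def unscoped_vnc_grants(policy_json):
    """Resource patterns that would let the user open VNC on more than one instance."""
    return [r for r in vnc_grants(policy_json) if not is_single_instance(r)]

# The policy shown on this page: both actions on every resource.
PAGE_POLICY = """{"Version": "1", "Statement": [{"Effect": "Allow",
  "Action": ["ecs:DescribeInstances", "ecs:DescribeInstanceVncUrl"], "Resource": "*"}]}"""

# Constructed variant: VNC limited to one instance. The region, account and
# instance IDs are placeholders, not real values.
SCOPED_POLICY = """{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "ecs:DescribeInstances", "Resource": "*"},
  {"Effect": "Allow", "Action": "ecs:DescribeInstanceVncUrl",
   "Resource": "acs:ecs:<region-id>:<account-id>:instance/<instance-id>"}]}"""

if __name__ == "__main__":
    for name, doc in (("page policy", PAGE_POLICY), ("scoped policy", SCOPED_POLICY)):
        print(name, "->", unscoped_vnc_grants(doc) or "VNC limited to named instances")
```

Wildcard actions such as ecs:Describe* are treated as covering the VNC action, so a broad read-only policy is flagged as well.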

Procedure

Important

By default, a VNC connection session lasts for approximately 300 seconds. If you do not perform operations within 300 seconds, the VNC connection to the instance is automatically closed and you must reconnect to the instance.

The following figure shows the VNC connection procedure.


Step 1: Find the ECS instance to which you want to connect

To find the ECS instance to which you want to connect in the ECS console, perform the following steps:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the Instance page, find the ECS instance to which you want to connect.

Step 2: Open the VNC connection page

To open the VNC connection page of the ECS instance to which you want to connect, perform the following steps:

  1. In the Actions column that corresponds to the instance, click Connect.


  2. In the Remote connection dialog box, click Show Other Logon Methods. Then, click Sign in now in the VNC section.


  3. The following figure shows the VNC connection page.

    Important

    If the "You do not have the permissions to perform this operation. Ask the Alibaba Cloud account to grant the permissions in the RAM console and try again later." message appears when you open the VNC connection page, check whether you have the permissions to connect to the instance by using VNC. For information about the required permissions, see the "The required permissions are granted to your RAM user" section of this topic.

    Linux instance

    In this example, an instance that runs Alibaba Cloud Linux 3 is used.


    Windows instance

    In this example, an instance that runs Windows Server 2025 is used.


Step 3: Log on to the operating system of the ECS instance

The VNC connection page displays the operating system interface of the instance. You must log on to the operating system by using the logon username and password. By default, Linux does not have a GUI.

Note

If you do not know your logon username or password, obtain the logon username or password as described in the "The logon username and password of the ECS instance are obtained" section of this topic. If you forget your password, perform the operations described in Reset the logon password of an instance.

Linux instance

  1. Enter a username, such as root or ecs-user, and press the Enter key.

  2. Enter the password that corresponds to the username and press the Enter key.

    Important

    The password characters are hidden when you enter the password to log on to the operating system of a Linux instance. Make sure that the password you enter is correct.

    If you do not know your logon password or the Login Incorrect error occurs when you connect to the instance, reset the logon password of the instance and try again. For more information, see Reset the logon password of an instance.

  3. Check whether you can log on to the operating system.

    The following figure shows that you are logged on to the operating system.


Important
  • A persistent black screen indicates that the instance is in sleep mode. Press a key to wake up the instance.

  • You can switch between up to 10 different VNC management terminals when you connect to the Linux instance. The default terminal is CTRL+ALT+F1. For example, you can choose Send Remote Commands > CTRL+ALT+F2 to switch to the second VNC management terminal.

Windows instance

  1. In the upper-left corner of the VNC connection page, choose Send Remote Commands > CTRL+ALT+DELETE to unlock the Windows operating system.

  2. Select a username, enter the password, and then press the Enter key to log on to the operating system of the instance. The default username is Administrator.


More features

Copy and paste content (Enter Copy Commands)

Important

The content that you want to copy and paste can be up to 2,000 characters in length. Special characters, such as Chinese characters, are not allowed.

You cannot directly copy and paste a long text or command from your on-premises computer to an ECS instance. To copy and paste a long text or command from your on-premises computer to an ECS instance, use the Enter Copy Commands feature by performing the following steps:

  1. Connect to the ECS instance by using VNC.

  2. Move the pointer to the location in which you want to paste content in the instance.

  3. In the upper-left corner of the VNC connection page, click Enter Copy Commands.

  4. In the Copy and Paste Commands dialog box, enter the content that you want to copy to the instance and click OK.

Send remote commands

You can send remote commands to disconnect from and connect to an ECS instance by using VNC. For a Linux instance, you can select an option from CTRL+ALT+F1 to CTRL+ALT+F10 to switch to different VNC management terminals of the instance. For a Windows instance, you can press CTRL+ALT+DELETE to unlock the Windows operating system.

  1. Connect to the ECS instance by using VNC.

  2. In the upper-left corner of the VNC connection page, click Send Remote Commands and select a command from the drop-down list.


    In this example, Windows is used.

FAQ

For information about the issues that may occur when you connect to an ECS instance by using VNC, see VNC connection issues.

References

When you use custom code to connect to an ECS instance that serves as a client, you can call the DescribeInstanceVncUrl operation to obtain the VNC logon URL that is used to connect to the instance.