All Products
Search
Document Center

Elastic GPU Service:Connect to a Windows instance by using a password or key

Last Updated:Oct 13, 2023

Workbench is a more efficient and convenient connection tool than Virtual Network Computing (VNC) and allows multiple users to connect to a single Elastic Compute Service (ECS) instance at the same time. Workbench supports the following authentication methods for logons to instances: password-based authentication, key-based authentication, and credential-based authentication.

Prerequisites

  • A service-linked role for Workbench is created. The first time you use Workbench to connect to an instance, you are prompted to create a service-linked role for Workbench. For more information, see Workbench service-linked role.

    Important

    When you use Workbench to connect to an instance as a Resource Access Management (RAM) user, make sure that the AliyunECSWorkbenchFullAccess policy is attached to grant permissions to the RAM user, Otherwise, an error message is displayed and indicates that you do not have the required permissions. For information about how to grant permissions to a RAM user, see Grant permissions to RAM users.

  • A logon password is set for or a key pair is bound to the instance to which you want to connect. For information about how to set a logon password for an instance, see Reset the logon password of an instance.

    Note

    The ECS console cannot be used to bind key pairs to Windows instances. If you want to use a key pair to log on to a Windows instance, you can enable the sshd service (such as Cygwin SSHD or WinSSHD in Windows) and configure a key pair for the instance. For more information about how to enable the sshd service in Windows, see Get started with OpenSSH for Windows.

  • The instance is in the Running state.

  • Security group rules are added to allow the IP addresses related to the Workbench service to access the instance.

    Instance that resides in a virtual private network (VPC)

    If you want to connect to a Windows instance that resides in a VPC, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters that must be configured for the rule.

    Action

    Priority

    Protocol Type

    Port Range

    Authorization Object

    Allow

    1

    Custom TCP

    • To open the default port 3389 on the Windows instance, select RDP (3389).

    • To open other ports on the Windows instance, specify a port range.

    • If you want to connect to the instance by using the auto-assigned public IP address or elastic IP address (EIP) that is associated with the instance, specify 161.117.90.22.

    • If you want to connect to the instance by using the private IP address of the instance, specify 100.104.0.0/16.

    Warning

    You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this imposes security risks. Proceed with caution.

    Instance that resides in the classic network

    • If you want to connect to a Windows instance that resides in the classic network over the Internet, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internet Ingress tab. The following table describes the parameters that must be configured for the rule.

      Action

      Priority

      Protocol Type

      Port Range

      Authorization Object

      Allow

      1

      Custom TCP

      • To open the default port 3389 on the Windows instance, select RDP (3389).

      • To open other ports on the Windows instance, specify a port range.

      If you want to connect to the instance by using the auto-assigned public IP address or EIP that is associated with the instance, specify 161.117.90.22.

      Warning

      You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this imposes security risks. Proceed with caution.

    • If you want to connect to a Windows instance that resides in the classic network over the internal network, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters that must be configured for the rule.

      Action

      Priority

      Protocol Type

      Port Range

      Authorization Object

      Allow

      1

      Custom TCP

      • To open the default port 3389 on the Windows instance, select RDP (3389).

      • To open other ports on the Windows instance, specify a port range.

      To connect to the instance that resides in the classic network by using the internal IP address of the instance, specify 161.117.90.22.

      Warning

      High security risks may arise if you specify 0.0.0.0/0 as the authorization object. We recommend that you do not specify 0.0.0.0/0.

Procedure

By default, a Workbench remote session persists for 6 hours. If you do not perform operations for 6 hours, the remote connection is closed. You must reconnect to the instance.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select a region. 地域

  4. On the Actions page, find the instance to which you want to connect, and click Remote connection in the Actions column.

  5. In the Remote connection dialog box, click Sign in now in the Workbench section.

  6. In the Instance Login dialog box, configure parameters.

    Configure the required parameters that are described in the following table.

    Parameter

    Description

    Instance

    The information about the current instance is automatically populated. You can also enter the IP address or the name of another instance.

    Connection

    • To connect to an instance that reside in a VPC, use the public or private IP address of the instance.

    • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.

    For information about different network types, see Overview and IP addresses of ECS instances in the classic network.

    Authentication

    Select an authentication method. The following authentication methods are supported:

    • Password-based: Enter a username, such as Administrator, and a password.

    • Credential-based: Select or create a credential.

      Credentials are used to store instance information such as usernames, passwords, and keys. You can use credentials to log on to instances in a secure manner without the need to enter usernames and passwords. For more information, see the Create a credential in Workbench section of this topic.

    In the lower part of the dialog box, click More Options to show the optional parameters. The following table describes the parameters.

    Parameter

    Description

    Resource Group

    By default, All is selected. You can select a resource group from the drop-down list.

    Region

    By default, All is selected. You can select a region from the drop-down list.

    Protocol

    By default, Remote Desktop (RDP) is selected.

    Note

    If you want to use SSH to connect a Windows instance, install the Cygwin SSHD or WinSSHD service on the instance. For information about how to enable the sshd service in Windows, see Get started with OpenSSH for Windows.

    Port

    When Protocol is set to Remote Desktop (RDP), this parameter is automatically set to 3389.

    If you have specified a different port as the remote desktop port, enter the port number.

    Note

    When Protocol is set to Terminal Connection (SSH), this parameter is automatically set to 22.

  7. Click OK.

If all the prerequisites are met but the instance cannot be connected, perform the following operations on the instance:

  • Check whether a remote desktop service (such as Remote Desktop Services in Windows) is enabled. If not, enable a remote desktop service.

  • Check whether the required remote desktop port is enabled. If not, enable the port. The default remote desktop port is port 3389.

  • If you log on to the Windows instance as a non-administrator user, the user must belong to the Remote Desktop Users group.

Create a credential in Workbench

This section describes how to create a credential for an instance in Workbench. After the credential is created, you can use the credential for authentication when you log on to the instance.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select a region. 地域

  4. On the Actions page, find the instance to which you want to connect, and click Remote connection in the Actions column.

  5. In the Remote connection dialog box, click Sign in now in the Workbench section.

  6. In the Instance Login dialog box, configure parameters.

  7. Create a credential.

    1. Configure the required parameters that are described in the following table.

      Parameter

      Description

      Instance

      The information of the current instance is automatically populated. You can also select another instance from the drop-down list.

      Connection

      • To connect to an instance that reside in a VPC, use the public or private IP address of the instance.

      • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.

      Authentication

      1. Select Credential-based.

      2. Select Create Credential from the Credential drop-down list.

    2. In the Add Credential dialog box, configure the parameters that are described in the following table.

      Parameter

      Description

      Credential Name

      Enter a name for the credential.

      Username

      Enter a username. Example: Administrator.

      Credential Type

      Only Password is available for Windows instances.

      Material Name

      Enter a name for the authentication material.

      Password

      Enter the logon password of the instance.

      Fingerprint

      The fingerprint is automatically generated based on the authentication material.

    3. Click OK.

  8. In the Instance Login dialog box, select the credential that you created from the Credential drop-down list and click OK.