This document describes some basic ways to connect to your Linux instances or to your Windows instances running on Compute Engine.
For advanced ways to connect to instances, such as using third-party tools, see Connecting to instances using advanced methods.
Before you begin
If you want to use the command-line examples in this document, do the following:
- Install or update to the latest version of the gcloud command-line tool.
- Set a default region and zone.
Connecting to Linux instances
Before you connect, review the following notes:
- Your VM instance allows SSH access. By default, Compute Engine creates firewall rules that allow TCP connections through port 22. You can verify that these firewall rules exist by visiting the firewall rules page in the Cloud Console and looking for firewall rules that allow tcp:22 connections.
- Optionally, as an added layer of security, you can store your host keys as guest attributes on your Linux instances. For more information, see Storing host keys by enabling guest attributes, in this document.
To connect to Linux instances through the Google Cloud Console
or the gcloud command-line tool, complete the steps in one of the following tabs.
Console
- In the Cloud Console, go to the VM instances page.
- In the list of virtual machine instances, click SSH in the row of the instance that you want to connect to.

gcloud
Use the gcloud compute ssh command to connect to instances that you have permission to access.
gcloud compute ssh --project=PROJECT_ID --zone=ZONE VM_NAME
Replace the following:
- PROJECT_ID: the ID of the project that contains the instance
- ZONE: the name of the zone in which the instance is located
- VM_NAME: the name of the instance
If you have set default properties
for the gcloud command-line tool, you can omit the --project
and --zone flags from this command. For example:
gcloud compute ssh VM_NAME
After you connect, use the terminal to run commands on your Linux instance.
When you have finished, disconnect from the instance by using the exit
command.
Where SSH keys are stored
When you connect to a VM instance for the first time, Compute Engine generates an SSH key pair for you and stores it in one of the following locations:
- By default, Compute Engine adds the generated key pair to project or instance metadata.
- If your account is configured to use OS Login, Compute Engine stores the generated key pair with your user account.
You do not need to know where your SSH key pairs are stored if you're connecting in the ways described in this document, but you might need to know where your SSH key pairs are stored if you want to connect using the advanced methods.
Storing host keys by enabling guest attributes
A host key is a key pair that identifies a particular host or machine. When you connect to a remote host, the host key is used to verify that you're connecting to the intended machine.
If you use gcloud compute ssh to connect to your Linux instances, you can add a layer of security by storing your host keys as guest attributes.
Storing SSH host keys as guest attributes improves the security of your connections by helping to protect against vulnerabilities such as man-in-the-middle (MITM) attacks. On the initial boot of a VM instance, if guest attributes are enabled, Compute Engine stores your generated host keys as guest attributes. After that, Compute Engine uses these stored host keys to verify all subsequent connections to the VM instance.
Host keys can be stored as guest attributes on the following public operating system images:
- Debian
- Ubuntu
- Red Hat Enterprise Linux (RHEL)
- CentOS
- SUSE Linux Enterprise Server (SLES)
To write host keys to guest attributes, you must enable guest attributes before you boot the VM instance for the first time. You can enable guest attributes either on select VM instances during instance creation or on your entire project.
After you enable guest attributes for a project or VM, the Guest OS agent
automatically publishes the host key as a guest attribute. If you use
gcloud compute ssh instead of a plain SSH client, then the
gcloud tool automatically reads the attributes and updates the
known_hosts file the next time you connect.
To store host keys as guest attributes, complete the following steps:
Before you boot your VM instance for the first time, enable guest attributes either on select VM instances during instance creation or on your entire project.
Connect to your instance by using gcloud compute ssh.
Ensure that you have the latest version of the gcloud command-line tool:
gcloud components update
Connect to the instance:
gcloud compute ssh --project=PROJECT_ID --zone=ZONE VM_NAME
Replace the following:
- PROJECT_ID: the ID of the project that contains the instance
- ZONE: the name of the zone in which the instance is located
- VM_NAME: the name of the instance
If you have set default properties for the gcloud command-line tool, you can omit the --project and --zone flags from this command. For example:
gcloud compute ssh VM_NAME
Review the startup message. For example, a Debian operating system might display the following message:
Writing 3 keys to YOUR_HOME_DIRECTORY/.ssh/google_compute_known_hosts
Linux host-key-2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64
To confirm that host keys are stored as guest attributes for this instance, either review the serial port for the presence of host keys (Option 1), or review the host key values to verify that SSH keys are written to guest attributes for the instance (Option 2):
Option 1: Review the serial port
- View the serial port output.
- Select serial port 1.
Search for the following message:
INFO Wrote ssh-rsa host key to guest attributes
If your image uses a supported operating system but the guest attributes setting wasn't enabled before the first VM boot, you might see the following message:
Unable to write ssh-rsa host key to guest attributes
This means that host keys aren't stored as guest attributes for this instance. If you want to store host keys for additional instances that you plan to create, enable guest attributes before the first boot of the instance.
Option 2: Review the host key values
You can use the gcloud command-line tool to verify that SSH keys are written to guest
attributes:
gcloud compute instances get-guest-attributes VM_NAME \
--query-path="hostkeys/" \
--zone=ZONE
Replace the following:
- VM_NAME: the name of the instance
- ZONE: the name of the zone in which the instance is located
The output is similar to the following:
NAMESPACE KEY VALUE
hostkeys ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBJAGpTm
V3mFxBTHK1NIu9a7kVQWaHsZVaFUsqF8cLxQRQ+N96/Djiiuz1tucHQ8vBTJI=
hostkeys ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM/WYBn3jIEW5t3BZumx0X/Htm61J6S9FcU8L
hostkeys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDU3jReR/MoSttlWYfauW6qEqS2dhe5
Zdd3guYk2H7ZyxblNuP56nOl/IMuniVmsFa9v8W6MExViu6G5Cy4iIesot09
1hsgkG0U7sbWrXM10PQ8pnpI3B5arplCiEMhRtXy64rlW3Nx156bLdcxv5l+
7Unu4IviKlY43uqqwSyTv+V8q4ThpQ9dNbk1Gg838+KzazljzHahtbIaE1rm
I0L1lUqKiKLSLKuBgrI2Y/WSuqvqGEz+bMH7Ri4ht+7sAwykph6FbOgKqoBI
hVWBo38/Na/gEuvtmgULUwK+xy9zWg9k8k/Qtihc6El9GD9y
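The check in Option 2 can be automated: the following added example (not part of the original documentation) re-joins the wrapped VALUE column of the get-guest-attributes table and compares each published host key with the key recorded in a known_hosts-style entry. The function names, the host name vm.example and the key material are constructed for illustration.

```python
import base64
import hashlib
import struct

def parse_guest_attributes(table):
    """Parse the table printed for --query-path="hostkeys/" into {key_type: blob}."""
    # Long values wrap, so a single-field line continues the preceding hostkeys row.
    keys, current = {}, None
    for line in table.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[0] == "hostkeys":
            current = fields[1]
            keys[current] = fields[2]
        elif len(fields) == 1 and current is not None:
            keys[current] += fields[0]
    return keys

def parse_known_hosts(text):
    """Return {key_type: blob} from known_hosts-style 'host key_type blob' lines."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not fields[0].startswith(("#", "@")):
            keys[fields[1]] = fields[2]
    return keys

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form OpenSSH prints it."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def compare(published, presented):
    """Classify each key the host presents against the published attributes."""
    return {t: "not published" if t not in published
            else "match" if published[t] == b else "MISMATCH"
            for t, b in presented.items()}

# Constructed sample data, not real keys: an ssh-ed25519 blob is the
# length-prefixed type name followed by a length-prefixed 32-byte key.
def _blob(key, key_type=b"ssh-ed25519"):
    raw = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(key)) + key
    return base64.b64encode(raw).decode()

GOOD, ROGUE = _blob(bytes(range(32))), _blob(bytes(32))
TABLE = "NAMESPACE KEY VALUE\nhostkeys ssh-ed25519 " + GOOD[:40] + "\n  " + GOOD[40:] + "\n"
OK_ENTRY = "vm.example ssh-ed25519 " + GOOD + "\n"    # constructed host name
BAD_ENTRY = "vm.example ssh-ed25519 " + ROGUE + "\n"  # key that was never published

if __name__ == "__main__":
    published = parse_guest_attributes(TABLE)
    for entry in (OK_ENTRY, BAD_ENTRY):
        presented = parse_known_hosts(entry)
        print(compare(published, presented), fingerprint(presented["ssh-ed25519"]))
```

A MISMATCH result means the key recorded for the host differs from the one the instance published at first boot, which is the condition that host key verification exists to catch.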
Connecting to Windows instances
Before you connect, review the following note:
- Your VM instance allows RDP access. By default, Compute Engine creates firewall rules that allow RDP access on TCP port 3389. You can verify that these firewall rules exist by visiting the firewall rules page in the Cloud Console and looking for firewall rules that allow tcp:3389 connections.
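The firewall checks in the notes for Linux (tcp:22) and Windows (tcp:3389) can also be run against exported rules. The following added example (not part of the original documentation) reports which rules admit a given client address on a port and whether each of those rules is open to any source. It assumes rules in the shape produced by gcloud compute firewall-rules list --format=json; the rule names and addresses are constructed.

```python
import ipaddress

def port_allowed(allowed, port, proto="tcp"):
    """True if an entry of a rule's `allowed` list covers proto/port."""
    for entry in allowed:
        if entry.get("IPProtocol") not in (proto, "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no ports listed means every port of that protocol
            return True
        for spec in ports:  # "3389" or a range such as "3000-4000"
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False

def rules_admitting(rules, client_ip, port):
    """List (rule name, open_to_any) for enabled ingress allow rules that
    admit client_ip on port. Priorities, deny rules and target tags are not
    evaluated, so a hit means "worth reviewing", not "reachable"."""
    client = ipaddress.ip_address(client_ip)
    hits = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if not port_allowed(rule.get("allowed", []), port):
            continue
        nets = [ipaddress.ip_network(r, strict=False) for r in rule.get("sourceRanges", [])]
        if any(client in net for net in nets):
            hits.append((rule["name"], any(net.prefixlen == 0 for net in nets)))
    return hits

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
RULES = [
    {"name": "sample-allow-ssh", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "sample-allow-rdp-office", "direction": "INGRESS", "sourceRanges": ["203.0.113.0/24"],
     "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "sample-rdp-disabled", "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
]

if __name__ == "__main__":
    for ip, port in (("198.51.100.9", 22), ("203.0.113.7", 3389), ("198.51.100.9", 3389)):
        print(ip, port, rules_admitting(RULES, ip, port))
```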
Compute Engine supports multiple ways to connect to your Windows instances.
Remote Desktop
The best way to connect to the remote desktop of a Windows instance depends on multiple factors:
- If you are connecting from anywhere over the public internet (Connecting from > Anywhere in the previous illustration), it's best to enable Identity-Aware Proxy TCP forwarding for your project. Then use IAP Desktop (on Windows) or the gcloud command-line tool in combination with a native RDP client to connect to the Windows instance. If you cannot use Identity-Aware Proxy TCP forwarding, use Chrome Remote Desktop.
- If the VM instance has a public IP address and firewall rules permit RDP access, use the Chrome RDP for Google Cloud browser plugin or any native RDP client, such as the Microsoft Remote Desktop Connection app.
- If the VM instance does not have a public IP and you are connecting by using Cloud VPN or Cloud Interconnect, you can connect to the VM's private IP address by using a native RDP client, such as the Microsoft Remote Desktop Connection app.
If you have difficulty connecting using RDP, see Troubleshooting RDP. If you can't connect to a Windows instance by using Remote Desktop, see Special Administrative Console (SAC), in this document.
To connect to the remote desktop of a Windows instance, use one of the following procedures.
IAP Desktop
IAP Desktop is a Windows application that lets you manage multiple Remote Desktop connections to Windows VM instances. IAP Desktop connects to VM instances by using Identity-Aware Proxy TCP forwarding and does not require VM instances to have a public IP address.
Before you connect by using IAP Desktop, make sure that the following prerequisites are met:
- You've configured your VPC to allow IAP traffic to your VM instance.
- You've downloaded and installed IAP Desktop on your local computer.
To connect to a VM instance by using IAP Desktop, do the following:
In IAP Desktop, select File > Add Google Cloud project.
Enter the ID or name of your project, and click OK.
In the Project Explorer window, right-click the VM instance you want to connect to and select Connect.

For more information about IAP Desktop, see the GitHub project page.
Remote Desktop Connection app
You can use the Microsoft Remote Desktop Connection app that is part of Windows to connect to Windows instances.
Before you connect using the Microsoft Remote Desktop Connection app, make sure that one of the following prerequisites is met:
- Your VM instance has a public IP address and your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
- Your local network is connected to your VPC by using Cloud VPN or Cloud Interconnect and your firewall rules allow TCP ingress traffic from your client's private IP address to the instance by using port 3389.
To connect with Microsoft Windows Remote Desktop, do the following:
Create a Windows account and password if you do not have one yet.
To connect over the internet, use the external IP address. To connect by using Cloud VPN or Cloud Interconnect, use the internal IP address.
Identify the external and internal IP addresses of your Windows instance by completing one of the following steps:
In the Google Cloud Console, go to the VM instances page.
By using the gcloud tool, run gcloud compute instances list:
gcloud compute instances list
Open Microsoft Windows Remote Desktop Connection on your Windows machine. You can find the executable at
%systemroot%\system32\mstsc.exe
In the Computer box, enter the IP address.
If you've configured your instance to use a different port number for RDP, add it after the IP address, for example: 1.2.3.4:3389.
Click Connect.
Enter your username and password, and click OK.
If you have forgotten your password, you can reset it.
Chrome Remote Desktop
Chrome Remote Desktop is a service that lets you remotely access another computer by using a web browser. Chrome Remote Desktop works on Windows, macOS, and Linux and does not require the VM instance to have a public IP address.
Before you connect by using Chrome Remote Desktop, make sure that the following prerequisites are met:
- You've created a Windows account and password on the VM instance.
- You've installed the Chrome Remote Desktop service on the VM instance.
To connect to a VM instance by using Chrome Remote Desktop, do the following:
On your local computer, go to the Chrome Remote Desktop website.
If you're not already signed in to Google, sign in with the same Google Account that you used to set up the Chrome Remote Desktop service.
Select the instance that you want to connect to.
When you're prompted, enter the PIN that you created when installing the Chrome Remote Desktop service, and click the arrow button to connect.
Chrome RDP plugin
Chrome RDP for Google Cloud is a third-party plugin that lets you connect to Windows instances by using the Chrome browser. The plugin is integrated with the Google Cloud Console. After you install the plugin, connect to any Windows Server instance by using the RDP button in the Cloud Console.
Before you connect using the Chrome RDP for Google Cloud, make sure that the following prerequisites are met:
- Your VM instance has a public IP address.
- Your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
- You've installed the Chrome RDP for Google Cloud extension.
If you are connecting to a Windows VM from Chrome OS, set the Chromebook's Display Size to 100%.
To connect using the Chrome RDP plugin, do the following:
In Cloud Console, go to the VM instances page and find the Windows instance you want to connect to.
Click the RDP button for the instance you want to connect to. The Chrome RDP extension opens.
Enter the domain, your username, and password, and click OK to connect.
If your instance does not have a domain configured, you can leave the Domain field blank.
If prompted, press Continue to accept the certificate.
Other
You can connect to your Windows VM instances by using other RDP clients, such as clients developed for Android, iOS, Mac, and others. For a list of officially supported clients, see Microsoft's Remote Desktop Clients document.
Before you connect, make sure that one of the following prerequisites is met:
- Your VM instance has a public IP address and your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
- Your local network is connected to your VPC by using VPN or Cloud Interconnect and your firewall rules allow TCP ingress traffic from your client's private IP address to the instance by using port 3389.
To connect using other RDP clients, do the following:
To connect over the internet, use the external IP address. To connect by using Cloud VPN or Cloud Interconnect, use the internal IP address.
Identify the external and internal IP addresses of your Windows instance by completing one of the following steps:
In the Google Cloud Console, go to the VM instances page.
By using the gcloud tool, run gcloud compute instances list:
gcloud compute instances list
Install the supported client according to the client's installation instructions.
Connect using the IP address of your instance, and authenticate with your username and password for the instance.
Special Administrative Console
This section describes how to use the interactive serial console to connect to the Windows Special Administrative Console (SAC) of your Windows instance. You can use the SAC to troubleshoot a Windows instance if you can't connect to it by using Remote Desktop.
Before you connect, make sure you have created a Windows instance password and have it ready.
To connect to your Windows instance using an interactive serial console, complete the steps in one of the following tabs.
Console
In the Cloud Console, go to the VM instances page.
Click the name of your instance. The VM instance details page opens.
Click Edit. Under Remote access, select Enable connecting to serial ports. This enables the interactive serial console for this instance.
For more information about updating instance metadata, see Storing and retrieving instance metadata.
If you want these settings to apply to all instances in your project, set project-wide custom metadata instead.
Click Save, then return to the top of the page.
Under Remote access, click the drop-down list next to Connect to serial console, and select Serial port 2. A SAC opens.
At the SAC> prompt, run cmd to create a new channel. The SAC returns the channel name, for example, Cmd001.
Run ch -sn CHANNEL_NAME and press any key to connect to the channel. For example:
SAC> cmd
The Command Prompt session was successfully launched.
SAC>
EVENT: A new channel has been created. Use "ch -?" for channel help.
Channel: Cmd0001
SAC> ch -sn cmd0001
Press any key to confirm connection to the channel.
Enter the username, domain, and password of the instance to connect.
gcloud
If you haven't done so already, download and install the Cloud SDK for your local operating system.
Run the following command to configure your instance to enable connecting to serial ports:
gcloud compute instances add-metadata VM_NAME \
    --zone=ZONE \
    --metadata=serial-port-enable=1
Replace the following:
- VM_NAME: the name of the VM instance
- ZONE: the zone where the VM instance is
For more information about updating instance metadata, see Updating instance metadata.
Optional: If you want the settings to apply to all instances in your project, run the following Cloud SDK command instead:
gcloud compute project-info add-metadata \
    --metadata=serial-port-enable=1
For more information about project-wide custom metadata, see Setting project-wide custom metadata.
Run the following gcloud command to enter an interactive session:
gcloud compute connect-to-serial-port VM_NAME \
    --port=2
Replace VM_NAME with the name of your instance.
At the SAC> prompt, run cmd to create a new channel. SAC returns the channel name, for example, Cmd001.
Run ch -sn CHANNEL_NAME and press any key to connect to the channel. For example:
SAC> cmd
The Command Prompt session was successfully launched.
SAC>
EVENT: A new channel has been created. Use "ch -?" for channel help.
Channel: Cmd0001
SAC> ch -sn cmd0001
Press any key to confirm connection to the channel.
To connect, enter the username, domain, and password of the instance.
What's next
- Learn how to manage access to instances.
- Learn how to connect to instances using advanced methods.
- Learn how to transfer files to instances.