Connecting to Windows VMs

Windows VMs

This document describes how to connect to your Windows virtual machine (VM) instances running on Compute Engine. For other ways to connect to Windows VMs, see Connecting to Windows VMs using PowerShell.

Before you begin

If you want to use the command-line examples in this guide:
1. Install or update to the latest version of the gcloud command-line tool.
2. Set a default region and zone.
Your VM allows RDP access. By default, Compute Engine creates firewall rules that allow RDP access on TCP port 3389. You can verify that these firewall rules exist by visiting the firewall rules page in the Cloud Console and looking for firewall rules that allow tcp:3389 connections.

Connecting to VMs

Compute Engine supports multiple ways to connect to your Windows instances.

Connecting to Windows instances.

Remote Desktop

The best way to connect to the remote desktop of a Windows instance depends on multiple factors:

If you are connecting from anywhere over the public internet (Connecting from > Anywhere in the previous illustration), it's best to enable Identity-Aware Proxy TCP forwarding for your project. Then use IAP Desktop (on Windows) or the gcloud command-line tool in combination with a native RDP client to connect to the Windows instance. If you cannot use Identity-Aware Proxy TCP forwarding, use Chrome Remote Desktop.
If the VM instance has a public IP address and firewall rules permit RDP access, use the Chrome RDP for Google Cloud browser plugin or any native RDP client, such as the Microsoft Remote Desktop Connection app.
If the VM instance does not have a public IP and you are connecting by using Cloud VPN or Cloud Interconnect, you can connect to the VM's private IP address by using a native RDP client, such as the Microsoft Remote Desktop Connection app.

If you have difficulty connecting using RDP, see Troubleshooting RDP. If you can't connect to a Windows instance by using Remote Desktop, see Special Administrative Console (SAC), in this document.

To connect to the remote desktop of a Windows instance, use one of the following procedures.

IAP Desktop

IAP Desktop is a Windows application that lets you manage multiple Remote Desktop connections to Windows VM instances. IAP Desktop connects to VM instances by using Identity-Aware Proxy TCP forwarding and does not require VM instances to have a public IP address.

Before you connect by using IAP Desktop, make sure that the following prerequisites are met:

You've configured your VPC to allow IAP traffic to your VM instance.
You've downloaded and installed IAP Desktop on your local computer.

To connect to a VM instance by using IAP Desktop, do the following:

In IAP Desktop, select File > Add Google Cloud project.
Enter the ID or name of your project, and click OK.
In the Project Explorer window, right-click the VM instance you want to connect to and select Connect.

For more information about IAP Desktop, see the GitHub project page.

Remote Desktop Connection app

You can use the Microsoft Remote Desktop Connection app that is part of Windows to connect to Windows instances.

Before you connect using the Microsoft Remote Desktop Connection app, make sure that one of the following prerequisites is met:

Your VM instance has a public IP address and your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
Your local network is connected to your VPC by using Cloud VPN or Cloud Interconnect and your firewall rules allow TCP ingress traffic from your client's private IP address to the instance by using port 3389.

To connect with Microsoft Windows Remote Desktop, do the following:

Create a Windows account and password if you do not have one yet.
To connect over the internet, use the external IP address. To connect by using Cloud VPN or Cloud Interconnect, use the internal IP address.

Identify the external and internal IP addresses of your Windows instance by completing one of the following steps:
- In the Google Cloud Console, go to the VM instances page.
  
  Go to the VM instances page
- By using the gcloud tool, run gcloud compute instances list:
```
gcloud compute instances list
```
Open Microsoft Windows Remote Desktop Connection on your Windows machine. You can find the executable at %systemroot%\system32\mstsc.exe
In the Computer box, enter the IP address.

If you've configured your instance to use a different port number for RDP, add it after the IP address, for example: 1.2.3.4:3389.
Click Connect.
Enter your username and password, and click OK.

If you have forgotten your password, you can reset it.

Chrome Remote Desktop

Chrome Remote Desktop is a service that lets you remotely access another computer by using a web browser. Chrome Remote Desktop works on Windows, macOS, and Linux and does not require the VM instance to have a public IP address.

Before you connect by using Chrome Remote Desktop, make sure that the following prerequisites are met:

You've created a Windows account and password on the VM instance.
You've installed the Chrome Remote Desktop service on the VM instance.

To connect to a VM instance by using Chrome Remote Desktop, do the following:

On your local computer, go to the Chrome Remote Desktop website.
If you're not already signed in to Google, sign in with the same Google Account that you used to set up the Chrome Remote Desktop service.
Select the instance that you want to connect to.
When you're prompted, enter the PIN that you created when installing the Chrome Remote Desktop service, and click the arrow button to connect.

Chrome RDP plugin

Chrome RDP for Google Cloud is a third-party plugin that lets you connect to Windows instances by using the Chrome browser. The plugin is integrated with the Google Cloud Console. After you install the plugin, connect to any Windows Server instance by using the RDP button in the Cloud Console .

Before you connect using the Chrome RDP for Google Cloud, make sure that the following prerequisites are met:

Your VM instance has a public IP address.
Your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
You've installed the Chrome RDP for Google Cloud extension.
If you are connecting to a Windows VM from Chrome OS, set the Chromebook's Display Size to 100%.

To connect using the Chrome RDP plugin, do the following:

In Cloud Console, go to the VM instances page and find the Windows instance you want to connect to.

Go to the VM instances page
Click the RDP button for the instance you want to connect to. The Chrome RDP extension opens.
Enter the domain, your username, and password, and click OK to connect.

If your instance does not have a domain configured, you can leave the Domain field blank.
If prompted, press Continue to accept the certificate.

Other

You can connect to your Windows VM instances by using other RDP clients, such as clients developed for Android, iOS, Mac, and others. For a list of officially supported clients, see Microsoft's Remote Desktop Clients document.

Before you connect, make sure that one of the following prerequisites is met:

Your VM instance has a public IP address and your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
Your local network is connected to your VPC by using VPN or Cloud Interconnect and your firewall rules allow TCP ingress traffic from your client's private IP address to the instance by using port 3389.

To connect using other RDP clients, do the following:

To connect over the internet, use the external IP address. To connect by using Cloud VPN or Cloud Interconnect, use the internal IP address.

Identify the external and internal IP addresses of your Windows instance by completing one of the following steps:
- In the Google Cloud Console, go to the VM instances page.
  
  Go to the VM instances page
- By using the gcloud tool, run gcloud compute instances list:
```
gcloud compute instances list
```
Install the supported client according to the client's installation instructions.
Connect using the IP address of your instance, and authenticate with your username and password for the instance.

For a list of officially supported clients, see Microsoft's Remote Desktop Clients article.

If you have difficulty connecting using RDP, see the Troubleshooting RDP page. For information about RDP licensing, see the FAQ about Microsoft licenses.

Special Administrative Console

This section describes how to use the interactive serial console to connect to the Windows Special Administrative Console (SAC) of your Windows instance. You can use the SAC to troubleshoot a Windows instance if you can't connect to it by using Remote Desktop.

Before you connect, make sure you have created a Windows instance password and have it ready.

To connect to your Windows instance using an interactive serial console, complete the steps in one of the following tabs.

Console

In the Cloud Console, go to the VM instances page.

Go to the VM instances page
Click the name of your instance. The VM instance details page opens.
Click Edit. Under Remote access, select Enable connecting to serial ports. This enables the interactive serial console for this instance.

For more information about updating instance metadata, see Storing and retrieving instance metadata.

If you want these settings to apply to all instances in your project, set project-wide custom metadata instead.
Click Save, then return to the top of the page.
Under Remote access, click the drop-down list next to Connect to serial console, and select Serial port 2. A SAC opens.
At the SAC> prompt, run cmd to create a new channel. The SAC returns the channel name, for example, Cmd001.

Run ch -sn CHANNEL_NAME and press any key to connect to the channel. For example:

SAC> cmd
The Command Prompt session was successfully launched.
SAC>
EVENT:   A new channel has been created.  Use "ch -?" for channel help.
Channel: Cmd0001
SAC> ch -sn cmd0001
Press any key to confirm connection to the channel.

Enter the username, domain, and password of the instance to connect.

Note: If the instance does not have a domain configured, don't input anything at the domain prompt. Press Enter to continue.

gcloud

If you haven't done so already, download and install the Cloud SDK for your local operating system.
Run the following command to configure your instance to enable connecting to serial ports:
```
gcloud compute instances add-metadata VM_NAME \
   --zone=ZONE \
   --metadata=serial-port-enable=1
```
Replace the following:
- VM_NAME: the name of the VM instance
- ZONE: the zone where the VM instance is
Note: You can also configure your instance's metadata by clicking the Edit button for your instance on the VM instance page.

For more information about updating instance metadata, see Updating instance metadata.

Optional: If you want the settings to apply to all instances in your project, run the following Cloud SDK command instead:
```
gcloud compute project-info add-metadata \
    --metadata=serial-port-enable=1
```
For more information about project-wide custom metadata, see Setting project-wide custom metadata.
Run the following gcloud command to enter an interactive session:
```
gcloud compute connect-to-serial-port VM_NAME \
    --port=2
```
Replace VM_NAME with the name of your instance.
At the SAC> prompt, run cmd to create a new channel. SAC returns the channel name, for example, Cmd001.

Run ch -sn CHANNEL_NAME and press any key to connect to the channel. For example:

SAC> cmd
The Command Prompt session was successfully launched.
SAC>
EVENT:   A new channel has been created.  Use "ch -?" for channel help.
Channel: Cmd0001
SAC> ch -sn cmd0001
Press any key to confirm connection to the channel.

To connect, enter the username, domain, and password of the instance.

Note: If the instance does not have a domain configured, don't input anything at the domain prompt, and press Enter to continue.

What's next

Learn how to Connect to Linux VMs using the Cloud Console and the gcloud tool.
Learn how to manage access to instances.
Learn how to connect to instances using advanced methods.
Learn how to transfer files to instances.