Connect to Windows VMs using RDP


This document describes how to connect to Windows virtual machine (VM) instances using RDP. For other ways to connect to Windows VMs, see the following guides:

Before you begin

  • Be sure the VM allows access through Remote Desktop Protocol (RDP). By default, Compute Engine creates firewall rules that allow RDP access on TCP port 3389. Verify that these firewall rules exist by visiting the firewall rules page in the Google Cloud console and looking for firewall rules that allow tcp:3389 connections.
  • If you haven't already, set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine as follows.

    Select the tab for how you plan to use the samples on this page:

    Console

    When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

    gcloud

    1. Install the Google Cloud CLI, then initialize it by running the following command:

      gcloud init
    2. Set a default region and zone.

Connect to Windows VMs by using RDP

Compute Engine supports multiple ways to connect to your Windows instances.


The best way to connect to the remote desktop of a Windows instance depends on multiple factors:

If you have difficulty connecting using RDP, see Troubleshooting RDP. If you can't connect to a Windows instance by using Remote Desktop, see Connect to Windows VMs using the SAC.

To connect to the remote desktop of a Windows instance, use one of the following procedures.

IAP Desktop

IAP Desktop is a Windows application that lets you manage multiple Remote Desktop connections to Windows VM instances. IAP Desktop connects to VM instances by using Identity-Aware Proxy TCP forwarding and does not require VM instances to have a public IP address.

Before you connect by using IAP Desktop, make sure that the following prerequisites are met:

To connect to a VM instance by using IAP Desktop, do the following:

  1. In IAP Desktop, select Profile > Add project.

  2. Enter the ID or name of your project, and click OK.

  3. In the Project Explorer window, right-click the VM instance you want to connect to and select Connect.


For more information about IAP Desktop, see the GitHub project page.

Remote Desktop Connection app

You can use the Microsoft Remote Desktop Connection app that is part of Windows to connect to Windows instances.

Before you connect using the Microsoft Remote Desktop Connection app, make sure that one of the following prerequisites is met:

  • Your VM instance has a public IP address and your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
  • Your local network is connected to your VPC by using Cloud VPN or Cloud Interconnect and your firewall rules allow TCP ingress traffic from your client's private IP address to the instance by using port 3389.
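The firewall prerequisite above can be checked offline against an export of your rules. The following is an added example, not part of the original guide: it reads JSON shaped like the output of `gcloud compute firewall-rules list --format=json` and reports which ingress rules admit a given client address on TCP 3389 and which are open to every source. The rule names and addresses are constructed, and the check ignores rule priority, deny rules, target tags and tag-based sources.

```python
import ipaddress
import json

# Constructed sample shaped like `gcloud compute firewall-rules list --format=json`.
SAMPLE_RULES = json.loads("""[
 {"name": "example-rdp-any", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
 {"name": "example-rdp-office", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["203.0.113.0/24"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["3000-4000"]}]},
 {"name": "example-web", "direction": "INGRESS", "disabled": false,
  "sourceRanges": ["0.0.0.0/0"],
  "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
 {"name": "example-disabled", "direction": "INGRESS", "disabled": true,
  "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]}
]""")


def allows_port(rule, port=3389):
    """True if an 'allowed' entry of the rule covers TCP on this port."""
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "6", "all"):
            continue
        ports = entry.get("ports")
        if not ports:  # no port list means every port of that protocol
            return True
        for spec in ports:  # "3389" or a range such as "3000-4000"
            low, _, high = spec.partition("-")
            if int(low) <= port <= int(high or low):
                return True
    return False


def rdp_exposure(rules, client_ip, port=3389):
    """Return (rules admitting client_ip, rules open to every source)."""
    client = ipaddress.ip_address(client_ip)
    admits, open_to_all = [], []
    for rule in rules:
        if rule.get("direction") != "INGRESS" or rule.get("disabled"):
            continue
        if not allows_port(rule, port):
            continue
        nets = [ipaddress.ip_network(r, strict=False)
                for r in rule.get("sourceRanges", [])]
        if any(n.version == client.version and client in n for n in nets):
            admits.append(rule["name"])
        if any(n.prefixlen == 0 for n in nets):
            open_to_all.append(rule["name"])
    return admits, open_to_all
```

A rule that appears in the second list admits far more than the single client address the prerequisite calls for, and a port range that happens to include 3389 counts as an RDP rule even when its name does not say so.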

To connect with Microsoft Windows Remote Desktop, do the following:

  1. Create a Windows account and password if you do not have one yet.

  2. To connect over the internet, use the external IP address. To connect by using Cloud VPN or Cloud Interconnect, use the internal IP address.

    Identify the external and internal IP addresses of your Windows instance by completing one of the following steps:

    • In the Google Cloud console, go to the VM instances page.


    • By using the gcloud CLI, run gcloud compute instances list:

      gcloud compute instances list
  3. Open Microsoft Windows Remote Desktop Connection on your Windows machine. You can find the executable at %systemroot%\system32\mstsc.exe


  4. In the Computer box, enter the IP address.

    If you've configured your instance to use a different port number for RDP, add it after the IP address, for example: 1.2.3.4:3389.

  5. Click Connect.

  6. Enter your username and password, and click OK.

    If you have forgotten your password, you can reset it.

Chrome Remote Desktop

Chrome Remote Desktop is a service that lets you remotely access another computer by using a web browser. Chrome Remote Desktop works on Windows, macOS, and Linux and does not require the VM instance to have a public IP address.

Before you connect by using Chrome Remote Desktop, make sure that the following prerequisites are met:

To connect to a VM instance by using Chrome Remote Desktop, do the following:

  1. On your local computer, go to the Chrome Remote Desktop website.

  2. If you're not already signed in to Google, sign in with the same Google Account that you used to set up the Chrome Remote Desktop service.

  3. Select the instance that you want to connect to.

  4. When you're prompted, enter the PIN that you created when installing the Chrome Remote Desktop service, and click the arrow button to connect.

Other

You can connect to your Windows VM instances by using other RDP clients, such as clients developed for Android, iOS, Mac, and others. For a list of officially supported clients, see Microsoft Remote Desktop clients.

Before you connect, make sure that one of the following prerequisites is met:

  • Your VM instance has a public IP address and your firewall rules allow TCP ingress traffic from your client's public IP address to the instance by using port 3389.
  • Your local network is connected to your VPC by using VPN or Cloud Interconnect and your firewall rules allow TCP ingress traffic from your client's private IP address to the instance by using port 3389.

To connect using other RDP clients, do the following:

  1. To connect over the internet, use the external IP address. To connect by using Cloud VPN or Cloud Interconnect, use the internal IP address.

    Identify the external and internal IP addresses of your Windows instance by completing one of the following steps:

    • In the Google Cloud console, go to the VM instances page.


    • By using the gcloud CLI, run gcloud compute instances list:

      gcloud compute instances list
  2. Install the supported client according to the client's installation instructions.

  3. Connect using the IP address of your instance, and authenticate with your username and password for the instance.

If you have difficulty connecting using RDP, see the Troubleshooting RDP page. For information about RDP licensing, see the FAQ about Microsoft licenses.

Verify the RDP certificate

Verify the RDP certificate by viewing the serial port output from the initial boot of the VM or by using the appropriate PowerShell command from the SAC.

Serial port

  1. Verify the RDP certificate by viewing the output from serial port 1 during the initial boot of the Windows VM.

  2. Examine the output of serial port 1 during the initial boot of the Windows VM for the following:

    Serial port 1 (console) output for rdp-test
    ...
    ...
    2021/03/31 15:53:58 GCEInstanceSetup: RDP certificate details: Subject: CN=rdp-test, Thumbprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    ...
    ...
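The serial port line above can be turned into an automated check. The following is an added example, not part of the original guide: it extracts the thumbprint logged for a given instance name and compares it with the thumbprint your RDP client displays for the certificate it was offered, failing closed when the line is missing. The sample log text and thumbprint are constructed, and the function names are this example's own.

```python
import hmac
import re

# Constructed sample in the format shown above; the thumbprint is made up.
SAMPLE_SERIAL = """\
2021/03/31 15:53:40 example: unrelated boot message
2021/03/31 15:53:58 GCEInstanceSetup: RDP certificate details: Subject: CN=rdp-test, Thumbprint: 0123456789ABCDEF0123456789ABCDEF01234567
2021/03/31 15:54:02 example: unrelated boot message
"""

CERT_LINE = re.compile(
    r"GCEInstanceSetup: RDP certificate details: "
    r"Subject: CN=(?P<cn>[^,]+), Thumbprint: (?P<thumb>[0-9A-Fa-f]{40})\b")


def normalize(thumbprint):
    """Keep upper-case hex digits only.

    Drops spaces, colons and invisible characters such as U+200E, which
    can come along when a thumbprint is copied from a certificate dialog.
    """
    return "".join(c for c in thumbprint.upper() if c in "0123456789ABCDEF")


def serial_thumbprint(serial_output, instance_name):
    """Thumbprint logged for CN=instance_name, or None if it is absent.

    If the line was logged more than once, the last occurrence wins.
    """
    found = None
    for match in CERT_LINE.finditer(serial_output):
        if match.group("cn").strip().lower() == instance_name.lower():
            found = normalize(match.group("thumb"))
    return found


def certificate_matches(serial_output, instance_name, client_thumbprint):
    """True only if the client-side thumbprint equals the logged one."""
    expected = serial_thumbprint(serial_output, instance_name)
    presented = normalize(client_thumbprint)
    if expected is None or len(presented) != 40:
        return False  # fail closed: nothing trustworthy to compare against
    return hmac.compare_digest(expected, presented)
```

Feed it the text returned by `gcloud compute instances get-serial-port-output` for the instance. A mismatch means the certificate presented to the client is not the one the VM generated at first boot.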
    

PowerShell from the SAC

  1. Connect to the Windows SAC.

  2. Run the following PowerShell commands:

    # WinRM Cert
    Write-Host 'WinRM certificate details:'; Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" -and $_.NotAfter -gt $(Get-Date) -and $_.HasPrivateKey} |  Select-Object Subject, Thumbprint | Format-List
    # RDP Cert
    Write-Host 'RDP certificate details:'; Get-ChildItem 'Cert:\LocalMachine\Remote Desktop\' | Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" -and $_.NotAfter -gt $(Get-Date) -and $_.HasPrivateKey} |  Select-Object Subject, Thumbprint | Format-List
    
