This topic describes how to configure a VPN on an Elastic Compute Service (ECS) instance that runs Windows Server.
Prerequisites
An ECS instance is created and runs Windows Server 2025, Windows Server 2022, Windows Server 2019, or Windows Server 2016.
In this example, a VPN is built on an ECS instance that runs Windows Server 2022. For information about how to create an ECS instance, see Create an instance on the Custom Launch tab.
Configure the VPN server
Step 1: Install the VPN server role
Connect to the ECS instance. For more information, see Connect to a Windows ECS instance by using RDP.
Search for Server Manager in the taskbar search box.
Open Server Manager. In the menu bar, choose Manage > Add roles and features.
NoteSpecific steps are not described in this section. When you perform the steps that are not described in this section, use the default settings and click Next.
Select the installation type.
Select a server on which you want to install the server roles and features.
In the Select server roles step, click Server Roles in the left-side pane and then select Remote Access in the Roles section.
In the Select role services step, choose Remote Access > Role Services in the left-side pane, and then select DirectAccess and VPN (RAS) and Routing in the Role services section.
Confirm and install the VPN server role and role services that you selected.
Step 2: Configure VPN
In the menu bar of the Server Manager window, choose to open the Routing and Remote Access dialog box.
In the Routing and Remote Access dialog box, right-click the instance to which you want to establish a VPN connection and select Configure and Enable Routing and Remote Access from the shortcut menu.
Install the services by following the steps in the Routing and Remote Access Server Setup Wizard.
NoteSpecific steps are not described in this section. When you perform the steps that are not described in this section, use the default settings and click Next.
Select Custom configuration.
In the Custom Configuration dialog box, select the services that you want to enable.
Click Finish and Start service.
Assign IP addresses to the client.
Right-click the instance, choose , click Add, and then enter the start and end IP addresses.
Add a NAT forwarding rule.
In the Routing and Remote Access dialog box, choose in the left-side navigation pane, right-click NAT, and then select New Interface from the shortcut menu.
Add an Ethernet interface.
In the Properties dialog box, select Public interface connected to the Internet and Enable NAT on this interface.
Step 3: Configure a VPN user
In the taskbar search box, search for Computer Management and open the Computer Management dialog box.
In the Computer Management dialog box, select Local Users and Groups, right-click Users, and then select New User from the shortcut menu.
In the New User dialog box, enter the username and password, select User cannot change password and Password never expires, and then click Create.
After the new user is created, right-click the username and select Properties from the shortcut menu.
On the Properties page, click the Dial-In tab, and then select Allow access in the Network Access Permission section.
Connect to the VPN server
After the VPN server is built, you can connect to the VPN server from the client.
Click the Start icon in the lower-left corner of the desktop and choose to add a VPN connection.
In the Add a VPN connection dialog box, enter the connection name, server name or address, user name, and password parameters. Set the Server name or address parameter to the private IP address of the VPN server and the User name (optional) parameter to the username created in the preceding step.
Select the VPN connection that you created and click Connect.
References
If the client needs to access the Internet over a VPN, you must enable the public bandwidth for the ECS instance connected to the VPN server. For more information, see Enable public bandwidth for an ECS instance.