Workbench allows multiple users to connect to a single Elastic Compute Service (ECS) instance at the same time and provides a GUI for users to manage files in Linux instances. Workbench is more efficient and convenient than Virtual Network Console (VNC).

Prerequisites

  • A logon password is set for or a key pair is bound to the Linux instance to which you want to connect.
  • The instance is in the Running state.
  • Security group rules are added to allow the IP addresses related to the Workbench service to access the instance. For more information about the security group rules, see the Add security group rules to allow Workbench access to a Linux instance section.

Background information

By default, a Workbench remote session persists for 6 hours. If you do not perform operations for 6 hours, the remote connection is closed. You must reconnect to the instance.

Workbench can be used to connect to ECS instances over one of the following protocols:
  • SSH: By default, Linux instances are connected by using SSH. SSH can also be used to connect to Windows instances on which a GNU-like system such as Cygwin is installed. For information about how to connect to a Linux instance over SSH, see the Connect to a Linux instance over SSH section.
  • Remote Desktop Protocol (RDP): By default, Windows instances are connected by using RDP. RDP can also be used to connect to Linux instances on which remote desktop services are enabled. For information about how to connect to a Linux instance over RDP, see the Connect to a Linux instance over RDP section.
    Note If you want to connect to an instance over RDP, make sure that the public bandwidth is at least 5 Mbit/s. If the public bandwidth is less than 5 Mbit/s, the remote desktop freezes.

You can use the GUI provided by Workbench to manage files in your Linux instances in a visual manner. For more information, see Use Workbench to manage files in a Linux instance.

Connect to a Linux instance over SSH

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.
  5. In the Connection and Command dialog box, click Connect in the Workbench Connection section.
  6. In the Instance Login dialog box, specify parameters.
    The following table describes the required parameters in the dialog box.
    Parameter Description
    Instance The information of the current instance is automatically populated. You can also manually enter the IP address or name of another instance.
    Connection
    • To connect to instances that are located in VPCs, you can use their public or private IP addresses.
    • To connect to instances that are located in the classic network, you can use their public or internal IP addresses.
    Username, Password, and Private Key Enter a username such as root and select an authentication method. The following authentication methods are supported:
    • Password-based: Enter the password of your specified username.
    • Certificate-based: Enter or upload a certificate. If the certificate is encrypted, enter its key passphrase.
    In the lower part of the dialog box, click More Options to show the optional parameters described in the following table.
    Parameter Description
    Resource Group By default, All is selected. You can manually select a resource group from the drop-down list.
    Region By default, All is selected. You can manually select a region from the drop-down list.
    Protocol By default, Terminal Connection (SSH) is selected.
    Port When Protocol is set to Terminal Connection (SSH), this parameter is automatically set to 22.
    Language Select your preferred language. The selected language affects the outputs of the instance. We recommend that you select Default for Workbench to detect the language settings of the instance and to make configurations accordingly.
    Character Set Select your preferred character set. The selected character set affects the outputs of the instance. We recommend that you select Default for Workbench to detect the character set settings of the instance and to make configurations accordingly.
  7. Click OK.
If all of the requirements specified in the prerequisites are met but the instance cannot be connected, perform the following checks on the instance:
  • Check whether the sshd service (such as sshd in Linux) is enabled. If not, enable the sshd service.
  • Check whether the required terminal connection port (typically port 22) is enabled. If not, enable the port.
  • If you log on to the Linux instance as the root user, make sure that PermitRootLogin yes is configured in the /etc/ssh/sshd_config file. For more information, see the Enable root logon over SSH on a Linux instance section.

Connect to a Linux instance over RDP

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.
  5. In the Connection and Command dialog box, click Connect in the Workbench Connection section.
  6. In the Instance Login dialog box, specify parameters.
    1. In the lower part of the dialog box, click More Options.
    2. Set Protocol to Remote Desktop (RDP).
    3. In the message that appears, click OK.
    4. Specify the parameters described in the following table.
      Parameter Description
      Resource Group By default, All is selected. You can manually select a resource group from the drop-down list.
      Region By default, All is selected. You can manually select a region from the drop-down list.
      Instance The information of the current instance is automatically populated. You can also manually enter the IP address or name of another instance.
      Connection
      • To connect to instances that are located in VPCs, you can use their public or private IP addresses.
      • To connect to instances that are located in the classic network, you can use their public or internal IP addresses.
      Port When Protocol is set to Remote Desktop (RDP), this parameter is automatically set to 3389.
      Username and Password Enter a username, such as Administrator, and its password.
  7. Click OK.
If all of the requirements specified in the prerequisites are met but the instance cannot be connected, perform the following checks on the instance:
  • Check whether a remote desktop service (such as xfreerdp installed on Linux) is enabled. If not, enable a remote desktop service.
  • Check whether the required remote desktop port (typically port 3389) is enabled. If not, enable the port.
  • If you log on to the Linux instance as the root user, make sure that PermitRootLogin yes is configured in the /etc/ssh/sshd_config file. For more information, see the Enable root logon over SSH on a Linux instance section.

Enable root logon over SSH on a Linux instance

In some Linux systems, sshd disables root logon by default. If this occurs, when you attempt to connect to an instance as the root user over SSH, you are prompted that your username or password is incorrect. To enable root logon over SSH, perform the following operations.

  1. Connect to a Linux instance by using a password with VNC
  2. Open the SSH configuration file. 
    vi /etc/ssh/sshd_config
  3. Change PermitRootLogin no to PermitRootLogin yes.
  4. Press the Esc key and enter :wq to save the change.
  5. Restart sshd. 
    service sshd restart

Add security group rules to allow Workbench access to a Linux instance

This section describes how to add rules to security groups of different network types in the ECS console to allow Workbench access to a Linux instance.
  • If you want to connect to a Linux instance in a VPC, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters to be configured for the rule.
    NIC Type Rule Direction Action Protocol Type Port Range Priority Authorization Type Authorization Object
    N/A Inbound Allow
    • If port 22 is enabled by default on the Linux instance, select SSH (22).
    • If you have manually enabled other ports on the Linux instance, select Custom TCP.
    • If port 22 is enabled by default on the Linux instance, 22/22 is automatically entered after you select the protocol type.
    • If you have manually enabled other ports on the Linux instance, enter a corresponding port range.
    		1 IPv4 CIDR Block
    • If you want to connect to the instance by using its public IP address, specify 47.96.60.0/24 and 118.31.243.0/24. The public IP address can be the public IP address that is automatically assigned to the instance or an elastic IP address (EIP) that is associated with the instance.
    • If you want to connect to the instance by using its private IP address, specify 100.104.0.0/16.
    Note You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this imposes security risks. Proceed with caution.
  • If you want to connect to a Linux instance in the classic network over the Internet, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internet Ingress tab. The following table describes the parameters to be configured for the rule.
    NIC Type Rule Direction Action Protocol Type Port Range Priority Authorization Type Authorization Object
    Public Inbound Allow
    • If port 22 is enabled by default on the Linux instance, select SSH (22).
    • If you have manually enabled other ports on the Linux instance, select Custom TCP.
    • If port 22 is enabled by default on the Linux instance, 22/22 is automatically entered after you select the protocol type.
    • If you have manually enabled other ports on the Linux instance, enter a corresponding port range.
    		1 IPv4 CIDR Block If you want to connect to the instance by using its public IP address, specify 47.96.60.0/24 and 118.31.243.0/24. The public IP address can be the public IP address that is automatically assigned to the instance or an EIP that is associated with the instance.
    Note You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this imposes security risks. Proceed with caution.
  • If you want to connect to a Linux instance in the classic network over the internal network, security group of the instance, go to the Security Group Rules page, and then add a rule on the Internal Network Ingress tab. The following table describes the parameters to be configured for the rule.
    NIC Type Rule Direction Action Protocol Type Port Range Priority Authorization Type Authorization Object
    N/A Inbound Allow
    • If port 22 is enabled by default on the Linux instance, select SSH (22).
    • If you have manually enabled other ports on the Linux instance, select Custom TCP.
    • If port 22 is enabled by default on the Linux instance, 22/22 is automatically entered after you select the protocol type.
    • If you have manually enabled other ports on the Linux instance, enter a corresponding port range.
    		1 IPv4 CIDR Block If you want to connect to the instance by using its internal IP address, specify 11.195.184.0/24 and 11.246.55.0/24.
    Notice High security risks may arise if you specify 0.0.0.0/0 as the authorization object. We recommend that you do not specify 0.0.0.0/0.