Workbench allows multiple users to connect to a single Elastic Compute Service (ECS) instance at the same time. Workbench is more efficient and convenient than Virtual Network Console (VNC).
Prerequisites
- A logon password or a key is configured for the Windows instance to which you want
to connect.
Note The ECS console cannot be used to bind key pairs to Windows instances. If you want to use a key to log on to a Windows instance, you can enable the sshd service (such as Cygwin SSHD or WinSSHD in Windows) and configure a key on the instance. For more information about how to enable the sshd service in Windows, see Get started with OpenSSH.
- The instance is in the Running state.
- Security group rules are added to allow the IP addresses related to the Workbench service to access the instance. For more information, see Add security group rules to allow Workbench access to a Windows instance.
Background information
By default, a Workbench remote session persists for 6 hours. If you do not perform operations for 6 hours, the remote connection is closed. You must reconnect to the instance.
Workbench can be used to connect to ECS instances over one of the following protocols:
- Remote Desktop Protocol (RDP): By default, Windows instances are connected by using
RDP. RDP can also be used to connect to Linux instances on which remote desktop services
are enabled. For information about how to connect to a Windows instance over RDP,
see the Connect to a Windows instance over RDP section.
Note If you want to connect to an instance over RDP, make sure that the public bandwidth is at least 5 Mbit/s. If the public bandwidth is less than 5 Mbit/s, the remote desktop freezes.
- SSH: By default, Linux instances are connected by using SSH. SSH can also be used to connect to Windows instances on which a GNU-like system such as Cygwin is installed. For information about how to connect to a Windows instance over RDP, see the Connect to a Windows instance over SSH section.
Connect to a Windows instance over RDP
If all of the requirements specified in the prerequisites are met but the instance
cannot be connected, perform the following checks on the instance:
- Check whether a remote desktop service (such as Remote Desktop Services in Windows) is enabled. If not, enable a remote desktop service.
- Check whether the required remote desktop port (typically port 3389) is enabled. If not, enable the port.
- If you log on to the Windows instance as a non-administrator user, the user must belong to the Remote Desktop Users group.
Connect to a Windows instance over SSH
- Log on to the ECS console.
- In the left-side navigation pane, choose .
- In the top navigation bar, select a region.
- On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.
- In the Connection and Command dialog box, click Connect in the Workbench Connection section.
- In the Instance Login dialog box, specify parameters.
- Click OK.
If all of the requirements specified in the prerequisites are met but the instance
cannot be connected, perform the following checks on the instance:
- Check whether the sshd service (such as Cygwin SSHD or WinSSHD in Windows) is enabled. If not, enable the sshd service.
- Check whether the required terminal connection port (typically port 22) is enabled. If not, enable the port.
- If you log on to the Windows instance as a non-administrator user, the user must belong to the Remote Desktop Users group.
Add security group rules to allow Workbench access to a Windows instance
This section describes how to add rules to security groups of different network types
in the ECS console to allow Workbench access to a Windows instance.
- If you want to connect to a Windows instance in a VPC, find a security group of the
instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters to be configured for the rule.
NIC Type Rule Direction Action Protocol Type Port Range Priority Authorization Type Authorization Object N/A Inbound Allow - If port 3389 is enabled by default on the Windows instance, select RDP (3389).
- If you have manually enabled other ports on the Windows instance, select Custom TCP.
- If port 3389 is enabled by default on the Windows instance, 3389/3389 is automatically entered after you select the protocol type.
- If you have manually enabled other ports on the Windows instance, enter a corresponding port range.
1 IPv4 CIDR Block - If you want to connect to the instance by using its public IP address, specify 161.117.90.22. The public IP address can be the public IP address that is automatically assigned to the instance or an elastic IP address (EIP) that is associated with the instance.
- If you want to connect to the instance by using its private IP address, specify 100.104.0.0/16.
Note You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this imposes security risks. Proceed with caution. - If you want to connect to a Windows instance in the classic network over the Internet,
find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internet Ingress tab. The following table describes the parameters to be configured for the rule.
NIC Type Rule Direction Action Protocol Type Port Range Priority Authorization Type Authorization Object Public Inbound Allow - If port 3389 is enabled by default on the Windows instance, select RDP (3389).
- If you have manually enabled other ports on the Windows instance, select Custom TCP.
- If port 3389 is enabled by default on the Windows instance, 3389/3389 is automatically entered after you select the protocol type.
- If you have manually enabled other ports on the Windows instance, enter a corresponding port range.
1 IPv4 CIDR Block If you want to connect to the instance by using its public IP address, specify 161.117.90.22. The public IP address can be the public IP address that is automatically assigned to the instance or an EIP that is associated with the instance. Note You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this imposes security risks. Proceed with caution. - If you want to connect to a Windows instance in the classic network over the internal
network, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internal Network Ingress tab. The following table describes the parameters to be configured for the rule.
NIC Type Rule Direction Action Protocol Type Port Range Priority Authorization Type Authorization Object N/A Inbound Allow - If port 3389 is enabled by default on the Windows instance, select RDP (3389).
- If you have manually enabled other ports on the Windows instance, select Custom TCP.
- If port 3389 is enabled by default on the Windows instance, 3389/3389 is automatically entered after you select the protocol type.
- If you have manually enabled other ports on the Windows instance, enter a corresponding port range.
1 IPv4 CIDR Block If you want to connect to the instance by using its internal IP address, specify 161.117.90.22. Notice High security risks may arise if you specify 0.0.0.0/0 as the authorization object. We recommend that you do not specify 0.0.0.0/0.