Workbench allows multiple users to connect to the same Elastic Compute Service (ECS) instance at the same time. You can use Workbench to connect to instances with passwords, keys, or credentials. Workbench is more efficient and convenient than Virtual Network Computing (VNC).

Prerequisites

  • A logon password or a key is configured for the Windows instance to which you want to connect.
    Note: The ECS console cannot be used to bind key pairs to Windows instances. If you want to use a key to log on to a Windows instance, you can enable the sshd service (such as Cygwin SSHD or WinSSHD in Windows) and configure a key on the instance. For more information about how to enable the sshd service in Windows, see Get started with OpenSSH.
  • The instance is in the Running state.
  • Security group rules are added to allow the IP addresses related to the Workbench service to access the instance. For more information, see Add security group rules to allow Workbench access to a Windows instance.

Background information

  • By default, a Workbench remote connection persists for 6 hours. If you do not perform operations for 6 hours, the remote connection is closed. You must reconnect to the instance.
  • Workbench can be used to connect to Windows instances over Remote Desktop Protocol (RDP). For more information, see Connect to a Windows instance over RDP.

Connect to a Windows instance over RDP

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.
  5. In the Remote connection dialog box, click Sign in now in the Workbench section.
  6. In the Instance Login dialog box, configure parameters.
    The following table describes the required parameters.
    Parameter: Description
    Instance: The information about the current instance is automatically populated. You can also enter the IP address or the name of another instance.
    Connection:
    • To connect to an instance that resides in a virtual private cloud (VPC), use the public or private IP address of the instance.
    • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.
    Authentication: Select an authentication method. The following authentication methods are supported:
    • Password-based: Enter a username, such as Administrator, and a password.
    • Credential-based: Select an existing credential or create a credential.

      Credentials are used to store instance information such as usernames, passwords, and keys. You can use credentials to log on to instances in a secure manner without the need to enter usernames and passwords. For more information about credentials, see the Create a credential in Workbench section of this topic.

    In the lower part of the dialog box, click More Options to show the optional parameters. The following table describes the parameters.
    Parameter: Description
    Resource Group: By default, All is selected. You can select a resource group from the drop-down list.
    Region: By default, All is selected. You can select a region from the drop-down list.
    Protocol: By default, Remote Desktop (RDP) is selected.
    Port: When Protocol is set to Remote Desktop (RDP), this parameter is automatically set to 3389.
  7. Click OK.
If all of the requirements specified in the prerequisites are met but the instance cannot be connected, perform the following checks on the instance:
  • Check whether a remote desktop service (such as Remote Desktop Services in Windows) is enabled. If not, enable a remote desktop service.
  • Check whether the required remote desktop port (typically port 3389) is enabled. If not, enable the port.
  • If you log on to the Windows instance as a non-administrator user, the user must belong to the Remote Desktop Users group.
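
The three checks above can be run in one pass from an elevated PowerShell session on the instance. This is an added example, not part of the original documentation; `$UserName` and its default value are placeholders, and the Windows Firewall check is one additional reading of "the port is enabled".

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session
# on the Windows instance. $UserName is a placeholder for the account you log on with.
param([string]$UserName = 'example-user')

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# Check 1: Remote Desktop Services is running and RDP connections are not denied.
$service = Get-Service -Name TermService
$denied  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections

# Check 2: the configured RDP port (3389 unless it was changed) has a listener and
# is covered by an enabled inbound allow rule in Windows Firewall.
$port     = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$listener = Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue
$fwRules  = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq $port } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

# Check 3: a non-administrator account must be in the Remote Desktop Users group.
# The well-known SID S-1-5-32-555 is used because the group name is localized.
$member = Get-LocalGroupMember -SID 'S-1-5-32-555' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like "*\$UserName" }

# One row summarizing every check; any False value points at the item to fix.
[pscustomobject]@{
    ServiceRunning        = $service.Status -eq 'Running'
    RdpConnectionsAllowed = $denied -eq 0
    RdpPort               = $port
    PortListening         = [bool]$listener
    FirewallAllowsPort    = [bool]$fwRules
    InRemoteDesktopUsers  = [bool]$member
}
```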

Create a credential in Workbench

Perform the following operations to create a credential for an instance in Workbench. Then, you can use the credential to log on to the instance.

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Instances & Images > Instances.
  3. In the top navigation bar, select a region.
  4. On the Instances page, find the instance to which you want to connect, and click Connect in the Actions column.
  5. In the Connection and Command dialog box, click Connect in the Workbench Connection (Default) section.
  6. In the Instance Login dialog box, specify parameters to log on to the instance.
    • If no credentials are present for the instance in Workbench, perform the following steps:
      1. Specify the parameters described in the following table.
        Parameter: Description
        Instance: The information of the current instance is automatically populated. You can also select another instance from the drop-down list.
        Connection:
        • To connect to an instance that resides in a VPC, use the public or private IP address of the instance.
        • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.
        Authentication:
        1. Select Credential-based.
        2. Select Create Credential from the Credential drop-down list.
      2. In the Add Credential dialog box, specify parameters described in the following table.
        Parameter: Description
        Credential Name: Enter a name for the credential.
        Username: Enter a username, such as root or ecs-user.
        Credential Type: Select a credential type. Valid values:
        • Password: If you select this value, you must continue to enter a password for the authentication material.
        • PrivateKey: If you select this value, you must continue to enter or upload a private key certificate. If the certificate is encrypted, enter the key passphrase of the certificate.
        Material Name: Enter a name for the authentication material.
        Password: Enter a password to use for authentication.
        Fingerprint: Fingerprint is automatically generated based on the password or key of the authentication material.
      3. Optional: You can click Add Material to add more authentication materials. At least one authentication material must be retained for each credential.
      4. Click OK.
      5. In the Instance Login dialog box, select the credential that you created from the Credential drop-down list and click OK.
    • If credentials are present for the instance in Workbench, perform the following steps:
      1. Specify the parameters described in the following table.
        Parameter: Description
        Instance: The information of the current instance is automatically populated. You can also select another instance from the drop-down list.
        Connection:
        • To connect to an instance that resides in a VPC, use the public or private IP address of the instance.
        • To connect to an instance that resides in the classic network, use the public or internal IP address of the instance.
        Authentication: Select an existing credential.

        You can modify or delete credentials based on your needs.

      2. Click OK.

Add security group rules to allow Workbench access to a Windows instance

This section describes how to add rules to security groups of different network types in the ECS console to allow Workbench access to a Windows instance.
  • If you want to connect to a Windows instance that resides in a VPC, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Inbound tab. The following table describes the parameters that you must configure for the rule.
    Network interface controller (NIC) type: N/A
    Rule direction: Inbound
    Action: Allow
    Protocol type:
    • If the default port 3389 is enabled on the Windows instance, select RDP (3389).
    • If you have manually enabled other ports on the Windows instance, select Custom TCP.
    Port:
    • If the default port 3389 is enabled on the Windows instance, 3389/3389 is automatically entered after you select the protocol type.
    • If you have manually enabled other ports on the Windows instance, enter a port range.
    Priority: 1
    Authorization type: IPv4 CIDR Block
    Authorized object:
    • If you want to connect to the instance by using its public IP address, specify 161.117.90.22. The public IP address can be the public IP address that is automatically assigned to the instance or an elastic IP address (EIP) that is associated with the instance.
    • If you want to connect to the instance by using its private IP address, specify 100.104.0.0/16.
    Warning: You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this imposes security risks. Proceed with caution.
  • If you want to connect to a Windows instance located in the classic network over the Internet, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internet Ingress tab. The following table describes the parameters that you must configure for the rule.
    NIC type: Public
    Rule direction: Inbound
    Action: Allow
    Protocol type:
    • If the default port 3389 is enabled on the Windows instance, select RDP (3389).
    • If you have manually enabled other ports on the Windows instance, select Custom TCP.
    Port:
    • If the default port 3389 is enabled on the Windows instance, 3389/3389 is automatically entered after you select the protocol type.
    • If you have manually enabled other ports on the Windows instance, enter a port range.
    Priority: 1
    Authorization type: IPv4 CIDR Block
    Authorized object: If you want to connect to the instance by using its public IP address, specify 161.117.90.22. The public IP address can be the public IP address that is automatically assigned to the instance or an EIP that is associated with the instance.
    Warning: You can also specify 0.0.0.0/0 as the authorization object to allow inbound access from all IP addresses. However, this imposes security risks. Proceed with caution.
  • If you want to connect to a Windows instance located in the classic network over the internal network, find a security group of the instance, go to the Security Group Rules page, and then add a rule on the Internal Network Ingress tab. The following table describes the parameters that you must configure for the rule.
    NIC type: N/A
    Rule direction: Inbound
    Action: Allow
    Protocol type:
    • If the default port 3389 is enabled on the Windows instance, select RDP (3389).
    • If you have manually enabled other ports on the Windows instance, select Custom TCP.
    Port:
    • If the default port 3389 is enabled on the Windows instance, 3389/3389 is automatically entered after you select the protocol type.
    • If you have manually enabled other ports on the Windows instance, enter a port range.
    Priority: 1
    Authorization type: IPv4 CIDR Block
    Authorized object: If you want to connect to the instance by using its internal IP address, specify 161.117.90.22.
    Warning: High security risks may arise if you specify 0.0.0.0/0 as the authorization object. We recommend that you do not specify 0.0.0.0/0.
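
The rule guidance in this section, including the 0.0.0.0/0 warnings, can be applied as a review of an existing rule list. The following is an added example, not Alibaba Cloud code: the rules are constructed sample data, the property names mirror the rule parameters above rather than any API schema, and `Get-RdpRuleFinding` is a hypothetical helper.

```powershell
# Added example: the rules below are constructed sample data. Property names mirror
# the rule parameters listed in this section; they are not an API schema.
$WorkbenchSources = @('161.117.90.22', '100.104.0.0/16')   # addresses given on this page

function Get-RdpRuleFinding {
    param(
        [Parameter(Mandatory)] $Rule,
        [int] $RdpPort = 3389        # change if RDP was moved to a custom port
    )
    # Port ranges use the console's low/high form, for example 3389/3389.
    $low, $high = $Rule.PortRange -split '/' | ForEach-Object { [int]$_ }
    $coversRdp = $Rule.Direction -eq 'Inbound' -and $Rule.Action -eq 'Allow' -and
                 $low -le $RdpPort -and $RdpPort -le $high
    if (-not $coversRdp) { return 'not-rdp' }

    # Treat a bare address and its /32 form as the same source.
    $source = $Rule.AuthorizedObject -replace '/32$', ''
    if ($source -eq '0.0.0.0/0')             { return 'open-to-all' }
    if ($WorkbenchSources -contains $source) { return 'workbench-only' }
    return 'other-source'
}

# Constructed rules: two that follow the tables, one wide-open, one unrelated port.
$sampleRules = @(
    [pscustomobject]@{ Direction = 'Inbound'; Action = 'Allow'; PortRange = '3389/3389'; AuthorizedObject = '161.117.90.22' }
    [pscustomobject]@{ Direction = 'Inbound'; Action = 'Allow'; PortRange = '3389/3389'; AuthorizedObject = '100.104.0.0/16' }
    [pscustomobject]@{ Direction = 'Inbound'; Action = 'Allow'; PortRange = '1/65535';   AuthorizedObject = '0.0.0.0/0' }
    [pscustomobject]@{ Direction = 'Inbound'; Action = 'Allow'; PortRange = '443/443';   AuthorizedObject = '0.0.0.0/0' }
)

# Report each rule with its finding; 'open-to-all' is the case the warnings describe.
$sampleRules | Select-Object PortRange, AuthorizedObject,
    @{ Name = 'Finding'; Expression = { Get-RdpRuleFinding -Rule $_ } }
```

A rule reported as `other-source` is not necessarily wrong, since other approved sources may also need RDP access, but it is worth confirming who owns that address range.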