14 Accessing a Windows Instance Using RDP

Remote desktop protocol (RDP) allows you to securely access your Windows instance from a remote host. To access a Windows instance from a Windows host, you can use the default RDP client, Remote Desktop Connection.

Note:

This procedure assumes that your local host runs a Windows operating system and that you’re using the Remote Desktop Connection client to access your Windows instance. If your local host has another operating system, use an appropriate RDP client to access your Windows instance.

Accessing a Windows Instance on IP Network Using RDP

RDP access to your Windows instance on an IP network is not enabled by default. Before accessing your Windows instance using RDP, you must create the following networking components: an ACL; a vNICset that contains your instance’s vNIC and has the created ACL applied to it; and ingress and egress security rules for the IP network to enable RDP access. You don’t need to perform this task if you created your Windows instance using QuickStarts. When you use QuickStarts to create your Windows instance, it also creates all the networking objects that are required to access the instance over remote desktop protocol (RDP). You’ll need to set up the required security rules and ACLs if you created the Windows instance by using orchestrations or by using the Create Instance wizard.

Prerequisites

  • Ensure that you’ve created your Windows instance with the following configuration:

    • Has one interface on an IP network and is added to a vNICset. This interface should be specified as the default gateway for the instance.

    • Has one IP address from the /oracle/public/public-ippool IP address pool.

    • Doesn’t have an interface on the shared network.

    • Has the required userdata attributes. See Creating an Instance from the Instances Page for information about the required attributes. See Retrieving Instance Metadata to find out how to view the metadata associated with your instance. If you’re using an orchestration to manage your instance, you can view the orchestration to check the specified attributes. See Monitoring Orchestrations v1.

  • The instance is in the running state.

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand IP Network, and then click Access Control Lists.
  4. Click Create Access Control List.
  5. Select or enter the required information, and then click Create.
    • Name: Enter a name for the ACL.
    • Status: Select Enabled to enable the ACL.
    • Description: Enter a meaningful description for the ACL.
    • Tags: Enter one or more tags to help you identify the ACL.
  6. In the Network drop-down list, expand IP Network, and then click Virtual NIC Sets.
  7. Click Create vNICset to create a vNICset which contains the instance vNIC and to apply the ACL that you have created to this vNICset.
  8. In the Create vNICset dialog box, select or enter the following, and then click Create.
    • Name: Enter a name for the vNICset.
    • vNICs: Select the vNIC of the instance that you want to access using RDP.
    • Applied Access Control Lists: Select the access control list that you have created. The selected ACL is applied to this vNICset. When you apply an ACL to a vNICset, all the security rules in that ACL are applied to traffic to or from each of the vNICs in the vNICset.
    • Description: Enter a meaningful description for the vNICset.
    • Tags: Enter a list of the tags that you want to associate with this vNICset.
  9. In the Network drop-down list, expand IP Network, and then click Security Rules.
  10. Click Create Security Rule to create an ingress security rule for IP network.
  11. Select or enter the required information:
    • Name: Enter a name for the security rule.
    • Status: Security rules are enabled by default.
    • Type: Select Ingress as the direction of flow of traffic for this security rule.
    • Access Control List: Select the access control list that you have created. This security rule is added to the specified access control list. Security rules are applied to vNICsets by using ACLs.
    • Security Protocols: Select rdp as the security protocol for which you want to permit traffic. Only packets that match the specified protocols and ports are permitted. When no security protocols are specified, traffic using any protocol over any port is permitted.
    • Destination vNICset: Select the vNICset that you have created to permit traffic to this vNICset. Only packets to vNICs in the specified vNICset are permitted. When no destination vNICset is specified, traffic to any vNIC is permitted.
    You must provide values for the specified fields while creating the security rule. It is optional to provide values for other fields that appear in the Create Security Rule dialog box.
  12. Click Create Security Rule to create an egress security rule for IP network.
  13. Select or enter the required information:
    • Name: Enter a name for the security rule.
    • Status: Security rules are enabled by default.
    • Type: Select Egress as the direction of flow of traffic for this security rule.
    • Access Control List: Select the access control list that you have created. This security rule is added to the specified access control list. Security rules are applied to vNICsets by using ACLs.
    You must provide values for the specified fields while creating the security rule. It is optional to provide values for other fields that appear in the Create Security Rule dialog box.
    The security rules that you have created are applied to the running instance.
  14. Next, on your Windows local host, start Remote Desktop Connection.
    • To start Remote Desktop Connection from the GUI:
      • Click the Start button and type Remote Desktop in the search field.

      • In the search result, click Remote Desktop Connection.

      • In the Computer field, enter the public IP address of your Windows instance and then click Connect.

    • To start Remote Desktop Connection from the command line, enter:
      • mstsc /v:public-IP-address-of-your-instance

    Note:

    If you’ve enabled a VPN tunnel to your Compute Classic instances, you can use the private IP address of your instance to connect to the instance. To set up a VPN tunnel, see Connecting to Instances in a Multitenant Site Using VPN, Setting Up VPN Using VPNaaS, or Connecting to Oracle Cloud Infrastructure Dedicated Compute Classic Instances Using VPN. (Not available on Oracle Cloud at Customer)

    The Remote Desktop Connection client starts.
  15. In the Windows security dialog box, enter the user name and password that you specified in userdata attributes while creating the instance.

    Note:

    The first time you log in to your Windows instance, you must log in as Administrator using the administrator_password that you specified while creating the instance. After logging in, you can specify a list of users who are allowed to access the Windows instance remotely using RDP. Subsequently, you can log in as one of the new users. Alternatively, you can provide userdata attributes while creating the instance, to add users with RDP access enabled. For more information, see User Data Attributes Used on Windows Instances.

    Note:

    You should change the Administrator password when you log in to your instance the first time. You can also add additional administrators and users who are enabled for remote access, so that even if you lose or forget the Administrator password, you don’t get locked out of your instance. If your instance uses a persistent boot disk, any instance configuration, including tasks such as adding users or changing passwords, will be retained as long as the boot disk isn’t deleted. However, if you’re using a nonpersistent boot disk with your Windows instance, then if you terminate the orchestration and start it again later, the Administrator password will be reset to the password that you specified in the orchestration. This is true for any user password that you specify in an orchestration.

After you’ve logged in to your Windows instance, to change the administrator password, add users, enhance security, or perform other customization and configuration tasks, see the Windows Server documentation.

Accessing a Windows Instance on Shared Network Using RDP

RDP access to your Windows instance on shared network is not enabled by default. Before accessing your Windows instance using RDP, you must add your instance to a security list and create a security rule to enable RDP access.

Prerequisites

Procedure

  1. Sign in to the Compute Classic console. If your domain spans multiple sites, select the appropriate site. To change the site, click the Site menu near the top of the page.
  2. Click the Network tab.
  3. In the Network drop-down list, expand Shared Network, and then click Security Lists.
  4. Click Create Security List.
  5. Enter or select the required details and then click Create.
    • Name: Enter Enable RDP access
    • Description: Enter an appropriate description
    • Inbound policy: Retain the default setting, deny.
    • Outbound policy: Retain the default setting, permit.
    The Enable RDP access security list is created.
  6. Click the Instances tab.
  7. On the Instances page, identify the instance that you want to update. From the menu icon, select View.
  8. On the instance details page, click Add to Security List.
  9. Select the Enable RDP access security list and click Attach.
    The instance is added to the Enable RDP access security list.
  10. Click the Network tab.
  11. Click Create Security Rule.
  12. Enter or select the required details and then click Create.
    • Name: Enter an appropriate name.
    • Status: Retain the default setting, Enabled.
    • Security application: Select the predefined security application, rdp.
    • Source: From the Security IP Lists drop-down list, select public-internet, or select any other security IP list as the source.
    • Destination: Select the Enable RDP access security list that you just created.
    • Description: Enter an appropriate description.
  13. Next, on your Windows local host, start Remote Desktop Connection.
    • To start Remote Desktop Connection from the GUI:
      • Click the Start button and type Remote Desktop in the search field.

      • In the search result, click Remote Desktop Connection.

      • In the Computer field, enter the public IP address of your Windows instance and then click Connect.

    • To start Remote Desktop Connection from the command line, enter:
      • mstsc /v:public-IP-address-of-your-instance

    Note:

    If you’ve enabled a VPN tunnel to your Compute Classic instances, you can use the private IP address of your instance to connect to the instance. To set up a VPN tunnel, see Connecting to Instances in a Multitenant Site Using VPN, Setting Up VPN Using VPNaaS, or Connecting to Oracle Cloud Infrastructure Dedicated Compute Classic Instances Using VPN. (Not available on Oracle Cloud at Customer)

    The Remote Desktop Connection client starts.
  14. In the Windows security dialog box, enter the user name and password that you specified in userdata attributes while creating the instance.

    Note:

    The first time you log in to your Windows instance, you must log in as Administrator using the administrator_password that you specified while creating the instance. After logging in, you can specify a list of users who are allowed to access the Windows instance remotely using RDP. Subsequently, you can log in as one of the new users. Alternatively, you can provide userdata attributes while creating the instance, to add users with RDP access enabled. For more information, see User Data Attributes Used on Windows Instances.

    Note:

    You should change the Administrator password when you log in to your instance the first time. You can also add additional administrators and users who are enabled for remote access, so that even if you lose or forget the Administrator password, you don’t get locked out of your instance. If your instance uses a persistent boot disk, any instance configuration, including tasks such as adding users or changing passwords, will be retained as long as the boot disk isn’t deleted. However, if you’re using a nonpersistent boot disk with your Windows instance, then if you terminate the orchestration and start it again later, the Administrator password will be reset to the password that you specified in the orchestration. This is true for any user password that you specify in an orchestration.

After you’ve logged in to your Windows instance, to change the administrator password, add users, enhance security, or perform other customization and configuration tasks, see the Windows Server documentation.
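
The first-login tasks described in the notes of both procedures (changing the Administrator password, adding a second administrator, and adding a user enabled for remote access) can be scripted on the instance. The following is an added example, not part of the original Oracle procedure; the account names rdp-operator and backup-admin are placeholders, and it assumes the LocalAccounts cmdlets of Windows PowerShell 5.1 and the English built-in group names.

```powershell
#Requires -RunAsAdministrator
# Added example: run on the Windows instance after the first login as Administrator.
# Account names below are placeholders chosen for illustration.
$rdpUserName   = 'rdp-operator'   # standard user, RDP access only
$adminUserName = 'backup-admin'   # second administrator, avoids lock-out

# Locate the built-in Administrator by its well-known RID (500), so the
# script still works if the account has been renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Change the Administrator password. Read-Host -AsSecureString keeps the
# value out of the command history and out of the script file.
$newPassword = Read-Host -AsSecureString -Prompt "New password for $($builtinAdmin.Name)"
$builtinAdmin | Set-LocalUser -Password $newPassword

function Add-AccountToGroup {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Group,
        [string] $Description = ''
    )
    # Create the local account only if it does not exist yet.
    if (-not (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue)) {
        $password = Read-Host -AsSecureString -Prompt "Password for new user $Name"
        New-LocalUser -Name $Name -Password $password -Description $Description | Out-Null
    }
    # Add-LocalGroupMember fails on an existing member, so check first.
    $qualifiedName = "$env:COMPUTERNAME\$Name"
    if ((Get-LocalGroupMember -Group $Group).Name -notcontains $qualifiedName) {
        Add-LocalGroupMember -Group $Group -Member $Name
    }
}

# Members of 'Remote Desktop Users' may log in over RDP without being administrators.
Add-AccountToGroup -Name $rdpUserName -Group 'Remote Desktop Users' `
    -Description 'RDP access only'
# A second administrator keeps the instance reachable if the Administrator
# password is lost. Administrators are allowed RDP logon by default.
Add-AccountToGroup -Name $adminUserName -Group 'Administrators' `
    -Description 'Secondary administrator'

# Review who can now log in remotely.
foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group |
        Select-Object @{ n = 'Group'; e = { $group } }, Name, PrincipalSource
}
```

On an instance with a nonpersistent boot disk, these changes are lost when the orchestration is terminated and started again, as described in the note above.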