Connect to a Windows instance using EC2 Instance Connect Endpoint - Amazon Elastic Compute Cloud

You can use EC2 Instance Connect Endpoint to connect to a Windows instance that supports RDP.

For information about how to connect to a Linux instance, see Connect to a Linux instance using EC2 Instance Connect Endpoint in the Amazon EC2 User Guide for Linux Instances.

Prerequisites

Connect to your Windows instance using EC2 Instance Connect Endpoint

You can use Remote Desktop Protocol (RDP) over EC2 Instance Connect Endpoint to connect to a Windows instance without a public IPv4 address or public DNS name.

To connect to your Windows instance using an RDP client
  1. Complete Steps 1 – 8 in Connect to your Windows instance using RDP. After downloading the RDP desktop file at Step 8, you'll get an Unable to connect message, which is to be expected because your instance does not have a public IP address.

  2. Run the following command to establish a private tunnel to the VPC in which the instance is located. --remote-port must be 3389 because RDP uses port 3389 by default.

    aws ec2-instance-connect open-tunnel \
        --instance-id i-0123456789example \
        --remote-port 3389 \
        --local-port any-port

  3. In your Downloads folder, find the RDP desktop file that you downloaded, and drag it onto the RDP client window.

  4. Right-click the RDP desktop file and choose Edit.

  5. In the Edit PC window, for PC name (the instance to connect to), enter localhost:local-port, where local-port uses the same value as you specified in Step 2, and then choose Save.

    Note that the following screenshot of the Edit PC window is from Microsoft Remote Desktop on a Mac. If you are using a Windows client, the window might be different.

    The RDP client with the example "localhost:5555" in the PC name field.
  6. In the RDP client, right-click the PC (that you just configured) and choose Connect to connect to your instance.

  7. At the prompt, enter the decrypted password for the administrator account.
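The tunnel step (Step 2) and the PC-name edit (Step 5) above, automated as an added example; this is not AWS's own code. It assumes the AWS CLI is configured, that `nc` is available for the listen check, that local port 5555 is free, and that the downloaded .rdp file uses the standard `full address:s:` key.

```shell
#!/bin/sh
# Added example (not AWS's own code): open an EC2 Instance Connect Endpoint
# tunnel for RDP and point the downloaded .rdp file at the tunnel's local end.
# Assumes a configured AWS CLI, `nc`, and free local port 5555.

# Rewrite the "full address" line of an .rdp file to localhost:<local-port>
# so the client connects through the tunnel rather than to the instance itself.
rewrite_rdp_target() {
    in="$1"; out="$2"; port="$3"
    if grep -q '^full address:s:' "$in"; then
        sed "s/^full address:s:.*/full address:s:localhost:${port}/" "$in" > "$out"
    else
        # No target in the file: append one so the client has an explicit host.
        cp "$in" "$out"
        printf 'full address:s:localhost:%s\n' "$port" >> "$out"
    fi
}

# Open the tunnel in the background and wait until the local port listens.
# --max-tunnel-duration (seconds) is required when the IAM policy carries the
# maxTunnelDuration condition (see the AccessDeniedException note).
# Sets TUNNEL_PID on success.
open_rdp_tunnel() {
    instance_id="$1"; port="$2"; max_seconds="${3:-3600}"
    aws ec2-instance-connect open-tunnel \
        --instance-id "$instance_id" \
        --remote-port 3389 \
        --local-port "$port" \
        --max-tunnel-duration "$max_seconds" > "/tmp/eice-$port.log" 2>&1 &
    TUNNEL_PID=$!
    i=0
    while [ "$i" -lt 10 ]; do            # poll up to ~10 s, no blind sleep
        nc -z 127.0.0.1 "$port" 2>/dev/null && return 0
        i=$((i + 1)); sleep 1
    done
    kill "$TUNNEL_PID" 2>/dev/null       # give up and clean up
    return 1
}

# Usage: sh eice-rdp.sh <instance-id> <downloaded.rdp>; with no arguments it
# only demonstrates the .rdp rewrite on a constructed sample file (no AWS call).
if [ "$#" -eq 2 ]; then
    open_rdp_tunnel "$1" 5555 || { echo "tunnel did not come up" >&2; exit 1; }
    rewrite_rdp_target "$2" "${2%.rdp}-tunnel.rdp" 5555
    echo "tunnel pid $TUNNEL_PID; open ${2%.rdp}-tunnel.rdp in your RDP client"
else
    sample=$(mktemp)   # constructed sample .rdp, not a real download
    printf 'auto connect:i:1\nfull address:s:10.0.0.15\nusername:s:Administrator\n' > "$sample"
    rewrite_rdp_target "$sample" "$sample.tunnel" 5555 && cat "$sample.tunnel"
fi
```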

Troubleshoot

Use the following information to help diagnose and fix issues that you might encounter when using EC2 Instance Connect Endpoint to connect to an instance.

Can't connect to your instance

The following are common reasons why you might not be able to connect to your instance.

  • Security groups – Check the security groups assigned to the EC2 Instance Connect Endpoint and your instance. For more information about the required security group rules, see Security groups for EC2 Instance Connect Endpoint.

  • Instance state – Verify that your instance is in the running state.

  • Key pair – If the command you're using to connect requires a private key, verify that your instance has a public key and that you have the corresponding private key.

  • IAM permissions – Verify that you have the required IAM permissions. For more information, see Grant permissions to use EC2 Instance Connect Endpoint.

For more troubleshooting tips, see Troubleshoot connecting to your Windows instance.

ErrorCode: AccessDeniedException

If you receive an AccessDeniedException error, and the maxTunnelDuration condition is specified in the IAM policy, be sure to specify the --max-tunnel-duration parameter when connecting to an instance. For more information about this parameter, see open-tunnel in the AWS CLI Command Reference.