Console-based access to Windows instances using AWS Systems Manager Fleet Manager
Historically, customers had to choose between security and costs when establishing RDP connections to Windows servers. The newest feature in Fleet Manager provides customers with a simple and secure browser-based method for accessing Windows servers over RDP.
Now you can connect to your instances directly from the browser from the AWS Management Console in just a few clicks. This feature lets you open an RDP connection into your Windows instance without publicly exposing the RDP port, thus reducing the attack surface. Console-based access to Windows Instances in Fleet Manager is available in all AWS Regions offering AWS Systems Manager.
Increasing competitive pressures drive organizations: the business environment, customers, and the organizational structure are all changing. Therefore, modern IT architecture evolves to meet organizational needs. Domain-Driven Design (DDD) and microservices let teams release software in a shorter time frame. They continuously adapt the software and IT architecture to changes in the business’ functional requirements. The infrastructure evolution requires planning and strategic thinking. Managing complex IT portfolios across cloud and on-premises environments can be overwhelming for system administrators. As a consequence of this evolution, system administrators must also work with different vendors’ tools, consoles, services, and software. This situation can contribute to creating technical debt and complicated workflows, thereby reducing organizational agility as a whole.
Operational Excellence is one of the critical pillars of the AWS Well-Architected Framework. Best practices are recommended to help you run workloads effectively, gain insights into workload operations, and continuously improve supporting processes and procedures to deliver business value.
AWS Systems Manager is a service that lets companies automate and manage their operations in the cloud and on-premises. In particular, Fleet Manager offers a console-based experience, enabling system administrators to view and administer their fleet of instances from a single place. Fleet Manager provides administrators with an aggregated view of their compute resources regardless of their location.
Accessing instances using RDP
System administrators access Windows-based instances through a Graphical User Interface (GUI) over the Remote Desktop Protocol (RDP). One common approach is to connect to the Windows machines with a local RDP client. The main limitation of this method is that entering the configuration parameters, such as the target endpoint for the RDP session and the password, is manual and time-consuming.
An alternative is setting up bastion hosts, server instances that can securely access other servers in your network, and proxying the RDP connections. However, this process requires additional manual configuration. This configuration can be error-prone and more costly due to excess provisioning, thus leading to more operational overhead for system administrators. Furthermore, security is one of the main priorities when designing architectures. You want to create systems for secure RDP access without assigning public IP addresses or opening inbound ports to the instances.
The main limitations of the approaches mentioned earlier for RDP are security and operational overhead. Accessing multiple instances in that way is cumbersome. Moreover, manually accessing Amazon EC2 instances increases the risks of errors and misconfigurations, leading to downtime or security risks.
Console-based RDP access to Windows instances
AWS Systems Manager Fleet Manager enables a console-based management experience for Windows instances using an RDP connection. These sessions are available through your web browser via the NICE DCV protocol.
This new feature provides customers with a full GUI to configure secure connections and manage Windows instances. There are several advantages to using console-based access to Windows instances, such as:
- Connect, view, and interact with up to four instances side-by-side within a single web browser window.
- Quickly establish a connection via the AWS Management Console. Fleet Manager uses Session Manager to connect to Windows instances using RDP, so there’s no need to set up additional servers or install additional software and plugins.
- Securely connect to your instances using AWS Single Sign-On (SSO), Amazon Elastic Compute Cloud (Amazon EC2) key pairs, or Windows credentials. System administrators can now choose to RDP into the instance without having to enter username or password credentials. Furthermore, the instance security groups don’t need to allow direct inbound access to RDP ports.
This walkthrough demonstrates how to open a remote desktop connection to a Windows instance where the RDP port isn’t exposed.
The following requirements must be fulfilled to open an RDP connection to an instance:
- It must be a Windows instance
- SSM Agent must be installed on the instance; it is preinstalled by default on many AMIs
- An EC2 key pair or Windows user credentials must be available for authentication
- It must be able to access the public or private SSM endpoints
To use Fleet Manager, a capability of AWS Systems Manager, the instance profile attached to your instance must grant the permissions required by Systems Manager (the standard Systems Manager EC2 instance profile permissions) and the additional permissions required by Fleet Manager.
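As an added example (not part of the original post and not AWS tooling), the following Python checks the prerequisites above that SSM reports (managed node, Windows platform, agent Online) and flags security groups that still expose TCP 3389 to the Internet, which console RDP through Session Manager makes unnecessary. It works offline on constructed dicts shaped like the boto3 describe_instance_information and describe_security_groups responses; the function names and sample IDs are assumptions.

```python
# Added example (not AWS code): offline readiness check for Fleet Manager RDP.
# Input dicts are shaped like the boto3 responses of
# ssm.describe_instance_information() and ec2.describe_security_groups().

RDP_PORT = 3389
ANYWHERE = {"0.0.0.0/0", "::/0"}

def rule_exposes_rdp(rule):
    """True if one IpPermissions entry allows TCP 3389 from the whole Internet."""
    proto = rule.get("IpProtocol")
    if proto == "tcp":
        if not rule.get("FromPort", 0) <= RDP_PORT <= rule.get("ToPort", 65535):
            return False
    elif proto != "-1":          # "-1" means all protocols and all ports
        return False
    cidrs = {r.get("CidrIp") for r in rule.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])}
    return bool(cidrs & ANYWHERE)

def public_rdp_groups(security_groups):
    """IDs of security groups whose inbound rules still expose RDP publicly.
    With console RDP via Session Manager these inbound rules can be removed."""
    return [sg["GroupId"] for sg in security_groups
            if any(rule_exposes_rdp(r) for r in sg.get("IpPermissions", []))]

def fleet_manager_rdp_ready(instance_id, ssm_info):
    """Check the SSM-visible prerequisites: managed node, Windows, agent Online."""
    for node in ssm_info:
        if node["InstanceId"] != instance_id:
            continue
        if node.get("PlatformType") != "Windows":
            return False, "not a Windows instance"
        if node.get("PingStatus") != "Online":
            return False, "SSM Agent ping status is " + str(node.get("PingStatus"))
        return True, "ready"
    return False, "not an SSM managed node (check agent, instance profile, endpoints)"

# Constructed sample data, not from any real account.
SAMPLE_SSM_INFO = [
    {"InstanceId": "i-0example1", "PingStatus": "Online", "PlatformType": "Windows"},
    {"InstanceId": "i-0example2", "PingStatus": "ConnectionLost", "PlatformType": "Windows"},
]
SAMPLE_SGS = [
    {"GroupId": "sg-0open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389,
        "ToPort": 3389, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0closed", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]
```

In a live account the same functions can be fed the `InstanceInformationList` and `SecurityGroups` lists returned by boto3 for the instance's attached groups.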
Connect to the instance via RDP
Navigate to the AWS Systems Manager console. In the left pane under Node Management, select Fleet Manager. This takes you to the Fleet Manager page, where the Managed Instances view shows all of the instances – on-premises or in the cloud – that can be accessed.
In this case, you can see the Windows instance to which you intend to connect through RDP. Make sure that SSM Agent ping status says Online. If it isn’t, then you can troubleshoot why. Select the instance that you want to connect to, then select Node actions. In the drop-down menu, select Connect with Remote Desktop.
This takes you to the Remote Desktop connection page.
You can choose how you want to authenticate to the instance on this page. In this case, use the EC2 key pair saved when you launched the EC2 instance. Browse your local machine for the EC2 key pair, choose it, and select Connect. Alternatively, you can decide to connect to the instance using the Windows username and password.
You are now connected to the instance through RDP. Select End Session in the top right of the panel to exit the instance.
Up to four nodes, or Windows instances, can be connected in this view.
Console-based access to Windows Instances in Fleet Manager is a new feature and is available in all AWS Regions where AWS Systems Manager is offered (excluding AWS China Regions and AWS GovCloud (US)). See the AWS documentation for more information on this new feature. Choose Fleet Manager from the Systems Manager left navigation pane and “Connect via Remote Desktop” to your desired Windows instance to get started.