Deploy RD Gateway in new VPC



AWS provides a comprehensive set of services and tools for deploying Microsoft Windows-based workloads on its highly reliable and secure cloud infrastructure. This Quick Start deploys Remote Desktop Gateway (RD Gateway) on the AWS Cloud.

RD Gateway tunnels the Remote Desktop Protocol (RDP) inside HTTPS (TCP port 443) to establish an authenticated, encrypted connection between remote users and EC2 instances running Microsoft Windows, without needing to configure a virtual private network (VPN). Only the gateway is exposed to the Internet; the Windows instances behind it stay in private subnets with no public IP address and no Internet-facing RDP (TCP port 3389) listener, which reduces their attack surface while still giving administrators a remote administration path.

You can use the AWS CloudFormation templates included with the Quick Start to deploy a fully configured RD Gateway infrastructure in your AWS account. The Quick Start automates the following:

- Deploying RD Gateway into a new VPC
- Deploying RD Gateway into an existing VPC (standalone)
- Deploying RD Gateway into an existing VPC (domain-joined)

You can also use the AWS CloudFormation templates as a starting point for your own implementation.

  • What you'll build

    • A highly available architecture that spans two Availability Zones.*
    • A virtual private cloud (VPC) configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
    • An Internet gateway to allow access to the Internet. This gateway is used by the RD Gateway instances to send and receive traffic.*
    • Managed network address translation (NAT) gateways to allow outbound Internet access for resources in the private subnets.*
    • In each public subnet, up to four RD Gateway instances in an Auto Scaling group to provide secure remote access to instances in the private subnets. Each instance is assigned an Elastic IP address so it’s reachable directly from the Internet.
    • A security group for the Windows-based instances that host the RD Gateway role, with an ingress rule permitting TCP port 3389 from your administrator IP address so you can reach the gateway during initial setup. After deployment, you replace that rule so that administrative access to the gateway is through TCP port 443 (HTTPS) only.
    • An empty application tier for instances in private subnets. If more tiers are required, you can create additional private subnets with unique CIDR ranges.


    * The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks (*) and prompts you for your existing VPC configuration.

    The Quick Start also installs a self-signed SSL/TLS certificate on the gateway (clients must import it into their Trusted Root store before they can connect) and configures RD CAP (connection authorization) and RD RAP (resource authorization) policies, which control who may connect through the gateway and which internal hosts they may reach.
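    The following PowerShell is an added example of the gateway-side configuration described above; it is not the Quick Start's own script. It runs on the RD Gateway instance after the role is installed and shows the three pieces the Quick Start automates: a self-signed certificate bound to the HTTPS listener, an RD CAP that says who may connect, and an RD RAP that says which internal hosts they may reach. The DNS name, the AD group names and the policy names are placeholders (assumptions); the RAP is written against a specific computer group rather than "any host", which is the tighter choice for a production gateway.

```powershell
# Added example (not the Quick Start's script). Run as an administrator on the RD Gateway instance.
# Assumes the Remote Desktop Gateway role is installed. Names below are placeholders.
Import-Module RemoteDesktopServices

$GatewayFqdn = 'rdgw.example.com'       # assumed: DNS name clients use for the gateway Elastic IP
$AdminGroup  = 'EXAMPLE\RDGW-Admins'    # assumed: AD group allowed to connect through the gateway
$TargetGroup = 'EXAMPLE\RDGW-Targets'   # assumed: AD computer group of hosts reachable via the gateway

# 1. Certificate for the HTTPS listener. The Quick Start installs a self-signed certificate like this one;
#    swap in a CA-issued certificate for production so clients do not have to trust it manually.
$cert = New-SelfSignedCertificate -DnsName $GatewayFqdn -CertStoreLocation 'Cert:\LocalMachine\My'
Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $cert.Thumbprint

# 2. RD CAP (connection authorization): who may connect and how they authenticate.
#    AuthMethod 1 = password, 2 = smart card, 3 = either. Scope it to a dedicated admin group, not Domain Users.
New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Admins-Password' `
         -UserGroups $AdminGroup -AuthMethod 1

# 3. RD RAP (resource authorization): which internal hosts those users may reach.
#    ComputerGroupType 2 would allow any host in the network; 1 restricts to an AD computer group.
New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Admins-To-Targets' `
         -UserGroups $AdminGroup -ComputerGroupType 1 -ComputerGroup $TargetGroup

# Verify: the policies exist and the gateway is listening on 443 only (3389 stays for local bootstrap
# until the security group rule is swapped; nothing here should add a second Internet-facing listener).
Get-ChildItem -Path 'RDS:\GatewayServer\CAP', 'RDS:\GatewayServer\RAP' | Format-Table Name, PSParentPath
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 443, 3389 } | Format-Table LocalAddress, LocalPort
```

    Whether a given host is reachable is decided by the RAP, not by network reachability alone, so a permissive RAP (`-ComputerGroupType 2`) turns the gateway into a pivot to every RDP listener it can see; keep it to the computer group you actually administer.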

    For details, see the Quick Start deployment guide.

  • Deployment details

    Building your RD Gateway environment on AWS involves a few simple steps and takes about 30 minutes:

    1. Prepare your AWS account at https://aws.amazon.com.
    2. Launch the Quick Start. You can choose one of three scenarios:
         - Deploy RD Gateway into a new VPC
         - Deploy standalone RD Gateway into an existing VPC
         - Deploy domain-joined RD Gateway into an existing VPC
    3. Perform post-deployment tasks: import the gateway's self-signed certificate into the Trusted Root store on your administrator workstation, switch the gateway security group from TCP port 3389 to TCP port 443, and configure the Remote Desktop client to connect to private-subnet instances through the gateway.
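    The following PowerShell is an added example of the post-deployment tasks in step 3 (it is not part of the Quick Start), run from the administrator's workstation with the AWS Tools for PowerShell installed and credentials configured. It swaps the security group rule from TCP 3389 to TCP 443 (granting before revoking so access is never fully cut off), checks that nothing still opens 3389, trusts the gateway's exported certificate after surfacing its thumbprint for an out-of-band comparison, writes a connection file that tunnels RDP to a private-subnet host through the gateway, and confirms the resulting exposure. The security group ID, CIDR, DNS name, target address, certificate path and module name are placeholders (assumptions).

```powershell
# Added example (not the Quick Start's code). Run from the administrator workstation.
# Assumes AWS Tools for PowerShell and a configured profile; all values below are placeholders.
Import-Module AWSPowerShell

$SecurityGroupId = 'sg-0123456789abcdef0'   # assumed: security group created for the RD Gateway instances
$AdminCidr       = '203.0.113.10/32'        # assumed: your administrator IP address
$GatewayFqdn     = 'rdgw.example.com'       # assumed: DNS name of a gateway Elastic IP
$TargetHost      = '10.0.32.15'             # assumed: private IP of an instance in the application tier
$GatewayCertFile = '.\rdgw.cer'             # assumed: certificate exported from the gateway (Cert:\LocalMachine\My)

function New-TcpPermission([int]$Port, [string]$Cidr) {
    # Builds the IpPermission object the EC2 cmdlets expect for one TCP port / CIDR pair.
    $range = New-Object Amazon.EC2.Model.IpRange
    $range.CidrIp = $Cidr
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = 'tcp'
    $perm.FromPort   = $Port
    $perm.ToPort     = $Port
    $perm.Ipv4Ranges.Add($range)
    return $perm
}

# 1. Replace the bootstrap rule (3389 from the admin IP) with HTTPS (443 from the admin IP).
#    Grant first, then revoke, so there is no moment with no administrative path at all.
Grant-EC2SecurityGroupIngress  -GroupId $SecurityGroupId -IpPermission (New-TcpPermission 443  $AdminCidr)
Revoke-EC2SecurityGroupIngress -GroupId $SecurityGroupId -IpPermission (New-TcpPermission 3389 $AdminCidr)

# Verify no rule on the group still covers 3389 (catches wide ranges such as 0-65535 as well).
$left = (Get-EC2SecurityGroup -GroupId $SecurityGroupId).IpPermissions |
        Where-Object { $_.IpProtocol -eq 'tcp' -and $_.FromPort -le 3389 -and $_.ToPort -ge 3389 }
if ($left) { throw "Security group $SecurityGroupId still allows TCP 3389 from: $($left.Ipv4Ranges.CidrIp -join ', ')" }

# 2. Trust the gateway's self-signed certificate. Compare the thumbprint with the one shown on the
#    gateway before importing; with a self-signed certificate this manual check is the only defence
#    against trusting the wrong endpoint.
$cert = Get-PfxCertificate -FilePath $GatewayCertFile
Write-Host "Gateway certificate thumbprint: $($cert.Thumbprint) (verify against the gateway before continuing)"
Import-Certificate -FilePath $GatewayCertFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Connection file: RDP to the private-subnet host, always tunneled through the gateway over HTTPS.
#    gatewayusagemethod 1 = always use the gateway; gatewaycredentialssource 0 = prompt for password.
@"
full address:s:$TargetHost
gatewayhostname:s:$GatewayFqdn
gatewayusagemethod:i:1
gatewaycredentialssource:i:0
gatewayprofileusagemethod:i:1
promptcredentialonce:i:1
authentication level:i:2
"@ | Set-Content -Path '.\app-tier.rdp' -Encoding ASCII

# 4. Confirm the exposure is what you intended from this host: 443 reachable, 3389 not.
$https = Test-NetConnection -ComputerName $GatewayFqdn -Port 443  -WarningAction SilentlyContinue
$rdp   = Test-NetConnection -ComputerName $GatewayFqdn -Port 3389 -WarningAction SilentlyContinue
if (-not $https.TcpTestSucceeded) { throw "TCP 443 to $GatewayFqdn is not reachable" }
if ($rdp.TcpTestSucceeded)        { throw "TCP 3389 to $GatewayFqdn is still reachable from this host" }

mstsc .\app-tier.rdp
```

    The order in step 1 matters: revoking 3389 before 443 is in place leaves you with no way to reach the gateway except the instance console. The reachability check in step 4 only proves what your own IP sees; the security group query above it is the authoritative check that no other CIDR still has 3389 open.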


    Customization options include RD Gateway instance type, number of instances to deploy, and CIDR block sizes.  

    For complete details, see the Quick Start deployment guide.

  • Cost and licenses

    You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start. For cost estimates, see the pricing pages for each AWS service you will be using in this Quick Start.  

    This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2012 R2 and includes the license for the Windows Server operating system. The AMI is updated on a regular basis with the latest service pack and patches for the operating system, so newly launched instances start at a current patch level; you remain responsible for keeping running instances patched after launch. The Windows Server AMI doesn't require Client Access Licenses (CALs) and includes two Microsoft Remote Desktop Services licenses. For details, see Microsoft Licensing on AWS.