AWS provides a comprehensive set of services and tools for deploying Microsoft Windows-based workloads on its highly reliable and secure cloud infrastructure. This Quick Start deploys Remote Desktop Gateway (RD Gateway) on the AWS Cloud. RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and EC2 instances running Microsoft Windows, without needing to configure a virtual private network (VPN). This helps reduce the attack surface on your Windows-based instances while providing a remote administration solution for administrators.

You can use the AWS CloudFormation templates included with the Quick Start to deploy a fully configured RD Gateway infrastructure in your AWS account. You can choose to deploy RD Gateway into a new virtual private cloud (VPC) in your AWS account, or into an existing VPC, either standalone or domain-joined. You can also use the AWS CloudFormation templates as a starting point for your own implementation.


This Quick Start was developed by AWS.

AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  • Use this Quick Start to automatically set up the following RD Gateway environment on AWS:

    • A highly available architecture that spans two Availability Zones.*
    • A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
    • An internet gateway to allow access to the internet. This gateway is used by the RD Gateway instances to send and receive traffic.*
    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
    • In each public subnet, up to four RD Gateway instances in an Auto Scaling group to provide secure remote access to instances in the private subnets. Each instance is assigned an Elastic IP address so it’s reachable directly from the internet.
    • A Network Load Balancer to provide RDP access to the RD Gateway instances.
    • A security group for Windows-based instances that will host the RD Gateway role, with an ingress rule permitting TCP port 3389 from your administrator IP address. After deployment, you’ll modify the security group ingress rules to configure administrative access through TCP port 443 instead.
    • An empty application tier for instances in private subnets. If more tiers are required, you can create additional private subnets with unique CIDR ranges.
    • AWS Secrets Manager to securely store credentials used for accessing the RD Gateway instances.
    • AWS Systems Manager to automate the deployment of the RD Gateway Auto Scaling group.

    The Quick Start also installs a self-signed SSL certificate and configures the Remote Desktop connection authorization policy (RD CAP) and the Remote Desktop resource authorization policy (RD RAP).

    *  The template that deploys the Quick Start into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.
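
    A post-deployment check for the security group change described above (TCP 3389 removed, administrative access moved to TCP 443). This is an added example, not part of the Quick Start: the group ID and CIDR ranges are constructed placeholders, the function names are hypothetical, and it assumes port 443 should be limited to the same administrator ranges.

```python
import ipaddress

# Constructed sample in the shape returned by `aws ec2 describe-security-groups`.
# The group ID and CIDR ranges are placeholders, not values from the Quick Start.
SAMPLE_GROUP = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

def covers(perm, port):
    """True if the rule's protocol and port range include the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "all traffic" rules carry no port range
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_rdgw_group(group, admin_cidrs):
    """Return findings for the RD Gateway security group after the 3389 -> 443 change.

    Only CIDR sources are checked; rules that reference other security groups are ignored.
    """
    allowed = [ipaddress.ip_network(c) for c in admin_cidrs]
    findings, has_443 = [], False
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if covers(perm, 3389):
            # The deployment-time RDP rule should be gone after post-deployment tasks.
            findings += [f"RDP_STILL_OPEN {src}" for src in sources]
        if covers(perm, 443):
            has_443 = True
            for src in sources:
                net = ipaddress.ip_network(src)
                if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
                    findings.append(f"HTTPS_NOT_ADMIN_ONLY {src}")
    if not has_443:
        findings.append("HTTPS_MISSING")
    return findings

if __name__ == "__main__":
    for finding in audit_rdgw_group(SAMPLE_GROUP, ["203.0.113.0/24"]):
        print(finding)
```

    Feed it one entry from the `SecurityGroups` list in the `describe-security-groups` output together with your administrator CIDR ranges; an empty result means the 3389 rule is gone and 443 is limited to those ranges.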

  •  How to deploy
  • To build your RD Gateway environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at
    2. Launch the Quick Start. Each deployment takes about 30 minutes. You can choose from three options:
    3. Perform post-deployment tasks such as installing the root certificate and configuring the connection.

    Customization options include RD Gateway instance type, number of instances to deploy, and CIDR block sizes.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on the Quick Start.  

  •  Cost and licenses
  • You are responsible for the cost of the AWS services and any paid third-party licenses used while running this Quick Start reference deployment. There is no additional cost for using the Quick Start.

    The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of these settings, such as instance type, will affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you will be using. Prices are subject to change.

    This Quick Start launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2012 R2 and includes the license for the Windows Server operating system. The AMI is updated on a regular basis with the latest service pack for the operating system, so you don’t have to install any updates. The Windows Server AMI doesn’t require Client Access Licenses (CALs) and includes two Microsoft Remote Desktop Services licenses. For details, see Microsoft Licensing on AWS.