This solution deploys Remote Desktop Gateway (RD Gateway) to the Amazon Web Services (AWS) Cloud. RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish an encrypted connection between remote users and Amazon Elastic Compute Cloud (Amazon EC2) instances running Microsoft Windows, without a virtual private network (VPN). This helps reduce attacks on your Windows-based instances while providing a remote administration solution for administrators.

You can use the AWS CloudFormation templates included with the solution to deploy a fully configured RD Gateway infrastructure to your AWS account. You can choose to deploy RD Gateway into a new virtual private cloud (VPC) in your AWS account, or into an existing VPC, either standalone or domain-joined. You can also use the AWS CloudFormation templates as a starting point for custom implementations.

This solution was developed by AWS.

AWS Service Catalog administrators can add this architecture to their own catalog.  

  •  What you'll build
  • Use this solution to set up the following RD Gateway environment on AWS:

    • A highly available architecture that spans two Availability Zones.*
    • A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.*
    • An internet gateway to allow access to the internet. This gateway is used by the RD Gateway instances to send and receive traffic.*
    • Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.*
    • In each public subnet, up to four RD Gateway instances in an Auto Scaling group to provide secure remote access to instances in the private subnets. Each instance is assigned an Elastic IP address so it’s reachable directly from the internet.
    • A Network Load Balancer to provide RDP access to the RD Gateway instances.
    • A security group for Windows-based instances that will host the RD Gateway role, with an ingress rule permitting TCP port 3389 from your administrator IP address. After deployment, you’ll modify the security group ingress rules to configure administrative access through TCP port 443 instead.
    • An empty application tier for instances in private subnets. If more tiers are required, you can create additional private subnets with unique CIDR ranges.
    • AWS Secrets Manager to securely store credentials used for accessing the RD Gateway instances.
    • AWS Systems Manager to automate the deployment of the RD Gateway Auto Scaling group.

    The solution also installs a self-signed SSL certificate and configures RD CAP and RD RAP policies.

    * The template that deploys the solution into an existing VPC skips the tasks marked by asterisks and prompts you for your existing VPC configuration.

  •  How to deploy
  • To build your RD Gateway environment on AWS, follow the instructions in the deployment guide. The deployment process includes these steps:

    1. If you don't already have an AWS account, sign up at
    2. Launch the solution. Each deployment takes about 30 minutes. You can choose from the following options:
    3. Perform post-deployment tasks such as installing the root certificate and configuring the connection.

    Customization options include RD Gateway instance type, number of instances to deploy, and CIDR block sizes.

    Amazon may share user-deployment information with the AWS Partner that collaborated with AWS on this solution.  

  •  Costs and licenses
  • This solution launches the Amazon Machine Image (AMI) for Microsoft Windows Server 2012 R2 and includes the license for the Windows Server operating system. The AMI is updated regularly with the latest service pack so you don’t need to install updates. The Windows Server AMI doesn’t require Client Access Licenses (CALs) and includes two Microsoft Remote Desktop Services licenses. For more information, refer to Microsoft Licensing on AWS.

    You are responsible for the cost of the AWS services and any third-party licenses used while running this solution. There is no additional cost for using the solution.

    This solution includes configuration parameters that you can customize. Some of these settings, such as instance type, affect the cost of deployment. For cost estimates, refer to the pricing pages for each AWS service you use. Prices are subject to change.

    Tip: After you deploy a solution, create AWS Cost and Usage Reports to track associated costs. These reports deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. They provide cost estimates based on usage throughout each month and aggregate the data at the end of the month. For more information, refer to What are AWS Cost and Usage Reports?