Windows Virtual Machine on Amazon Web Services
Cloud computing is a paradigm that allows users to access and use computing resources on demand. These resources are typically hosted in data centers and are accessed over the internet. Cloud computing is a powerful tool for developers and IT professionals because it allows them to quickly and easily access computing resources without having to manage the underlying infrastructure.
In this lab, you will learn how to create and manage virtual machines in the cloud. You will use Amazon Web Services (AWS) to create a Windows Server virtual machine and connect to it using Remote Desktop Protocol (RDP).
Before starting these steps, you should log into the Learner Lab and launch the AWS console. Refer here for a reminder of the steps.
Video Walkthrough
Use this video to follow along with the steps in this lab.
Elastic Compute Cloud (EC2)
The AWS Elastic Compute Cloud (EC2) service allows you to create virtual machines that live in Amazon's data centers. A single virtual machine is called an EC2 instance. The terms "instance" and "virtual machine" can be used interchangeably.
The high-level process you will follow to create your EC2 instance includes:
- creating a Security Group to define what traffic is allowed to reach your EC2 instance,
- creating an EC2 instance that references the Security Group, and
- connecting to your EC2 instance using the Remote Desktop Protocol (RDP).
Windows Server Security Group
In AWS, Security Groups define the network traffic that EC2 instances can send or receive. For example, unencrypted websites are served on port 80. If you are running a web server, you would allow inbound connections to port 80. If your EC2 instance does not host a website, you would not allow inbound connections to port 80. In Security Groups, anything that is not specifically allowed is denied.
- Click the "EC2" link to open the EC2 dashboard.
- Find the link in the left navigation that says "Security Groups" and open it.
- Click "Create security group".
- Name the security group "Lastname Windows Server SG", replacing Lastname with your last name (e.g., "Marquardson Windows Server SG").
- Change the description to "Windows Server RDP and ICMP".
- Leave the VPC unchanged.
- Under "Inbound rules", click "Add rule".
- In the service, choose "RDP". This will allow inbound traffic for the Remote Desktop Protocol. By default, RDP uses port 3389. You do not have to modify the port.
- In the source, choose "Anywhere-IPv4". Once selected, a box showing 0.0.0.0/0 will appear. This rule allows anybody on the internet to attempt to connect to your instance and log in. Ideally, you would restrict this to only your IP address, but your IP address will change frequently. From a security standpoint, allowing connection attempts from the entire internet is not ideal, but it's a tradeoff from having to edit your security group every time you want to connect. You must have a very strong password for your login credentials; otherwise, an attacker could guess your password and log in.
- Add another rule.
- In the service, choose "All ICMP - IPv4". This allows you to ping your virtual machine to test connectivity.
- In the source, choose "Anywhere-IPv4" again.
- At the bottom of the page, click "Create security group".
- You should see a message saying that the security group was created successfully.
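The two inbound rules created above, and the default-deny behaviour that applies to everything else, can be modelled as a small rule evaluator. This is an added example, not part of the lab and not an AWS tool: it evaluates a few constructed packets against the lab's rules and against the tighter alternative the text mentions (RDP restricted to a single /32 address). All IP addresses in it are constructed documentation-range placeholders.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class InboundRule:
    protocol: str   # "tcp", "udp" or "icmp"
    from_port: int  # for icmp: -1 means every ICMP type
    to_port: int
    source: str     # CIDR block allowed to send this traffic

# The two rules created in the lab: RDP (TCP 3389) and all ICMP, both from
# Anywhere-IPv4 (0.0.0.0/0). Nothing else is listed, so nothing else is allowed.
LAB_RULES = [
    InboundRule("tcp", 3389, 3389, "0.0.0.0/0"),
    InboundRule("icmp", -1, -1, "0.0.0.0/0"),
]

# The tighter alternative the text mentions: RDP only from your own address.
# 203.0.113.10 is a constructed (documentation-range) address, not a real one.
RESTRICTED_RULES = [
    InboundRule("tcp", 3389, 3389, "203.0.113.10/32"),
    InboundRule("icmp", -1, -1, "0.0.0.0/0"),
]

def is_allowed(rules, protocol, port, src_ip):
    """Return True if some inbound rule matches the packet, else False.

    Security groups are allow-lists: there is no deny rule to write, so a
    packet that matches no rule is dropped (default deny).
    """
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.protocol != protocol:
            continue
        if addr not in ipaddress.ip_network(rule.source, strict=False):
            continue
        if rule.from_port == -1 or rule.from_port <= port <= rule.to_port:
            return True
    return False

def evaluate(rules, packets):
    """Map each (protocol, port, src_ip) packet to its allow/deny decision."""
    return {pkt: is_allowed(rules, *pkt) for pkt in packets}

if __name__ == "__main__":
    # Constructed sample traffic: an RDP attempt, a ping, and a web request.
    samples = [("tcp", 3389, "198.51.100.7"), ("icmp", 8, "198.51.100.7"),
               ("tcp", 80, "198.51.100.7")]
    for pkt, ok in evaluate(LAB_RULES, samples).items():
        print(pkt, "ALLOW" if ok else "DENY")
```

The web request on port 80 is denied even though no rule mentions it, which is the "anything not specifically allowed is denied" behaviour described above.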
Create a Windows Server EC2 Instance
Now that your Security Group has been created, you can create the EC2 instance (i.e., virtual machine). There are many different types of virtual machines you could create. The steps below walk you through the creation of a Windows Server virtual machine with a graphical user interface that can be accessed over the internet.
- In the EC2 service, click "Instances".
- Click the "Launch Instances" button. This button will take you to a screen where you configure the EC2 instance launch settings.
- In the "Launch an instance" page, use the following settings:
  - Name: "Lastname Windows Server" (replacing Lastname with your last name, e.g., "Marquardson Windows Server")
  - Application and OS Images: Windows
  - Amazon Machine Image (AMI): Microsoft Windows Server (Year) Base
  - Instance Type: t2.medium (Note the cost per hour. You do not have to pay this amount, but this amount will be deducted from your credits whenever the virtual machine runs.)
  - Key pair (login): Select the vockey key from the list.
- In the "Network settings", click "Edit".
- Choose the Subnet with the availability zone us-east-1e.
- Select an existing security group rather than creating a new one. Select your previously created "Lastname Windows Server SG" security group.
- Expand "Advanced network configuration".
- Set the "Primary IP" to 172.31.50.50. This will be the private IP address for the life of this EC2 instance, no matter how many times it is rebooted.
- Scroll to the bottom of the page and expand the "Advanced Details" section. In the IAM Profile, select LabInstanceProfile. Choosing this facilitates instance management later.
- At the bottom of the page, click "Launch instance". This button starts the creation of your EC2 instance on Amazon's infrastructure.
- You should see a message that the instance was launched successfully.
- A random ID will be created for the instance. Click the ID link to view the instance status.
Connecting to the Windows Server
- The Windows Server EC2 instance will appear in the list of EC2 instances. If it does not appear, click the refresh button next to the Connect button. The "Status check" will show "Initializing" as the EC2 instance is being launched. It will take a few minutes for the instance to fully initialize.
- Once the instance is fully initialized, the "Status check" will show "2/2 checks passed". The instance will be ready to use.
- Check the box next to your Windows Server instance. (If you have more than one instance, be sure that only this instance is checked.) At the top of the page, click the "Connect" button.
- On the "Connect to instance" page, choose "RDP client" and click the "Download remote desktop file" button.
- Save the file to your computer in a place you remember.
- Scroll down and click the "Get password" link.
- Click the "Upload private key" link and select the private key file you downloaded earlier.
- Your private key will be loaded in the web page.
- Click the "Decrypt Password" button and your password will appear in the web page. Use the copy button to copy this password to your clipboard. (It is very easy to accidentally copy extra spaces before or after the password; the password copy button ensures you copy only the password.)
- Save this password in a text file or password manager. Keep this password secure. Anybody with this password can access your Windows Server instance. According to the AWS shared responsibility model, you are responsible for the security of your password.
Remote Desktop Connection
- Locate the RDP file you downloaded earlier.
- Double-click the RDP file to open it in the Remote Desktop Connection application.
- You may be prompted to confirm that you want to connect. This confirmation is a basic safeguard to ensure that you are not connecting to a malicious host. Check the box so that you are not prompted to confirm again and click "Connect".
- Paste the password you decrypted earlier. Optionally, you can check the "Remember me" box.
- The connection to the server will be encrypted using the server's certificate, but your computer does not know whether it should trust that certificate. Check the box so that it will not prompt you again about this certificate, and click "Yes".
- At this point, you should see the Windows Server graphical user interface.
- Explore the installed applications. How does this compare to a traditional desktop computer?
- Launch the "Server Manager" application. Explore the interface. What might you do to configure this server?
- Launch PowerShell. Can you ping sites on the internet?
- Launch the web browser. Use a search engine to query, "What's my IP address?" What IP address is shown? How does this compare to your host computer's IP address and the IP addresses shown on the desktop?
Stopping Your Windows Server Instance
When you are finished with your Windows Server EC2 instance, you can stop it to avoid per-hour charges. (Note that a nominal charge will still apply for the storage of the virtual machine.)
- Close the Remote Desktop Connection application.
- Return to the AWS Management Console.
- At the top of the page, click "EC2", then use either of the "Instances" links.
- Check the box next to your Windows Server instance. (If you have multiple instances, ensure that only the one Windows Server instance is selected.) At the top of the page, click "Instance State", and then click "Stop". Confirm that you want to stop the instance.
Stopping an instance does not delete it. Stopping an instance is like shutting down a computer: the computer still exists in its shut-down state.
Reconnecting
If you start your Windows Server EC2 instance later, it will be assigned a different public IP address but the Administrator password will remain the same. Here are summarized steps for connecting to the Windows Server EC2 instance after having stopped your instance.
- Open the AWS Management Console.
- Access the EC2 dashboard.
- Open the "Instances" link.
- Check the box next to your Windows Server instance.
- Click "Instance State", then click "Start".
- Return to the list of instances to check the instance's status. Refresh the status periodically. It will take several minutes for the EC2 instance to start.
- When the status checks show that all checks have passed, check the instance's box, and click "Connect".
- Choose the "RDP client" connection option.
- Download the RDP file. Overwrite the old file; the old RDP file will no longer work because it points to the old public IP address.
- If you lost the password, decrypt the password again using your private key.
- Open the RDP file by double-clicking it. Connect to the server using the password you decrypted.
- When finished working with your server, you can stop the instance in the AWS Management Console.
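Why the old RDP file stops working after a stop/start, as an added example that is not part of the lab: an .rdp file is plain text made of key:type:value lines, and the file the console generates records the instance's public address in its "full address" setting, which changes when the instance is started again. The file below is a constructed sample (the console may write the instance's public DNS name rather than a bare IP), and the addresses are documentation-range placeholders; the lab's procedure is simply to download a fresh file, which the rewrite helper reproduces for the one line that has to change.

```python
# Constructed sample of an .rdp file, not one downloaded from the AWS console.
# The address recorded here belonged to the instance before it was stopped.
OLD_RDP_FILE = """\
auto connect:i:1
full address:s:203.0.113.25
username:s:Administrator
"""

def parse_rdp(text):
    """Parse key:type:value lines into {key: (type, value)}.

    The value is everything after the second colon, so a "host:port"
    full address keeps its port intact.
    """
    settings = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, kind, value = line.split(":", 2)
        settings[key] = (kind, value)
    return settings

def target_host(text):
    """Host the RDP client will connect to (any :port suffix removed)."""
    return parse_rdp(text)["full address"][1].split(":")[0]

def rdp_file_is_current(text, current_public_address):
    """True if the saved file still points at the address the instance has now."""
    return target_host(text) == current_public_address

def rewrite_target(text, new_public_address):
    """Return a copy of the file pointing at the new public address.

    This is the line that differs between the stale file and the fresh
    one the console produces after the instance is started again.
    """
    lines = []
    for line in text.splitlines():
        if line.startswith("full address:s:"):
            line = f"full address:s:{new_public_address}"
        lines.append(line)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed new public address after a stop/start.
    print("stale file still valid:", rdp_file_is_current(OLD_RDP_FILE, "203.0.113.77"))
    print(rewrite_target(OLD_RDP_FILE, "203.0.113.77"))
```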
In the Learner Lab environment, when your 4-hour lab time expires, all running instances will be stopped automatically. The automatic stoppage is a safeguard so that you don't accidentally leave instances running and incurring charges. When you start your Learner Lab environment, all stopped instances will be started automatically.
Terminating an Instance
Terminating an instance permanently deletes it. You may need to terminate an instance if you created it with the wrong settings, or if it has become unstable (e.g., if important operating system files were accidentally deleted).
Warning
The steps here are provided as a reference only. Only terminate the instance if you are experiencing problems or are instructed to terminate your instance.
- Open the AWS Management Console.
- Access the EC2 dashboard.
- Open the "Instances" link.
- Check the box next to your Windows Server instance.
- Click "Instance State", then click "Terminate".
- Confirm that you want to terminate your instance.
- The terminated instance will appear in the list of EC2 instances for a few minutes, but will eventually disappear.
At this point, you could follow the steps to create a new Windows Server EC2 instance.
Learning Checkpoint
By this point you should be able to:
- Access the AWS Management Console.
- Launch an EC2 instance in AWS.
- Check the status of EC2 instances.
- Download RDP files.
- Decrypt AWS passwords using private keys.
- Connect to a Windows Server EC2 instance using RDP.
- Verify network connectivity in an EC2 instance.
- Stop EC2 instances.
- Start EC2 instances.