Windows Virtual Machine on Amazon Web Services

Cloud computing is a paradigm that allows users to access and use computing resources on demand. These resources are typically hosted in data centers and are accessed over the internet. Cloud computing is a powerful tool for developers and IT professionals because it allows them to quickly and easily access computing resources without having to manage the underlying infrastructure.

In this lab, you will learn how to create and manage virtual machines in the cloud. You will use Amazon Web Services (AWS) to create a Windows Server virtual machine and connect to it using Remote Desktop Protocol (RDP).

Before starting these steps, you should log into the Learner Lab and launch the AWS console. Refer here for a reminder of the steps.

Elastic Compute Cloud (EC2)

The AWS Elastic Compute Cloud (EC2) service allows you to create virtual machines that live in Amazon's data centers. A single virtual machine is called an EC2 instance. The terms instance and virtual machine can be used interchangeably.

The high-level process you will follow to create your EC2 instance includes:

  1. creating a Security Group to define what traffic is allowed to reach your EC2 instance,
  2. creating an EC2 Instance that references the Security group, and
  3. connecting to your EC2 instance using the Remote Desktop Protocol (RDP).

Windows Server Security Group

In AWS, Security Groups define the network traffic that EC2 instances can send or receive. For example, unencrypted websites are served on port 80. If you are running a web server, you would allow inbound connections to port 80. If your EC2 instance does not host a website, you would not allow inbound connections to port 80. In Security Groups, anything that is not specifically allowed is denied.

  • Click the EC2 link to open the EC2 dashboard.
  • Find the link in the left navigation that says Security Groups and open it.

Security Groups Link

  • Click Create security group.
  • Name the security group Lastname Windows Server SG, replacing Lastname with your name (e.g., "Marquardson Windows Server SG").
  • Change the description to Windows Server RDP and ICMP.
  • Leave the VPC unchanged.

Security Group Basic Details

  • Under Inbound rules, click Add rule.
    • In the service, choose RDP. This will allow inbound traffic for the Remote Desktop Protocol. By default, RDP uses port 3389. You do not have to modify the port.
    • In the source, choose Anywhere-IPv4. Once selected, a box showing 0.0.0.0/0 will appear. This rule allows anybody on the internet to attempt to connect to your instance and log in. Ideally, you would restrict the source to only your own IP address, but your IP address will change frequently. From a security standpoint, allowing connection attempts from the entire internet is not ideal, but it is a tradeoff against having to edit your security group every time you want to connect. You must use a very strong password for your login credentials; otherwise, an attacker could guess your password and log in.
  • Add another rule.
    • In the service, choose All ICMP - IPv4. This allows you to ping your virtual machine to test connectivity.
    • In the source, choose Anywhere-IPv4 again.

Security Group Inbound Rules

  • At the bottom of the page, click Create security group.
  • You should see a message saying that the security group was created successfully.

Security Group Success
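The two inbound rules above, written out in the IpPermissions form that the EC2 API uses, together with the review check a practitioner would run over them: it flags any administrative port (RDP here) whose source is wider than a single host, and builds the tighter single-address rule that the text describes as the ideal. This is an added example, not code from the lab or from AWS; the rule list, the port table and the address 203.0.113.7 (a documentation address standing in for "your IP") are all constructed here.

```python
"""Added example (not the lab's or AWS's own code): the lab's two inbound rules
in EC2 IpPermissions form, a check for admin ports open wider than one host,
and the tightened single-address variant the text mentions as the ideal."""
import copy
import ipaddress

# Constructed to match the lab: RDP (tcp/3389) and All ICMP - IPv4,
# both with source 0.0.0.0/0 (Anywhere-IPv4).
LAB_INBOUND_RULES = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "RDP"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "All ICMP - IPv4"}]},
]

# Ports where a guessed password or an unpatched service is an immediate problem.
ADMIN_TCP_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM over HTTPS"}


def _rule_port_span(rule):
    """Return the (low, high) TCP port range a rule covers; "-1" means all traffic.
    Non-TCP rules (ICMP, UDP) return None because no admin port applies."""
    if rule["IpProtocol"] == "-1":
        return 0, 65535
    if rule["IpProtocol"] != "tcp":
        return None
    return rule["FromPort"], rule["ToPort"]


def find_exposed_admin_ports(rules):
    """List (service, port, cidr, note) for each admin port whose IPv4 source
    is wider than a single /32. A 0.0.0.0/0 source is noted as 'entire internet'."""
    findings = []
    for rule in rules:
        span = _rule_port_span(rule)
        if span is None:
            continue
        low, high = span
        for source in rule.get("IpRanges", []):
            net = ipaddress.ip_network(source["CidrIp"], strict=False)
            if net.prefixlen == 32:
                continue  # a single host: the restriction the text calls ideal
            note = "entire internet" if net.prefixlen == 0 else f"{net.num_addresses} addresses"
            for port, service in ADMIN_TCP_PORTS.items():
                if low <= port <= high:
                    findings.append((service, port, source["CidrIp"], note))
    return findings


def restrict_sources_to_host(rule, host_ip):
    """Return a copy of the rule whose only IPv4 source is host_ip as a /32."""
    tightened = copy.deepcopy(rule)
    description = rule["IpRanges"][0].get("Description", "") if rule.get("IpRanges") else ""
    tightened["IpRanges"] = [{"CidrIp": f"{ipaddress.ip_address(host_ip)}/32",
                              "Description": description}]
    tightened.pop("Ipv6Ranges", None)  # the lab's rules are IPv4 only
    return tightened


def hardened_lab_rules(host_ip):
    """The lab's rules with the RDP rule pinned to one source address;
    the ICMP rule is left exactly as the lab sets it."""
    return [restrict_sources_to_host(r, host_ip) if r["IpProtocol"] == "tcp" else r
            for r in LAB_INBOUND_RULES]


if __name__ == "__main__":
    for finding in find_exposed_admin_ports(LAB_INBOUND_RULES):
        print("exposed:", finding)
    # 203.0.113.7 is a documentation address standing in for "your IP address".
    print("after tightening:", find_exposed_admin_ports(hardened_lab_rules("203.0.113.7")))
```

The list shape is the same one boto3 returns under `SecurityGroups[].IpPermissions` from `describe_security_groups`, so the check can be pointed at a real group; the tightened rule can be applied with `authorize_security_group_ingress(IpPermissions=[...])` after revoking the wide one. Because the Learner Lab address changes often, the practical middle ground is to update the /32 when it changes rather than leave 0.0.0.0/0 in place permanently.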

Create a Windows Server EC2 Instance

Now that your Security Group has been created, you can create the EC2 instance (i.e., virtual machine). There are many different types of virtual machines you could create. The steps below walk you through the creation of a Windows Server virtual machine with a graphical user interface that can be accessed over the internet.

  • In the EC2 service, click Instances.
    Instances Link
  • Click the Launch Instances button. This button will take you to a screen where you configure the EC2 instance launch settings.
    Launch Instances Button
  • In the Launch an instance page, use the following settings:

    • Name: Lastname Windows Server (replacing Lastname with your last name, e.g., "Marquardson Windows Server")
    • Application and OS Images: Windows
    • Amazon Machine Image (AMI): Microsoft Windows Server (Year) Base
      Windows Server AMI
    • Instance Type: t2.medium (Note the cost per hour. You do not have to pay this amount, but this amount will be deducted from your credits whenever the virtual machine runs.)
      Instance Type
    • Key pair (login): Select the vockey key from the list.
      Key Pair Selection
    • In the Network settings, click Edit.
    • Choose the Subnet with the availability zone us-east-1e.
      Availability Zone Selection
    • Select an existing security group rather than creating a new one. Select your previously created Lastname Windows Server SG security group.
      Security Group Selection
    • Expand Advanced network configuration.
    • Set the Primary IP to 172.31.50.50. This will be the private IP address for the life of this EC2 instance, no matter how many times it is rebooted.
      Set Private IP
    • Scroll to the bottom of the page and expand the Advanced Details section. In the IAM Profile, select LabInstanceProfile. Choosing this facilitates instance management later.
      IAM Profile Selection
    • At the bottom of the page, click Launch instance. This button starts the creation of your EC2 instance on Amazon's infrastructure.
      Launch Instance After Configuration
  • You should see a message that the instance was launched successfully.

Instance Launch Success

  • A random ID will be created for the instance. Click the ID link to view the instance status.

Connecting to the Windows Server

  • The Windows Server EC2 instance will appear in the list of EC2 instances. If it does not appear, click the refresh button next to the Connect button. The "Status check" will show "Initializing" as the EC2 instance is being launched. It will take a few minutes for the instance to fully initialize.
    Initializing
  • Once the instance is fully initialized, the "Status check" will show "2/2 checks passed". The instance will be ready to use.
    Checks Passed
  • Check the box next to your Windows Server instance. (If you have more than one instance, be sure that only this instance is checked.) At the top of the page, click the Connect button.
    Check and Connect
  • On the Connect to instance page, choose RDP client and click the Download remote desktop file button.
    RDP File Download
  • Save the file to your computer in a place you remember.
  • Scroll down and click the Get password link.
    Get Password Link
  • Click the "Upload private key" link and select the private key file you downloaded earlier.
    Upload Key
  • Your private key will be loaded in the web page.
    Decrypt Password After Key Upload
  • Click the Decrypt Password button and your password will appear in the web page. Use the copy button to copy this password to your clipboard. (It is very easy to accidentally copy extra spaces before or after the password; the password copy button ensures you copy only the password.)
    Password Copy
  • Save this password in a text file or password manager. Keep this password secure. Anybody with this password can access your Windows Server instance. According to the AWS shared responsibility model, you are responsible for the security of your password.
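What the Get password and Decrypt Password steps actually do, as an added example (not AWS's or the lab's code): at launch, EC2 encrypts the generated Administrator password with the public half of the key pair you selected (vockey in this lab) using RSA with PKCS#1 v1.5 padding and keeps only the base64 ciphertext; the console, or `aws ec2 get-password-data --priv-launch-key key.pem`, decrypts that blob locally with your private key, which is why nobody without the key file can recover the password. To run offline without any third-party library this uses a small pure-Python RSA with a short key as a stand-in for the real 2048-bit pair; the padding rules are the same. The password string is constructed.

```python
"""Added example (not AWS's or the lab's code): the "Get password" flow for a
Windows EC2 instance, using a small pure-Python RSA so it runs offline."""
import base64
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test; adequate for a demonstration key."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_key_pair(bits=512):
    """Return ((n, e), (n, d)); stands in for vockey. 512 bits is for speed only,
    the real pair is 2048 bits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def encrypt_password_data(public_key, password):
    """The launch-time step done on AWS's side: PKCS#1 v1.5 type-2 padding,
    RSA with the public key, base64. This is the PasswordData the API returns."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    msg = password.encode()
    if len(msg) > k - 11:
        raise ValueError("password too long for this key size")
    padding = bytes(random.randrange(1, 256) for _ in range(k - len(msg) - 3))
    em = b"\x00\x02" + padding + b"\x00" + msg
    c = pow(int.from_bytes(em, "big"), e, n)
    return base64.b64encode(c.to_bytes(k, "big")).decode()


def decrypt_password_data(private_key, password_data):
    """The "Decrypt Password" step: only the holder of the private key can do this."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    c = int.from_bytes(base64.b64decode(password_data), "big")
    em = pow(c, d, n).to_bytes(k, "big")
    # Padding check. Production code does this in constant time, because a
    # decryptor that reveals why padding failed leaks information about the plaintext.
    separator = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or separator < 10:  # at least 8 padding bytes required
        raise ValueError("decryption failed: wrong key or corrupted password data")
    return em[separator + 1:].decode()


if __name__ == "__main__":
    public, private = generate_key_pair()
    blob = encrypt_password_data(public, "constructed-Example-Pa55word!")
    print("PasswordData as the API returns it:", blob[:32], "...")
    print("Decrypted with the private key:", decrypt_password_data(private, blob))
```

The same logic explains the note about keeping the key file secure: the ciphertext stored by AWS is useless without the private key, but anyone holding the private key can retrieve the Administrator password of every instance launched with that key pair. boto3's `get_password_data(InstanceId=...)` returns the base64 `PasswordData` field that `decrypt_password_data` consumes.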

Remote Desktop Connection

  • Locate the RDP file you downloaded earlier.
    RDP File Located

  • Double-click the RDP file to open the file in the Remote Desktop Connection application.

  • You may be prompted to confirm that you want to connect. This confirmation is a basic safeguard against connecting to a malicious host. Check the box so that you are not prompted to confirm again and click Connect.
    Confirm Connection
  • Paste the password you decrypted earlier. Optionally, you can check the box to Remember me.
    RDP Password Login
  • The connection to the server will be encrypted using the server's certificate, but your computer has no way to know whether it should trust that certificate. Check the box so that you are not prompted again about this certificate, and click Yes.
    Confirm certificate
  • At this point, you should see the Windows Server graphical user interface.
  • Explore the installed applications. How does this compare to a traditional desktop computer?
  • Launch the Server Manager application. Explore the interface. What might you do to configure this server?
  • Launch PowerShell. Can you ping sites on the internet?
  • Launch the web browser. Use a search engine to query, "What's my IP address?" What IP address is shown? How does this compare to your host computer's IP address and the IP addresses shown on the desktop?

Stopping Your Windows Server Instance

When you are finished with your Windows Server EC2 instance, you can stop it to avoid per-hour charges. (Note that a nominal charge will still apply for the storage of the virtual machine.)

  • Close the Remote Desktop Connection application.
  • Return to the AWS Management Console.
  • At the top of the page, click EC2, then use either of the Instances links.
    Access Running Instances
  • Check the box next to your Windows Server instance. (If you have multiple instances, ensure that only the one Windows Server instance is selected.) At the top of the page, click Instance State, and then click Stop. Confirm that you want to stop the instance.
    Stop Instance

Stopping an instance does not delete it. Stopping an instance is like shutting down a computer: the computer still exists in its shut-down state.

Reconnecting

If you start your Windows Server EC2 instance later, it will be assigned a different public IP address but the Administrator password will remain the same. Here are summarized steps for connecting to the Windows Server EC2 instance after having stopped your instance.

  • Open the AWS Management Console.
  • Access the EC2 dashboard.
  • Open the Instances link.
  • Check the box next to your Windows Server instance.
  • Click Instance State, then click Start.
  • Return to the list of instances to check the instance's status. Refresh the status periodically. It will take several minutes for the EC2 instance to start.
  • When the status checks show that all checks have passed, check the instance's box, and click Connect.
  • Choose the RDP client connection option.
  • Download the RDP file. Overwrite the old file; the old RDP file will no longer work because it points to the old public IP address.
  • If you lost the password, decrypt the password again using your private key.
  • Open the RDP file by double-clicking it. Connect to the server using the password you decrypted.
  • When finished working with your server, you can stop the instance in the AWS Management Console.
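Why the old RDP file stops working, and the two conditions the steps above check before reconnecting, as an added example (not the lab's or AWS's code): the public IP address changes on stop/start, so the `full address:s:` line in the downloaded .rdp file points at an address the instance no longer has, and the console's "2/2 checks passed" corresponds to both the system and instance status checks reporting ok. The status and instance records below follow the shape of boto3's `describe_instance_status` and `describe_instances` responses but are constructed here, as are the .rdp file contents, the instance ID and the 203.0.113.x addresses.

```python
"""Added example (not the lab's or AWS's code): refresh a stale RDP file after a
stop/start, once both status checks pass."""

# Constructed: the .rdp file the console generated before the instance was stopped.
OLD_RDP_FILE = "auto connect:i:1\r\nfull address:s:203.0.113.10\r\nusername:s:administrator\r\n"

# Constructed: describe_instance_status records while starting and once ready.
STATUS_INITIALIZING = {
    "InstanceId": "i-0123456789abcdef0",
    "InstanceState": {"Code": 16, "Name": "running"},
    "SystemStatus": {"Status": "initializing"},
    "InstanceStatus": {"Status": "initializing"},
}
STATUS_READY = {
    "InstanceId": "i-0123456789abcdef0",
    "InstanceState": {"Code": 16, "Name": "running"},
    "SystemStatus": {"Status": "ok"},
    "InstanceStatus": {"Status": "ok"},
}

# Constructed: describe_instances record after the start; note the new public IP
# while the private IP pinned at launch (172.31.50.50) is unchanged.
INSTANCE_AFTER_START = {
    "InstanceId": "i-0123456789abcdef0",
    "PrivateIpAddress": "172.31.50.50",
    "PublicIpAddress": "203.0.113.25",
}


def status_checks_passed(status):
    """True when the console would show "2/2 checks passed"."""
    return (status["InstanceState"]["Name"] == "running"
            and status["SystemStatus"]["Status"] == "ok"
            and status["InstanceStatus"]["Status"] == "ok")


def rdp_target(rdp_text):
    """Return the host named in the file's full address line, or None."""
    for line in rdp_text.splitlines():
        if line.lower().startswith("full address:s:"):
            return line.split(":", 2)[2]
    return None


def refresh_rdp_file(rdp_text, public_ip):
    """Return the .rdp contents with the full address line pointed at public_ip.
    Every other setting (username, auto connect) is kept; line endings are preserved."""
    newline = "\r\n" if "\r\n" in rdp_text else "\n"
    lines, replaced = [], False
    for line in rdp_text.splitlines():
        if line.lower().startswith("full address:s:"):
            line, replaced = f"full address:s:{public_ip}", True
        lines.append(line)
    if not replaced:
        lines.append(f"full address:s:{public_ip}")
    return newline.join(lines) + newline


def reconnect_plan(old_rdp_text, status, instance):
    """Apply the checks from the reconnect steps: wait for both status checks,
    then rewrite the RDP file for the instance's current public IP."""
    if not status_checks_passed(status):
        raise RuntimeError("instance not ready: status checks have not passed yet")
    public_ip = instance.get("PublicIpAddress")
    if not public_ip:
        raise RuntimeError("instance has no public IP address")
    return refresh_rdp_file(old_rdp_text, public_ip)


if __name__ == "__main__":
    print("old target:", rdp_target(OLD_RDP_FILE))
    refreshed = reconnect_plan(OLD_RDP_FILE, STATUS_READY, INSTANCE_AFTER_START)
    print("new target:", rdp_target(refreshed))
```

Downloading a fresh file from the Connect page, as the steps say, achieves the same thing; the point of the example is that nothing about the saved password or the private IP changed, only the public endpoint.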

In the Learner Lab environment, when your 4-hour lab time expires, all running instances will be stopped automatically. The automatic stoppage is a safeguard so that you don't accidentally leave instances running and incurring charges. When you start your Learner Lab environment, all stopped instances will be started automatically.

Terminating an Instance

Terminating an instance permanently deletes it. You may need to terminate an instance if you created it with the wrong settings, or if it has become unstable (e.g., if important operating system files were accidentally deleted).

Warning

The steps here are provided as a reference only. Only terminate the instance if you are experiencing problems or are instructed to terminate your instance.

  • Open the AWS Management Console.
  • Access the EC2 dashboard.
  • Open the Instances link.
  • Check the box next to your Windows Server instance.
  • Click Instance State, then click Terminate.
  • Confirm that you want to terminate your instance.
  • The terminated instance will appear in the list of EC2 instances for a few minutes, but will eventually disappear.

At this point, you could follow the steps to create a new Windows Server EC2 instance.

Learning Checkpoint

By this point you should be able to:

  • Access the AWS Management Console.
  • Launch an EC2 instance in AWS.
  • Check the status of EC2 instances.
  • Download RDP files.
  • Decrypt AWS passwords using private keys.
  • Connect to a Windows Server EC2 instance using RDP.
  • Verify network connectivity in an EC2 instance.
  • Stop EC2 instances.
  • Start EC2 instances.