

# AWS Launch Wizard for Remote Desktop Gateway

You can add new Remote Desktop Gateway infrastructure to an existing AWS environment using AWS Launch Wizard for Remote Desktop Gateway.

AWS Launch Wizard for Remote Desktop Gateway (RD Gateway) guides you through the sizing, configuration, and deployment of RD Gateway on the AWS Cloud. RD Gateway uses the Remote Desktop Protocol (RDP) over HTTPS to establish a secure, encrypted connection between remote users and Amazon Elastic Compute Cloud instances running Windows, without needing to configure a virtual private network (VPN). This helps reduce the attack surface on your Windows instances while providing a remote administration solution for administrators.

## Deployment options


This Launch Wizard application provides two deployment options:
+ **Deploy RD Gateway into a new VPC (end-to-end deployment).** Builds a new AWS environment consisting of a VPC, subnets, NAT gateways, security groups, and other infrastructure components, and then deploys RD Gateway into this new VPC. 
+ **Deploy RD Gateway into an existing VPC.** Provisions standalone RD Gateway instances in your existing AWS infrastructure.

AWS Launch Wizard provides separate templates for these two deployment types. You can also configure CIDR blocks, instance types, and RD Gateway settings.

## AWS Regions


Launch Wizard uses various AWS services during the provisioning of the application's environment. Not every workload is supported in all AWS Regions. For a current list of Regions where the workload can be provisioned, see [AWS Launch Wizard workload availability](launch-wizard-workload-availability.md).

## Features


**Topics**
+ [Simple application deployment](#launch-wizard-remote-desktop-gateway-features-app-deployment)
+ [Application Resource Groups for discoverability](#launch-wizard-remote-desktop-gateway-resource-groups)
+ [AWS resource selection](#launch-wizard-remote-desktop-gateway-features-resource-selection)
+ [Cost estimation](#launch-wizard-remote-desktop-gateway-features-cost)
+ [SNS notification](#launch-wizard-remote-desktop-gateway-features-sns)
+ [Early input validation](#launch-wizard-remote-desktop-gateway-input-validation)

### Simple application deployment


AWS Launch Wizard makes it more efficient for you to deploy third-party applications on AWS, such as Remote Desktop Gateway. When you input the application requirements, AWS Launch Wizard deploys the necessary AWS resources for a production-ready application. This means that you do not have to manage separate infrastructure pieces or spend as much time provisioning and configuring your Remote Desktop Gateway application.

### Application Resource Groups for discoverability


Launch Wizard creates a Resource Group for all of the AWS resources created for your Remote Desktop Gateway application. You can manage the resources through the Amazon EC2 console or with AWS Systems Manager. When you access Systems Manager through Launch Wizard, the resources are automatically filtered for you based on your Resource Group. You can manage, patch, and maintain your Remote Desktop Gateway applications in Systems Manager.

### AWS resource selection


Launch Wizard considers performance, memory, bandwidth, and other application features to determine the most appropriate instance type for your Remote Desktop Gateway application. You can modify the recommended defaults.

### Cost estimation


Launch Wizard provides a cost estimate for a complete deployment. The cost estimate is itemized for each individual resource to deploy. The estimated cost automatically updates each time you change a resource type configuration in the wizard. The provided estimates are for general comparisons only. The estimates are based on On-Demand costs and actual costs may be lower.

### SNS notification


You can provide an [Amazon SNS topic](https://docs.aws.amazon.com/sns/latest/dg/welcome.html) so that Launch Wizard will send you notifications and alerts about the status of a deployment.

### Early input validation


**Launch Wizard performs the following resource limit validations at the AWS account level:**
+ VPC 
+ Internet gateway 
+ Number of AWS CloudFormation stacks

## Components


An RD Gateway application deployed with Launch Wizard includes the following components:
+ A highly available architecture that spans two Availability Zones.
+ In each public subnet, up to four RD Gateway instances in an Auto Scaling group to provide secure remote access to instances in the private subnets. Each instance is assigned an Elastic IP address so it’s reachable directly from the internet.
+ A Network Load Balancer to provide RDP access to the RD Gateway instances.
+ A security group for Windows instances that will host the RD Gateway role, with an ingress rule permitting TCP port 3389 from your administrator IP address. After deployment, you’ll modify the security group ingress rules to configure administrative access through TCP port 443 instead.
+ An empty application tier for instances in private subnets. If more tiers are required, you can create additional private subnets with unique CIDR ranges.
+ AWS Systems Manager Parameter Store to securely store credentials used for accessing the RD Gateway instances.
+ AWS Systems Manager to automate the deployment of the RD Gateway Auto Scaling group.
+ A self-signed SSL certificate and configuration of Remote Desktop Connection Authorization Policies (RD CAPs) and RD Gateway.
+ Resource Groups that contain all the resources created with Launch Wizard.

Additionally, a new VPC deployment includes the following components:
+ A VPC configured with public and private subnets according to AWS best practices, to provide you with your own virtual network on AWS.
+ An internet gateway to allow access to the internet. This gateway is used by the RD Gateway instances to send and receive traffic.
+ Managed network address translation (NAT) gateways to allow outbound internet access for resources in the private subnets.

![A Remote Desktop Gateway application deployed in two Availability Zones using an Auto Scaling group and a Network Load Balancer.](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/rdgateway-architecture-diagram.png)
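The components list states that the RD Gateway security group starts with TCP 3389 open from the administrator address and that administrative access is moved to TCP 443 after deployment. The following is an added example, not AWS's or Launch Wizard's own code: it reads the JSON shape returned by `aws ec2 describe-security-groups`, reports rules open to the whole internet, and emits the `aws ec2` commands for that 3389-to-443 change. The group ID `sg-0example` and the CIDRs are constructed placeholders.

```python
"""Plan the post-deployment move of RD Gateway admin access from TCP 3389 to TCP 443.

Added example, not part of AWS Launch Wizard. Input is one element of the
"SecurityGroups" list returned by:
    aws ec2 describe-security-groups --group-ids <sg-id>
"""

RDP_PORT = 3389
HTTPS_PORT = 443
WORLD = ("0.0.0.0/0", "::/0")

# Constructed sample: the RD Gateway group as the page describes it after
# deployment (3389 from the administrator address), plus one over-broad rule.
SAMPLE_SG = {
    "GroupId": "sg-0example",  # placeholder, not a real group
    "GroupName": "RDGW-SecurityGroup",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": RDP_PORT, "ToPort": RDP_PORT,
         "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "admin workstation"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def _port_range(perm):
    """Port range a permission covers; protocol -1 (all traffic) carries no ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def tcp_sources(sg, port):
    """IPv4 CIDRs allowed to reach `port` over TCP, including rules whose range spans it."""
    cidrs = []
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = _port_range(perm)
        if lo <= port <= hi:
            cidrs.extend(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def world_open_ports(sg):
    """(FromPort, ToPort) of every ingress rule reachable from the whole internet."""
    found = []
    for perm in sg.get("IpPermissions", []):
        sources = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        sources += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if any(s in WORLD for s in sources):
            found.append(_port_range(perm))
    return found


def plan_switch_to_443(sg):
    """aws ec2 commands that open 443 for each 3389 source, then close 3389.

    Authorize first so the administrator keeps a path in while 3389 is removed.
    Only rules that are exactly 3389-3389 are revoked (that is what the
    --port 3389 revoke matches); a rule covering 3389 as part of a wider
    range is reported as a finding for manual review instead.
    """
    gid = sg["GroupId"]
    commands, findings = [], []
    already_443 = set(tcp_sources(sg, HTTPS_PORT))
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") not in ("tcp", "-1"):
            continue
        lo, hi = _port_range(perm)
        if not (lo <= RDP_PORT <= hi):
            continue
        if (lo, hi) != (RDP_PORT, RDP_PORT):
            findings.append(f"rule {lo}-{hi} covers 3389 as part of a range; review manually")
            continue
        for rng in perm.get("IpRanges", []):
            cidr = rng["CidrIp"]
            if cidr not in already_443:
                commands.append(
                    f"aws ec2 authorize-security-group-ingress --group-id {gid} "
                    f"--protocol tcp --port {HTTPS_PORT} --cidr {cidr}")
            commands.append(
                f"aws ec2 revoke-security-group-ingress --group-id {gid} "
                f"--protocol tcp --port {RDP_PORT} --cidr {cidr}")
    return commands, findings


if __name__ == "__main__":
    for lo, hi in world_open_ports(SAMPLE_SG):
        print(f"warning: ports {lo}-{hi} are open to the whole internet")
    cmds, notes = plan_switch_to_443(SAMPLE_SG)
    print("\n".join(cmds + notes))
```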


# Get Started with AWS Launch Wizard for Remote Desktop Gateway

This section contains information to help you set up your environment to deploy RD Gateway with Launch Wizard. When your environment is set up, you can deploy the RD Gateway application with Launch Wizard by following the steps and parameter specification details provided in this section.

**Topics**
+ [Access AWS Launch Wizard](#launch-wizard-remote-desktop-gateway-access)
+ [Specialized knowledge](#launch-wizard-remote-desktop-gateway-specialized-knowledge)
+ [Amazon Web Services account](#launch-wizard-remote-desktop-gateway-aws-account)
+ [Service Quotas](#launch-wizard-remote-desktop-gateway-resource-quotas)
+ [Amazon Elastic Compute Cloud key pairs](#launch-wizard-remote-desktop-gateway-key-pairs)
+ [AWS Identity and Access Management permissions](#launch-wizard-remote-desktop-gateway-iam-permissions)

## Access AWS Launch Wizard

You can launch AWS Launch Wizard from the AWS Launch Wizard console located at [https://console.aws.amazon.com/launchwizard](https://console.aws.amazon.com/launchwizard).

## Specialized knowledge


This deployment requires a moderate level of familiarity with AWS services. If you’re new to AWS, see [Getting Started Resource Center](https://aws.amazon.com/getting-started) and [AWS Training and Certification](https://aws.amazon.com/training). These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud. 

This Launch Wizard assumes familiarity with Remote Desktop Gateway.

## Amazon Web Services account


### Sign up for an AWS account


If you do not have an AWS account, complete the following steps to create one.

**To sign up for an AWS account**

1. Open [https://portal.aws.amazon.com/billing/signup](https://portal.aws.amazon.com/billing/signup).

1. Follow the online instructions.

   Part of the sign-up procedure involves receiving a phone call or text message and entering a verification code on the phone keypad.

   When you sign up for an AWS account, an *AWS account root user* is created. The root user has access to all AWS services and resources in the account. As a security best practice, assign administrative access to a user, and use only the root user to perform [tasks that require root user access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html#root-user-tasks).

AWS sends you a confirmation email after the sign-up process is complete. At any time, you can view your current account activity and manage your account by going to [https://aws.amazon.com/](https://aws.amazon.com/) and choosing **My Account**.

### Create a user with administrative access


After you sign up for an AWS account, secure your AWS account root user, enable AWS IAM Identity Center, and create an administrative user so that you don't use the root user for everyday tasks.

**Secure your AWS account root user**

1. Sign in to the [AWS Management Console](https://console.aws.amazon.com/) as the account owner by choosing **Root user** and entering your AWS account email address. On the next page, enter your password.

   For help signing in by using the root user, see [Signing in as the root user](https://docs.aws.amazon.com/signin/latest/userguide/console-sign-in-tutorials.html#introduction-to-root-user-sign-in-tutorial) in the *AWS Sign-In User Guide*.

1. Turn on multi-factor authentication (MFA) for your root user.

   For instructions, see [Enable a virtual MFA device for your AWS account root user (console)](https://docs.aws.amazon.com/IAM/latest/UserGuide/enable-virt-mfa-for-root.html) in the *IAM User Guide*.

**Create a user with administrative access**

1. Enable IAM Identity Center.

   For instructions, see [Enabling AWS IAM Identity Center](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-set-up-for-idc.html) in the *AWS IAM Identity Center User Guide*.

1. In IAM Identity Center, grant administrative access to a user.

   For a tutorial about using the IAM Identity Center directory as your identity source, see [Configure user access with the default IAM Identity Center directory](https://docs.aws.amazon.com//singlesignon/latest/userguide/quick-start-default-idc.html) in the *AWS IAM Identity Center User Guide*.

**Sign in as the user with administrative access**
+ To sign in with your IAM Identity Center user, use the sign-in URL that was sent to your email address when you created the IAM Identity Center user.

  For help signing in using an IAM Identity Center user, see [Signing in to the AWS access portal](https://docs.aws.amazon.com/signin/latest/userguide/iam-id-center-sign-in-tutorial.html) in the *AWS Sign-In User Guide*.

**Assign access to additional users**

1. In IAM Identity Center, create a permission set that follows the best practice of applying least-privilege permissions.

   For instructions, see [Create a permission set](https://docs.aws.amazon.com//singlesignon/latest/userguide/get-started-create-a-permission-set.html) in the *AWS IAM Identity Center User Guide*.

1. Assign users to a group, and then assign single sign-on access to the group.

   For instructions, see [Add groups](https://docs.aws.amazon.com//singlesignon/latest/userguide/addgroups.html) in the *AWS IAM Identity Center User Guide*.

## Service Quotas


If necessary, [request service quota increases](https://console.aws.amazon.com/servicequotas/) for the following resources. You might need to request increases if your existing deployment currently uses these resources and if this Launch Wizard deployment could result in exceeding the default quotas. The [Service Quotas console](https://console.aws.amazon.com/servicequotas/) displays your usage and quotas for some aspects of some services. For more information, see [What is Service Quotas?](https://docs.aws.amazon.com/servicequotas/latest/userguide/intro.html) and [AWS service quotas](https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html).

Existing VPC Service Quotas:


| Resource | Default quota | This deployment uses |
| --- | --- | --- |
| Elastic IP Addresses | 5 per Region | 2 |
| AWS Identity and Access Management (IAM) security groups | 300 per account | 1 |
| IAM roles | 1,000 per account | 1 |
| Auto Scaling groups | 200 per Region | 1 |
| Amazon EC2 On-Demand Instances (Standard) | 5 per Region | 1-4 |

New VPC Service Quotas:


| Resource | Default quota | This deployment uses |
| --- | --- | --- |
| VPCs | 5 per Region | 1 |
| Elastic IP Addresses | 5 per Region | 2 |
| Internet Gateway | 5 per Region | 1 |
| AWS Identity and Access Management (IAM) security groups | 300 per account | 1 |
| IAM roles | 1,000 per account | 1 |
| Auto Scaling groups | 200 per Region | 1 |
| Amazon EC2 On-Demand Instances (Standard) | 5 per Region | 1-4 |

## Amazon Elastic Compute Cloud key pairs


Ensure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you plan to deploy the Launch Wizard application. Note the key pair name because you will use it during deployment. To create a key pair, see [Amazon EC2 key pairs and EC2 instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).

For testing or proof-of-concept purposes, we recommend creating a new key pair instead of using one that’s already being used by a production instance. 

## AWS Identity and Access Management permissions


Before deploying the Launch Wizard application, you must sign in to the AWS Management Console with IAM permissions for the resources that the templates deploy. The *AdministratorAccess* managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions. For more information, see [AWS managed policies for job functions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html).

# Deploy standalone Remote Desktop Gateway into a new VPC (Console)

The following steps guide you through a Remote Desktop Gateway deployment with AWS Launch Wizard after you have launched it from the console.

1. When you select **Choose application** from the AWS Launch Wizard landing page, you are directed to the Choose application wizard where you are prompted to select the type of application that you want to deploy.

1. Select **Microsoft Remote Desktop Gateway**, select **Deploy into a new VPC**, then select **Create deployment.**

1. You are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields of the deployment model.

------
#### [ General ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **Amazon Simple Notification Service (SNS) topic ARN — optional**. Specify an Amazon SNS topic where AWS Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com//sns/latest/dg/welcome.html).
   + **Deactivate rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will be deleted. You can enable this setting during deployment to prevent this behavior.
   + **Tags - optional**. Enter a key and value to assign metadata to your deployment. For help with tagging, see [Tagging Your EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

------
#### [ Network configuration ]
   + **Key pair name**. Select an existing key pair from the dropdown list or create a new one. If you select **Create new key pair name**, you are directed to the Amazon EC2 console. From there, under **Network and Security**, choose **Key Pairs**. Choose **Create a new key pair**, enter a name for the key pair, and then choose **Download Key Pair**.
**Important**  
This is the only opportunity for you to save the private key file. Download it and save it in a safe place. You must provide the name of your key pair when you launch an instance and provide the corresponding private key each time that you connect to the instance. Return to the Launch Wizard console and choose the refresh button next to the **Key Pairs** dropdown list. The newly created key pair appears in the dropdown list. For more information about key pairs, see [Amazon EC2 Key Pairs and Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).
   + **Availability Zone (AZ) configuration:** You must choose at least two Availability Zones. Deployment will create a highly available architecture that spans these Availability Zones.
   + **VPC Settings:** Launch Wizard creates your VPC in this case. For the input fields that define the VPC configuration, see the [AWS documentation website](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-remote-desktop-gateway-deployment-steps-new-vpc.html).

------
#### [ Microsoft Remote Desktop Gateway configuration ]
   For the input fields on this tab, see the [AWS documentation website](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-remote-desktop-gateway-deployment-steps-new-vpc.html).

------

1. When you are satisfied with your infrastructure selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. After configuring your application, you are prompted to define the infrastructure requirements for the new deployment on the **Define infrastructure requirements** page. The following tabs provide information about the input fields.

------
#### [ Compute ]
   + **Infrastructure requirements based on instance type**. You can choose to select your instances or use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your performance needs. If no selections are made, default values are assigned.
   + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4.
   + **Network performance**. Choose your preferred network performance in Gbps.
   + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
   + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure requirements.
   + **Infrastructure requirements based on instance type**. You can choose to select your instance or use AWS recommended resources. If no selections are made, default values are assigned.
   + **Instance type**. Select your preferred instance type from the dropdown list.

------

1. When you are satisfied with your infrastructure selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**. Launch Wizard validates the inputs and notifies you of any issues you must address. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your **Microsoft Remote Desktop Gateway** application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments.

1. When your deployment is ready, a notification informs you that your **Remote Desktop Gateway** application is successfully deployed. If you have set up an Amazon SNS notification, you are also alerted through Amazon SNS. To manage and access all of the resources related to your application, select the deployment, and from the **Actions** dropdown list, select **Manage**. 

1. When the application is deployed, you can access your EC2 instances through the Amazon EC2 console.

# Deploy standalone Remote Desktop Gateway into an existing VPC (Console)

The following steps guide you through a Remote Desktop Gateway deployment with AWS Launch Wizard after you have launched it from the console.

1. When you select **Choose application** from the AWS Launch Wizard landing page, you are directed to the Choose application wizard where you are prompted to select the type of application that you want to deploy.

1. Select **Microsoft Remote Desktop Gateway**, select **Deploy into an existing VPC**, then select **Create deployment.**

1. You are prompted to enter the specifications for the new deployment. The following tabs provide information about the specification fields of the deployment model.

------
#### [ General ]
   + **Deployment name**. Enter a unique application name for your deployment.
   + **Amazon Simple Notification Service (SNS) topic ARN — optional**. Specify an Amazon SNS topic where AWS Launch Wizard can send notifications and alerts. For more information, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com//sns/latest/dg/welcome.html).
   + **Deactivate rollback on failed deployment**. By default, if a deployment fails, your provisioned resources will be deleted. You can enable this setting during deployment to prevent this behavior.
   + **Tags - optional**. Enter a key and value to assign metadata to your deployment. For help with tagging, see [Tagging Your Amazon EC2 Resources](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html).

------
#### [ Network configuration ]

   + **Key pair name**. Select an existing key pair from the dropdown list or create a new one. If you select **Create new key pair name**, you are directed to the Amazon EC2 console. From there, under **Network and Security**, choose **Key Pairs**. Choose **Create a new key pair**, enter a name for the key pair, and then choose **Download Key Pair**.
**Important**  
This is the only opportunity for you to save the private key file. Download it and save it in a safe place. You must provide the name of your key pair when you launch an instance and provide the corresponding private key each time that you connect to the instance. Return to the Launch Wizard console and choose the refresh button next to the **Key Pairs** dropdown list. The newly created key pair appears in the dropdown list. For more information about key pairs, see [Amazon EC2 Key Pairs and Windows Instances](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html).
   + **VPC Settings:**
     + **Select Virtual Private Cloud (VPC)** option. Choose the VPC that you want to use from the dropdown list. Your VPC must have at least two public subnets associated with it for HA deployments.

       **To add a new public subnet**

       If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet. If, however, a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet. To use an existing VPC that does not have a public subnet, you can add a new public subnet using the following steps.
       + Follow the steps in [Creating a Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Create_Subnet) in the Amazon VPC User Guide, using the existing VPC that you intend to use with AWS Launch Wizard.
       + To add an internet gateway to your VPC, follow the steps in [Attaching an Internet Gateway](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Attach_Gateway) in the Amazon VPC User Guide.
       + To configure your subnets to route internet traffic through the internet gateway, follow the steps in [Creating a Custom Route Table](https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html#Add_IGW_Routing) in the Amazon VPC User Guide. Use IPv4 format (0.0.0.0/0) for Destination.
       + The public subnet should have the "auto-assign public IPv4 address" setting enabled. To enable this setting, follow the steps in [Modifying the Public IPv4 Addressing Attribute for Your Subnet](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-ip-addressing.html#subnet-public-ip) in the Amazon VPC User Guide.
   + **Availability Zone (AZ) configuration:** You must choose at least two Availability Zones. The deployment will create a highly available architecture that spans these Availability Zones.
   + **Allowed Remote Desktop Gateway external access CIDR:** You must specify a CIDR block for allowing external RDP access to the Remote Desktop Gateways on TCP port 3389.
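The conditions above for an existing VPC (a route to an internet gateway makes a subnet public, auto-assign public IPv4 enabled, two Availability Zones) and the external access CIDR can be checked before the deployment is started. The following is an added example, not part of the Launch Wizard documentation or code: it works on the JSON returned by `aws ec2 describe-subnets` and `aws ec2 describe-route-tables`, and uses constructed sample data (the subnet, route table and gateway IDs are placeholders) so it runs offline.

```python
"""Pre-flight check of an existing VPC for the RD Gateway existing-VPC pattern.

Added example, not part of AWS Launch Wizard. Inputs are the "Subnets" and
"RouteTables" elements returned by
    aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc-id>
    aws ec2 describe-route-tables --filters Name=vpc-id,Values=<vpc-id>
"""
import ipaddress

# Constructed sample data (subnet, route table and gateway IDs are placeholders).
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0a", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0b", "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0c", "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
]
SAMPLE_ROUTE_TABLES = [
    {   # main route table: implicitly used by subnet-0c, no internet gateway route
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {   # explicitly associated with subnet-0a and subnet-0b, default route to an IGW
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-0a"},
                         {"Main": False, "SubnetId": "subnet-0b"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}],
    },
]


def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def is_public(route_table):
    """Public in the page's sense: an active 0.0.0.0/0 route whose target is an internet gateway."""
    if route_table is None:
        return False
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and str(r.get("GatewayId", "")).startswith("igw-")
        and r.get("State", "active") == "active"
        for r in route_table.get("Routes", [])
    )


def public_subnets(subnets, route_tables):
    """Subnets whose effective route table carries a default route to an internet gateway."""
    return [s for s in subnets if is_public(route_table_for(s["SubnetId"], route_tables))]


def check_vpc_ready(subnets, route_tables, external_cidr):
    """Return findings that would block or weaken the deployment; [] means ready."""
    findings = []
    pub = public_subnets(subnets, route_tables)
    if len(pub) < 2:
        findings.append(f"need at least two public subnets, found {len(pub)}")
    azs = {s["AvailabilityZone"] for s in pub}
    if len(azs) < 2:
        findings.append(f"public subnets must span two Availability Zones, found {sorted(azs)}")
    for s in pub:
        if not s.get("MapPublicIpOnLaunch"):
            findings.append(f"{s['SubnetId']}: auto-assign public IPv4 address is disabled")
    # The allowed external access CIDR is what limits who can reach TCP 3389.
    try:
        net = ipaddress.ip_network(external_cidr, strict=False)
    except ValueError:
        findings.append(f"external access CIDR {external_cidr!r} is not a valid CIDR block")
    else:
        if net.prefixlen == 0:
            findings.append("external access CIDR 0.0.0.0/0 exposes TCP 3389 to the whole internet")
    return findings


if __name__ == "__main__":
    for finding in check_vpc_ready(SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES, "203.0.113.0/24"):
        print("finding:", finding)
```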

------
#### [ Microsoft Remote Desktop Gateway configuration ]
   For the input fields on this tab, see the [AWS documentation website](http://docs.aws.amazon.com/launchwizard/latest/userguide/launch-wizard-remote-desktop-gateway-deployment-steps-existing-vpc-standalone.html).

------

1. When you are satisfied with your infrastructure selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. After configuring your application, you are prompted to define the infrastructure requirements for the new deployment on the **Define infrastructure requirements** page. The following tabs provide information about the input fields.

------
#### [ Compute ]
   + **Infrastructure requirements based on instance type**. You can choose to select your instances, or to use AWS recommended resources. If you choose to use AWS recommended resources, you have the option of defining your performance needs. If no selections are made, default values are assigned.
   + **Number of instance cores**. Choose the number of CPU cores for your infrastructure. The default value assigned is 4.
   + **Network performance**. Choose your preferred network performance in Gbps.
   + **Memory (GB)**. Choose the amount of RAM that you want to attach to your EC2 instances. The default value assigned is 4 GB.
   + **Recommended resources**. Launch Wizard displays the system-recommended resources based on your infrastructure selections. If you want to change the recommended resources, select different infrastructure requirements.
   + **Infrastructure requirements based on instance type**. You can choose to select your instance or use AWS recommended resources. If no selections are made, default values are assigned.
   + **Instance type**. Select your preferred instance type from the dropdown list.

------

1. When you are satisfied with your infrastructure selections, select **Next**. If you don't want to complete the configuration, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. To go to the previous screen, select **Previous**.

1. On the **Review and deploy** page, review your configuration details. If you want to make changes, select **Previous**. To stop, select **Cancel**. When you select **Cancel**, all of the selections on the specification page are lost and you are returned to the landing page. When you choose **Deploy**, you agree to the terms of the **Acknowledgment**. Launch Wizard validates the inputs and notifies you of any issues you must address. 

1. When validation is complete, Launch Wizard deploys your AWS resources and configures your **Microsoft Remote Desktop Gateway** application. Launch Wizard provides you with status updates about the progress of the deployment on the **Deployments** page. From the **Deployments** page, you can view the list of current and previous deployments.

1. When your deployment is ready, a notification informs you that your **Remote Desktop Gateway** application is successfully deployed. If you have set up an Amazon SNS notification, you are also alerted through Amazon SNS. You can manage and access all of the resources related to your application by selecting the deployment, and then selecting **Manage** from the **Actions** dropdown list. 

1. When the application is deployed, you can access your EC2 instances through the Amazon EC2 console.

# Deploy Remote Desktop Gateway to a new or existing VPC (AWS CLI)

You can use the AWS Launch Wizard [CreateDeployment](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_CreateDeployment.html) API operation to deploy Remote Desktop Gateway. To create a deployment, you must provide values for various *specifications*. Specifications are a collection of settings that define how your deployment should be created and configured. A workload will have one or more deployment patterns with differing required and optional specifications.

If you want to use the **Clone deployment** action on your deployment, you must create your deployment using the Launch Wizard console.

## Prerequisites for deploying Remote Desktop Gateway with the AWS CLI

Before deploying Remote Desktop Gateway with the AWS CLI, ensure you have met the following prerequisites:
+ Install and configure the AWS CLI. For more information, see [Install or update to the latest version of the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html).
+ Complete the steps in the previous section titled **Set up**. Some deployment patterns have requirements that must be met for a deployment to be successful.

## Create a Remote Desktop Gateway deployment with the AWS CLI


You can create a deployment for your Remote Desktop Gateway application using the `CreateDeployment` Launch Wizard API operation.

**To create a deployment for Remote Desktop Gateway using the AWS CLI**

1. List the available workload names using the [ListWorkloads](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloads.html) Launch Wizard API operation.

   The following example shows listing the available workloads:

   ```
   aws launchwizard list-workloads --region us-east-1
   {
       "workloads": [
           {
               "displayName": "Remote Desktop Gateway",
               "workloadName": "RDGW"
           },
           {
               "displayName": "MS SQL Server",
               "workloadName": "SQL"
           },
           {
               "displayName": "SAP",
               "workloadName": "SAP"
           },
           {
               "displayName": "Microsoft Active Directory",
               "workloadName": "MicrosoftActiveDirectory"
           }
           ...
       ]
   }
   ```

1. Specify the desired workload name with the [ListWorkloadDeploymentPatterns](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_ListWorkloadDeploymentPatterns.html) operation to describe the supported values for the deployment pattern names.

   The following example lists the available workload patterns for a given workload:

   ```
   aws launch-wizard list-workload-deployment-patterns --workload-name RDGW --region us-east-1
   {
       "workloadDeploymentPatterns": [
           {
               "deploymentPatternName": "RDGWExistingVpc",
               "description": "Example description.",
               "displayName": "ExampleDisplayName",
               "status": "ACTIVE",
               "workloadName": "RDGW",
               "workloadVersionName": "2024-05-03-00-00-00"
           },
           ...
       ]
   }
   ```

1. Use the workload and deployment pattern names you discovered with the [https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetWorkloadDeploymentPattern.html](https://docs.aws.amazon.com/launchwizard/latest/APIReference/API_GetWorkloadDeploymentPattern.html) operation to list the specification details.

   The following example lists the workload specifications of a given workload and deployment pattern:

   ```
   aws launch-wizard get-workload-deployment-pattern --workload-name RDGW --deployment-pattern-name RDGWExistingVpc --region us-east-1
   {
       "workloadDeploymentPattern": {
           "deploymentPatternName": "RDGWExistingVpc",
           "description": "Example description.",
           "displayName": "ExampleDisplayName",
           "specifications": [
               {
                   "description": "Enter an SNS topic for AWS Launch Wizard to send notifications and alerts.",
                   "name": "AWS:LaunchWizard:TopicArn",
                   "required": "No"
               },
               {
                   "description": "When a deployment fails, your provisioned resources will be deleted/rolled back by default. If deactivated, the provisioned resources will be deleted when you delete your deployment from the Launch Wizard console.",
                   "name": "AWS:LaunchWizard:DisableRollbackFlag",
                   "required": "No"
               },
               {
                   "allowedValues": [
                       "true",
                       "false"
                   ],
                   "description": "Cloud Watch Application Insights monitoring",
                   "name": "SetupAppInsightsMonitoring",
                   "required": "Yes"
               },
               ...
           ]
       }
   }
   ```

1. With the workload specifications retrieved, you must provide values for any specification `name` with a `required` value of `Yes`. You can also provide any optional specifications you require for your deployment. We recommend that you pass inputs to the `specifications` parameter for your deployment as a file for easier usage.

   Your JSON file's format should resemble the following:

   ```
   {
     "ExampleName1": "ExampleValue1",
     "ExampleName2": "ExampleValue2",
     "ExampleName3": "ExampleValue3"
   }
   ```

1. With the specifications file created, you can create a deployment for your chosen workload and deployment pattern.

   The following example creates a deployment with specifications defined in a file:

   ```
   aws launch-wizard create-deployment --workload-name RDGW --deployment-pattern-name RDGWExistingVpc --name ExampleDeploymentName --region us-east-1 --specifications file://specifications.json
   ```
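Before running `create-deployment`, it is worth checking the specifications file against the pattern you retrieved in step 3, so that a missing required name or a value outside `allowedValues` is caught locally rather than as a failed deployment. The following is an added example and not part of Launch Wizard or the AWS CLI; it embeds a constructed, abbreviated copy of the `get-workload-deployment-pattern` output shown above so it runs offline, and it assumes the file uses the flat `"name": "value"` layout described in step 4.

```python
"""Validate a Launch Wizard specifications file before create-deployment.

Added example, not AWS code. SAMPLE_PATTERN is a constructed, abbreviated
copy of the get-workload-deployment-pattern output for RDGWExistingVpc;
replace it with the real output saved from the CLI.
"""
import json

SAMPLE_PATTERN = {  # constructed sample in the shape the CLI returns
    "workloadDeploymentPattern": {
        "deploymentPatternName": "RDGWExistingVpc",
        "specifications": [
            {"name": "AWS:LaunchWizard:TopicArn", "required": "No"},
            {"name": "AWS:LaunchWizard:DisableRollbackFlag", "required": "No"},
            {"name": "SetupAppInsightsMonitoring", "required": "Yes",
             "allowedValues": ["true", "false"]},
        ],
    }
}


def validate_specifications(pattern: dict, specs: dict) -> list[str]:
    """Return a list of problems; an empty list means the file is acceptable."""
    problems = []
    catalog = {s["name"]: s
               for s in pattern["workloadDeploymentPattern"]["specifications"]}

    # Every specification marked required: "Yes" must be present.
    for name, spec in catalog.items():
        if spec.get("required") == "Yes" and name not in specs:
            problems.append(f"missing required specification: {name}")

    # Every supplied name must exist, be a string, and respect allowedValues.
    for name, value in specs.items():
        spec = catalog.get(name)
        if spec is None:
            problems.append(f"unknown specification: {name}")
            continue
        if not isinstance(value, str):
            problems.append(f"{name}: value must be a string, got {type(value).__name__}")
            continue
        allowed = spec.get("allowedValues")
        if allowed and value not in allowed:
            problems.append(f"{name}: {value!r} not in allowed values {allowed}")
    return problems


def validate_file(pattern: dict, path: str) -> list[str]:
    """Load a specifications JSON file and validate it against the pattern."""
    with open(path, encoding="utf-8") as fh:
        return validate_specifications(pattern, json.load(fh))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "specifications.json"
    issues = validate_file(SAMPLE_PATTERN, target)
    for issue in issues:
        print(issue)
    sys.exit(1 if issues else 0)
```

Run it as `python validate_specs.py specifications.json`; a non-zero exit means the file should be corrected before it is passed to `--specifications file://specifications.json`.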

# Post-deployment steps

The following are the recommended post-deployment steps for Remote Desktop Gateway on AWS.

**Topics**
+ [Complete the configuration of your AWS environment](#complete-config)
+ [Install the root certificate](#root-cert)
+ [Configure the Remote Desktop Connection Client](#configure-client)
+ [Run Windows Updates](#windows-updates)

## Complete the configuration of your AWS environment


**After AWS Launch Wizard finishes the application deployment, follow these steps:**

1. Create security groups for your Windows instances that will be located in private VPC subnets. Create an ingress rule permitting TCP port 3389 from the RD Gateway security group, CIDR range, or IP address. Associate these groups with instances as they are launched into the private subnets.

1. Make sure that your administrative clients can resolve the name of the RD Gateway endpoint (for example, `win-1a2b3c4d5e6.example.com`). You can create an A (Host) record in DNS that maps the FQDN to the RD Gateway's Elastic IP or public IP address. For testing purposes, you can configure this mapping in the local hosts file on the client machine.

1. Configure administrative clients with the proper configuration settings. This includes installing the root certificate from each RD Gateway server on the client machines (see the next section for instructions). When you use the CloudFormation templates, the default location for the root certificate will be `c:\servername.cer` on each RD Gateway server.

1. Modify the RD Gateway security group. Remove the ingress rule permitting TCP port 3389. Create a new ingress rule permitting TCP port 443 from your administrator’s IP address.

1. Make sure that instances in private subnets are associated with a security group containing ingress rules permitting the RD Gateway server IP address to connect through TCP port 3389.

1. Configure the Remote Desktop connection for administrative clients, as described later in this section.

## Install the root certificate


This Launch Wizard deployment implements a self-signed certificate on the RD gateway instances. After deployment, you must install the root certificate on your administrative clients before you configure the RDP client to connect to your RD gateway instances. The root certificate will automatically be stored as `c:\servername.cer`.

**To distribute this file to administrator workstations and install it, follow these steps:**

1. Open a Command Prompt window using administrative credentials.

1. Type `mmc` and press **Enter**.

1. In the Console Root window, on the **File** menu, choose **Add/Remove Snap In**.

1. In the **Add Standalone Snap-in** dialog box, choose **Certificates**, and then choose **Add**.

1. In the **Certificates snap-in** dialog box, choose **Computer account**, and then choose **Next**.

1. In the **Select Computer** dialog box, choose **Finish**.

1. In the **Add Standalone Snap-in** dialog box, choose **Close**.

1. On the **Add/Remove Snap-in** dialog box, choose **OK**.

1. In the Console Root window, expand **Certificates (Local Computer)**.

1. Under **Certificates (Local Computer)**, expand **Trusted Root Certification Authorities**.

1. Open the context (right-click) window for **Certificates**, and choose **All Tasks > Import**.

1. Navigate to the root certificate (e.g., `RDGW1.cer`) to complete the installation.

**Note**  
The root certificate will be stored as `c:\servername.cer` on each RD gateway when deploying servers using the CloudFormation templates.

## Configure the Remote Desktop Connection Client


1. Start the Remote Desktop Connection client.

1. In the computer name field, type the name or IP address of the Windows instance you want to connect to. Keep in mind that this instance needs to be reachable only from the RD gateway, not from the client machine.  
![\[The Remote Desktop Connection client\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/rd-connect-client1.png)

1. Choose Show Options. On the Advanced tab, choose Settings.

1. Choose Use these RD Gateway server settings. For server name, specify the FQDN of the RD gateway. If the RD gateway and the server you want to connect to are in the same domain, choose Use my RD Gateway credentials for the remote computer, and then choose OK.  
![\[Advanced properties for the Remote Desktop Connection client\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/rd-connect-client2.png)
**Note**  
The FQDN server name of the RD Gateway host must match the certificate and the DNS record (or local HOSTS file entry). Otherwise, the secure connection will generate warnings and might fail.

1. Enter your credentials, and then choose OK to connect to the server. You can supply the same set of credentials for the RD gateway and the destination server, as shown. If your servers are not joined to the domain, you will need to authenticate twice: once for the RD gateway and once for the destination server. In that case, when prompted for the RD Gateway server credentials, provide the Admin User Name and Admin Password that you set when you deployed with Launch Wizard. Check the Remember my credentials box. (Otherwise, if you’re connecting from a Windows computer, you’ll be prompted for your credentials repeatedly and blocked from entering your remote computer credentials.)  
![\[Default network ACL configuration for a VPC subnet.\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/rd-connect-client3.png)

## Run Windows Updates


**In order to ensure the deployed servers' operating systems and installed applications have the latest Microsoft updates, run Windows Update on each server.**

1. Create an RDP session to the Remote Desktop Gateway server(s).

1. Open the **Settings** application.

1. Open **Update & Security**.

1. Click **Check for updates**.

1. Install any updates and reboot if necessary.

# Best practices

The following are the recommended best practices for using Remote Desktop Gateway on AWS.

**Topics**
+ [The Principle of Least Privilege](#least-privilege)
+ [VPC Configuration](#vpc-config)
+ [Network Access Control Lists](#nacl)
+ [Security groups](#security-groups)
+ [Initial Remote Administration Architecture](#remote-admin-arch)
+ [SSL Certificates](#ssl-certs)
+ [Connection and Resource Authorization Policies](#connect-resource-auth-policy)

## The Principle of Least Privilege


When considering remote administrative access to your environment, it is important to follow the principle of least privilege. This principle refers to users having the fewest possible permissions necessary to perform their job functions. This helps reduce the attack surface of your environment, making it much harder for an adversary to exploit. An attack surface can be defined as the set of exploitable vulnerabilities in your environment, including the network, software, and users who are involved in the ongoing operation of the system.

Following the principle of least privilege, we recommend reducing the attack surface of your environment by exposing the absolute minimal set of ports to the network while also restricting the source network or IP address that will have access to your Amazon Elastic Compute Cloud instances.

In addition to the functionality that exists in the Windows platform, there are several AWS capabilities to help you implement the principle of least privilege, such as subnets, security groups, and trusted ingress CIDR blocks.

## VPC Configuration


Amazon Virtual Private Cloud (Amazon VPC) lets you provision a private, isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. With Amazon VPC, you can define a virtual network topology closely resembling a traditional network that you might operate on your own premises. You control your virtual networking environment. This includes the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

**When deploying Windows architecture on the AWS Cloud, we recommend a VPC configuration that supports the following requirements:**
+ Place critical workloads in a minimum of two Availability Zones to provide high availability. 
+ Place instances into individual tiers. For example, in a Microsoft SharePoint deployment, you should have separate tiers for web servers, application servers, database servers, and domain controllers. Traffic between these groups can be controlled to adhere to the principle of least privilege.
+ Deploy RD Gateways into public subnets in each Availability Zone for remote administration. Other components, such as reverse proxy servers, can also be placed into these public subnets if needed.

## Network Access Control Lists


A network access control list (ACL) is a set of permissions that you can attach to any network subnet in a VPC to provide stateless filtering of traffic. You can use network ACLs for inbound or outbound traffic, as they provide an effective way to place a CIDR block or individual IP addresses on a deny list. These ACLs can contain ordered rules to allow or deny traffic based on IP protocol, service port, or source or destination IP address. The following image shows the default ACL configuration for a VPC subnet, which is also used by this Launch Wizard deployment:

![\[Default network ACL configuration for a VPC subnet.\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/default-nacl.png)


You can keep the default network ACL configuration, or you can configure more specific rules to restrict traffic between subnets at the network level. For example, you could set a rule that would allow inbound administrative traffic on TCP port 3389 from a specific set of IP addresses. In either case, you must implement security group rules to permit access from users connecting to RD Gateways and between tiered groups of Amazon EC2 instances.
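Two properties of network ACLs catch people out when they tighten the default configuration: rules are evaluated in ascending rule-number order with the first match deciding, and the ACL is stateless, so replies to connections the subnet itself initiated need an explicit inbound rule for the ephemeral port range. The evaluator below is an added example (not AWS code and not an EC2 API call) that models that behaviour over constructed rule sets: the default ACL, and a tighter inbound ACL for the public subnet that admits only TCP 443 from a constructed administrator network while keeping the ephemeral-port rule for return traffic.

```python
"""Model of VPC network ACL evaluation: ascending rule number, first match wins,
and the implicit "*" rule denies whatever remains.

Added example, not part of the AWS documentation. Rule sets are constructed;
the CIDRs are documentation ranges, not real networks.
"""
import ipaddress

# Constructed: the default network ACL, which allows all inbound traffic.
DEFAULT_INBOUND = [
    {"rule": 100, "protocol": "all", "ports": None, "cidr": "0.0.0.0/0", "action": "allow"},
]

# Constructed: tighter inbound rules for the public subnet holding the RD Gateway.
# The deny for 3389 sits BEFORE the broad ephemeral-port allow; because the ACL is
# evaluated in rule-number order, rule 110 would otherwise admit 3389 as well.
ADMIN_INBOUND = [
    {"rule": 100, "protocol": "tcp", "ports": (443, 443), "cidr": "203.0.113.0/24", "action": "allow"},
    {"rule": 105, "protocol": "tcp", "ports": (3389, 3389), "cidr": "0.0.0.0/0", "action": "deny"},
    # Stateless: replies to connections the subnet initiated arrive on ephemeral ports.
    {"rule": 110, "protocol": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]


def evaluate(rules, protocol: str, port: int, source_ip: str) -> tuple[str, str]:
    """Return (action, rule_number) for a packet; rule_number is '*' for the implicit deny."""
    src = ipaddress.ip_address(source_ip)
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if rule["protocol"] not in ("all", protocol):
            continue
        if rule["ports"] is not None and not (rule["ports"][0] <= port <= rule["ports"][1]):
            continue
        if src not in ipaddress.ip_network(rule["cidr"]):
            continue
        return rule["action"], str(rule["rule"])
    return "deny", "*"


if __name__ == "__main__":
    for proto, port, ip in [("tcp", 443, "203.0.113.10"), ("tcp", 3389, "203.0.113.10"),
                            ("tcp", 443, "198.51.100.7"), ("tcp", 50000, "198.51.100.7")]:
        print(proto, port, ip, "->", evaluate(ADMIN_INBOUND, proto, port, ip))
```

Renumbering the deny to 120 (after the ephemeral allow) silently reopens 3389 to the world; running candidate rule sets through the evaluator before applying them is a cheap way to catch that kind of shadowing.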

## Security groups


All instances are required to belong to one or more security groups. Security groups allow you to set policies to control open ports and provide isolation between application tiers. In a VPC, every instance runs behind a stateful firewall with all ports closed by default. The security group contains rules responsible for opening inbound and outbound ports on that firewall. While security groups act as an instance-level firewall, they can also be associated with multiple instances, providing isolation between application tiers in your environment. For example, you can create a security group for all your web servers that will allow traffic on TCP port 3389, but only from members of the security group containing your RD Gateway servers. The following diagram illustrates this configuration:

![\[Security groups for RD Gateway administrative access.\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/security-group-admin.png)


Notice that inbound connections from the internet are only permitted over TCP port 443 to the RD Gateways. The RD Gateways have an Elastic IP address assigned and have direct access to the internet. The remaining Windows instances are deployed into private subnets and are assigned private IP addresses only. Security group rules allow only the RD Gateways to initiate inbound connections for remote administration to TCP port 3389 for instances in the private subnets.

In this architecture, RDP connections are established over HTTPS to the RD Gateway and proxied to backend instances on the standard RDP TCP port 3389. This configuration helps you reduce the attack surface on your Windows instances while allowing administrators to establish connections to all your instances through a single gateway.

It’s possible to provide remote administrative access to all your Windows instances through one RD Gateway, but we recommend placing gateways in each Availability Zone for redundancy. This Launch Wizard deployment implements this best practice for you.
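The post-deployment steps (remove TCP 3389 from the RD Gateway group, add TCP 443 from the administrator address, and have private-subnet groups admit 3389 only from the gateway group) and the security group layout described in this section are the same end state, and it is worth verifying that state rather than assuming the edits were applied. The following audit is an added example, not part of the Launch Wizard deployment; it works over constructed security groups in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`, and the group ids and administrator CIDR are constructed placeholders.

```python
"""Audit RD Gateway security groups against the documented target state.

Added example, not AWS code. Group ids and CIDRs are constructed; in practice
feed it the "SecurityGroups" list from `aws ec2 describe-security-groups`.
"""
ADMIN_CIDR = "203.0.113.0/24"        # constructed administrator network
GATEWAY_SG = "sg-0123456789abcdef0"  # constructed RD Gateway security group id
WEB_SG = "sg-0fedcba9876543210"      # constructed private-subnet (web tier) group id


def _rule(protocol, port, cidrs=(), groups=()):
    """Build one IpPermissions entry in the describe-security-groups shape."""
    return {"IpProtocol": protocol, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}


# Constructed: state right after deployment, before the post-deployment edits.
BEFORE = [
    {"GroupId": GATEWAY_SG, "GroupName": "rdgw",
     "IpPermissions": [_rule("tcp", 3389, cidrs=[ADMIN_CIDR])]},
    {"GroupId": WEB_SG, "GroupName": "web-tier",
     "IpPermissions": [_rule("tcp", 3389, cidrs=["10.0.0.0/16"])]},
]

# Constructed: the intended end state.
AFTER = [
    {"GroupId": GATEWAY_SG, "GroupName": "rdgw",
     "IpPermissions": [_rule("tcp", 443, cidrs=[ADMIN_CIDR])]},
    {"GroupId": WEB_SG, "GroupName": "web-tier",
     "IpPermissions": [_rule("tcp", 3389, groups=[GATEWAY_SG])]},
]


def _covers(perm, port):
    """True if this permission admits TCP traffic to `port` ("-1" means all protocols)."""
    if perm["IpProtocol"] == "-1":
        return True
    return (perm["IpProtocol"] == "tcp"
            and perm.get("FromPort", -1) <= port <= perm.get("ToPort", -1))


def audit(groups, gateway_sg, admin_cidr) -> list[str]:
    """Return findings; an empty list means the layout matches the target state."""
    findings = []
    gateway_has_443 = False
    for g in groups:
        name = g["GroupName"]
        for perm in g["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            peers = [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            if g["GroupId"] == gateway_sg:
                if _covers(perm, 3389):
                    findings.append(f"{name}: TCP 3389 is still open; remove it once clients use TCP 443")
                if _covers(perm, 443):
                    gateway_has_443 = True
                    extra = [c for c in cidrs if c != admin_cidr]
                    if extra:
                        findings.append(f"{name}: TCP 443 admitted from {extra}, expected only {admin_cidr}")
            elif _covers(perm, 3389):
                if cidrs:
                    findings.append(f"{name}: TCP 3389 admitted from CIDRs {cidrs}; reference {gateway_sg} instead")
                foreign = [p for p in peers if p != gateway_sg]
                if foreign:
                    findings.append(f"{name}: TCP 3389 admitted from groups {foreign}; only {gateway_sg} should connect")
    if not gateway_has_443:
        findings.append(f"{gateway_sg}: no TCP 443 ingress rule; administrators cannot reach the gateway over HTTPS")
    return findings


if __name__ == "__main__":
    print("before:", *audit(BEFORE, GATEWAY_SG, ADMIN_CIDR), sep="\n  ")
    print("after:", audit(AFTER, GATEWAY_SG, ADMIN_CIDR))
```

Referencing the gateway's security group id, rather than its IP address, in the private-subnet rule is what keeps the rule valid when the gateway instance is replaced and its private address changes.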

## Initial Remote Administration Architecture


In an initial RD Gateway configuration, the servers in the public subnet will need an inbound security group rule permitting TCP port 3389 from the administrator’s source IP address or subnet. Windows instances sitting behind the RD Gateway in a private subnet will be in their own isolated tier. For example, a group of web server instances in a private subnet may be associated with their own web tier security group. This security group will need an inbound rule allowing connections from the RD Gateway on TCP port 3389.

Using this architecture, an administrator can use a traditional RDP connection to an RD Gateway to configure the local server. The RD Gateway can also be used as a bastion host (jump box). This means that when an RDP connection is established to the desktop of the RD Gateway, an administrator can start a new RDP client session to initiate a connection to an instance in a private subnet, as illustrated in the following diagram:

![\[Initial architecture for remote administration\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/initial-arch.png)


Although this architecture works well for initial administration, it is not recommended for the long term. To further secure connections and reduce the number of RDP sessions required to administer the servers in the private subnets, the inbound rule should be changed to permit TCP port 443. The RD Gateway service should be installed and configured with an SSL certificate and Remote Desktop Connection Authorization Policies (RD CAP).

This Launch Wizard deployment sets up a standard TCP port 3389 connection from the administrator’s IP address. You must follow the post-deployment steps to modify the security group for RD Gateway to use a single inbound rule permitting TCP port 443. This modification will allow a Transport Layer Security (TLS) encrypted RDP connection to be proxied through the gateway over TCP port 443 directly to one or more Windows instances in private subnets on TCP port 3389. This configuration increases the security of the connection and also prevents the need to initiate an RDP session to the desktop of the RD Gateway. The following diagram illustrates this configuration:

![\[Architecture for RD Gateway administrative access\]](http://docs.aws.amazon.com/launchwizard/latest/userguide/images/admin-arch.png)


## SSL Certificates


**The RD Gateway role uses Transport Layer Security (TLS) to encrypt communications over the internet between administrators and gateway servers. To support TLS, a valid X.509 SSL certificate must be installed on each RD Gateway. Certificates can be acquired in a number of ways, including:**
+ Your own PKI infrastructure, such as a Microsoft Enterprise Certificate Authority (CA)
+ Certificates issued by a public CA, such as Verisign or Digicert
+ Self-signed certificates

For smaller test environments, implementing a self-signed certificate is a straightforward process that helps you get up and running quickly. This Launch Wizard deployment automatically generates a self-signed certificate for RD Gateway.

However, if you have a large number of varying administrative devices that need to establish a connection to your gateways, we recommend using a public certificate.

**For an RDP client to establish a secure connection with an RD Gateway, the following certificate and DNS requirements must be met:**
+ The issuing CA of the certificate installed on the gateway must be trusted by the RDP client. For example, the root CA certificate must be installed in the client machine’s Trusted Root Certification Authorities store.
+ The subject name used on the certificate installed on the gateway must match the DNS name used by the client to connect to the server; for example, rdgw1.example.com.
+ The client must be able to resolve the hostname (for example, rdgw1.example.com) to the Elastic IP address of the RD Gateway. This will require a Host (A) record in DNS.

There are various considerations when choosing the right CA to obtain an SSL certificate. For example, a public certificate may be ideal, because the issuing CA will be widely trusted by the majority of client devices that need to connect to your gateways. However, you may want to use your own PKI infrastructure to ensure that only the machines that are part of your organization will trust the issuing CA.
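The three requirements above can be checked from the client side before a connection is attempted. The following is an added example, not part of the deployment or of the RDP client: it takes a certificate in the dictionary form that Python's `ssl.getpeercert()` returns, a constructed set of issuers standing in for the client's Trusted Root store, and a constructed DNS table standing in for the A record, and reports which of the three requirements fail for a given connection name. Hostnames, IP addresses and the issuer name are constructed placeholders.

```python
"""Check the RD Gateway certificate and DNS requirements for a connection name.

Added example, not AWS code. CERT mirrors the structure of ssl.getpeercert();
TRUSTED_ISSUERS and DNS are constructed stand-ins for the client's Trusted Root
store and for the Host (A) record.
"""
TRUSTED_ISSUERS = {"RDGW1 Root"}                 # constructed
DNS = {"rdgw1.example.com": "198.51.100.20"}     # constructed A record
GATEWAY_EIP = "198.51.100.20"                    # constructed Elastic IP

CERT = {  # constructed, same shape as ssl.getpeercert()
    "subject": ((("commonName", "rdgw1.example.com"),),),
    "issuer": ((("commonName", "RDGW1 Root"),),),
    "subjectAltName": (("DNS", "rdgw1.example.com"), ("DNS", "*.example.com")),
}


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert()-style name."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a leftmost-label wildcard ("*.example.com" covers one label only)."""
    p, h = pattern.lower(), hostname.lower()
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def cert_names(cert) -> list[str]:
    """DNS names the certificate is valid for: SAN entries, with CN as a fallback only."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _rdn_value(cert["subject"], "commonName")
        if cn:
            names.append(cn)
    return names


def check_gateway(hostname, cert, trusted, dns, expected_ip) -> list[str]:
    """Return the unmet requirements for connecting to `hostname`; empty means all met."""
    problems = []
    issuer = _rdn_value(cert["issuer"], "commonName")
    if issuer not in trusted:
        problems.append(f"issuer {issuer!r} is not in the Trusted Root store")
    if not any(_name_matches(n, hostname) for n in cert_names(cert)):
        problems.append(f"certificate names {cert_names(cert)} do not match {hostname}")
    resolved = dns.get(hostname)
    if resolved is None:
        problems.append(f"{hostname} does not resolve; add an A record")
    elif resolved != expected_ip:
        problems.append(f"{hostname} resolves to {resolved}, expected {expected_ip}")
    return problems


if __name__ == "__main__":
    for name in ("rdgw1.example.com", "198.51.100.20"):
        print(name, "->", check_gateway(name, CERT, TRUSTED_ISSUERS, DNS, GATEWAY_EIP) or "ok")
```

Connecting with the gateway's IP address instead of its FQDN fails the name check even when the certificate is otherwise fine, which is the usual source of the warnings mentioned in the client configuration note.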

## Connection and Resource Authorization Policies


**Users must meet specific requirements to connect to RD Gateway instances:**
+ *Connection Authorization Policies* – Remote Desktop Connection Authorization Policies (RD CAPs) allow you to specify who can connect to an RD Gateway instance. For example, you can select a group of users from your domain, such as Domain Admins.
+ *Resource Authorization Policies* – Remote Desktop Resource Authorization Policies (RD RAPs) allow you to specify the internal Windows instances that remote users can connect to through an RD Gateway instance. For example, you can choose specific computers joined to a domain, which administrators can connect to through the RD Gateway.

This Launch Wizard deployment automatically sets up Connection and Resource Authorization Policies.

# Troubleshoot AWS Launch Wizard for Remote Desktop Gateway

Each application in your account in the same AWS Region can be uniquely identified by the application name specified at the time of a deployment. The application name can be used to view the details related to the application launch.

**Topics**
+ [Launch Wizard provisioning events](#launch-wizard-remote-desktop-gateway-provisioning)
+ [CloudFormation stack](#launch-wizard-remote-desktop-gateway-cloudformation)
+ [Application launch quotas](#launch-wizard-remote-desktop-gateway-quotas)
+ [Enable termination protection](#launch-wizard-remote-desktop-gateway-terminate-protection)
+ [Errors](#launch-wizard-remote-desktop-gateway-errors)

## Launch Wizard provisioning events


Launch Wizard captures events from CloudFormation to track the status of an ongoing application deployment. If an application deployment fails, you can access the CloudFormation console to view the deployment events for this application by selecting **Deployments** from the navigation pane. A failed event shows a status of **Failed** along with a failure message. 

## CloudFormation stack


Launch Wizard uses CloudFormation to provision the infrastructure resources of an application. You can view the status of these CloudFormation stacks, and if any of the stacks fail, you can view the cause of the failure. CloudFormation stacks can be found in your account using the CloudFormation [describe-stacks](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-describing-stacks.html) API or by accessing the stack in the CloudFormation console. The following can be used with the `describe-stacks` API for the `--stack-name` argument:
+ **Application resources**

  `LaunchWizard-APPLICATION_NAME`. This stack also has nested stacks for VPC and the RDGW node.

## Application launch quotas


Launch Wizard allows three active applications with the status of `in progress` at one time. The combined maximum amount of `in progress` and `completed` active applications is 25 for any given application type. If you want to increase this limit, contact [Support](https://aws.amazon.com/contact-us).

## Enable termination protection


If you encounter errors when you deploy Remote Desktop Gateway with Launch Wizard, and the log information provided by Launch Wizard or CloudFormation is not sufficient to determine your issue, you must [connect to the instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connecting_to_windows_instance.html) within the Amazon EC2 Auto Scaling group to determine the cause of the failure. When you connect to an instance to troubleshoot deployment failures, a common cause is the deployment scripts failing on the operating system. The following error messages in CloudFormation can indicate that the deployment scripts failed:
+ 

  ```
  Received 1 FAILURE signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement
  ```
+ 

  ```
  WaitCondition received failed message: ‘Error: Failed in function <script function name>. Return code 1 , warnings: <any warnings>’ for uniqueId: <Resource/wait condition name>
  ```
+ 

  ```
  <Resource name> timed out. Failed to receive 1 resource signal(s) within the specified duration
  ```
+ 

  ```
  Unparsable WaitCondition data
  ```

You can only connect to an EC2 instance if it is not terminated. Launch Wizard terminates instances on stack creation failure by default. You can enable the **Deactivate rollback on failed deployment** setting during deployment to prevent this behavior. If the setting was not enabled, you can still prevent the instance from getting terminated by updating the termination settings of that instance from the EC2 console before the CloudFormation stack gets rolled back.

**Note**  
When you enable **Deactivate rollback on failed deployment**, you continue to incur AWS charges for the stack. Ensure that you delete the stack when you finish troubleshooting.

**To find the EC2 instances from the Launch Wizard deployment**

1. Access the CloudFormation console at [https://console.aws.amazon.com/cloudformation](https://console.aws.amazon.com/cloudformation/).

1. Choose the CloudFormation stack of the Launch Wizard deployment, and choose the **Resources tab**.

1. Choose the resource with type **AWS::AutoScaling::AutoScalingGroup**.

1. Select the **instance management** tab. This page will have a link to the EC2 console, which lists the instances in the Launch Wizard deployment.

You can update the termination settings to disable termination of the instances from the EC2 console. From the **Instances** page, select an instance and choose **Action** > **Instance Settings** > **Change Termination Protection**. Then choose **Yes, Enable**.

After you have determined the root cause, disable the termination protection before you delete the deployment in Launch Wizard.

## Errors


**Your requested instance type is not supported in your requested Availability Zone**
+ **Cause:** This failure might occur during the launch of your RD Gateway instances.
+ **Solution:** You must choose a different Availability Zone and retry the deployment from the initial page of the Launch Wizard console.

**EC2 instance stabilization error**
+ **Cause:** Failure can occur if an EC2 instance fails to stabilize. When this happens, the EC2 instance is unable to communicate to the CloudFormation service to signal completions, resulting in `WaitCondition` errors.
+ **Solution:** `WaitCondition` errors are often transient EC2 failures and retrying the deployment may succeed. For additional assistance, contact [Support](https://aws.amazon.com/contact-us).

**Permission errors**
+ **Cause:** Insufficient IAM permissions could be the cause of various failures in the RD Gateway deployment. Errors caused by insufficient permissions may occur within the EC2 instances as scripts are run during the application deployment. Other errors may return a verbose message indicating there are insufficient permissions similar to the following:

  ```
  User: arn:aws:iam::123456789098:user/test-user is not authorized to perform: elasticloadbalancing:CreateTargetGroup on resource: arn:aws:elasticloadbalancing:us-east-1:123456789098:targetgroup/myTargetGroup/*)
  ```
+ **Solution:** Before deploying the Launch Wizard application, you must sign in to the AWS Management Console with IAM permissions for the resources that Launch Wizard will deploy. The *AdministratorAccess* managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions.
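When a deployment fails, the first job is to map each `CREATE_FAILED` event on the `LaunchWizard-APPLICATION_NAME` stack to one of the causes described above: the four WaitCondition-style messages that point at the deployment scripts (or a transient stabilization failure), an IAM authorization error, or an unsupported instance type in the chosen Availability Zone. The triage below is an added example and not AWS tooling; it runs over constructed events in the shape returned by `aws cloudformation describe-stack-events`, with logical resource ids, the script function name and the account id all constructed placeholders.

```python
"""Triage CloudFormation failure events from a Launch Wizard deployment.

Added example, not AWS code. EVENTS is a constructed sample modelled on the
messages quoted in this troubleshooting section; in practice load the "StackEvents"
list from `aws cloudformation describe-stack-events --stack-name LaunchWizard-<name>`.
"""
import re

# (category, regex over ResourceStatusReason, next step taken from the guidance above)
SIGNATURES = [
    ("deployment-scripts",
     r"FAILURE signal\(s\)|WaitCondition received failed message|Unparsable WaitCondition data|Failed to receive \d+ resource signal",
     "connect to the instance (enable termination protection first) and inspect the deployment "
     "script output; WaitCondition errors are often transient, so a retry may also succeed"),
    ("iam-permissions", r"is not authorized to perform",
     "sign in with IAM permissions for the resources Launch Wizard deploys before retrying"),
    ("instance-type-az", r"not supported in your requested Availability Zone",
     "choose a different Availability Zone and retry from the first page of the console"),
]

# Constructed sample events (resource names, function name and account id are placeholders).
EVENTS = [
    {"LogicalResourceId": "RDGWAutoScalingGroup", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Received 1 FAILURE signal(s) out of 1. Unable to satisfy 100% MinSuccessfulInstancesPercent requirement"},
    {"LogicalResourceId": "RDGWWaitCondition", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "WaitCondition received failed message: 'Error: Failed in function Example-Function. Return code 1 , warnings: ' for uniqueId: RDGWWaitCondition"},
    {"LogicalResourceId": "RDGWWaitCondition", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "RDGWWaitCondition timed out. Failed to receive 1 resource signal(s) within the specified duration"},
    {"LogicalResourceId": "RDGWTargetGroup", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "User: arn:aws:iam::123456789012:user/test-user is not authorized to perform: elasticloadbalancing:CreateTargetGroup on resource: arn:aws:elasticloadbalancing:us-east-1:123456789012:targetgroup/example/*"},
    {"LogicalResourceId": "RDGWLaunchTemplate", "ResourceStatus": "CREATE_FAILED",
     "ResourceStatusReason": "Your requested instance type is not supported in your requested Availability Zone"},
    {"LogicalResourceId": "RDGWStack", "ResourceStatus": "CREATE_COMPLETE", "ResourceStatusReason": None},
]


def classify(reason: str) -> tuple[str, str]:
    """Map one ResourceStatusReason to (category, next step)."""
    for category, pattern, advice in SIGNATURES:
        if re.search(pattern, reason):
            return category, advice
    return "unknown", "review the full event list for this stack and its nested stacks"


def triage(events) -> list[tuple[str, str]]:
    """Return (logical resource id, category) for every failed event that carries a reason."""
    return [(e["LogicalResourceId"], classify(e["ResourceStatusReason"])[0])
            for e in events
            if e["ResourceStatus"].endswith("_FAILED") and e.get("ResourceStatusReason")]


if __name__ == "__main__":
    for resource, category in triage(EVENTS):
        print(f"{resource}: {category}")
```

Because the RDGW node and VPC are nested stacks, run the same triage over each nested stack's events as well; the parent stack's own failure reason usually just names the nested stack that failed.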