Connect to Windows VMs using RDP
This document describes how to connect to Windows virtual machine (VM)instances using RDP. For other ways to connect to Windows VMs, see the followingguides:
- Connect to Windows VMs using PowerShell
- Connect to a Windows VM's SAC
- Connect to Windows VMs using SSH
Before you begin
- Be sure the VM allows access through Remote Desktop Protocol (RDP). By default, Compute Engine creates firewall rules that allow RDP access on TCP port 3389. Verify that these firewall rules exist by visiting thefirewall rules page in the Google Cloud console and looking for firewall rules that allow
tcp:3389connections. - If you haven't already, set upauthentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation,initialize the Google Cloud CLI by running the following command:
gcloudinit
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by runninggcloud components update.- Set a default region and zone.
Connect to Windows VMs by using RDP
Compute Engine supports multiple ways to connect to your Windows instances.
The best way to connect to the remote desktop of a Windows instance depends onmultiple factors:
- If you are connecting from anywhere over the public internet(Connecting from >Anywhere in theprevious illustration), it's best to enableIdentity-Aware Proxy TCP forwarding for yourproject. Then use IAP Desktop (on Windows) or the Google Cloud CLI incombination with an RDP client. For more information, seeMicrosoft Remote Desktopclients to connect to the Windows instance.If you cannot use Identity-Aware Proxy TCP forwarding, useChrome Remote Desktop.
- If the VM instance has a public IP address and firewall rules permitRDP access, use an RDP client. For more information, seeMicrosoft Remote Desktopclients to connect to the Windows instance.
- If the VM instance does not have a public IP and you are connecting by usingCloud VPN or Cloud Interconnect,you can connect to the VM's private IP address by using an RDP clientFor more information, seeMicrosoft Remote Desktopclients.
If you have difficulty connecting using RDP, seeTroubleshootingRDP. If you can't connect toa Windows instance by using Remote Desktop, seeConnect to a Windows VM's SAC.
To connect to the remote desktop of a Windows instance, use one of the followingprocedures.
IAP Desktop
IAP Desktop is a Windows application that lets you manage multiple Remote Desktopconnections to Windows VM instances. IAP Desktop connects to VM instancesby usingIdentity-Aware Proxy TCP forwardingand does not require VM instances to have a public IP address.
Before you connect by using IAP Desktop, make sure that thefollowing prerequisites are met:
- You've configured your VPC toallow IAP traffic to your VM instance.
- You'vedownloaded and installed IAP Desktop on your local computer.
To connect to a VM instance by using IAP Desktop, do the following:
In IAP Desktop, selectProfile >Add project.
Enter the ID or name of your project, and clickOK.
In theProject Explorer window, right-click the VM instance youwant to connect to and selectConnect.
For more information about IAP Desktop, see theGitHub projectpage.
Note: IAP Desktop is an open-source project and not an officially supportedGoogle product.Remote Desktop Connection app
You can use the Microsoft Remote Desktop Connection app that is part ofWindows to connect to Windows instances.
Before you connect using the Microsoft Remote Desktop Connection app, makesure that one of the following prerequisites is met:
- Your VM instance has a public IP address and yourfirewallrulesallow TCP ingress traffic from your client's public IP address tothe instance by using port 3389.
- Your local network is connected to your VPC by usingCloud VPN orCloud Interconnectand yourfirewallrulesallow TCP ingress traffic from your client's private IP address tothe instance by using port 3389.
To connect with Microsoft Windows Remote Desktop, do the following:
Create a Windows account andpasswordif you do not have one yet.
To connect over the internet, use theexternal IP address.To connect by using Cloud VPN or Cloud Interconnect, use theinternal IP address.
Identify the external and internal IP addresses of your Windows instanceby completing one of the following steps:
In the Google Cloud console, go to theVM instances page.
By using the gcloud CLI, run
gcloud compute instances list:gcloud compute instances list
Open Microsoft Windows Remote Desktop Connection on your Windows machine.You can find the executable at
%systemroot%\system32\mstsc.exe
In theComputer box, enter the IP address.
If you've configured your instance to use a different port number forRDP, add it after the IP address, for example:
1.2.3.4:3389.ClickConnect.
Enter your username and password, and clickOK.
If you have forgotten your password, you canreset it.
Chrome Remote Desktop
Chrome Remote Desktopis a service that lets you remotely access anothercomputer by using a web browser.Chrome Remote Desktop works on Windows, macOS, and Linux and does not requirethe VM instance to have a public IP address.
Before you connect by using Chrome Remote Desktop, make sure that thefollowing prerequisites are met:
- You'vecreated a Windows account andpasswordon the VM instance.
- You'veinstalled the Chrome Remote Desktop service on the VMinstance.
To connect to a VM instance by using Chrome Remote Desktop, do thefollowing:
On your local computer, go to theChrome Remote Desktop website.
If you're not already signed in to Google, sign in with the same GoogleAccount that you used to set up the Chrome Remote Desktop service.
Select the instance that you want to connect to.
When you're prompted, enter the PIN that you created when installingthe Chrome Remote Desktop service, and click the arrow buttonto connect.
Other
You can connect to your Windows VM instances by using other RDP clients,such as clients developed for Android, iOS, Mac, and others. For a list ofofficially supported clients, seeMicrosoft Remote Desktopclients.
Before you connect, make sure that one of the following prerequisites ismet:
- Your VM instance has a public IP address and yourfirewall rulesallow TCP ingress traffic from your client's public IP address tothe instance by using port 3389.
- Your local network is connected to your VPC by usingVPN orCloud Interconnectand yourfirewall rulesallow TCP ingress traffic from your client's private IP address tothe instance by using port 3389.
To connect using other RDP clients, do the following:
To connect over the internet, use theexternal IP address.To connect by using Cloud VPN or Cloud Interconnect, use theinternal IP address.
Identify the external and internal IP addresses of your Windows instanceby completing one of the following steps:
In the Google Cloud console, go to theVM instances page.
By using the gcloud CLI, run
gcloud compute instances list:gcloud compute instances list
Install the supported client according to the client's installationinstructions.
Connect using the IP address of your instance, and authenticatewith your username and password for the instance.
If you have difficulty connecting using RDP, see theTroubleshooting RDP page. For information about RDP licensing, see theFAQ about Microsoft licenses.
Verify the RDP certificate
Verify the RDP certificate by viewing the serial port output from the initialboot of the VM or by using the appropriate PowerShell command from the SAC.
Serial port
Verify the RDP certificate byviewing the output from serial port1during the initial boot of the Windows VM.
Examine the output of serial port 1 during the initial boot of theWindows VM for the following:
Serial port 1 (console) output for rdp-test......2021/03/31 15:53:58 GCEInstanceSetup: RDP certificate details: Subject: CN=rdp-test, Thumbprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX......
PowerShell from the SAC
Connect to the Windows SAC.
Run the following PowerShell commands:
# WinRM CertWrite-Host 'WinRM certificate details:'; Get-ChildItem 'Cert:\LocalMachine\My' | Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" -and $_.NotAfter -gt $(Get-Date) -and $_.HasPrivateKey} | Select-Object Subject, Thumbprint | Format-List# RDP CertWrite-Host 'RDP certificate details:'; Get-ChildItem 'Cert:\LocalMachine\Remote Desktop\' | Where-Object { $_.Subject -like "CN=$env:COMPUTERNAME*" -and $_.NotAfter -gt $(Get-Date) -and $_.HasPrivateKey} | Select-Object Subject, Thumbprint | Format-ListWhat's next
Learn how totransfer files to Windows VMs.
Learn how toConnect to Linux VMs.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.