This scenario considers the provisioning of a sample Windows based instance, accessing it over a public routable IP using remote desktop protocol
| Function | Result | Notes |
|---|---|---|
| VPC | ✅ | |
| Floating IPv4 | ✅ | |
| Subnet & BYO Private IP | ✅ | |
| Dedicated VSI support | ✅ | |
| Multiple Network Interfaces in VSI | ✅ | |
| Windows VSI support | ✅ | |
| Security groups | ✅ | |
| Multiple Network Interfaces in VSI | ✅ |
Use IBMid or Softlayer ID as appropiate, notice that not all accounts have access to VPC infrastructure, please confirm with your IBM Cloud account master user.
Go to the VPC Getting Started External link icon page in IBM Cloud console.
- Click Create VPC on the Getting Started page.
- Enter a name for the VPC, such as DemoWindows.
- Select or create the default ACL for new subnets in this VPC. In this tutorial, let's create a new default ACL. We'll configure rules for the ACL later.
- Enter a name for the new subnet in your VPC, such as DemoSubnet
- Select a location for the subnet. The location consists of a region and a zone.
- Enter an IP range for the subnet in CIDR notation, for example: 10.240.0.0/18.
- Select an ACL for the subnet. Let's select Use VPC default to use the default ACL that's created for this VPC.
- Click Create virtual private cloud.
An SSH key is required when creating a VPC instance. Copy the ssh public key you wish to use to vpc-key.pub and click over Add SSH Key to fill out the Name, Region and Public key contents, after that confirm that the key has been created.
To create a virtual server instance in the newly created subnet:
- Click Virtual server instance in the navigation pane and click New instance.
- Enter a name for the instance, such as
DemoWindows. - Select the VPC that you created.
- Note the Location field (read-only) that shows the location of the subnet on which the instance is created.
- Select an image (that is, operating system and version) such as Windows Server.
- To set the instance size, select one of the popular profiles or click All profiles to choose a different core and RAM combination that's most appropriate for your workload.
- Select an existing SSH key or add an SSH key that will be used to access the virtual server instance.
- In the Network interfaces area, you can change the name and port speed of the interface. If you have more than one subnet in your VPC, you can select the subnet that you want to attach to the instance.
You can also select which security groups to attach to this instance. By default, the VPC's default security group is attached. The default security group allows inbound SSH and ping traffic, all outbound traffic, and all traffic between instances in the group. All other traffic is blocked; you can configure rules to allow additional traffic. If you later edit the rules of the default security group, those updated rules will apply to all current and future instances in the group.
Click Create virtual server instance.
Reserve and associate a floating IP address to enable your instance to be reachable from the internet Tip: Your instance must be running before you can associate a floating IP address. It can take a few minutes for the instance to be up and running.
To reserve and associate a floating IP address:
- In the left navigation pane, click Floating IP.
- Click Reserve floating IP.
- Select the instance that you created and its network interface that you want to associate with the floating IP address.
- Click Reserve IP. The new IP address is displayed on the Floating IPs page.
You can configure the security group to define the inbound and outbound traffic that is allowed for the instance.
To configure the security group:
-
On the Virtual server instances page, click your new instance to view its details.
-
In the Network interfaces section, click the security group.
-
Click Add rule to configure inbound and outbound rules that define what traffic is allowed to and from of the instance. For each rule, specify the following information:
- Select which protocols and ports the rule applies to.
- Specify a CIDR block or IP address for the permitted traffic. Alternatively, you can specify a security group in the same VPC to allow traffic to or from all instances of the selected security group.
Tips:
- All rules are evaluated, regardless of the order in which they're added.
- Rules are stateful, which means that return traffic in response to allowed traffic is automatically permitted. For example, a rule that allows inbound TCP traffic on port 80 also allows replying outbound TCP traffic on port 80 back to the originating host, without the need for an additional rule.
- Optional: If you want to attach this security group to other instances, click Attached interfaces in the navigation pane and select additional interfaces.
- When you finish creating rules, click the All security groups breadcrumb at the top of the page.
For example, you can configure inbound rules that do the following:
- Allow all SSH traffic (TCP port 22)
- Allow all ping traffic (ICMP type 8)
Then, configure outbound rules that allow all TCP traffic.
In case that the port is not open, use the following example to open the necessary port:
9. Connect to the instance using Remote Desktop protocol using the floating IP as target with any Remote desktop client.
- To properly connect get encrypted password from UI and saved to a file
- decode it using:
cat UI_PASSWORD_FILE | base64 --decode > decoded_base64_password_file
Decrypt it using the SSH key used to create the instance:
openssl pkeyutl -in decoded_base64_password_file -decrypt -inkey ~/.ssh/id_rsa -pkeyopt rsa_padding_mode:oaep -pkeyopt rsa_oaep_md:sha256 -pkeyopt rsa_mgf1_md:sha256 > finalpass
cat finalpass
VPC documentation