Deploying Remote Desktop Gateway

Written by
Yandex Cloud
Updated at May 7, 2025
  • Get your cloud ready
    • Required paid resources
  • Create a cloud network and subnets
  • Create a security group
  • Create a gateway VM
  • Configure the RDGW role
  • Test the RDGW
  • How to delete the resources you created

Warning

In Yandex Cloud, you can only use Microsoft products with your own licenses and on dedicated hosts. For more information, see Use of personal licenses for Microsoft products.

Remote Desktop Gateway (RDGW) is a Windows Server role that allows you to access internal network resources over HTTPS.

In this scenario, users from the Administrators group will access a test VM with a self-signed certificate.

To deploy the Remote Desktop Gateway infrastructure:

  1. Get your cloud ready.
  2. Create a cloud network and subnets.
  3. Create a security group.
  4. Create a gateway VM.
  5. Configure the RDGW role.
  6. Test the RDGW.

If you no longer need the resources you created, delete them.

Get your cloud ready

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Note

Make sure that the billing account contains user details required to meet the Microsoft licensing policy requirements. You can launch the product only if you have these details.

Required paid resources

The cost of RDGW infrastructure includes:

  • Fee for continuously running virtual machines (see Yandex Compute Cloud pricing).
  • Fee for dynamic or static public IP addresses (see Yandex Virtual Private Cloud pricing).
  • Fee for Yandex Cloud outbound internet traffic (see Yandex Compute Cloud pricing).

Create a cloud network and subnets

Create the rdgw-network cloud network with a subnet in the availability zone where your VMs will reside.

  1. Create a cloud network.

    Management console:
    1. Navigate to the folder where you want to create your cloud network and select VPC.
    2. Click Create network.
    3. Specify the network name: rdgw-network.
    4. Click Create network.
    CLI:

    yc vpc network create --name rdgw-network
    

    Where rdgw-network is the network name.

    Result:

    id: qqppl6fduhct76qkjh6s
    folder_id: big67u7m5flplkc6vvpc
    created_at: "2021-06-09T10:49:07Z"
    name: rdgw-network
    default_security_group_id: enpa139ji55jti00u5sg
    

    API:

    Use the create REST API method for the Network resource or the NetworkService/Create gRPC API call.

  2. Create a subnet in rdgw-network.

    Management console:
    1. Select VPC in the folder where you created the network.
    2. Click the name of your cloud network.
    3. Click Add subnet.
    4. Specify rdgw-subnet as the subnet name and select the availability zone from the drop-down list (e.g., ru-central1-d).
    5. Specify the subnet CIDR IP address range: 10.1.0.0/16. For more information about IP address ranges, see Cloud networks and subnets.
    6. Click Create subnet.
    CLI:

    yc vpc subnet create `
      --name rdgw-subnet `
      --zone ru-central1-d `
      --network-name rdgw-network `
      --range 10.1.0.0/16
    

    Where rdgw-subnet is the subnet name.

    Result:

    id: e9b95m6al33r********
    folder_id: big67u7m5flp********
    created_at: "2021-06-09T10:49:21Z"
    name: rdgw-subnet
    network_id: qqppl6fduhct********
    zone_id: ru-central1-d
    v4_cidr_blocks:
    - 10.1.0.0/16
    

    API:

    Use the create REST API method for the Subnet resource or the SubnetService/Create gRPC API call.

Create a security group

Create and configure a security group.

Management console:
  1. Select VPC in the folder where you want to create a security group.

  2. Open the Security groups tab.

  3. Click Create group.

  4. Specify the security group name: my-rdgw-sg.

  5. In the Network field, select the security group network: rdgw-network.

  6. Under Rules, create the following network traffic rules using the instructions below the table:

    Traffic direction | Description   | Port range | Protocol | Source type    | Source/Destination
    ------------------|---------------|------------|----------|----------------|-------------------
    Inbound           | icmp          | —          | ICMP     | CIDR           | 0.0.0.0/0
    Inbound           | self-security | Any        | Any      | Security group | Current
    Inbound           | tcp           | 3389       | TCP      | CIDR           | 0.0.0.0/0
    Inbound           | rdgw          | 443        | TCP      | CIDR           | 0.0.0.0/0
    Outbound          | default       | Any        | Any      | CIDR           | 0.0.0.0/0
    1. Select the Outgoing traffic or Incoming traffic tab.
    2. Click Add rule.
    3. In the Port range field of the window that opens, specify a port or range of ports open for inbound or outbound traffic.
    4. In the Protocol field, specify the protocol or leave Any to allow traffic over any protocol.
    5. In the Source or Destination field, select the scope of the rule:
      • CIDR: Rule will apply to a range of IP addresses. In the CIDR blocks field, specify CIDR IP address ranges of source or destination subnets, respectively. To add multiple CIDRs, click Add CIDR.
      • Security group: Rule will apply to the current or the selected security group VMs.
    6. Click Save. Repeat the steps to create all the rules from the table.
  7. Click Save.

CLI:

yc vpc security-group create --name=my-rdgw-sg `
  --network-name rdgw-network `
  --rule direction=ingress,protocol=icmp,v4-cidrs=[0.0.0.0/0],description=icmp `
  --rule direction=ingress,port=any,protocol=any,predefined=self_security_group,description=self `
  --rule direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdp `
  --rule direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdgw `
  --rule direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0],description=default 

Result:

id: enp136p8s2ae********
folder_id: big67u7m5flp********
created_at: "2021-06-09T10:50:29Z"
name: my-rdgw-sg
network_id: qqppl6fduhct********
status: ACTIVE
rules:
- id: env98jerk9b3********
  description: icmp
  direction: INGRESS
  protocol_name: ICMP
  protocol_number: "1"
  cidr_blocks:
  v4_cidr_blocks:
   - 0.0.0.0/0

API:

Use the create REST API method for the SecurityGroup resource or the SecurityGroupService/Create gRPC API call.
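The tutorial's rule set opens TCP 3389 on the gateway to every source, although RDP to the gateway itself is only needed for the administrative session in the "Configure the RDGW role" step; clients only ever need TCP 443. The following PowerShell script is an added example, not part of the Yandex Cloud tutorial: it creates the same my-rdgw-sg group with the same yc syntax, but limits ICMP and 3389 to an administrator source range, and then lists which ingress rules still admit 0.0.0.0/0. It assumes an authenticated yc CLI, that $AdminCidr is a placeholder you replace, and that `yc vpc security-group get` accepts `--name` and `--format json` (the rule field names are taken from the YAML result shown above).

```powershell
# Added example (not from the Yandex Cloud tutorial): my-rdgw-sg with RDP to the gateway
# restricted to the administrator's source range, 443 left open for RDGW clients.
$AdminCidr = '203.0.113.0/24'   # placeholder (documentation range); replace with your own

# Build the rule strings first so the variable expands cleanly inside the brackets.
$RuleIcmp   = "direction=ingress,protocol=icmp,v4-cidrs=[$AdminCidr],description=icmp"
$RuleSelf   = "direction=ingress,port=any,protocol=any,predefined=self_security_group,description=self"
$RuleRdp    = "direction=ingress,port=3389,protocol=tcp,v4-cidrs=[$AdminCidr],description=rdp-admin-only"
# Tutorial version of the same rule, kept only for comparison (not applied):
# $RuleRdp  = "direction=ingress,port=3389,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdp"
$RuleRdgw   = "direction=ingress,port=443,protocol=tcp,v4-cidrs=[0.0.0.0/0],description=rdgw"
$RuleEgress = "direction=egress,port=any,protocol=any,v4-cidrs=[0.0.0.0/0],description=default"

yc vpc security-group create --name=my-rdgw-sg `
  --network-name rdgw-network `
  --rule $RuleIcmp `
  --rule $RuleSelf `
  --rule $RuleRdp `
  --rule $RuleRdgw `
  --rule $RuleEgress

# Verification: the only ingress rule that should admit 0.0.0.0/0 is the rdgw (443) rule.
# Field names (direction, cidr_blocks.v4_cidr_blocks, ...) follow the YAML result shown above.
yc vpc security-group get --name my-rdgw-sg --format json |
  ConvertFrom-Json |
  Select-Object -ExpandProperty rules |
  Where-Object { $_.direction -eq 'INGRESS' -and $_.cidr_blocks.v4_cidr_blocks -contains '0.0.0.0/0' } |
  Select-Object description, protocol_name, ports
```

If the last pipeline prints anything other than the rdgw rule, a rule still admits the whole Internet and should be tightened.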

Create a gateway VM

Create a VM and give it a public IP address:

Management console:
  1. On the folder dashboard in the management console, click Create resource and select Virtual machine instance.

  2. Under Boot disk image:

    • Navigate to the Custom tab.
    • Click Select and select Create in the window that opens.
    • In the Contents field, select Image and then select the Windows Server 2022 Datacenter image from the list below. For more information on how to upload a Microsoft disk image, see Importing a custom image.
    • Optionally, in the Additional field, enable Delete along with the virtual machine to automatically delete this disk when deleting the VM.
    • Click Add disk.
  3. Under Location, select the ru-central1-d availability zone.

  4. Under Disks and file storages, specify your boot disk size: 60 GB.

  5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

    • Platform: Intel Ice Lake
    • vCPU: 2
    • Guaranteed vCPU performance: 100%
    • RAM: 4 GB
  6. Under Network settings, specify:

    • Subnet: rdgw-subnet
    • Public IP address: Auto
    • Security groups: my-rdgw-sg
  7. Under General information, specify the VM name: my-rds-gw.

  8. Click Create VM.

Wait for the VM status to change to Running and reset the password:

  1. Select the VM.
  2. Click Reset password.
  3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
  4. Click Generate password.
  5. Save the New password. It will become unavailable once you close the window.
CLI:

  1. In PowerShell, create a setpass script that sets the Administrator password through the user-data field of the VM metadata. The cloudbase-init tool runs this script on the VM's first boot.

    Note

    The first line of the script must be #ps1; otherwise, the cloudbase-init tool will fail.

    #ps1
    # Set the password of the built-in Administrator account (RID 500), whatever it is currently named
    Get-LocalUser | Where-Object SID -like '*-500' | Set-LocalUser -Password (ConvertTo-SecureString "<your password>" -AsPlainText -Force)
    
  2. Create a VM, specifying the created script as the metadata source. Use the ID of the my-rdgw-sg security group as the security-group-ids value:

    yc compute instance create `
      --name my-rds-gw `
      --hostname my-rds-gw `
      --memory 4 `
      --cores 2 `
      --platform standard-v3 `
      --zone ru-central1-d `
      --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.3,nat-ip-version=ipv4,security-group-ids=<my-rdgw-sg_ID> `
      --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
      --metadata-from-file user-data=setpass
    

    Result:

    done (25s)
    id: frmogfp7mm1k********
    folder_id: big67u7m5flp********
    created_at: "2021-06-09T10:51:58Z"
    name: my-rds-gw
    zone_id: ru-central1-d
    platform_id: standard-v3
    resources:
      memory: "4294967296"
      cores: "2"
      core_fraction: "100"
    status: RUNNING
    boot_disk:
      mode: READ_WRITE
      device_name: fhmplfvr7g6p********
      auto_delete: true
      disk_id: fhmplfvr7g6p********
    network_interfaces:
    - index: "0"
      mac_address: d0:0d:18:83:c8:7b
      subnet_id: e9b95m6al33r********
      primary_v4_address:
        address: 10.1.0.3
        one_to_one_nat:
          address: 178.154.231.126
          ip_version: IPV4
      security_group_ids:
      - enp136p8s2a********
    fqdn: my-rds-gw.ru-central1.internal
    scheduling_policy: {}
    network_settings:
      type: STANDARD
    placement_policy: {}
    

    Note

    The yc compute instance create, create-with-container, update, and add-metadata commands substitute environment variable values into VM metadata: when you run a Yandex Cloud CLI command, any value written in the user-data key as $<variable_name> is replaced with the value of that variable from the environment in which the command runs.

    To pass the literal string $<variable_name> to the VM metadata instead of substituting the variable's value from the CLI runtime environment, use the double-dollar syntax: $$<variable_name>.

    For more information, see Specifics of providing environment variables in metadata via the CLI.

Configure the RDGW role

  1. Connect to the created VM via RDP.

  2. Install the required role and management tools:

    Install-WindowsFeature RDS-Gateway -IncludeManagementTools
    

    Result:

    Success Restart Needed Exit Code      Feature Result
    ------- -------------- ---------      --------------
    True    No             Success        {Network Policy and Access Services, Remot...
    
  3. Import the RDS module:

    Import-Module -Name RemoteDesktopServices
    
  4. Create a client access policy allowing members of the Administrators group to connect to the RDGW. You can do this using a Windows PowerShell drive that is automatically installed with the role:

    New-Item -Path 'RDS:\GatewayServer\CAP' -Name 'Default-CAP' -UserGroups Administrators@Builtin -AuthMethod '1'
    

    Result:

        Directory: RDS:\GatewayServer\CAP
    
    Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
    ----                   ----      ------------         --   ----------------- ---------------------
    Default-CAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...
    
  5. Create a resource access policy allowing members of the Administrators group to connect to internal resources through the RDGW.

    New-Item -Path 'RDS:\GatewayServer\RAP' -Name 'Default-RAP' -UserGroups Administrators@Builtin -ComputerGroupType '2'
    

    Result:

        Directory: RDS:\GatewayServer\RAP
    
    Name                   Type      CurrentValue         GP   PermissibleValues PermissibleOperations
    ----                   ----      ------------         --   ----------------- ---------------------
    Default-RAP                                           -                      Get-Item, Get-ChildItem, Remove-Item,...
    
  6. Create your RDGW server certificate that will be used for traffic encryption:

    $Certificate = New-SelfSignedCertificate -CertStoreLocation 'Cert:\LocalMachine\My' -DnsName $ENV:COMPUTERNAME
    
  7. Export the created certificate so the gateway clients can import it into their Trusted Root Certification Authorities certificate stores. This is required to trust your self-signed certificate:

    $Certificate | Export-Certificate -FilePath "C:\REGW.cer"
    

    Result:

        Directory: C:\
    
    Mode                LastWriteTime         Length Name
    ----                -------------         ------ ----
    -a----         6/9/2021  11:51 AM            796 REGW.cer
    
  8. Configure RDGW to use your certificate and restart the RDG service to apply the settings:

    Set-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint' -Value $Certificate.Thumbprint
    Get-Service TSGateway | Restart-Service
    

The RDGW VM allows members of the BUILTIN\Administrators group to connect to internal network VMs.
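Before handing the gateway to users it is worth confirming that steps 2 to 8 produced exactly the intended state. The script below is an added example, not part of the Yandex Cloud tutorial or the RemoteDesktopServices module: run in an elevated PowerShell session on my-rds-gw, it checks that the TSGateway service listens on 443, that the bound thumbprint resolves to a valid certificate issued for this host name, and that only the Default-CAP and Default-RAP policies exist. It assumes the RDS: drive installed in step 2 and that Get-Item on the SSLCertificate\Thumbprint item exposes the CurrentValue property shown in the outputs above.

```powershell
# Added verification script; not part of the Yandex Cloud tutorial or the RDS module.
# Run elevated on the gateway VM after step 8.
Import-Module -Name RemoteDesktopServices

function Test-RdgwConfiguration {
    param(
        [string]$ExpectedCap = 'Default-CAP',   # names chosen in steps 4 and 5
        [string]$ExpectedRap = 'Default-RAP'
    )
    $problems = @()

    # 1. The gateway service must be running after the restart in step 8.
    $svc = Get-Service -Name TSGateway
    if ($svc.Status -ne 'Running') { $problems += "TSGateway service is $($svc.Status)" }

    # 2. RDGW carries RDP over HTTPS, so something must listen on TCP 443.
    $listener = Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue
    if (-not $listener) { $problems += 'No listener on TCP 443' }

    # 3. The thumbprint bound in step 8 must resolve to a certificate in LocalMachine\My that is
    #    still valid and was issued for this host name (clients validate the name they connect to).
    $bound = (Get-Item -Path 'RDS:\GatewayServer\SSLCertificate\Thumbprint').CurrentValue
    $cert  = Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object Thumbprint -eq $bound
    if (-not $cert) {
        $problems += "Bound thumbprint '$bound' not found in Cert:\LocalMachine\My"
    } else {
        if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate expired on $($cert.NotAfter)" }
        if ($cert.Subject -ne "CN=$env:COMPUTERNAME") {
            $problems += "Certificate subject '$($cert.Subject)' does not match CN=$env:COMPUTERNAME"
        }
    }

    # 4. Exactly the CAP and RAP from steps 4 and 5 should exist; any extra policy widens
    #    who may authenticate to the gateway or which internal hosts they may reach.
    $caps = @(Get-ChildItem -Path 'RDS:\GatewayServer\CAP' | Select-Object -ExpandProperty Name)
    $raps = @(Get-ChildItem -Path 'RDS:\GatewayServer\RAP' | Select-Object -ExpandProperty Name)
    if ($caps -notcontains $ExpectedCap) { $problems += "CAP '$ExpectedCap' is missing" }
    if ($raps -notcontains $ExpectedRap) { $problems += "RAP '$ExpectedRap' is missing" }
    foreach ($extra in ($caps | Where-Object { $_ -ne $ExpectedCap })) { $problems += "Unexpected CAP '$extra'" }
    foreach ($extra in ($raps | Where-Object { $_ -ne $ExpectedRap })) { $problems += "Unexpected RAP '$extra'" }

    if ($problems.Count -eq 0) {
        Write-Output "RDGW on $env:COMPUTERNAME looks correctly configured (thumbprint $bound)."
    } else {
        $problems | ForEach-Object { Write-Warning $_ }
    }
    return ($problems.Count -eq 0)
}

Test-RdgwConfiguration
```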

Test the RDGW

  1. Create an internal network VM to which you will connect during the test.

    Management console:
    1. On the folder dashboard in the management console, click Create resource and select Virtual machine instance.

    2. Under Boot disk image:

      • Navigate to the Custom tab.
      • Click Select and select Create in the window that opens.
      • In the Contents field, select Image and then select the Windows Server 2022 Datacenter image from the list below. For more information on how to upload a Microsoft disk image, see Importing a custom image.
      • Optionally, in the Additional field, enable Delete along with the virtual machine to automatically delete this disk when deleting the VM.
      • Click Add disk.
    3. Under Location, select the ru-central1-d availability zone.

    4. Under Disks and file storages, specify your boot disk size: 60 GB.

    5. Under Computing resources, navigate to the Custom tab and specify the required platform, number of vCPUs, and amount of RAM:

      • Platform: Intel Ice Lake
      • vCPU: 2
      • Guaranteed vCPU performance: 100%
      • RAM: 4 GB
    6. Under Network settings, specify:

      • Subnet: rdgw-subnet
      • Public IP address: No address
    7. Under General information, specify the VM name: test-vm.

    8. Click Create VM.

    Wait for the VM status to change to Running and reset the password:

    1. Select the VM.
    2. Click Reset password.
    3. Specify the Username to reset the password for. If there is no user with that name on the VM, this user will be created with administrator access.
    4. Click Generate password.
    5. Save the New password. It will become unavailable once you close the window.

    CLI:

    Create a VM:

    yc compute instance create `
      --name test-vm `
      --hostname test-vm `
      --memory 4 `
      --cores 2 `
      --platform standard-v3 `
      --zone ru-central1-d `
      --network-interface subnet-name=rdgw-subnet,ipv4-address=10.1.0.4 `
      --create-boot-disk image-folder-id=standard-images,image-family=windows-2022-dc-gvlk `
      --metadata-from-file user-data=setpass
    

    Result:

    done (19s)
    id: fhm5pflreh2j********
    folder_id: big67u7m5flp********
    created_at: "2021-06-09T11:53:03Z"
    name: test-vm
    zone_id: ru-central1-d
    platform_id: standard-v3
    resources:
      memory: "4294967296"
      cores: "2"
      core_fraction: "100"
    status: RUNNING
    boot_disk:
      mode: READ_WRITE
      device_name: fhmmf65nlbt1********
      auto_delete: true
      disk_id: fhmmf65nlbt1********
    network_interfaces:
    - index: "0"
      mac_address: d0:0d:5d:ef:bb:74
      subnet_id: e9b95m6al33r********
      primary_v4_address:
        address: 10.1.0.4
    fqdn: test-vm.ru-central1.internal
    scheduling_policy: {}
    network_settings:
      type: STANDARD
    placement_policy: {}
    

    API:

    Use the create REST API method for the Instance resource or the InstanceService/Create gRPC API call.

  2. Import your RDGW certificate file into the Trusted Root Certification Authorities store of the computer from which you will connect to the test VM.

    To connect to the gateway by the VM name, specify its name and external IP address in the C:\Windows\system32\drivers\etc\hosts file. Here is an example:

    87.250.250.242 my-rds-gw
    
  3. Run the mstsc remote desktop client. On the Advanced tab of the connection settings, specify the gateway: my-rds-gw, destination node: test-vm, and username: Administrator.
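Steps 2 and 3 above can be done from an elevated PowerShell session on the client instead of through the GUI. The script below is an added example, not part of the Yandex Cloud tutorial: it refuses to import REGW.cer unless its thumbprint matches a value you read on the gateway itself (for a self-signed certificate, the out-of-band fingerprint comparison is the only thing that authenticates the file), then imports it into the machine Trusted Root store, adds the hosts entry, checks that only TCP 443 on the gateway is reachable, and opens mstsc with an .rdp file equivalent to the Advanced-tab settings. It assumes REGW.cer was copied to C:\, that $GatewayIp is the gateway's public address (the value from the hosts example above is used as the default), and that $ExpectedThumbprint is a placeholder you replace with $Certificate.Thumbprint as printed on the gateway.

```powershell
# Added client-side example; not part of the Yandex Cloud tutorial.
# Run elevated on the computer you connect from (Import-Certificate and the hosts file need admin rights).
param(
    [string]$CerPath            = 'C:\REGW.cer',
    [string]$GatewayName        = 'my-rds-gw',
    [string]$GatewayIp          = '87.250.250.242',   # public IP from the hosts example above
    [string]$TargetHost         = 'test-vm',
    [string]$UserName           = 'Administrator',
    [string]$ExpectedThumbprint = '<thumbprint read on the gateway>'   # placeholder, must be replaced
)

# 1. Verify the file before trusting it: a self-signed certificate has no chain, so the only
#    check available is the fingerprint compared against the value obtained on the gateway.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
if ($cer.Thumbprint -ne $ExpectedThumbprint.ToUpper()) {
    throw "Thumbprint $($cer.Thumbprint) does not match the value read on the gateway; not importing."
}
if ($cer.Subject -ne "CN=$GatewayName") {
    throw "Certificate subject $($cer.Subject) is not CN=$GatewayName; the gateway name would not validate."
}

# 2. Import into the machine-wide Trusted Root Certification Authorities store (step 2 of the test).
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Map the gateway name to its public address so the name used in the RDP connection
#    matches the certificate subject (same as the manual hosts entry above).
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entry = "$GatewayIp $GatewayName"
if (-not (Select-String -Path $hostsFile -SimpleMatch -Pattern $entry -Quiet)) {
    Add-Content -Path $hostsFile -Value $entry
}

# 4. Only TCP 443 on the gateway should be reachable from here; test-vm has no public address.
if (-not (Test-NetConnection -ComputerName $GatewayName -Port 443 -InformationLevel Quiet)) {
    throw "TCP 443 on $GatewayName is not reachable; check the my-rdgw-sg rules."
}
if (Test-NetConnection -ComputerName $GatewayName -Port 3389 -InformationLevel Quiet) {
    Write-Warning "TCP 3389 on $GatewayName is reachable from this host; RDGW clients only need 443."
}

# 5. Write an .rdp file equivalent to the mstsc Advanced-tab settings in step 3 and open it.
#    gatewayusagemethod 1 = always use the gateway; gatewayprofileusagemethod 1 = use these explicit settings.
$rdp = @"
full address:s:$TargetHost
username:s:$UserName
gatewayhostname:s:$GatewayName
gatewayusagemethod:i:1
gatewayprofileusagemethod:i:1
"@
$rdpPath = Join-Path $env:TEMP "$TargetHost-via-$GatewayName.rdp"
Set-Content -Path $rdpPath -Value $rdp
Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdpPath`""
```

With the placeholder thumbprint left in place the script stops at step 1 by design; it only imports the certificate once the fingerprint you read on the gateway is supplied.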

How to delete the resources you created

If you no longer need the resources you created, i.e., VMs and networks, delete them.
