close
The Wayback Machine - https://web.archive.org/web/20190826211004/https://cloud.google.com/compute/docs/instances/connecting-to-instance

Connecting to instances

This page describes some of the most common ways to connect to your Compute Engine Linux instances and Compute Engine Windows instances.

For more ways to connect to your instances, see the following:

Before you connect, review the following notes:

  • You must set up user access to your instance. This page assumes you've followed the Quickstart using a Linux VM guide or the Quickstart using a Windows VM guide to create your instance, which includes creating default user access. Complete at least one of these quickstart guides before continuing.

    To learn about managing user access to your instance, see Managing instance access.

  • For Linux instances, you can store your host keys as guest attributes on your instance. For more information, see Storing host keys.

Connecting to Linux instances

To connect to Linux instances through the Google Cloud Platform Console or the gcloud command-line tool in the SDK, follow the steps in the tabs below:

If these basic SSH options do not work for you, you might need to connect to instances using third-party tools or connect to instances that have no external IP addresses.

Console

  1. In the GCP Console, go to the VM Instances page.

    Go to the VM Instances page

  2. In the list of virtual machine instances, click SSH in the row of the instance that you want to connect to.

    SSH button next to instance name.

gcloud

Use the gcloud compute ssh command to connect to instances that you have permission to access.

gcloud compute ssh --project [PROJECT_ID] --zone [ZONE] [INSTANCE_NAME]

Where:

  • [PROJECT_ID] is the ID of the project that contains the instance.
  • [ZONE] is the name of the zone in which the instance is located.
  • [INSTANCE_NAME] is the name of the instance.

If you have set default properties for the gcloud command-line tool, you can omit the --project and --zone flags from this command. For example:

gcloud compute ssh [INSTANCE_NAME]

After you connect, use the terminal to run commands on your Linux instance. When you have finished, disconnect from the instance by using the exit command.

Where SSH keys are located

After you connect for the first time, Compute Engine generates an SSH keypair for you and stores it in one of the following locations:

  • By default, Compute Engine adds the generated key to project or instance metadata.
  • If your account is configured to use OS Login, Compute Engine stores the generated key with your user account.

It is not necessary to know where your SSH keys are stored if you're connecting in the ways described in this document, but you might need this if want to connect using the alternative or advanced methods of connecting described in Connecting to instances using advanced methods.

Storing host keys

A host key is a key pair that identifies a particular host or machine. When you connect to a remote host, the host key is used to verify that you are connecting to the intended machine.

If you are using gcloud beta compute ssh to connect to your Linux instances, you can add a layer of security by storing your host keys as guest attributes.

Storing SSH host keys as guest attributes improves the security of your connections by helping to protect against vulnerabilities such as man-in-the-middle (MITM) attacks. On the initial boot of a VM instance, if guest attributes is enabled, Compute Engine stores your generated host keys as guest attributes. Compute Engine then uses these host keys that were stored during the initial boot to verify all subsequent connections to the VM instance.

Supported operating systems

The storing of host keys as guest attributes is supported on the following operating systems:

  • Debian
  • Red Hat Enterprise Linux (RHEL)
  • CentOS
  • SUSE Enterprise Linux Server (SLES)

Host keys can only be written to guest attributes on the first boot of a VM instance. To write the host keys to the guest attributes, you must enable guest attributes before you boot the VM instance for the first time.

To store host keys as guest attributes, complete the following steps:

  1. Before you boot your VM instance for the first time, enable guest attributes. You can enable guest attributes either on select VM instances during instance creation or on your entire project. To enable guest attributes, see Enabling guest attributes on your instance.

  2. Connect to your instance using gcloud beta compute SSH.

    1. Ensure that you have the latest version of the gcloud command-line tool.

      gcloud components update

    2. Connect to the instance.

      gcloud beta compute ssh --project [PROJECT_ID] --zone [ZONE] [INSTANCE_NAME]

      Where:

      • [PROJECT_ID] is the ID of the project that contains the instance.
      • [ZONE] is the name of the zone in which the instance is located.
      • [INSTANCE_NAME] is the name of the instance.

      If you have set default properties for the gcloud command-line tool, you can omit the --project and --zone flags from this command. For example:

       gcloud beta compute ssh [INSTANCE_NAME]

    3. Review the startup message. For example, a Debian operating system might display the following message:

      Writing 3 keys to [YOUR_HOME_DIRECTORY]/.ssh/google_compute_known_hosts
Linux host-key-2 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u3 (2019-06-16) x86_64

  3. Confirm that host keys are stored.

Confirming that host keys are stored as guest attributes

To confirm that host keys are stored as guest attributes, review either the serial port or the host key values for the instance.

Option 1: Reviewing the serial port

  1. Access the serial port output, see Viewing serial port output.
  2. Select serial port 1.

  3. Search for the following message:

    INFO Wrote ssh-rsa host key to guest attributes

    If your image uses a supported operating system but guest attributes was not enabled before the first VM boot, you might see the following message:

    Unable to write ssh-rsa host key to guest attributes

    This means that host keys aren't stored as guest attributes for this instance. If you want to store host keys for additional instances that you plan to create, ensure that you enable guest attributes before the first boot of the instance.

Option 2: Reviewing the host key values

You can use the gcloud command-line tool to verify that ssh keys are written to guest attributes.

 gcloud compute instances get-guest-attributes [INSTANCE_NAME] --query-path "hostkeys/" --zone [ZONE]

Where:

  • [ZONE] is the name of the zone in which the instance is located.
  • [INSTANCE_NAME] is the name of the instance.

Your output might resemble the following:

NAMESPACE  KEY                  VALUE
hostkeys   ecdsa-sha2-nistp256  AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBJAGpTm
                                V3mFxBTHK1NIu9a7kVQWaHsZVaFUsqF8cLxQRQ+N96/Djiiuz1tucHQ8vBTJI=
hostkeys   ssh-ed25519          AAAAC3NzaC1lZDI1NTE5AAAAIM/WYBn3jIEW5t3BZumx0X/Htm61J6S9FcU8L
hostkeys   ssh-rsa              AAAAB3NzaC1yc2EAAAADAQABAAABAQDU3jReR/MoSttlWYfauW6qEqS2dhe5
                                Zdd3guYk2H7ZyxblNuP56nOl/IMuniVmsFa9v8W6MExViu6G5Cy4iIesot09
                                1hsgkG0U7sbWrXM10PQ8pnpI3B5arplCiEMhRtXy64rlW3Nx156bLdcxv5l+
                                7Unu4IviKlY43uqqwSyTv+V8q4ThpQ9dNbk1Gg838+KzazljzHahtbIaE1rm
                                I0L1lUqKiKLSLKuBgrI2Y/WSuqvqGEz+bMH7Ri4ht+7sAwykph6FbOgKqoBI
                                hVWBo38/Na/gEuvtmgULUwK+xy9zWg9k8k/Qtihc6El9GD9y

Connecting to Windows instances

To connect to Windows instances using Remote Desktop Protocol (RDP) in the Google Cloud Platform Console or through a graphical user interface, follow the steps in the tabs below:

Connect using a graphical RDP client

Check your VPC firewall rules to ensure RDP is allowed.

Before you connect, make sure you have created a Windows instance password and have it ready to enter in the following steps:

Console

To connect using the GCP Console with the Chrome RDP extension, do the following:

  1. install the Chrome RDP for Google Cloud Platform extension.

  2. Go to the VM instances page in GCP Console and find the Windows instance you want to connect to.

    Go to the VM instances page

  3. Click the RDP button for the instance you want to connect to. The Chrome RDP extension opens.

  4. Enter the domain, your username, and password, then click OK to connect.

    The instance creation window with the required options set.

    If your instance does not have a domain configured, you can leave the Domain field blank.

  5. If prompted, press Continue to accept the certificate.

Remote Desktop

To connect with Microsoft Windows Remote Desktop, do the following:

  1. Identify the external IP address of your Windows instance from the VM instances page.

    Go to the VM instances page

    Alternatively, find the external IP address by running the gcloud instances list command in the gcloud command-line tool:

    gcloud compute instances list

  2. Open Microsoft Windows Remote Desktop Connection on your Windows machine.

    Screenshot of the mstsc connection window

  3. Enter the external IP address into the Computer field. Click Connect.

  4. Enter your username and password. Then click OK to connect.

Other

To connect using clients on other platforms that support RDP, such as clients developed for Android, iOS, Mac, and others, do the following:

  1. Identify the external IP address of your Windows instance from the VM instances page.

    Go to the VM instances page

    Alternatively, find the external IP address by running the gcloud instances list command in the gcloud command-line tool:

    gcloud compute instances list

  2. Install the supported client according to the client's installation instructions.

  3. Connect using the external IP address of your instance, and authenticate with your username and password for the instance.

For a list of officially supported clients, see Microsoft's Remote Desktop Clients article.

If you have difficulties connecting using RDP, see the Troubleshooting RDP page.

Connect to a Windows instance using the command line

This section describes how to connect to your Windows instance using an interactive serial console, or the Windows Special Administrative Console (SAC), which is often used for advanced troubleshooting on Windows instances.

For more information about using the interactive serial console, see Interacting with the serial console.

Before you connect, make sure you have created a Windows instance password and have it ready.

To connect to your Windows instance using an interactive serial console, follow the steps in the tabs below:

Console

To connect to your Windows instance using an interactive serial console through the GCP Console, do the following:

  1. Open the VM instances page in GCP Console and click the name of your instance. The VM instance details page opens.

    Go to the VM instances page

  2. Click Edit. Under Remote access, select Enable connecting to serial ports. This enables the interactive serial console for this instance.

    The edit instance details screen setting.

    Alternatively, if you want these settings to apply to all instances in your project, set project-wide custom metadata instead.

    For more information about updating instance metadata, see Storing and retrieving instance metadata.

  3. Click Save, then return to the top of the page.

  4. Under Remote access, click the drop-down list next to Connect to serial console, and select Serial port 2. A Windows Special Administrative Console (SAC) opens.

  5. At the SAC> prompt, run cmd to create a new channel. SAC returns the channel name, for example, Cmd001.

  6. Run ch -sn [CHANNEL_NAME] and press any key to connect to the channel. For example:

    SAC> cmd
The Command Prompt session was successfully launched.
SAC>
EVENT:   A new channel has been created.  Use "ch -?" for channel help.
Channel: Cmd0001
SAC> ch -sn cmd0001
Press any key to confirm connection to the channel.

  7. Enter the username, domain, and password of the instance to connect.

gcloud

To connect to your Windows instance using an interactive serial console through the gcloud command-line tool, do the following:

  1. If you haven't done so already, download and install the Cloud SDK for your local operating system. See Installing Cloud SDK.

  2. Launch Cloud SDK.

  3. Run the following command to configure your instance to allow for connecting to serial ports:

    gcloud compute instances add-metadata [INSTANCE_NAME]
--metadata=serial-port-enable=1

    Optional: If you want the settings to apply to all instances in your project, run the following Cloud SDK command instead:

    gcloud compute project-info add-metadata
--metadata=serial-port-enable=1

    For more information about project-wide custom metadata, see Setting project-wide custom metadata

    For more information about updating metadata, see Updating instance metadata.

  4. Run the following gcloud command to enter an interactive session:

    gcloud compute connect-to-serial-port [INSTANCE_NAME] --port=2

    The SAC interactive session.

  5. At the SAC> prompt, run cmd to create a new channel. SAC returns the channel name, for example, Cmd001.

  6. Run ch -sn [CHANNEL_NAME] and press any key to connect to the channel. For example:

    SAC> cmd
The Command Prompt session was successfully launched.
SAC>
EVENT:   A new channel has been created.  Use "ch -?" for channel help.
Channel: Cmd0001
SAC> ch -sn cmd0001
Press any key to confirm connection to the channel.

  7. Enter the username, domain, and password of the instance to connect.

What's next

Was this page helpful? Let us know how we did:

Send feedback about...

This page
Documentation feedback
BERJAYA
Compute Engine Documentation
Product feedback