Solved

Restore VM to AWS VPC --- HELP


Userlevel 2

Hi,  

We are using Veeam to back up our on-prem Hyper-V VMs with no problem. This is working like a dream. What we urgently need to do is restore a VM to AWS EC2 that we can RDP onto.

I've tried this, but when I start the EC2 instance RDP just doesn't work…

 

Some background

We have an on-prem domain mydomain.local with two physical host servers that contain around 9 VMs.

This on-prem setup is also covered by FortiClient VPN.

In AWS we have a VPC (for example myVPC) with public and private subnets.

I'm able to spin up new EC2 instances into both subnets, connect them to our domain and log in with mydomain\User, for example, with no problem.

 

The issue is when restoring a VM to EC2 via Veeam to our public subnet: there is no way I can RDP to it. I've checked that the security group has RDP 3389 listening but no joy. I can't imagine that I'm the only person who has tried to do this?

 

Does anyone have any advice or walkthrough on this?  As it’s really giving me a massive headache!

 

Many thanks and much appreciated.

 


Best answer by Iams3le 29 September 2021, 15:50


15 comments

Userlevel 7
Badge +17

Just some basic questions - no offence…

  • Is the VM powered on after restore?
  • Is it possible that you have duplicate IPs after restore?
  • Is there a firewall between the net parts?
Userlevel 2

Hi @JMeixner, thanks so much for the quick reply.

 

  • Is the VM powered on after restore?
    If you mean the on-prem VM then yes…
  • Is it possible that you have duplicate IPs after restore?
    A new private IP and new public IP are attached to the EC2 instance.
  • Is there a firewall between the net parts?
    Windows Firewall is switched off by default on our on-prem VMs as we have external firewall management.

Hope this helps

Userlevel 6
Badge +3

Hi, did you also check whether the AWS network ACLs do allow you to connect via RDP?

Userlevel 2

Hi @StefanZi ,

 

Yes, I am able to launch a new EC2 into the same VPC and subnet and RDP with no issues, so I take it RDP is allowed?

Hope this helps

Userlevel 6
Badge +3

That’s good, thanks. Just for sanity check: RDS is enabled and allowed by the host firewall? :-D

 

This onprem set up is also covered by Forticlient VPN

 

What about this - do you want to access the Windows machine via VPN or is there a VPN connection between your VPC and on-prem or did you add a public (Elastic) IP to the restored VM to make it accessible?

Userlevel 2

Hi, we have a VPN connection between our on-prem and VPC… I've tested shutting down the VPN, which results in not being able to RDP to existing EC2 instances (we have a Site-to-Site VPN connection running).


Also, I have attached a public (Elastic) IP to the EC2.


Userlevel 6
Badge +3

So you also can’t connect on the Elastic IP?

What about the IP routing? Are you able to ping/traceroute to the EC2 VM through the VPN?

When you login to the console of the EC2 instance, can you connect to/ping/reach on-prem resources from there (so is the networking working at all)?

What about the routes in the VPC and on the EC2 instance - is everything configured here properly (so the way back working when the way towards works maybe)?

Are the DNS names (if used to connect) resolving to the correct IP? 

So a lot of networking stuff I'd look into. Because if the EC2 is running and connected, that's basically what it comes down to if you can't connect.

Userlevel 7
Badge +12

I don’t have any experience in AWS at all, so it’s just a guess from my side. Are you sure that the VM did boot without any problems? And, also, that it received the private IP you’ve assigned to it? Can you reach any other service or ping the VM?

Userlevel 7
Badge +9

Hello @Fiorano995 ,

Good to know that you already have the RDP port opened via the security group. Additionally, you will need to enable RDP on the EC2 instance itself.
- Also, you may need to add the users to the RDP group via Computer Management. (You should only do this if you aren't the Administrator of this device.)

Note: You will have to connect to the EC2 client via the server's public IP address or DNS name. If you find this comment useful, please mark it as the right answer.

From what you said so far, there is no need to check the route tables as everything seems to have worked previously. Good luck.

Userlevel 7
Badge +9

Hi, we have a VPN connection between our on-prem and VPC… I've tested shutting down the VPN, which results in not being able to RDP to existing EC2 instances (we have a Site-to-Site VPN connection running).

Also, I have attached a public (Elastic) IP to the EC2.


If you have a VPN in place, then connection should also be possible via the Private IP address. Ensure you have RDP enabled on the EC2 instance. 

Userlevel 2

Hi Everyone,

 

Lots of input which I really do appreciate…

 

So, firstly, the instance is running fine as I can connect via Session Manager:

Also, I can ping the Elastic IP from one of our on-prem VMs (whilst VPN is running):


Also, a tracert to the public IP, again from one of our on-prem VMs (whilst VPN is running):


I guess the Request timed out messages are a concern?

 

@chris_eromosele your comment: 
Good to know that you already have the RDP port opened. Additionally, you will need to enable RDP on The EC2 instance itself. 

 

How can I do this?

 

Once again thanks for all the responses!

 

 

Userlevel 7
Badge +9

Hello @Fiorano995 ,

 

I just noticed I do not have a complete guide on how to do this on my blog. I will be posting one tonight, including how to add users to the RDP group so they can connect. Sad! But these are some guides (link 1 and link 2) to all topics of RDP.

 

Request Timed Out: This message indicates that no Echo Reply messages were received within the default time of 1 second. This can be due to many different causes; the most common include network congestion, failure of the ARP request, packet filtering, routing error, or a silent discard.
– Request timed out means that the local host did not receive a response from the destination host, but it was able to reach it. Destination host unreachable means that there was no valid route to the requested host. You may want to read this guide too for all possible errors and their meanings.

 

I think you are getting Request timed out because you have got no route (connection via the public IP). You have a VPN, so use the private IP. Not sure if you have the SG group configured to allow access via RDP with the public IP address.

 

  • To answer your questions, here are the steps to enable RDP.
  • To check whether Remote Desktop is enabled, you just need to complete the following steps.

    Step 1: Right-click This PC or My Computer on your desktop and then select Properties from the menu.
    Step 2: On the Properties window, click Remote settings on the left pane.
    Step 3: Under the Remote tab, see if the box next to Don't allow connections to this computer is checked to check if the Remote Desktop feature is enabled.
    You must ensure this is enabled. Below is a screenshot of how this is done on Windows 11.

If you are not the administrator of the device, an admin of the device will need to add your account to this group below.

 

I hope these steps help you. I have got a meeting in 30 minutes and may not be able to reply until after it.

Userlevel 2

Thanks @chris_eromosele 

The on-prem VM has all RDP settings configured… as we can RDP to it with no issues (also, as I can't RDP to the restored instance in AWS, I can't check these settings :confused: ).

From the AWS EC2 Session Manager I can check the RDP port is open:

Also, the security group has the following inbound rules:


Thanks again

 

Userlevel 7
Badge +9

Thanks @chris_eromosele

The on-prem VM has all RDP settings configured… as we can RDP to it with no issues (also, as I can't RDP to the restored instance in AWS, I can't check these settings :confused: ).

From the AWS EC2 Session Manager I can check the RDP port is open:

Also, the security group has the following inbound rules:

Thanks again


Yes, this is because, by default, the server listens on TCP port 3389 and UDP port 3389. This does not mean RDP is enabled.

If you have got no Admin rights, contact AWS support, they can help you rescue the EC2 instance. 
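The distinction made in this reply (a listening port 3389 is not the same as Remote Desktop being enabled) and the manual enable-RDP steps a few posts up can be checked in one go from the Session Manager shell the original poster already has. This is an added example written for this thread, not code from the forum or from Veeam or AWS; it assumes an elevated PowerShell 5.1 session on Windows Server with the NetSecurity and LocalAccounts modules available, and the function names are mine.

```powershell
# Added example: run inside the restored EC2 instance via an SSM Session Manager
# PowerShell session. Reports each prerequisite for RDP separately so a "port is
# listening" result is not mistaken for "RDP is enabled".
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpReadiness {
    # fDenyTSConnections = 1 is the "Don't allow connections to this computer" radio button
    $deny = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections
    $svc  = Get-Service -Name TermService
    # Inbound allow rules in the built-in "Remote Desktop" group (user-mode TCP/UDP, shadow)
    $fw   = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
              Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' })
    # A socket on 3389 only proves TermService opened its listener
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    # Members of the local group that may log on over RDP without being administrators
    $members = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
               Select-Object -ExpandProperty Name

    [pscustomobject]@{
        RdpEnabledInRegistry = ($deny -eq 0)
        TermServiceRunning   = ($svc.Status -eq 'Running')
        FirewallRulesEnabled = ($fw.Count -gt 0)
        Port3389Listening    = ($null -ne $listen)
        RdpGroupMembers      = ($members -join '; ')
    }
}

function Enable-Rdp {
    # Equivalent of the GUI steps in the thread: allow connections, open the firewall group,
    # make sure the service starts with the OS. Run only after the readiness report shows a gap.
    Set-ItemProperty -Path $TsKey -Name fDenyTSConnections -Value 0
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-Service -Name TermService -StartupType Automatic
    Start-Service -Name TermService
}

$state = Get-RdpReadiness
$state | Format-List
if (-not ($state.RdpEnabledInRegistry -and $state.FirewallRulesEnabled -and $state.TermServiceRunning)) {
    Enable-Rdp
    Get-RdpReadiness | Format-List
}
```

Because the thread's VPC is reached over a site-to-site VPN, keep the security group's 3389 rule scoped to the on-prem CIDR and connect by private IP rather than opening the Elastic IP to the internet.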

Userlevel 7
Badge +9

If you have the rights, you can create an AMI of the EC2 instance and try to create a new instance. In this way, you will be able to connect to it.
