How does Remote Desktop works in Windows Azure?

As you may have known that when you create any of kind of role in your Windows Azure application (Web, Worker or VM) you have ability to enable Remote Access to your role. It mean you can have Remote Desktop access to all of the instances related with the role, which has RDP access to it.


The remote desktop feature is comprised of two imports:

  1. RemoteAccess
  2. RemoteForwarder.


That’s why when you enable Remote Desktop access your service definition shows imports as below:



      <Import moduleName="RemoteAccess" />

      <Import moduleName="RemoteForwarder" />



Remote Access:

RemoteAccess is imported on all roles you want to eventually be able to connect to. This import controls turning on RDP on the Windows Azure virtual machines and creating the user account for you so you can connect to Windows Azure instance. RemoteAccess has four configuration settings (prefixed with Microsoft.WindowsAzure.Plugins.RemoteAccess):

  • Enabled – must be set to “true” then RDP will be turned on inside the VM.
  • AccountUsername – User account name to create.
  • AccountEncryptedPassword – a Base64 encoded PKCS#7 blob encrypted with the PasswordEncryption certificate that specifies the password for the user account to create.
  • AccountExpiration – a DateTime string that specifies the time the account expires. If left blank or improperly formatted then no useraccount is created.


The Service Configuration shows these configuration settings as below:


      <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.Enabled" value="true" />

      <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountUsername" value="avkash" />

      <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountEncryptedPassword" value="****************" />

      <Setting name="Microsoft.WindowsAzure.Plugins.RemoteAccess.AccountExpiration" value="RD_Access_Expiry_Date" />

      <Setting name="Microsoft.WindowsAzure.Plugins.RemoteForwarder.Enabled" value="true" />



RemoteAccess components tracks every user it creates by putting them in a special group for RemoteAccess use only. When a configuration change occurs or the role starts, RemoteAccess searches for any existing user account in that group with the name specified in AccountUsername. If the user is found, its password and expiration date are updated. All other account in that group will be disabled for RemoteAccess. This way RemoteAccess ensures that only a single user account is active on the machine at any given time.



  • RemoteForwarder is imported on a single role and takes care of dealing with the fact that Windows Azure only provides load-balanced input endpoints.
  • The forwarder runs on every instance of the role in which it is imported and listens on port 3389 for remote desktop connections.
  • When a connection is received, it searches the first packet for a load balancing cookie which you can see if you open the Portal-supplied .rdp file in a text editor.
  • Using this cookie data it then opens a connection internally to the desired instance and forwards all traffic to that instance.
  • The forwarder only has a single configuration setting:
    • Enabled – if set to “true” then listen for new connections and forward them appropriately.


Comments (1)

  1. sekhar says:

    I am having web role with two instances.

    Is it possible to take remote for two instances.

    Please mail me at

    Its very urgent requirement…

Skip to main content