SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC

MatiasN Published at Dev

MatiasN

I've been going at this problem for a couple of hours and maybe its not possible, maybe it is.

I have a VPC in AWS, with a couple of EC2 instances and Lambda Instances.

As of right now, The lambda can invoke, ssh and so on to the EC2 server without a problem.

My lambdas are using a security group with only HTTP, HTTPS AND SSH in "Outbound".

My ec2 default security group only accepts 22 inbound (From my Lambda security group, AND my office IP).

If i create an ec2 instance on my public subnet, both me and my lambda functions can access it through ssh.

If i create it on my PRIVATE subnet, my lambdas can ssh but i CANT...

Do i really have to have a NAT SERVER in order to achieve this?

TL:DR; Only my office and my lambdas should have access to my ec2 instances.

jarmod

First option to consider for SSH access to EC2 instances should be AWS Systems Manager Session Manager for Shell Access to EC2 Instances. It's potentially a big deal. No more bastions, no more firewall rules allowing inbound port 22. You basically run an SSH session in your browser and it can target all EC2 instances, regardless of public/private IP or subnet. EC2 instances have to be running an up to date version of the SSM Agent and must have been launched with an appropriate IAM role (including the key policies from AmazonEC2RoleForSSM).

The second option to consider is AWS Systems Manager Run Command which allows you to run commands remotely on your EC2 instances. It's not interactive like SSH but if you simply want to run a sequence of scripts then it's very good. Again, the instance has to be running the SSM Agent and have an appropriate IAM policy, and this option avoids the need to tunnel through bastion hosts.

Finally, if you really must SSH from your office laptop to an EC2 instance in a private subnet you need a few things:

IGW and NAT in the VPC
bastion host with public IP in the VPC's public subnet
security group on the bastion allowing inbound SSH from your laptop
a default route from the private subnet to the NAT
security group on the private EC2 instance that allows inbound SSH from the bastion

Then you have to tunnel through the bastion host. See Securely Connect to Linux Instances Running in a Private Amazon VPC for more.

Collected from the Internet

Please contact [email protected] to delete if infringement.

edited at2020-11-18

Comments

0 comments

TOP Ranking

Article

SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC

SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC

Loopback Error: connect ECONNREFUSED 127.0.0.1:3306 (MAMP)

Can't pre-populate phone number and message body in SMS link on iPhones when SMS app is not running in the background

pump.io port in URL

How to import an asset in swift using Bundle.main.path() in a react-native native module

Failed to listen on localhost:8000 (reason: Cannot assign requested address)

Spring Boot JPA PostgreSQL Web App - Internal Authentication Error

Emulator wrong screen resolution in Android Studio 1.3

3D Touch Peek Swipe Like Mail

Double spacing in rmarkdown pdf

Svchost high CPU from Microsoft.BingWeather app errors

How to how increase/decrease compared to adjacent cell

Using Response.Redirect with Friendly URLS in ASP.NET

java.lang.NullPointerException: Cannot read the array length because "<local3>" is null

BigQuery - concatenate ignoring NULL

How to fix "pickle_module.load(f, **pickle_load_args) _pickle.UnpicklingError: invalid load key, '<'" using YOLOv3?

ngClass error (Can't bind ngClass since it isn't a known property of div) in Angular 11.0.3

Can a 32-bit antivirus program protect you from 64-bit threats

Make a B+ Tree concurrent thread safe

Bootstrap 5 Static Modal Still Closes when I Click Outside

Vector input in shiny R and then use it

Assembly definition can't resolve namespaces from external packages