Running EC2 instances in private subnets, with no public IP address, has become standard practice. The usual way to reach them has been a bastion host: an instance with a public IP that you SSH to first and then hop from. That bastion is one more Internet-exposed server to patch, monitor and protect. This post shows how to connect to private EC2 instances without one, using AWS Systems Manager (SSM) Session Manager together with the SSH ProxyCommand option, and what to check so the setup stays secure.
So you have an EC2 instance in a private subnet, with no public IP address. Everything is fine until you need to reach it from outside the VPC. Now what? The classic answer is a bastion host with a public Elastic IP address that you SSH to and hop from.
But hold on, do you really need a bastion host? No. AWS Systems Manager (SSM) Session Manager can take its place: you connect to fleets of EC2 instances through the AWS API using the AWS CLI, and nothing extra is exposed to the Internet.
Let's dive in and explore what you can do with SSM and the AWS CLI to connect to your EC2 instances, with no jump server in the picture.
Prerequisites
This post will serve as a lesson with practical examples. If you want to follow along, make sure you have these items:
- OpenSSH on your local computer – On Windows, install the most recent version of OpenSSH (8.1p1 at the time of writing). Some of the SSH examples below will not work on older Windows builds of OpenSSH, which do not launch executables from the system path; the ProxyCommand step depends on that.
- A Linux EC2 instance with no public IP address – This tutorial uses AMI ID ami-090846e63eb748bc4, but any Linux AMI that ships the SSM Agent will do. The instance is named ssm-ssh-demo-instance and lives in the us-east-1 region. If you want to follow along on Ubuntu, use one of the official Canonical Amazon Machine Images (AMIs).
- The AWS CLI installed on your local computer and signed in to your AWS account – v2 is used in this tutorial.
- An AWS IAM role with the AmazonSSMManagedInstanceCore AWS-managed policy attached, assigned to the EC2 instance as its instance profile – The instance needs this role to register with SSM and to use Session Manager.
- An AWS IAM user to run the CLI commands – This tutorial uses a user with the AmazonSSMFullAccess policy attached, which is far broader than this workflow needs; for anything beyond a demo, scope it down (at a minimum, restrict ssm:StartSession to specific instances or tags and to the AWS-StartSSHSession document).
- A Virtual Private Cloud (VPC) with a private subnet and a NAT gateway – This tutorial uses VPC vpc-025553dbb3ae36904 and private subnet subnet-09933dcee9e3f4226. The NAT gateway gives the SSM Agent outbound access to the Systems Manager endpoints; if you want no Internet egress from the subnet at all, VPC interface endpoints for ssm, ssmmessages and ec2messages work instead.
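As an added example (not part of the original post), here is a least-privilege alternative to AmazonSSMFullAccess for the IAM user who starts sessions, written as a shell function that writes the policy document to a file. It assumes the us-east-1 region from the prerequisites, an account ID passed as the second argument, and a tag key/value of ssm-ssh=allowed (a constructed convention) placed on the instances you want reachable this way; the ARN forms and condition keys are the ones AWS documents for Session Manager.

```sh
#!/bin/sh
# write_session_policy FILE ACCOUNT_ID
# Writes an IAM policy that lets a user start SSH-over-SSM sessions only to
# instances in us-east-1 carrying the (assumed) tag ssm-ssh=allowed, only with
# the AWS-StartSSHSession document, and manage only their own sessions.
write_session_policy() {
  cat > "$1" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionToTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:us-east-1:$2:instance/*",
      "Condition": { "StringEquals": { "ssm:resourceTag/ssm-ssh": "allowed" } }
    },
    {
      "Sid": "OnlyTheSshSessionDocument",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ssm:us-east-1::document/AWS-StartSSHSession",
      "Condition": { "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" } }
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": [ "ssm:TerminateSession", "ssm:ResumeSession" ],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    },
    {
      "Sid": "ReadOnlyLookupsForTheCli",
      "Effect": "Allow",
      "Action": [
        "ssm:DescribeSessions",
        "ssm:GetConnectionStatus",
        "ssm:DescribeInstanceInformation",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
```

Attach it to the user with `aws iam put-user-policy --user-name <User> --policy-name ssm-ssh-only --policy-document file://<File>`. Compared with AmazonSSMFullAccess, this user cannot run ssm:SendCommand (so they cannot undo the sudoers hardening later in this post), cannot open a session with the plain shell document, and cannot terminate anyone else's session.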
Adding an EC2 Instance to SSM Inventory
Now that your EC2 instance is running without a public IP address, it's time to build the solution that uses SSM to connect to it. We don't need no stinkin' AWS bastion host, after all!
"What's the worst that can happen if your EC2 instance has a public IP address?" Quite a lot: hostile actors continuously scan the published AWS IP ranges for open ports, and AWS's own security best practices recommend not assigning a public IP address to any instance that doesn't need to serve Internet traffic.
AWS Systems Manager (SSM) was built to manage large fleets of resources: patching groups of EC2 instances, for example, or tracking compliance with company policies.
SSM relies on an agent installed on each EC2 instance, and that agent serves two purposes: it reports information back to SSM, and, more importantly here, it lets an AWS user or role with the right permissions open a shell on the instance.
SSM does not use SSH for these shells. Its sessions run over the agent's own channel to the Systems Manager service. This is an important point to keep in mind for what follows.
Let's get started by adding an EC2 instance to SSM. To do so:
1. Open the AWS Management Console in your preferred web browser.
2. Go to the Systems Manager service page.
3. In the left navigation, under Node Management, select Inventory.
4. Click the orange Setup Inventory button. This takes you to a page where you configure which instances to collect inventory from.
5. Under Targets, choose Manually selecting instances. You must supply some selection criteria: all managed instances, a tag, or individual instances. For simplicity, pick the single demo instance.
Once you've chosen how to pick the target, select the EC2 instance you want to onboard to SSM.
When you're done, scroll down, accept the parameter defaults, and click Setup Inventory.
After you click Setup Inventory, the SSM Agent on the instance (preinstalled on Amazon Linux and on the official Ubuntu AMIs) starts collecting inventory and reporting it to AWS. If the instance never shows up, check the two things the agent needs: the instance role with AmazonSSMManagedInstanceCore attached, and a network path to the Systems Manager endpoints (the NAT gateway or VPC endpoints from the prerequisites).
When that finishes, the instance should appear under the Managed instances tab on the Fleet Manager page. You're one step closer to connecting to your private EC2 instance without an AWS bastion host!
Limiting the Permissions of the SSM Agent
Depending on the AMI, when the SSM Agent runs on a new Linux instance it creates the ssm-user account and drops a rule for it into /etc/sudoers.d, granting that account full passwordless sudo (in effect, root) on the instance. SSM uses this user to log in and run its automated operations.
You won't set up SSM for any automated management tasks in this tutorial. You're only using SSM to open an interactive shell, so ssm-user doesn't need root. Let's take its rule out of the sudoers file. You can do this with the SSM Run Command feature. Keep in mind that this is hardening of the interactive shell, not a security boundary: the SSM Agent itself runs as root, so any principal allowed to call ssm:SendCommand on the instance can put the rule back. If you need sessions to run as a specific, limited OS user, Session Manager's "run as" setting is the supported way to do that.
The AWS documentation describes the sudoers file involved and the removal steps in more detail.
1. On the SSM Run Command page, select the instance you just onboarded to SSM.
2. Choose AWS-RunShellScript as the Command document and enter the following in the Commands box under Command parameters:
cd /etc/sudoers.d
echo "# User rules for ssm-user" > ssm-agent-users
3. Run the command. It overwrites the agent's sudoers fragment so that only the comment line remains. When it finishes, /etc/sudoers.d/ssm-agent-users on the EC2 instance should contain just:
# User rules for ssm-user
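The same change as a script you could paste into AWS-RunShellScript, added here as an example that is not part of the original post. It assumes the file name /etc/sudoers.d/ssm-agent-users and its contents as described in the AWS documentation; both functions take the sudoers directory as a parameter so you can exercise them against a scratch copy before running them on an instance.

```sh
#!/bin/sh
# ssm_user_has_sudo DIR
# Returns 0 if DIR/ssm-agent-users still holds an active (uncommented) rule
# for ssm-user, i.e. the account still has the NOPASSWD sudo grant.
ssm_user_has_sudo() {
  grep -qs '^[[:space:]]*ssm-user' "$1/ssm-agent-users"
}

# harden_ssm_user DIR
# Replaces DIR/ssm-agent-users with a file that contains only the comment
# header, so ssm-user keeps its login but loses sudo.
harden_ssm_user() {
  dir="$1"
  target="$dir/ssm-agent-users"
  # Write to a temp name first, then mv: sudo ignores sudoers.d entries whose
  # name contains a '.', so a half-written fragment is never parsed, and the
  # rename is atomic. Mode 0440 matches what sudo expects for these files.
  tmp="$target.tmp"
  printf '# User rules for ssm-user\n' > "$tmp" || return 1
  chmod 0440 "$tmp" || return 1
  mv "$tmp" "$target" || return 1
  # On a real instance, have visudo check the whole sudoers tree afterwards.
  if [ "$dir" = /etc/sudoers.d ] && command -v visudo >/dev/null 2>&1; then
    visudo -c >/dev/null || return 1
  fi
  return 0
}
```

To apply it, paste the two functions into the Commands box followed by the line `harden_ssm_user /etc/sudoers.d`, or pass the same text as the commands parameter of `aws ssm send-command --document-name AWS-RunShellScript --targets Key=InstanceIds,Values=<InstanceID>`. Run `ssm_user_has_sudo /etc/sudoers.d` afterwards (it should return 1) to confirm the grant is gone.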
Creating an SSM Session with the AWS CLI
You now have an EC2 instance onboarded to SSM and ready to connect to (no AWS bastion host in sight)! But you're not done yet. This article shows how to connect to private EC2 instances from the AWS CLI, and to do that the CLI needs to open a WebSocket to the Session Manager service, which relays the session to the SSM Agent on the instance.
That WebSocket is handled by the Session Manager plugin for the AWS CLI. The plugin provides the components the CLI uses to start and end SSM sessions. Because it isn't as widely used as the rest of the CLI, it isn't installed by default.
Install the Session Manager plugin and start a session as follows:
1. On your local computer, open a terminal.
2. Install the Session Manager plugin by following the AWS documentation for your platform. It only takes a minute.
3. Run the aws ssm start-session command with the --target argument set to the ID of the EC2 instance you added to SSM earlier:
aws ssm start-session --target i-072d83b52710f0ae5
On the backend, AWS authorizes the call with the IAM credentials your AWS CLI is using, and the SSM Agent on the instance opens a shell as ssm-user.
At this point you're connected to the EC2 instance through SSM, not SSH. What you get is a basic shell, not the login environment you're used to, and SSH features such as scp, port forwarding and agent forwarding aren't available. Next, you'll use an SSM session of this kind as the transport for a real SSH connection, still without an AWS bastion host.
Connecting to the Instance with SSH
You now have an SSM session that reaches the EC2 instance. Only one step remains: running SSH over that SSM session, with no Linux bastion host in between.
When you connect to an SSH host from the command line, you normally use the command below, giving the (optional) key file from the key pair, the username, and the IP address:
ssh -i <KeyFile> <RemoteUsername>@<IPAddress>
But if you're coming in from the Internet and the EC2 instance has no public IP address, that won't work. Instead, you use the ProxyCommand SSH option to proxy the connection through an SSM session.
The ProxyCommand client option tells SSH to reach the remote host through a completely separate process instead of opening a TCP connection itself. Because the SSH client cannot reach the EC2 instance directly, it relies on an SSM session opened for it.
To use ProxyCommand, you tell the SSH client how to launch the external process it will tunnel through. Run the following command to connect to the private EC2 instance with your SSH client, using an SSM session in place of a bastion host. <RemoteUsername> is the AMI's default login (ubuntu on the Canonical images), <InstanceID> is the instance ID, and <KeyFile> is the private half of the key pair the instance was launched with:
ssh -i <KeyFile> -o ProxyCommand="sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession\"" <RemoteUsername>@<InstanceID>
Note the escaped (\") double quotes around the inner command.
When you start the SSH client with the command above, a few things happen:
1. The SSH client reads the value you gave for InstanceID.
2. It substitutes that value for the host placeholder (%h) in the ProxyCommand string, producing:
aws ssm start-session --target InstanceID --document-name AWS-StartSSHSession
3. It launches a new shell with sh -c and tells that shell to run the expanded aws ssm start-session command, which opens a new SSM session using the AWS-StartSSHSession document.
4. Once the SSM session is up, the SSH client runs its normal handshake through it, so everything that passes over the SSM channel is additionally encrypted end to end by SSH.
One consequence to be aware of: because SSH encrypts the session contents, Session Manager's session logging (to CloudWatch Logs or S3) cannot record what you type or see in sessions started this way, only that the session happened; the ssm:StartSession call itself is still recorded in CloudTrail. If you rely on session recording for audit, use plain Session Manager shells for interactive work and reserve SSH-over-SSM for what actually needs it, such as scp.
If you want to use PowerShell instead of sh, change sh -c to powershell -c or pwsh -c, depending on the PowerShell version you’re using.
As written, you'd have to type that long command every time you connect to the instance through SSM. To avoid that, add the ProxyCommand to your SSH config file (~/.ssh/config on Linux/macOS, %USERPROFILE%\.ssh\config on Windows).
Add the following stanza to your SSH config file. The host line matches any hostname that starts with i- or mi- (EC2 instance IDs and SSM managed-instance IDs), so the ProxyCommand applies only to SSH connections to those targets and never to ordinary hosts. The %p token passes the SSH port through, so a non-default Port setting still works:
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
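To make the %h/%p expansion and the host-pattern scoping concrete, here is an added example (not code from the original post): a small POSIX shell wrapper that applies the same i-*/mi-* rule as the config stanza, checks that the Session Manager plugin is installed before ssh is even started, and writes the stanza to a config file. Function names and the error codes are mine; the aws and ssh invocations are the ones used on this page.

```sh
#!/bin/sh
# build_proxy_command HOST PORT
# Prints exactly what the SSH client runs after substituting %h and %p into
# the ProxyCommand from the config stanza.
build_proxy_command() {
  printf 'aws ssm start-session --target %s --document-name AWS-StartSSHSession --parameters portNumber=%s\n' "$1" "$2"
}

# is_ssm_target HOST
# Same glob as "host i-* mi-*": only EC2 instance IDs and SSM managed-instance
# IDs are routed through SSM; anything else gets a normal TCP connection.
is_ssm_target() {
  case "$1" in
    i-*|mi-*) return 0 ;;
    *)        return 1 ;;
  esac
}

# write_ssm_ssh_config FILE
# Appends the stanza from the post to FILE (normally ~/.ssh/config).
write_ssm_ssh_config() {
  cat >> "$1" <<'EOF'
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
EOF
}

# ssm_ssh USER HOST [PORT]
# Fails fast with a clear message instead of a confusing ssh error when the
# target is not an instance ID or the plugin that start-session needs is absent.
# ssh executes ProxyCommand via the user's shell, so %h/%p are left for it to expand.
ssm_ssh() {
  user="$1"; host="$2"; port="${3:-22}"
  if ! is_ssm_target "$host"; then
    echo "ssm_ssh: '$host' is not an i-/mi- identifier; the SSM ProxyCommand would not apply" >&2
    return 2
  fi
  if ! command -v session-manager-plugin >/dev/null 2>&1; then
    echo "ssm_ssh: session-manager-plugin is not installed; see the AWS documentation" >&2
    return 3
  fi
  exec ssh -o ProxyCommand="$(build_proxy_command %h %p)" -p "$port" "$user@$host"
}
```

Source the file and run `ssm_ssh ubuntu i-072d83b52710f0ae5` to connect; because the %h token is substituted by ssh, the same wrapper works for any instance ID without editing the command.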
Conclusion
Using AWS Systems Manager Session Manager together with the SSH ProxyCommand option, you can now reach private EC2 instances over SSH without running a bastion host. The instance keeps no public IP address, access is gated by IAM rather than by an Internet-exposed SSH port, and every session start is recorded in CloudTrail. It isn't the most glamorous setup, but if you can show how it tightens access to development servers, your employer may well be impressed!
How do you plan to use this SSM/SSH trick in your environment?