Connect to Linux EC2 instances in a private subnet on AWS - using Session Manager instead of a bastion host
1.Before:
If we want to connect to an instance in a private subnet on AWS, we first have to set up a bastion server.
2.After:
3.Benefit:
We don't have to manage a bastion anymore.
We save the cost of running the bastion.
4.Prerequisite:
On AWS: configure the SSM VPC endpoints and an IAM role.
On local: verify that the AWS CLI is installed.
On instance: verify that SSM Agent is installed on the instance.
Port 443 (HTTPS) is open in the EC2 security group.
4.1 Configure SSM VPC endpoint
Create the 3 VPC endpoints as below:
1. For Service Name, select com.amazonaws.[region].ssm (for example, com.amazonaws.us-east-1.ssm).
2. For Service Name, select com.amazonaws.[region].ec2messages.
3. For Service Name, select com.amazonaws.[region].ssmmessages. This one is required if you want to use Session Manager.
4.2 Create Role and attach Role to EC2
The EC2 instance should be rebooted so that the instance role takes effect quickly.
4.3 Configure EC2 Security Group
4.4 Configure a user
Attach the policy as below:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
or you can write any policy that fits your scenario.
4.5 Connect to EC2 in a private subnet through the AWS CLI
Steps:
4.5.1 On local side, run the AWS CLI command as below:
aws ssm start-session --target <instance-id>
Command reference: https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-working-with-sessions-start.html#sessions-start-cli
- Replace <instance-id> with the ID of the instance you want to connect to.
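Two things commonly go wrong at this step: the placeholder <instance-id> is pasted literally, and the Session Manager plugin that the AWS CLI needs for start-session is not installed locally. The script below is an added example (not from the original post) that checks both before running the command shown above; the instance ID it uses by default is a constructed placeholder.

```python
"""Preflight for `aws ssm start-session`: validate the target ID and confirm the
local tools exist before invoking the CLI. Added example with placeholder values."""
import re
import shutil
import subprocess
import sys

# EC2 instance IDs are "i-" followed by 8 (legacy) or 17 lowercase hex characters.
INSTANCE_ID_RE = re.compile(r"^i-[0-9a-f]{8}(?:[0-9a-f]{9})?$")

# `aws ssm start-session` hands the connection to the Session Manager plugin binary.
REQUIRED_TOOLS = ("aws", "session-manager-plugin")


def valid_instance_id(value: str) -> bool:
    """Reject placeholders such as "<instance-id>" before they reach the CLI."""
    return INSTANCE_ID_RE.fullmatch(value) is not None


def missing_tools(tools=REQUIRED_TOOLS) -> list:
    """Names of required executables that are not on PATH."""
    return [tool for tool in tools if shutil.which(tool) is None]


def start_session_command(instance_id: str, region: str = None) -> list:
    """Build the argv for the command from the post; --region is optional."""
    if not valid_instance_id(instance_id):
        raise ValueError(f"not an EC2 instance ID: {instance_id!r}")
    cmd = ["aws", "ssm", "start-session", "--target", instance_id]
    if region:
        cmd += ["--region", region]
    return cmd


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "i-0123456789abcdef0"  # placeholder
    absent = missing_tools()
    if absent:
        sys.exit(f"missing on PATH: {', '.join(absent)}")
    # Opens an interactive shell on the instance through Session Manager.
    subprocess.run(start_session_command(target), check=False)
```

Run it as `python preflight.py i-xxxxxxxxxxxxxxxxx`; it exits with a message instead of a confusing CLI error when the plugin is absent or the ID is malformed.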
4.5.2 Connect to the Linux instance from the EC2 console
Congratulations!! We connected to the instance in the private subnet without a bastion!!