Connect to Windows EC2 instances in a private subnet on AWS — by System Manager instead of bastion
1. Before:
If we want to connect to an instance in an AWS private subnet, we first have to set up a bastion server.
2.After:
3. Benefit:
We don't have to manage a bastion anymore.
We save the cost of the bastion.
4. Prerequisite:
On the instance, please verify that:
SSM Agent is installed on the instance.
TCP port 443 is open in the EC2 security group (outbound, so the agent can reach the SSM endpoints).
4.1 Configure SSM VPC endpoints
Create the three interface VPC endpoints below:
1. For Service Name, select com.amazonaws.[region].ssm (for example, com.amazonaws.us-east-1.ssm).
2. For Service Name, select com.amazonaws.[region].ec2messages.
3. For Service Name, select com.amazonaws.[region].ssmmessages. This one is required if you want to use Session Manager.
4.2 Create a role and attach it to the EC2 instance
Reboot the instance so that the instance role takes effect quickly.
4.3 Configure EC2 Security Group
4.4 Configure a user
Attach the policy below:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ssm:StartSession"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Alternatively, write any policy that fits your scenario.
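The following script is an added example, not code from the original post, that carries out sections 4.1, 4.2 and 4.4 with the AWS CLI: it creates the three interface endpoints, the instance role with its instance profile, and the operator's policy. It goes one step beyond the policy shown above by scoping ssm:StartSession to a single instance and to the AWS-StartPortForwardingSession document instead of Resource "*". The managed policy AmazonSSMManagedInstanceCore, the role and policy names, and the environment variables carrying the VPC, subnet, security-group, account and instance ids are assumptions that do not come from the page.

```shell
#!/bin/sh
# Added example (not from the original post): provision sections 4.1, 4.2
# and 4.4 with the AWS CLI. Assumed (not on the page): the managed policy
# AmazonSSMManagedInstanceCore, the role/policy names below, and the ids of
# an existing VPC, subnet and endpoint security group passed via environment.
set -eu

ROLE_NAME=${ROLE_NAME:-SsmSessionInstanceRole}          # assumed name
POLICY_NAME=${POLICY_NAME:-SsmPortForwardToOneInstance} # assumed name

# --- pure helpers (no AWS calls) ------------------------------------------

# Service name of a Systems Manager interface endpoint, e.g.
#   endpoint_service us-east-1 ssmmessages -> com.amazonaws.us-east-1.ssmmessages
endpoint_service() {
  printf 'com.amazonaws.%s.%s\n' "$1" "$2"
}

# Trust policy that lets the EC2 service assume the instance role.
ec2_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}
EOF
}

# Operator policy, scoped down from the page's Resource "*": StartSession is
# allowed only for the named instance and only with the port-forwarding
# document, and the user may end or resume only sessions they started.
# Arguments: region account-id instance-id
start_session_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ec2:$1:$2:instance/$3",
        "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    }
  ]
}
EOF
}

# --- AWS CLI steps (run only when SSM_SETUP_APPLY=1) ----------------------

# 4.1: one interface endpoint per service, with private DNS so the agent's
# default endpoint hostnames resolve to addresses inside the VPC.
create_ssm_endpoints() {   # args: region vpc-id subnet-id endpoint-sg-id
  for svc in ssm ec2messages ssmmessages; do
    aws ec2 create-vpc-endpoint --region "$1" --vpc-id "$2" \
      --vpc-endpoint-type Interface \
      --service-name "$(endpoint_service "$1" "$svc")" \
      --subnet-ids "$3" --security-group-ids "$4" --private-dns-enabled
  done
}

# 4.2: instance role + profile, associated with the instance (reboot it after).
create_instance_role() {   # args: region instance-id
  aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document "$(ec2_trust_policy)"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME"
  aws iam add-role-to-instance-profile \
    --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --region "$1" --instance-id "$2" \
    --iam-instance-profile Name="$ROLE_NAME"
}

# 4.4: customer-managed policy to attach to the operator's IAM user.
create_operator_policy() { # args: region account-id instance-id
  aws iam create-policy --policy-name "$POLICY_NAME" \
    --policy-document "$(start_session_policy "$1" "$2" "$3")"
}

if [ "${SSM_SETUP_APPLY:-0}" = "1" ]; then
  : "${AWS_REGION:?}" "${VPC_ID:?}" "${SUBNET_ID:?}" "${ENDPOINT_SG_ID:?}" \
    "${ACCOUNT_ID:?}" "${INSTANCE_ID:?}"
  create_ssm_endpoints "$AWS_REGION" "$VPC_ID" "$SUBNET_ID" "$ENDPOINT_SG_ID"
  create_instance_role "$AWS_REGION" "$INSTANCE_ID"
  create_operator_policy "$AWS_REGION" "$ACCOUNT_ID" "$INSTANCE_ID"
fi
```

Run it with SSM_SETUP_APPLY=1 and the six environment variables set; without that variable it only defines the functions, so the generated policy documents can be inspected first. The endpoint security group passed in must allow inbound TCP 443 from the instances, which is the security-group side of this setup; with the scoped operator policy the user can open port-forwarding sessions to that one instance and nothing else.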
4.5 Connect to the EC2 instance in the private subnet with the AWS CLI
Steps:
4.5.1 On the local side, run the AWS CLI command below:
aws ssm start-session --target <instance-id> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=55678,portNumber=3389"
- Replace <instance-id> with the id of the instance you want to connect to.
- "localPortNumber=55678": you can change 55678 to any port that is available on your local machine.
4.5.2 Open Remote Desktop locally and enter "localhost:55678".
- "localhost:55678": use the same local port you chose in the command above.
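As an added example (not from the original post), the wrapper below automates step 4.5: it validates the local port, starts the port-forwarding session in the background, waits until the tunnel is actually listening, and only then launches the RDP client, closing the session when the client exits. It assumes the AWS CLI with the Session Manager plugin installed, nc for the listener check, and an RDP client named mstsc or xfreerdp on PATH; none of these command names come from the page.

```shell
#!/bin/sh
# Added example (not from the original post): wrap step 4.5 so the RDP
# client is only opened once the port-forwarding tunnel is up. Assumed
# tools (not on the page): aws + session-manager-plugin, nc, mstsc/xfreerdp.
set -eu

# True if the argument is an unprivileged TCP port (1024-65535).
valid_local_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Parameter string for AWS-StartPortForwardingSession, e.g.
#   forward_params 55678 3389 -> localPortNumber=55678,portNumber=3389
forward_params() {
  printf 'localPortNumber=%s,portNumber=%s\n' "$1" "$2"
}

# Wait up to $2 seconds for something to listen on 127.0.0.1:$1 (uses nc).
wait_for_listener() {
  i=0
  while [ "$i" -lt "$2" ]; do
    if nc -z 127.0.0.1 "$1" 2>/dev/null; then return 0; fi
    i=$((i + 1))
    sleep 1
  done
  return 1
}

# Open an RDP session to an instance through Session Manager.
# Arguments: instance-id [local-port, default 55678]
rdp_via_ssm() {
  instance=$1
  port=${2:-55678}
  valid_local_port "$port" || { echo "bad local port: $port" >&2; return 2; }
  aws ssm start-session --target "$instance" \
    --document-name AWS-StartPortForwardingSession \
    --parameters "$(forward_params "$port" 3389)" &
  session_pid=$!
  # The session process must stay alive for the whole RDP connection.
  trap 'kill "$session_pid" 2>/dev/null' EXIT INT TERM
  wait_for_listener "$port" 20 || { echo "tunnel did not come up" >&2; return 1; }
  if command -v mstsc >/dev/null 2>&1; then        # Windows client
    mstsc /v:"localhost:$port"
  elif command -v xfreerdp >/dev/null 2>&1; then   # Linux client
    xfreerdp /v:"localhost:$port"
  else
    echo "tunnel ready: point your RDP client at localhost:$port (Ctrl-C to close)" >&2
    wait "$session_pid"
  fi
}

# Only connect when a target is given, e.g.:
#   SSM_RDP_TARGET=i-0123456789abcdef0 SSM_RDP_PORT=55678 sh rdp-via-ssm.sh
if [ -n "${SSM_RDP_TARGET:-}" ]; then
  rdp_via_ssm "$SSM_RDP_TARGET" "${SSM_RDP_PORT:-55678}"
fi
```

Because the session is started in the background and tied to the script with a trap, the tunnel disappears as soon as the RDP client is closed, so no forwarded port is left listening on the workstation afterwards.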
Congratulations!! We connected to the instance in the private subnet without a bastion!!