Baraa Mohamed
Posted on November 26, 2024
Accessing Private EC2 Instances in AWS: A Guide
Cloud architectures commonly use public and private subnets to balance accessibility and security. Public subnets host resources like bastion hosts or load balancers, while private subnets house sensitive workloads such as application servers. This setup ensures a secure environment, as private EC2 instances are only accessible through specific configurations.
Two Approaches to Access Private EC2 Instances
Depending on your requirements, you can access an EC2 instance in a private subnet through one of two methods: SSH access or traffic forwarding.
Method 1: SSH Access to a Private EC2
This method is ideal for performing configurations or debugging directly on the private EC2 instance.
Steps:
-
Start the SSH-Agent to manage your private keys:
eval "$(ssh-agent -s)"
-
Add the private EC2 key to the agent:
ssh-add <file-key-of-private-app>
-
Connect to the bastion host in the public subnet, forwarding the SSH-Agent:
ssh -v -i <file-key-of-bastion> -A <public-instance>
-
From the bastion host, SSH into the private EC2:
ssh -v -i <file-key-of-private-app> <private-instance>
By forwarding the agent (-A
), you securely authenticate to the private instance without transferring your private keys.
Method 2: Port Forwarding
If you need to access a service (e.g., Jenkins) running on the private EC2, port forwarding allows you to securely forward traffic through the bastion host.
Example: Forwarding Jenkins Dashboard
-
Start the SSH-Agent and add the private key:
eval "$(ssh-agent -s)" ssh-add <file-key-of-private-app>
-
Forward traffic from port 8080 on the private EC2 to port 4040 on your local machine:
ssh -v -i <file-key-of-bastion> -A -L 4040:<ip-of-private-jenkins-ec2>:8080 <public-instance>
Open http://localhost:4040 in your browser to access the Jenkins dashboard.
Note:
To retrieve the Jenkins setup password, use:
sudo cat /var/lib/jenkins/secrets/initialAdminPassword
This approach avoids exposing Jenkins to the internet, improving security.
Best Practices
- Use SSH-Agent to securely store keys during your session.
- Enable agent forwarding (
A
) only when necessary to minimize security risks. -
Clean up your SSH session by removing keys after use:
ssh-add -D
Conclusion
With these methods, you can securely access private EC2 instances while maintaining a robust and secure cloud architecture.
Posted on November 26, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.