Methods Of Accessing EC2 In Private Subnet

baraamohamed2311

Baraa Mohamed

Posted on November 26, 2024

Methods Of Accessing EC2 In Private Subnet

Bastion - VPC - AWS - Archeticture

Accessing Private EC2 Instances in AWS: A Guide

Cloud architectures commonly use public and private subnets to balance accessibility and security. Public subnets host resources like bastion hosts or load balancers, while private subnets house sensitive workloads such as application servers. This setup ensures a secure environment, as private EC2 instances are only accessible through specific configurations.

Two Approaches to Access Private EC2 Instances

Depending on your requirements, you can access an EC2 instance in a private subnet through one of two methods: SSH access or traffic forwarding.


Method 1: SSH Access to a Private EC2

This method is ideal for performing configurations or debugging directly on the private EC2 instance.

Steps:

  1. Start the SSH-Agent to manage your private keys:

    eval "$(ssh-agent -s)"
    
  2. Add the private EC2 key to the agent:

    ssh-add <file-key-of-private-app>
    
  3. Connect to the bastion host in the public subnet, forwarding the SSH-Agent:

    ssh -v -i <file-key-of-bastion> -A <public-instance>
    
  4. From the bastion host, SSH into the private EC2:

    ssh -v -i <file-key-of-private-app> <private-instance>
    

By forwarding the agent (-A), you securely authenticate to the private instance without transferring your private keys.


Method 2: Port Forwarding

If you need to access a service (e.g., Jenkins) running on the private EC2, port forwarding allows you to securely forward traffic through the bastion host.

Example: Forwarding Jenkins Dashboard

  1. Start the SSH-Agent and add the private key:

    eval "$(ssh-agent -s)"
    ssh-add <file-key-of-private-app>
    
  2. Forward traffic from port 8080 on the private EC2 to port 4040 on your local machine:

    ssh -v -i <file-key-of-bastion> -A -L 4040:<ip-of-private-jenkins-ec2>:8080 <public-instance>
    
  3. Open http://localhost:4040 in your browser to access the Jenkins dashboard.

Note:

To retrieve the Jenkins setup password, use:

sudo cat /var/lib/jenkins/secrets/initialAdminPassword
Enter fullscreen mode Exit fullscreen mode

This approach avoids exposing Jenkins to the internet, improving security.


Best Practices

  • Use SSH-Agent to securely store keys during your session.
  • Enable agent forwarding (A) only when necessary to minimize security risks.
  • Clean up your SSH session by removing keys after use:

    ssh-add -D
    

Conclusion

With these methods, you can securely access private EC2 instances while maintaining a robust and secure cloud architecture.

💖 💪 🙅 🚩
baraamohamed2311
Baraa Mohamed

Posted on November 26, 2024

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related