
SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC

I've been going at this problem for a couple of hours and maybe it's not possible, maybe it is.

I have a VPC in AWS, with a couple of EC2 instances and Lambda instances.

As of right now, the Lambda can invoke, SSH and so on to the EC2 server without a problem.

My Lambdas are using a security group with only HTTP, HTTPS and SSH in "Outbound".

My EC2 default security group only accepts 22 inbound (from my Lambda security group, and my office IP).

If I create an EC2 instance on my public subnet, both I and my Lambda functions can access it through SSH.

If I create it on my PRIVATE subnet, my Lambdas can SSH but I CAN'T...

Do I really have to have a NAT server in order to achieve this?

TL;DR: Only my office and my Lambdas should have access to my EC2 instances.

The first option to consider for SSH access to EC2 instances should be AWS Systems Manager Session Manager for Shell Access to EC2 Instances. It's potentially a big deal. No more bastions, no more firewall rules allowing inbound port 22. You basically run an SSH session in your browser and it can target all EC2 instances, regardless of public/private IP or subnet. EC2 instances have to be running an up-to-date version of the SSM Agent and must have been launched with an appropriate IAM role (including the key policies from AmazonEC2RoleForSSM).

The second option to consider is AWS Systems Manager Run Command, which allows you to run commands remotely on your EC2 instances. It's not interactive like SSH, but if you simply want to run a sequence of scripts then it's very good. Again, the instance has to be running the SSM Agent and have an appropriate IAM policy, and this option avoids the need to tunnel through bastion hosts.

Finally, if you really must SSH from your office laptop to an EC2 instance in a private subnet, you need a few things:

  1. IGW and NAT in the VPC
  2. bastion host with public IP in the VPC's public subnet
  3. security group on the bastion allowing inbound SSH from your laptop
  4. a default route from the private subnet to the NAT
  5. security group on the private EC2 instance that allows inbound SSH from the bastion

Then you have to tunnel through the bastion host. See Securely Connect to Linux Instances Running in a Private Amazon VPC for more.
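The security-group requirements in this answer (bastion reachable on 22 only from the office IP, private instance reachable on 22 only from the bastion and Lambda groups) can be checked mechanically. The following is an added example, not code from the answer: it audits constructed data shaped like the EC2 DescribeSecurityGroups response, with made-up group IDs and a TEST-NET address standing in for the office IP.

```python
"""Audit which sources may reach port 22 in EC2 security groups (added example)."""
import ipaddress
# Constructed data in the shape of the EC2 DescribeSecurityGroups response.
# All group IDs and CIDRs are made up; 203.0.113.10 stands in for the office IP.
SAMPLE_GROUPS = [
    {"GroupId": "sg-bastion0001", "GroupName": "bastion-sg",      # SSH from office only
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.10/32"}]}]},
    {"GroupId": "sg-private0001", "GroupName": "private-ec2-sg",  # SSH from bastion/Lambda SGs
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-bastion0001"},
                                             {"GroupId": "sg-lambda0001"}]}]},
    {"GroupId": "sg-open0001", "GroupName": "wide-open-sg",       # all traffic from anywhere
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def _covers_port(perm, port):
    """True if an IpPermissions entry admits TCP traffic to `port`."""
    if perm["IpProtocol"] == "-1":   # -1 means "all traffic", so port 22 is included
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def ssh_sources(group):
    """Return the set of CIDRs and security-group IDs allowed to reach port 22."""
    sources = set()
    for perm in group["IpPermissions"]:
        if _covers_port(perm, 22):
            sources.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            sources.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return sources

def audit_ssh(groups, allowed_cidrs, allowed_sgs):
    """Map GroupId -> sorted unexpected SSH sources (empty dict means clean).
    A CIDR must be allow-listed and a single host; a group must be allow-listed."""
    findings = {}
    for g in groups:
        bad = set()
        for src in ssh_sources(g):
            ok = (src in allowed_sgs if src.startswith("sg-")
                  else src in allowed_cidrs and ipaddress.ip_network(src).num_addresses == 1)
            if not ok:
                bad.add(src)
        if bad:
            findings[g["GroupId"]] = sorted(bad)
    return findings
```

Feeding the real `SecurityGroups` list from `describe_security_groups` into `audit_ssh` reports any group that lets port 22 in from somewhere other than the office host and the bastion/Lambda groups.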

  1. Create a bastion host.

  2. This would be a public EC2 instance in a public subnet having the same security group as your private EC2 instance.

  3. Ensure that traffic within the security group is allowed. You can do this by creating an inbound rule for your security group.

  4. Now in Windows 10, you can run the following through your command prompt:

    ssh -i your_private_key.pem ec2-user@private_ip -o "proxycommand ssh -W %h:%p -i your_private_key.pem ec2-user@public_ip"

  5. Replace the following 3 things in the command posted above:

    • your_private_key
    • private_ip
    • public_ip

You can refer to: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html You must use a NAT gateway to access anything in the private subnet.
