[英]SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC
I've been going at this problem for a couple of hours and maybe its not possible, maybe it is.我已经解决这个问题几个小时了,也许不可能,也许是。
I have a VPC in AWS, with a couple of EC2 instances and Lambda Instances.我在 AWS 中有一个 VPC,有几个 EC2 实例和 Lambda 实例。
As of right now, The lambda can invoke, ssh and so on to the EC2 server without a problem.截至目前,lambda 可以毫无问题地调用、ssh 等到 EC2 服务器。
My lambdas are using a security group with only HTTP, HTTPS AND SSH in "Outbound".我的 lambdas 在“出站”中使用只有 HTTP、HTTPS 和 SSH 的安全组。
My ec2 default security group only accepts 22 inbound (From my Lambda security group, AND my office IP).我的 ec2 默认安全组只接受 22 个入站(来自我的 Lambda 安全组和我的办公室 IP)。
If i create an ec2 instance on my public subnet, both me and my lambda functions can access it through ssh.如果我在我的公共子网上创建一个 ec2 实例,我和我的 lambda 函数都可以通过 ssh 访问它。
If i create it on my PRIVATE subnet, my lambdas can ssh but i CANT...如果我在我的私有子网上创建它,我的 lambdas 可以 ssh 但我不能...
Do i really have to have a NAT SERVER in order to achieve this?我真的必须有一个 NAT SERVER 才能实现这一目标吗?
TL:DR; TL:博士; Only my office and my lambdas should have access to my ec2 instances.
只有我的办公室和我的 lambdas 应该可以访问我的 ec2 实例。
First option to consider for SSH access to EC2 instances should be AWS Systems Manager Session Manager for Shell Access to EC2 Instances . SSH 访问 EC2 实例时要考虑的第一个选项应该是AWS Systems Manager Session Manager for Shell Access to EC2 Instances 。 It's potentially a big deal.
这可能是一件大事。 No more bastions, no more firewall rules allowing inbound port 22. You basically run an SSH session in your browser and it can target all EC2 instances, regardless of public/private IP or subnet.
不再有堡垒,不再有允许入站端口 22 的防火墙规则。您基本上在浏览器中运行 SSH 会话,它可以针对所有 EC2 实例,而不管公共/私有 IP 或子网。 EC2 instances have to be running an up to date version of the SSM Agent and must have been launched with an appropriate IAM role (including the key policies from AmazonEC2RoleForSSM).
EC2 实例必须运行最新版本的 SSM 代理,并且必须使用适当的 IAM 角色(包括来自 AmazonEC2RoleForSSM 的关键策略)启动。
The second option to consider is AWS Systems Manager Run Command which allows you to run commands remotely on your EC2 instances.要考虑的第二个选项是AWS Systems Manager Run Command ,它允许您在 EC2 实例上远程运行命令。 It's not interactive like SSH but if you simply want to run a sequence of scripts then it's very good.
它不像 SSH 那样具有交互性,但如果您只想运行一系列脚本,那么它非常好。 Again, the instance has to be running the SSM Agent and have an appropriate IAM policy, and this option avoids the need to tunnel through bastion hosts.
同样,实例必须运行 SSM 代理并具有适当的 IAM 策略,并且此选项避免了通过堡垒主机建立隧道的需要。
Finally, if you really must SSH from your office laptop to an EC2 instance in a private subnet you need a few things:最后,如果您真的必须从办公室笔记本电脑通过 SSH 连接到私有子网中的 EC2 实例,您需要做一些事情:
Then you have to tunnel through the bastion host.然后你必须通过堡垒主机隧道。 See Securely Connect to Linux Instances Running in a Private Amazon VPC for more.
有关更多信息,请参阅安全连接到在私有 Amazon VPC 中运行的 Linux 实例。
Create a Bastion host.创建堡垒主机。
This would be a public EC2 instance in a public subnet having the same security group as your private ec2 instance.这将是公共子网中的公共 EC2 实例,与您的私有 ec2 实例具有相同的安全组。
Ensure that traffic within the security group is allowed.确保允许安全组内的流量。 You can do this by creating an inbound rule for your security-group.
您可以通过为您的安全组创建入站规则来做到这一点。
Now in Windows 10, you can run the following though your command prompt :现在在 Windows 10 中,您可以通过命令提示符运行以下命令:
ssh -i your_private_key.pem ec2-user@private_ip -o "proxycommand ssh -W %h:%p -i your_private_key.pem ec2-user@public_ip"
ssh -i your_private_key.pem ec2-user@private_ip -o "proxycommand ssh -W %h:%p -i your_private_key.pem ec2-user@public_ip"
Replace the following 3 things in the command posted above :替换上面发布的命令中的以下 3 项内容:
您可以参考: https : //docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html您必须使用 NAT 网关来访问私有子网中的任何内容。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.