DEV Community

Baraa Mohamed
Baraa Mohamed

Posted on

Methods Of Accessing EC2 In Private Subnet

#aws #vpc #linux #ssh

Bastion - VPC - AWS - Archeticture

Accessing Private EC2 Instances in AWS: A Guide

Cloud architectures commonly use public and private subnets to balance accessibility and security. Public subnets host resources like bastion hosts or load balancers, while private subnets house sensitive workloads such as application servers. This setup ensures a secure environment, as private EC2 instances are only accessible through specific configurations.

Two Approaches to Access Private EC2 Instances

Depending on your requirements, you can access an EC2 instance in a private subnet through one of two methods: SSH access or traffic forwarding.

Method 1: SSH Access to a Private EC2

This method is ideal for performing configurations or debugging directly on the private EC2 instance.

Steps:

  1. Start the SSH-Agent to manage your private keys:

    eval "$(ssh-agent -s)"

  2. Add the private EC2 key to the agent:

    ssh-add <file-key-of-private-app>

  3. Connect to the bastion host in the public subnet, forwarding the SSH-Agent:

    ssh -v -i <file-key-of-bastion> -A <public-instance>

  4. From the bastion host, SSH into the private EC2:

    ssh -v -i <file-key-of-private-app> <private-instance>

By forwarding the agent (-A), you securely authenticate to the private instance without transferring your private keys.

Method 2: Port Forwarding

If you need to access a service (e.g., Jenkins) running on the private EC2, port forwarding allows you to securely forward traffic through the bastion host.

Example: Forwarding Jenkins Dashboard

  1. Start the SSH-Agent and add the private key:

    eval "$(ssh-agent -s)"
ssh-add <file-key-of-private-app>

  2. Forward traffic from port 8080 on the private EC2 to port 4040 on your local machine:

    ssh -v -i <file-key-of-bastion> -A -L 4040:<ip-of-private-jenkins-ec2>:8080 <public-instance>

  3. Open http://localhost:4040 in your browser to access the Jenkins dashboard.

Note:

To retrieve the Jenkins setup password, use:

sudo cat /var/lib/jenkins/secrets/initialAdminPassword
Enter fullscreen mode Exit fullscreen mode

This approach avoids exposing Jenkins to the internet, improving security.

Best Practices

  • Use SSH-Agent to securely store keys during your session.
  • Enable agent forwarding (A) only when necessary to minimize security risks.

  • Clean up your SSH session by removing keys after use:

    ssh-add -D

Conclusion

With these methods, you can securely access private EC2 instances while maintaining a robust and secure cloud architecture.

Top comments (0)

Read next

ajcastillo profile image

C4 Model en la Nube: Implementación Práctica con AWS y Terraform

Antonio Jesús Castillo Cotán -

imzihad21 profile image

Setting Up a VPS Server with Docker, Nginx Proxy Manager, and Portainer

Mofajjal Rasul -

ervin_szilagyi profile image

How to Build a BlueSky RSS-like Bot with AWS Lambda and Terraform

Ervin Szilagyi -

hamilldivyesh profile image

Choosing a VPS/VDS Server in 2024: My TOP-4 Picks

hamill -