I'm using the new (June 2019) EC2 browser SSH connect feature to shell into an EC2 instance. This is very convenient, since I'm on Windows and it's annoying to configure PuTTY with AWS auth, and the legacy browser SSH offering never worked right for me.
I can connect to an EC2 instance through the AWS console as below,
and it works perfectly if SSH is enabled for any IP address. However, when I set the SSH security group rule to my IP address, the SSH shell simply hangs.
I've confirmed this is my correct public IP address, and I've also tried with my private IPv4 address - no luck. However, when setting the CIDR block to anywhere, the connection works fine.
I figured maybe this new feature uses a proxy shell somewhere, so I'd have to allow access to the address of this intermediary.
I'm doing this from my home office desktop, not from an enterprise or sophisticated environment, and using my root AWS credentials (yes, I know this is a worst practice).
Ah! The wonderful new AWS EC2 Instance Connect service. Good to see you're using it!
EC2 Instance Connect works by establishing an HTTPS connection between your web browser (running on your computer) and the backend EC2 Instance Connect service. Then, EC2 Instance Connect establishes a "mostly normal" SSH connection to the target instance. (The slight difference is the way a temporary key is pushed to the instance.)
As a result, the connection appears to be coming from the EC2 Instance Connect service rather than your own computer!
Therefore, instead of accepting a connection from "My IP", the security group on the EC2 instance should allow inbound connections from the EC2 Instance Connect service.
You can obtain the relevant IP address range from AWS IP Address Ranges. This is a JSON file that provides IP ranges for each AWS service.
For example, here is the range for the Sydney region:
```json
{
  "ip_prefix": "13.239.158.0/29",
  "region": "ap-southeast-2",
  "service": "EC2_INSTANCE_CONNECT"
}
```
Thus, you could put this CIDR in the security group and it would enable EC2 Instance Connect within the Sydney region. (Consult the https://ip-ranges.amazonaws.com/ip-ranges.json file for the relevant range in your region.)
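Putting the lookup from the answer into a script, as an added example that is not part of the original answer: it filters ip-ranges.json for the EC2_INSTANCE_CONNECT entries of one region and prints the `aws ec2 authorize-security-group-ingress` call that opens TCP/22 to just those prefixes. The embedded sample data is constructed so the script runs offline (the Sydney prefix is the one quoted above; the other prefixes are RFC 5737 documentation addresses standing in for real ranges), and the security group ID is a placeholder.

```python
"""Select the EC2_INSTANCE_CONNECT CIDRs for a region from ip-ranges.json
and build the security-group ingress rule that allows them on TCP/22.

Added example, not from the original answer. `--live` fetches the same
file the answer points to; without it the constructed sample below is used.
"""
import ipaddress
import json
import sys
import urllib.request
from typing import List

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the real file's shape. Only the Sydney entry is a
# real prefix (quoted in the answer); the rest are RFC 5737 placeholders.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2019-06-27-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.239.158.0/29", "region": "ap-southeast-2",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-southeast-2"},
        {"ip_prefix": "192.0.2.0/29", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "ap-southeast-2",
         "service": "EC2", "network_border_group": "ap-southeast-2"},
        {"ip_prefix": "203.0.113.0/24", "region": "ap-southeast-2",
         "service": "AMAZON", "network_border_group": "ap-southeast-2"},
    ],
})


def instance_connect_cidrs(ip_ranges_json: str, region: str) -> List[str]:
    """Return the EC2_INSTANCE_CONNECT IPv4 prefixes for one region.

    Filter on service AND region: the EC2 and AMAZON entries for the same
    region are far broader than what the console SSH client connects from.
    """
    data = json.loads(ip_ranges_json)
    cidrs = [
        p["ip_prefix"]
        for p in data["prefixes"]
        if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region
    ]
    # Reject anything malformed before it is pasted into a CLI command.
    for cidr in cidrs:
        ipaddress.IPv4Network(cidr)
    return sorted(cidrs)


def authorize_command(security_group_id: str, cidrs: List[str]) -> str:
    """Build the AWS CLI call that opens TCP/22 to exactly those prefixes."""
    ranges = ",".join(
        f'{{CidrIp={c},Description="EC2 Instance Connect"}}' for c in cidrs
    )
    return (
        "aws ec2 authorize-security-group-ingress "
        f"--group-id {security_group_id} "
        f"--ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,IpRanges='[{ranges}]'"
    )


def main() -> None:
    live = "--live" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--live"]
    region = args[0] if args else "ap-southeast-2"
    sg_id = args[1] if len(args) > 1 else "sg-0123456789abcdef0"  # placeholder ID
    if live:
        with urllib.request.urlopen(IP_RANGES_URL) as resp:
            body = resp.read().decode()
    else:
        body = SAMPLE_IP_RANGES
    cidrs = instance_connect_cidrs(body, region)
    if not cidrs:
        sys.exit(f"no EC2_INSTANCE_CONNECT prefixes for {region}")
    print(authorize_command(sg_id, cidrs))


if __name__ == "__main__":
    main()
```

Run it as `python eic_sg.py ap-southeast-2 sg-xxxxxxxx --live` to work from the current published file rather than the sample. Two caveats worth keeping in mind: the published ranges change, so re-check `createDate` when a rule that used to work starts hanging again; and once the service range is allowed, the source-IP rule no longer says anything about who is connecting, so per-instance access rests on the instance's sshd configuration and on who holds the `ec2-instance-connect:SendSSHPublicKey` IAM permission for it.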