SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC

I've been going at this problem for a couple of hours and maybe it's not possible, maybe it is.

I have a VPC in AWS, with a couple of EC2 instances and Lambda Instances.

As of right now, the Lambda can invoke, SSH and so on to the EC2 server without a problem.

My lambdas are using a security group with only HTTP, HTTPS AND SSH in "Outbound".

My ec2 default security group only accepts 22 inbound (From my Lambda security group, AND my office IP).

If I create an EC2 instance on my public subnet, both me and my Lambda functions can access it through SSH.

If I create it on my PRIVATE subnet, my Lambdas can SSH but I CAN'T...

Do I really have to have a NAT SERVER in order to achieve this?

TL;DR: Only my office and my Lambdas should have access to my EC2 instances.

MatiasN asked Oct 15 '18 12:10


2 Answers

The 1st option to consider for SSH access to EC2 instances is EC2 Instance Connect which allows you to control access to your EC2 instances using IAM and provides access from either the AWS console or your regular command line SSH tools.

The 2nd option is AWS Systems Manager Session Manager for Shell Access to EC2 Instances. You basically run an SSH session in your browser and it can target all EC2 instances, regardless of public/private IP or subnet. EC2 instances have to be running an up to date version of the SSM Agent and must have been launched with an appropriate IAM role (including the key policies from AmazonEC2RoleForSSM). No need for a bastion host or firewall rules allowing inbound port 22.

The 3rd option to consider is AWS Systems Manager Run Command which allows you to run commands remotely on your EC2 instances. It's not interactive like SSH but if you simply want to run a sequence of scripts then it's very good. Again, the instance has to be running the SSM Agent and have an appropriate IAM policy, and this option avoids the need to tunnel through bastion hosts.

Finally, if you really must SSH from your office laptop to an EC2 instance in a private subnet, you can do so via a bastion host. You need a few things:

  1. IGW and NAT in the VPC
  2. bastion host with public IP in the VPC's public subnet
  3. security group on the bastion allowing inbound SSH from your laptop
  4. a default route from the private subnet to the NAT
  5. security group on the private EC2 instance that allows inbound SSH from the bastion

Then you have to tunnel through the bastion host. See Securely Connect to Linux Instances Running in a Private Amazon VPC for more.

jarmod answered Sep 17 '22 21:09

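As an added example (not part of either answer), the following Python script audits whether security-group rules match the layout the answer above calls for: SSH into the bastion only from the office address, and SSH into the private instance only from the bastion (plus, per the question, the Lambda security group). The group ids and the office CIDR are constructed placeholders, and the rule data is an inline sample in the shape of `aws ec2 describe-security-groups` output, so nothing here calls AWS.

```python
OFFICE_CIDR = "203.0.113.10/32"  # assumed office egress address (TEST-NET-3 range)
BASTION_SG, PRIVATE_SG, LAMBDA_SG = "sg-bastion01", "sg-private01", "sg-lambda01"

# Constructed sample in the shape of `describe-security-groups` output, with one
# deliberate mistake (0.0.0.0/0 on the bastion) so the audit has something to report.
SECURITY_GROUPS = [
    {"GroupId": BASTION_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": OFFICE_CIDR}, {"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": PRIVATE_SG, "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": BASTION_SG}, {"GroupId": LAMBDA_SG}]}]},
]

# Allow-list for TCP/22 per group: office -> bastion; bastion and Lambdas -> private.
EXPECTED = {BASTION_SG: {OFFICE_CIDR}, PRIVATE_SG: {BASTION_SG, LAMBDA_SG}}


def covers_ssh(perm):
    """True if an inbound rule admits TCP/22, including 'all traffic' (-1) and
    port ranges that span 22, which are easy to overlook in the console."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)


def ssh_sources(group):
    """CIDRs and referenced group ids that may open SSH to this group."""
    sources = set()
    for perm in group["IpPermissions"]:
        if covers_ssh(perm):
            sources.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            sources.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return sources


def audit(groups, expected=EXPECTED):
    """One finding per SSH source that is not on a group's allow-list."""
    findings = []
    for group in groups:
        allowed = expected.get(group["GroupId"])
        if allowed is None:
            continue  # not part of the bastion design; out of scope here
        for src in sorted(ssh_sources(group) - allowed):
            findings.append(f"{group['GroupId']}: SSH open to unexpected source {src}")
    return findings
```

Feeding it real output from `aws ec2 describe-security-groups` (the `SecurityGroups` list) instead of the inline sample turns it into a quick check that the bastion is not exposed more widely than intended.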

  1. Create a Bastion host.

  2. This would be a public EC2 instance in a public subnet having the same security group as your private ec2 instance.

  3. Ensure that traffic within the security group is allowed. You can do this by creating an inbound rule for your security group.

  4. Now in Windows 10, you can run the following through your command prompt:

    ssh -i your_private_key.pem ec2-user@private_ip -o "proxycommand ssh -W %h:%p -i your_private_key.pem ec2-user@public_ip"

  5. Replace the following 3 things in the command posted above:

    • your_private_key
    • private_ip
    • public_ip
ajaysinghdav10d answered Sep 20 '22 21:09