To connect to the EC2 instances provisioned within your AWS account, you need to use a bastion host.
A Linux bastion allows you to connect securely to all Linux-based instances in your account without exposing the rest of the environment to the Internet. Once connected to the bastion host, you can reach the other instances in your VPC over Secure Shell (SSH). The Linux bastion is also configured with a security group that restricts inbound connections to white-listed IP addresses only.
Connecting from a Linux-based machine
If you are connecting from a Unix-like operating system, such as Ubuntu or Mac OS X, you can set up a ~/.ssh/config file that makes connecting to your EC2 instances much easier.
First, visit the AWS Console and head to the EC2 Dashboard. From there, open the Instances section, found on the left.
In the Instances section, you should see the "LinuxBastion" instance. Click on it, look for the IPv4 Public IP address and the Private IP, and note both down. In our example, these are 123.123.123.123 and 10.1.1.10.
Next, ensure that the key provided by ClearCloud is stored within your ~/.ssh directory and has "rw-------" (600) permissions, otherwise ssh will refuse to use it. If you are unsure, run the following command:
chmod 600 ~/.ssh/my_private_rsa
Now we can set up your ~/.ssh/config file.
The config file contains a few key elements:
- Host: The Host pattern declares the private IP range to match when you initiate an SSH connection. If the destination matches this pattern, the options that follow in the file are applied. Change this according to your setup. In our example, our VPC has been given an IP range of 10.1.0.0/16, so we write: "10.1.*.*".
- ProxyCommand: This tells your machine to reach the destination host by tunnelling through the declared bastion server rather than connecting directly.
- "ssh -i ~/.ssh/my_private_rsa ec2-user@123.123.123.123": These are the connection details for the bastion host. Replace them with the path to your private key and the public IP captured earlier.
- "-W %h:%p": These flags tell the bastion's ssh to forward the connection to the host name and port of the instance you wish to connect to, so no shell is opened on the bastion itself.
Your Config file should look a little like this:
~/.ssh/config:
Host 10.1.*.*
ProxyCommand ssh -i ~/.ssh/my_private_rsa ec2-user@123.123.123.123 -W %h:%p
Once this is set up, you should be able to connect to any Linux EC2 instance in your account by using its private IP address. For example, if our web server had a private IP of 10.1.40.23, you would type:
ssh ec2-user@10.1.40.23 -i ~/.ssh/my_private_rsa
This will then use the config file to tunnel through the Bastion and connect you to the Web instance.
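As an added example (not ClearCloud's own tooling), the shell functions below check the key permissions from the steps above and generate the same ProxyCommand stanza, pinning the key with IdentitiesOnly on both hops so ssh never offers other keys from your agent. The sample values (pattern, key path, bastion IP) are the page's constructed ones and are passed in as arguments.

```shell
#!/bin/sh
# Added example, not part of the original article or ClearCloud's tooling.

# check_key_perms FILE -> returns 0 only if FILE exists and is mode rw------- (600).
# Uses ls -l rather than stat so it works on both GNU/Linux and Mac OS X.
check_key_perms() {
    key="$1"
    [ -f "$key" ] || return 1
    mode=$(ls -l "$key" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# bastion_stanza PATTERN KEY BASTION_IP [USER]
# Prints the Host block described in the article. User/IdentityFile are set
# so that "-i" is no longer needed on the command line, and IdentitiesOnly
# stops ssh from offering every key in your agent to the bastion or instance.
bastion_stanza() {
    pattern="$1"; key="$2"; bastion="$3"; user="${4:-ec2-user}"
    printf 'Host %s\n' "$pattern"
    printf '    User %s\n' "$user"
    printf '    IdentityFile %s\n' "$key"
    printf '    IdentitiesOnly yes\n'
    # %%h:%%p is printf escaping; the written config contains -W %h:%p
    printf '    ProxyCommand ssh -i %s -o IdentitiesOnly=yes %s@%s -W %%h:%%p\n' \
        "$key" "$user" "$bastion"
}

# write_bastion_config CONFIG_FILE PATTERN KEY BASTION_IP [USER]
# Refuses to write the stanza when the key permissions are wrong, because ssh
# would reject the key with "UNPROTECTED PRIVATE KEY FILE" at connect time.
write_bastion_config() {
    cfg="$1"; shift
    check_key_perms "$2" || { echo "key $2 must be mode 600 (run: chmod 600 $2)" >&2; return 1; }
    bastion_stanza "$@" >> "$cfg"
    chmod 600 "$cfg"   # keep the config private as well
}

# Usage with the article's sample values (constructed):
#   write_bastion_config ~/.ssh/config '10.1.*.*' ~/.ssh/my_private_rsa 123.123.123.123
```

After running it, `ssh 10.1.40.23` alone is enough, since the user and key come from the stanza.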