
I have seen How to SSH to ec2 instance in VPC private subnet via NAT server and was able to SSH in an EC2 in a private subnet through a NAT instance with a public IP.

Assuming I want to install an application with a web interface like Zeppelin or Jupyter in the EC2 instance in the private subnet how would I configure secure access and connect to the web service through my browser in my laptop? I am fairly new to this area, so what would be the correct approach to enable this?

and_apo

1 Answer


You can use ssh with port forwarding.

Let's say your EC2 instance's private IP is 10.1.1.1, the web interface listens on port 80, and your NAT host has a public IP of 198.51.100.13. You can chain two successive forwards:

from your laptop:

ssh -L 8080:127.0.0.1:8080 YOUR_USERNAME@198.51.100.13

from the newly opened shell in your NAT host:

ssh -L 8080:10.1.1.1:80 YOUR_USERNAME@10.1.1.1

Now you can open a browser in your laptop and point it to:

http://127.0.0.1:8080


Actually you can configure your ssh client such as to automatically use a middle box. On your laptop, open ~/.ssh/config and tell ssh to pass through the NAT box when going to 10.1.1.1:

Host 10.1.1.1
ProxyCommand ssh -W %h:%p YOUR_NAT_HOSTS_IP

Now you can ssh directly from your laptop, and ssh will transparently open first a connection to the NAT box and then pass you to the EC2 instance.

Fredi
  • But for this to work, it is needed for my EC2 instance to have internet access on its own right? That's why the NAT is there. Unless my laptop is in a connected VPN that can talk to that instance, which it isn't. – and_apo Nov 30 '16 at 15:02
  • So you're saying that to connect to your ec2 instance you first ssh to another host? It can be done nevertheless, just tell me what you're doing to connect to your EC2 host – Fredi Nov 30 '16 at 15:06
  • I am connecting through SSH to the NAT instance and from the NAT instance connecting to the EC2 host in the private subnet – and_apo Nov 30 '16 at 15:08
  • Updated my answer – Fredi Nov 30 '16 at 15:24
  • Thanks the first way works. For the second way(through ~/.ssh/config), after filled in config file would the command to run from my laptop be "ssh -L 8080:127.0.0.1:80 YOUR_USERNAME@10.1.1.1" ? – and_apo Nov 30 '16 at 18:19
  • If your web instance listens to 127.0.0.1 yes, if you bind it only to the private net's IP then use: `ssh -L 8080:PRIVATE_LAN_IP:80 YOUR_USERNAME@EC2_INSTANCE` – Fredi Dec 01 '16 at 10:23
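The two-hop setup from the answer collapsed into one command and one ssh_config stanza, plus a check that the laptop end of the forward stays on loopback. This is an added example, not code from the answer or the comments above; the addresses, user name and the web port are the answer's placeholders, and it assumes an OpenSSH client on the laptop (ProxyCommand with -W, as in the answer). It goes a step beyond the answer by pinning the listening side of -L to 127.0.0.1, adding -N so the tunnel carries no shell, and setting ExitOnForwardFailure so ssh exits instead of silently giving you a tunnel to nowhere. Whether the remote end is 127.0.0.1 or the instance's private IP depends on what address the web app binds to, as the last comment explains.

```shell
#!/bin/sh
# Added example (not from the answer above). All addresses and the user name
# are placeholders taken from the answer; adjust them for your own VPC.
set -e

NAT_HOST="198.51.100.13"   # public IP of the NAT instance (placeholder from the answer)
INSTANCE_IP="10.1.1.1"     # private IP of the EC2 instance (placeholder from the answer)
SSH_USER="YOUR_USERNAME"   # placeholder from the answer

# tunnel_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT
# Prints one ssh invocation that hops through the NAT host and forwards
# 127.0.0.1:LOCAL_PORT on the laptop to REMOTE_HOST:REMOTE_PORT as seen from
# the instance. REMOTE_HOST is 127.0.0.1 if the web app binds to loopback, or
# the instance's private IP if it binds only to that address.
tunnel_cmd() {
  local_port=$1; remote_host=$2; remote_port=$3
  printf 'ssh -N -o ExitOnForwardFailure=yes -o "ProxyCommand=ssh -W %%h:%%p %s@%s" -L 127.0.0.1:%s:%s:%s %s@%s\n' \
    "$SSH_USER" "$NAT_HOST" "$local_port" "$remote_host" "$remote_port" "$SSH_USER" "$INSTANCE_IP"
}

# ssh_config_text LOCAL_PORT REMOTE_HOST REMOTE_PORT
# Prints an equivalent ~/.ssh/config stanza; afterwards "ssh -N zeppelin" does
# the whole thing. "zeppelin" is an alias chosen for this example.
ssh_config_text() {
  cat <<EOF
Host zeppelin
    HostName $INSTANCE_IP
    User $SSH_USER
    ProxyCommand ssh -W %h:%p $SSH_USER@$NAT_HOST
    LocalForward 127.0.0.1:$1 $2:$3
    ExitOnForwardFailure yes
EOF
}

# check_config FILE
# Returns 0 only if every LocalForward in FILE is explicitly bound to loopback.
# An unqualified "LocalForward 8080 ..." depends on GatewayPorts and a
# "0.0.0.0:" prefix would expose the tunnel to everyone on the laptop's LAN,
# so both are rejected here.
check_config() {
  ! grep -E '^[[:space:]]*LocalForward[[:space:]]' "$1" \
    | grep -vE 'LocalForward[[:space:]]+(127\.0\.0\.1|localhost):' >/dev/null
}

# Usage: print the one-shot command and the config stanza for a web app
# bound to loopback on port 80, reachable on http://127.0.0.1:8080 locally.
tunnel_cmd 8080 127.0.0.1 80
ssh_config_text 8080 127.0.0.1 80
```

Run the printed command (or save the stanza to ~/.ssh/config and run `ssh -N zeppelin`), then browse to http://127.0.0.1:8080. The check_config function is meant to be run over your real ~/.ssh/config before relying on it; a forward that is not pinned to loopback turns your laptop into a relay for anyone who can reach it.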