SSH to an EC2 instance in VPC private subnet

While exploring out AWS VPC, have you wondered about how you would SSH into your instances since any instance launched in VPC does not have internet access directly.

This tutorial will explain connecting to your instances using port forwarding technique.

Step 1 : Creating VPC

Create a VPC with Public & Private subnets using one of the templates provided in VPC Wizard

VPC Wizard

On the next screen make sure to chose a valid kaypair for which you have the .pem file. You’ll need this to SSH into the NAT instance. Also keep a note of the default IP ranges for private & public subnet.

VPC Confirmation Screen

At this point, the wizard will create following resources for you :

  • VPC (with CIDR 10.0.0.0/16 in our case)

  • Public Subnet (with CIDR 10.0.0.0/24)

  • Private Subnet (with CIDR 10.0.1.0/24)

  • Two Route Tables

  • One Internet Gateway

  • One Network ACL

  • One Elastic IP

  • One Security Group

In addition to this list, you would notice that it has also launched a NAT instance. This is a special type of instance that is used to route traffic for other instances. Also, VPC wizard has already configured the “Route Tables” to route traffic from Public Subnet to Internet Gateway & Private Subnet to NAT instance

Step 2 :  SSH into NAT instance

Before you can SSH into NAT instance, you’ll need to change VPC’s Security Group settings to allow inbound traffic over port 22

Now, let’s go to our EC2 service page to get Elastic IP of NAT instance launched by VPC wizard & try to SSH into this instance using the keypair provided earlier.

EC2 NAT Instance

I’m using Ubuntu’s terminal to connect to my instance using the following command

ssh -i training.pem ec2-user@54.208.114.96

You’ll need to change IP address in the end to Elastic IP assigned to you.

NAT Instance Terminal

Kindly note the IP address in last line of the screenshot above (10.0.0.236). This is the Private IP that was automatically assigned to our NAT instance. Also note that since NAT instance was launched in public subnet, this IP range falls into CIDR range for our public subnet (10.0.0.0/24).

Step 3 : Launching instances in Private Subnet

We would now launch two instances in private subnet. Later we’ll try to SSH into these instances by redirecting TCP packets through NAT instance. While launching the instances, make sure to launch them in private subnet of the VPC we created (Subnet 10.0.1.0/24 in our case). Once the instances are launched, note down their private IP address. We would use them configure IP tables on our NAT instance.

EC2 Launch Confirmation

The launched instances in our case carry the following private IPs

  • 10.0.1.234

  • 10.0.1.235

Step 4 : Configuring iptable on NAT instance

We will now make some configurations to our NAT instance

sudo iptables -t nat -A PREROUTING -p tcp --dport 10234 -j DNAT --to-destination 10.0.1.234:22
sudo iptables -t nat -A PREROUTING -p tcp --dport 10235 -j DNAT --to-destination 10.0.1.235:22

Here I have updated the IP tables of NAT instance to route incoming traffic on port 10235 to port 22 of first instance in our private subnet & similarly traffic on port 10235 on second instance.

Step 5 : Configuring Security Group

Before we can SSH into instances in private subnet, we’ll need to update security group of NAT instance to accept incoming traffic on ports 10234 & 10235. Also, port 22 should be open for target instances (we have already done this earlier)

Step 6 : SSH into NAT on specified port number

Now we’ll SSH into our NAT instance again from our local system as earlier with some difference this time. We’ll specify port number in our SSH command

ssh -p 10234 -i /home/himanshu/Downloads/training.pem ec2-user@54.208.114.96
ssh -p 10235 -i /home/himanshu/Downloads/training.pem ec2-user@54.208.114.96

This allows us to SSH directly in instance of private subnet. Check out the last line of screenshot below to see that IP address is of one of instances from private subnet.

Terminal of Private Instance

This completes our tutorial.

Make sure you terminate your instances & delete VPC to avoid any unnecessary charges.

Advertisements

27 Responses to SSH to an EC2 instance in VPC private subnet

    • Santhosh says:

      Hi Sutocom,

      Am trying to login in to amazon ec2 instance which is in private subnet using putty by following all the commands which you have mentioned above after making an iptables entry if i try to login it does not login in to the private instance it still remains same on NAT instance if i use port 10234 in putty it says connection timed out.

      Please give me your suggestions on that.

      Thanks
      Santosh

      • hsachdevah says:

        Hi Santosh,

        You can try this to debug your issue:

        1. SSH into NAT instance & try to ping your private instance
        2. If it works, upload your keypair to NAT instance & try to establish SSH connection to your private instance.

        If step 2 works fine then there is some problem with ip-table configuration you made.

        Also, make sure you have right settings in security groups.

  1. Pingback: SSH to an EC2 instance in VPC private subnet | Tutorials for Linux Administration

  2. Pingback: Procedure for Deploying Hadoop 2.0 Yarn (CDH 4.5.0) Cluster (three EC2 small instances) on AWS | lixuchun

  3. Robert says:

    Thanks for the wonderful tutorial. I was struggling to login to by private subnet VPC instance.

    Is it possible to control the ip address to private subnet instance? What I mean is, when I start a new instance into private subnet, can i specify the IP assigned to it?

  4. Pingback: AWS Elastic Load Balancer setup for VPC with Multi-Availability Zones | i-proving.com

  5. Pingback: Flux 7 - Performance Simplified

  6. I was able to find gߋod info from your blog articles.

  7. amit says:

    mY ISSUE IS NOT SOLVE..I M CREATING THE SAME STRUCTURE BUT I M NOT ABLE TO PING AND SSH MY PRIVATE DATABASE SERVER FROM NAT INSTANCE..PLZ HELP ME..HOW I DO THAT..
    I M CREATING THE VPC INSIDE ONE SERVICE GROUP AND CREATE THE 3 INSTANCE..ONE IS WEB , DATABASE AND NAT..I WANT TO ACCESS THE DATABASE SERVER FROM WEB SERVER..HOW I DO THE NATTING..
    HOW I PERFORM THE NATING BETWEEN 2 SERVER..WEB IS ON PUBLIC AND DATABASE IS ON PRIVATE. ?

    • In the security group of the NAT ensure:
      – It has the rule to allow communication by port 22 (to perform ssh to private instances)

      In the security group of the private instances ensure:
      – It has the rule to allow communication by port 22 (to perform communication to NAT instance)

      Maybe that’s what you’re missing and that’s why you aren’t able to ping private instances from NAT.

  8. Hey there I amm so thrilled I found your webpage, I really found you by error, while I was looking on Yahoo for something
    else, Anyhow I amm here now and would just like to say mzny thanks for a fantastic post and a all round enjoyable blog (I also love the theme/design),
    I don’t have time to look over it all at the minute but I
    have bookmarked it and also added in your RSS feeds, so when
    I have time I will bee back to read a great deal more, Please do
    keep up the fantastic b.

  9. amit says:

    plz answer my queried..if anybody know..

  10. If some one needs to be updated with newest technologies
    then he must be pay a quick visit this site and be up to date every day.

  11. Hey! This is my first comment here so I just wanted to give a quick shout out and tell you I really enjoy
    reading your posts. Can you suggest any other blogs/websites/forums that cover the same topics?
    Thanks a ton!

  12. Awsome, this worked for me! Needed it for a temp solution!

  13. Garmin nuvi lmt 2555 says:

    I don’t even know how I ended up here, but I thought
    this post was good. I don’t know who you are but certainly
    you’re going to a famous blogger if you are not already 😉 Cheers!

  14. fifa15ultimateteamcheats.wordpress.com says:

    Great blog you have here but I was wondering if you knew of any forums that cover the same
    topics talked about here? I’d really love to be a
    part of community where I can get feedback from
    other experienced individuals that share the same interest.
    If you have any suggestions, please let me know.
    Thank you!

  15. Poker Bank BCA says:

    First off I want to say fantastic blog! I had a quick question that I’d like to ask if you do not mind.
    I was interested to know how you center yourself and clear your head prior to writing.

    I have had trouble clearing my mind in getting my thoughts out.
    I truly do enjoy writing however it just seems like
    the first 10 to 15 minutes are generally wasted just trying to figure out how to begin. Any recommendations or hints?
    Cheers!

  16. Hello, the whole thing is going well here and ofcourse every one
    is sharing data, that’s genuinely fine, keep up writing.

  17. well drilling and completion costs says:

    Hey There. I found your weblog the usage of msn. This
    is a really neatly written article. I will make sure to bookmark it and come back to learn extra of your
    useful information. Thanks for the post. I’ll certainly return.

  18. Dipak says:

    Hi,
    i have created ec2 instance and from that instance i have created ami . i have to create daily one ec2 instance from that ami and do some testing on that instance . in that case i want to stop previous days ec2 instance and start newly created instance from ami & i want to keep the private ip of every day instance same.
    But when i create new instance from ami it gives error that ip address u want to assign is not available because this is assigned to other instance.but prevoios ec2 instance is in stop state.but if i remove that previous day ec2 instance it work fine but i want that previous 4-5 days instances for backup or other purpose.So is there any solution for that so that i can assign same private ip to newly created instances while previous day instances are also present but in stop states……..i.e can we deallocate private ip address of previous days instances and assign it to newly created ec2 instance
    if anyone knows solution plz …..relpy to me.

    Thanks

  19. xbox live kody z allegro says:

    Spot on with this write-up, I really believe that this website needs
    much more attention. I’ll probably be returning to see more,
    thanks for the advice!

  20. Amit says:

    Awesome tutorial! You have saved me many hours of frustration..

    One thing worth mentioning is that your instance and NAT might have different user names, for example I’ve created my NAT as Amazon linux with user ec2-user but the private instance was ubuntu 14 with user ubuntu, so in that case you need to use ubuntu when connecting to the instance:

    ssh -p 10234 -i /home/himanshu/Downloads/training.pem ubuntu@54.208.114.96

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: