SSH to an EC2 instance in VPC private subnet

While exploring our AWS VPC, have you wondered how you would SSH into your instances, given that an instance launched in a VPC does not have direct internet access?

This tutorial explains how to connect to those instances using a port forwarding technique.

Step 1 : Creating VPC

Create a VPC with public and private subnets using one of the templates provided in the VPC Wizard.

VPC Wizard

On the next screen, make sure to choose a valid keypair for which you have the .pem file. You'll need this to SSH into the NAT instance. Also keep a note of the default IP ranges for the private and public subnets.

VPC Confirmation Screen

At this point, the wizard will create the following resources for you:

  • VPC (with CIDR 10.0.0.0/16 in our case)

  • Public Subnet (with CIDR 10.0.0.0/24)

  • Private Subnet (with CIDR 10.0.1.0/24)

  • Two Route Tables

  • One Internet Gateway

  • One Network ACL

  • One Elastic IP

  • One Security Group

In addition to this list, you will notice that it has also launched a NAT instance. This is a special type of instance that routes traffic on behalf of other instances. The VPC wizard has also configured the route tables so that traffic from the public subnet goes to the Internet Gateway and traffic from the private subnet goes to the NAT instance.

Step 2 :  SSH into NAT instance

Before you can SSH into the NAT instance, you'll need to change the VPC's Security Group settings to allow inbound traffic over port 22.

Now, let's go to the EC2 service page to get the Elastic IP of the NAT instance launched by the VPC wizard, and try to SSH into this instance using the keypair provided earlier.

EC2 NAT Instance

I'm using Ubuntu's terminal to connect to my instance using the following command:

ssh -i training.pem ec2-user@54.208.114.96

You'll need to change the IP address at the end to the Elastic IP assigned to you.

NAT Instance Terminal

Kindly note the IP address in the last line of the screenshot above (10.0.0.236). This is the private IP that was automatically assigned to our NAT instance. Also note that since the NAT instance was launched in the public subnet, this IP falls into the CIDR range of our public subnet (10.0.0.0/24).

Step 3 : Launching instances in Private Subnet

We will now launch two instances in the private subnet. Later we'll SSH into these instances by redirecting TCP packets through the NAT instance. While launching the instances, make sure to launch them in the private subnet of the VPC we created (subnet 10.0.1.0/24 in our case). Once the instances are launched, note down their private IP addresses. We will use them to configure iptables on our NAT instance.

EC2 Launch Confirmation

The launched instances in our case carry the following private IPs:

  • 10.0.1.234

  • 10.0.1.235

Step 4 : Configuring iptables on NAT instance

We will now add the following iptables rules to our NAT instance:

sudo iptables -t nat -A PREROUTING -p tcp --dport 10234 -j DNAT --to-destination 10.0.1.234:22
sudo iptables -t nat -A PREROUTING -p tcp --dport 10235 -j DNAT --to-destination 10.0.1.235:22

Here I have updated the iptables rules of the NAT instance to forward incoming traffic on port 10234 to port 22 of the first instance in our private subnet, and similarly traffic on port 10235 to port 22 of the second instance.
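As an added example (not part of the original post), the following POSIX shell script builds the same PREROUTING DNAT rules from a port-to-instance mapping, but first checks that each target really lies inside the private subnet CIDR and refuses port 22, which must stay with the NAT instance's own sshd. The addresses and ports are the tutorial's; the APPLY variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the PREROUTING DNAT rules
# used in Step 4 from a port->instance mapping and checks each target against
# the private subnet CIDR before anything is applied. Run with APPLY=1 on the
# NAT instance to install the rules; without it the script only prints them.
PRIVATE_CIDR="10.0.1.0/24"           # private subnet from Step 1
MAPPING="10234 10.0.1.234
10235 10.0.1.235"                     # forwarded port -> private instance (Step 3)

# ip_to_int 10.0.1.234 -> 167772650 (dotted quad as a 32-bit integer)
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR
in_cidr() {
  ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dnat_rule PORT IP -> prints the iptables command for one forwarding, or
# fails when PORT is invalid or IP is outside PRIVATE_CIDR
dnat_rule() {
  port=$1; target=$2
  # port 22 stays with the NAT instance's own sshd; anything else in 1-65535 is accepted
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ] || [ "$port" -eq 22 ]; then
    echo "refusing port $port" >&2; return 1
  fi
  if ! in_cidr "$target" "$PRIVATE_CIDR"; then
    echo "refusing $target: not inside $PRIVATE_CIDR" >&2; return 1
  fi
  echo "iptables -t nat -A PREROUTING -p tcp --dport $port -j DNAT --to-destination $target:22"
}

# Walk the mapping; print each rule, or run it with sudo when APPLY=1.
echo "$MAPPING" | while read -r port target; do
  rule=$(dnat_rule "$port" "$target") || continue
  if [ "${APPLY:-0}" = 1 ]; then
    # DNAT only takes effect when the NAT instance forwards packets (the AWS NAT AMI enables this)
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ] || { echo "ip_forward is off" >&2; exit 1; }
    sudo $rule
  else
    echo "$rule"
  fi
done
```

Because the forwarded ports are reachable from the internet once the security group in Step 5 opens them, limit that rule's source to your own address rather than 0.0.0.0/0.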

Step 5 : Configuring Security Group

Before we can SSH into the instances in the private subnet, we'll need to update the security group of the NAT instance to accept incoming traffic on ports 10234 and 10235. Also, port 22 should be open on the target instances (we have already done this earlier).

Step 6 : SSH into NAT on specified port number

Now we'll SSH into our NAT instance again from our local system as before, with one difference this time: we specify the port number in our SSH command.

ssh -p 10234 -i /home/himanshu/Downloads/training.pem ec2-user@54.208.114.96
ssh -p 10235 -i /home/himanshu/Downloads/training.pem ec2-user@54.208.114.96

This lets us SSH directly into an instance in the private subnet. Check the last line of the screenshot below to see that the IP address belongs to one of the instances in the private subnet.

Terminal of Private Instance

This completes our tutorial.

Make sure you terminate your instances and delete the VPC to avoid any unnecessary charges.

27 Responses to SSH to an EC2 instance in VPC private subnet

    • Santhosh says:

      Hi Sutocom,

      I am trying to log in to an Amazon EC2 instance which is in a private subnet using PuTTY, following all the commands which you have mentioned above. After making an iptables entry, if I try to log in, it does not log in to the private instance; it still remains on the NAT instance. If I use port 10234 in PuTTY it says connection timed out.

      Please give me your suggestions on that.

      Thanks
      Santosh

      • hsachdevah says:

        Hi Santosh,

        You can try this to debug your issue:

        1. SSH into the NAT instance and try to ping your private instance.
        2. If it works, upload your keypair to the NAT instance and try to establish an SSH connection to your private instance.

        If step 2 works fine then there is some problem with the iptables configuration you made.

        Also, make sure you have the right settings in the security groups.

  1. Pingback: SSH to an EC2 instance in VPC private subnet | Tutorials for Linux Administration

  2. Pingback: Procedure for Deploying Hadoop 2.0 Yarn (CDH 4.5.0) Cluster (three EC2 small instances) on AWS | lixuchun

  3. Robert says:

    Thanks for the wonderful tutorial. I was struggling to log in to my private subnet VPC instance.

    Is it possible to control the IP address of a private subnet instance? What I mean is, when I start a new instance in the private subnet, can I specify the IP assigned to it?

  4. Pingback: AWS Elastic Load Balancer setup for VPC with Multi-Availability Zones | i-proving.com

  5. Pingback: Flux 7 - Performance Simplified

  7. amit says:

    My issue is not solved. I am creating the same structure but I am not able to ping and SSH to my private database server from the NAT instance. Please help me; how do I do that?
    I am creating the VPC inside one service group and creating 3 instances: one is web, one database and one NAT. I want to access the database server from the web server. How do I do the NATting?
    How do I perform the NATting between 2 servers? Web is on public and database is on private.

    • In the security group of the NAT, ensure:
      – it has a rule allowing communication on port 22 (to SSH to the private instances).

      In the security group of the private instances, ensure:
      – it has a rule allowing communication on port 22 (for communication from the NAT instance).

      Maybe that's what you're missing and that's why you aren't able to ping the private instances from the NAT.

  9. amit says:

    Please answer my queries, if anybody knows.

  12. Awesome, this worked for me! Needed it for a temp solution!

  18. Dipak says:

    Hi,
    I have created an EC2 instance and from that instance I have created an AMI. I have to create one EC2 instance from that AMI daily and do some testing on that instance. In that case I want to stop the previous day's EC2 instance and start the newly created instance from the AMI, and I want to keep the private IP of every day's instance the same.
    But when I create a new instance from the AMI it gives an error that the IP address you want to assign is not available because it is assigned to another instance, but the previous EC2 instance is in the stopped state. If I remove the previous day's EC2 instance it works fine, but I want to keep the previous 4-5 days' instances for backup or other purposes. So is there any solution so that I can assign the same private IP to newly created instances while the previous days' instances are also present but in the stopped state, i.e. can we deallocate the private IP address of the previous days' instances and assign it to the newly created EC2 instance?
    If anyone knows a solution, please reply to me.

    Thanks

  20. Amit says:

    Awesome tutorial! You have saved me many hours of frustration.

    One thing worth mentioning is that your instance and NAT might have different user names. For example, I created my NAT as Amazon Linux with user ec2-user, but the private instance was Ubuntu 14 with user ubuntu, so in that case you need to use ubuntu when connecting to the instance:

    ssh -p 10234 -i /home/himanshu/Downloads/training.pem ubuntu@54.208.114.96
