From Set Up EC2 Instance Connect - Amazon Elastic Compute Cloud:
(Browser-based client) We recommend that your instance allows inbound SSH traffic from the recommended IP block published for the service. Use the EC2_INSTANCE_CONNECT filter for the service parameter to get the IP address ranges in the EC2 Instance Connect subset.
This is because the web browser client connects via HTTPS to the EC2 Instance Connect "service" in AWS. This service then makes the actual SSH connection to the instance.
A sample of the IP address file is:
{
  "ip_prefix": "18.252.4.0/30",
  "region": "us-gov-east-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "us-gov-east-1"
}
{
  "ip_prefix": "15.200.28.80/30",
  "region": "us-gov-west-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "us-gov-west-1"
}
{
  "ip_prefix": "13.244.121.196/30",
  "region": "af-south-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "af-south-1"
}
{
  "ip_prefix": "3.112.23.0/29",
  "region": "ap-northeast-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "ap-northeast-1"
}
{
  "ip_prefix": "13.209.1.56/29",
  "region": "ap-northeast-2",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "ap-northeast-2"
}
{
  "ip_prefix": "13.233.177.0/29",
  "region": "ap-south-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "ap-south-1"
}
{
  "ip_prefix": "3.0.5.32/29",
  "region": "ap-southeast-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "ap-southeast-1"
}
{
  "ip_prefix": "13.239.158.0/29",
  "region": "ap-southeast-2",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "ap-southeast-2"
}
{
  "ip_prefix": "35.183.92.176/29",
  "region": "ca-central-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "ca-central-1"
}
{
  "ip_prefix": "3.120.181.40/29",
  "region": "eu-central-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "eu-central-1"
}
{
  "ip_prefix": "13.48.4.200/30",
  "region": "eu-north-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "eu-north-1"
}
{
  "ip_prefix": "15.161.135.164/30",
  "region": "eu-south-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "eu-south-1"
}
{
  "ip_prefix": "18.202.216.48/29",
  "region": "eu-west-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "eu-west-1"
}
{
  "ip_prefix": "3.8.37.24/29",
  "region": "eu-west-2",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "eu-west-2"
}
{
  "ip_prefix": "35.180.112.80/29",
  "region": "eu-west-3",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "eu-west-3"
}
{
  "ip_prefix": "18.228.70.32/29",
  "region": "sa-east-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "sa-east-1"
}
{
  "ip_prefix": "18.206.107.24/29",
  "region": "us-east-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "us-east-1"
}
{
  "ip_prefix": "3.16.146.0/29",
  "region": "us-east-2",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "us-east-2"
}
{
  "ip_prefix": "13.52.6.112/29",
  "region": "us-west-1",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "us-west-1"
}
{
  "ip_prefix": "18.237.140.160/29",
  "region": "us-west-2",
  "service": "EC2_INSTANCE_CONNECT",
  "network_border_group": "us-west-2"
}
Thus, these are the ranges you should add to the Security Group. Just use the range(s) for the region where you are invoking EC2 Instance Connect.
NOTE: These IPs get updated; you can fetch an updated version by running (requires curl and jq):
curl -f -s -# https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service == "EC2_INSTANCE_CONNECT")'
or
curl -f -s -# https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service == "EC2_INSTANCE_CONNECT") | .ip_prefix'
to get only the list of IP ranges.
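As an added example (not part of the answer above or of any AWS tooling), the same selection as the jq filter done in Python, so the result can be turned into a security group rule and compared against what the group currently allows. The embedded file excerpt is constructed: two of the ranges quoted above plus a made-up S3 entry to show the service filter doing work; the `IpPermissions` shape is the one `aws ec2 authorize-security-group-ingress --ip-permissions` accepts.

```python
import json
from ipaddress import ip_network

# Constructed excerpt in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json;
# only the keys the filter needs are present, and the S3 entry is invented.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "18.206.107.24/29", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
        {"ip_prefix": "3.16.146.0/29", "region": "us-east-2",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-2"},
        {"ip_prefix": "3.5.0.0/19", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
    ],
})


def instance_connect_prefixes(ip_ranges_json, region):
    """Return the EC2_INSTANCE_CONNECT CIDRs for one region, sorted.
    Same selection as the jq filter in the answer, narrowed to the region
    the console is invoked in, which is all the instance needs to allow."""
    data = json.loads(ip_ranges_json)
    cidrs = {p["ip_prefix"] for p in data["prefixes"]
             if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region}
    # ip_network() validates each prefix and raises on anything malformed
    return sorted(str(ip_network(c)) for c in cidrs)


def ssh_ingress_permission(cidrs):
    """Build the IpPermissions entry for TCP/22 that authorize-security-group-ingress
    and revoke-security-group-ingress both accept."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": c, "Description": "EC2 Instance Connect"}
                         for c in cidrs]}


def reconcile(current_cidrs, published_cidrs):
    """Compare the CIDRs the security group rule allows today with the published
    set and return (to_add, to_revoke). Revoking stale ranges matters as much as
    adding new ones: an old prefix may no longer belong to the service."""
    current, published = set(current_cidrs), set(published_cidrs)
    return sorted(published - current), sorted(current - published)
```

Feed `reconcile()` the `CidrIp` values of the existing port-22 rule (from `describe-security-groups`) and pass the two lists to `ssh_ingress_permission()` for the authorize and revoke calls respectively.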