
I'm using the new (June 2019) EC2 browser SSH connect feature to shell into an EC2 instance. This is very convenient, since I'm on Windows and it's annoying to configure PuTTY with AWS auth, and the legacy browser SSH offering never worked right for me.

I can connect to an EC2 instance through AWS console as below

[screenshot: EC2 Instance Connect session from the AWS console]

and it works perfectly if SSH is enabled for any IP address. However, when I set the SSH security group rule to my IP address, the SSH shell simply hangs.

[screenshot: browser SSH session hanging]

I've confirmed this is my correct public IP address, and I've also tried with my private IPv4 address - no luck. However, when setting the CIDR block to anywhere, the connection works fine.

[screenshot: security group inbound rule for SSH restricted to "My IP"]

[screenshot: security group inbound rule for SSH open to "Anywhere"]

Figured maybe this new feature uses a proxy shell somewhere, so I'd have to allow access to the address of this intermediary.

I'm doing this from my home office desktop, not from an enterprise or sophisticated environment, and using my root AWS credentials (yes, I know this is a worst practice).

Adam Hughes
  • There's no way to post a minimal example of the Amazon dashboard. The question was clear enough to get an immediate and correct answer. Look again, I did not post an image of code, errors or output - merely configuration from AWS dashboards – Adam Hughes Jul 15 '19 at 15:04

1 Answer

Ah! The wonderful new AWS EC2 Instance Connect service. Good to see you're using it!

EC2 Instance Connect works by establishing an HTTPS connection between your web browser (running on your computer) and the backend EC2 Instance Connect service. Then, EC2 Instance Connect establishes a "mostly normal" SSH connection to the target instance. (The slight difference is the way a temporary key is pushed to the instance.)

As a result, the connection appears to be coming from the EC2 Instance Connect service rather than your own computer!

Therefore, instead of accepting a connection from "My IP", the security group on the EC2 instance should allow inbound connections from the EC2 Instance Connect service.

You can obtain the relevant IP address range from AWS IP Address Ranges. This is a JSON file that provides IP ranges for each AWS service.

For example, here is the range for the Sydney region:

{
  "ip_prefix": "13.239.158.0/29",
  "region": "ap-southeast-2",
  "service": "EC2_INSTANCE_CONNECT"
},

Thus, you could put this CIDR in the security group and it would enable EC2 Instance Connect within the Sydney region. (Consult the https://ip-ranges.amazonaws.com/ip-ranges.json file for the relevant range in your region.)

John Rotenstein
  • I think this is impractical to constantly monitor changes in the json file to find the current IP range that needs to be configured in the security group to allow SSH using EC2 instance connect. How can we practically ensure a one time security group configuration that would not break in future? – ACloudRoamer Jan 22 '23 at 05:40
  • @ACloudRoamer See [AWS IP address ranges - AWS IP address ranges notifications](https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html#subscribe-notifications) "Whenever there is a change to the AWS IP address ranges, we send notifications to subscribers of the _AmazonIpSpaceChanged_ topic." – John Rotenstein Jan 22 '23 at 05:54
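A worked example of the lookup described in the answer, added here as editorial illustration and not part of the original thread or of any AWS tooling: it parses an ip-ranges.json document, pulls the EC2_INSTANCE_CONNECT prefixes for one region, and checks whether a security group's inbound rules actually admit SSH from those prefixes (which is exactly what the "My IP" rule in the question fails to do). The JSON excerpt and the three rule sets are constructed sample data; the ap-southeast-2 prefix is the one quoted above, the other prefixes are documentation placeholders, not real AWS ranges. The rule dictionaries follow the IpPermissions shape that ec2:DescribeSecurityGroups returns, so the same function could be fed live output from boto3, but fetching https://ip-ranges.amazonaws.com/ip-ranges.json and calling the API are left out so the example runs offline.

```python
import ipaddress
import json

# Constructed excerpt shaped like https://ip-ranges.amazonaws.com/ip-ranges.json.
# The ap-southeast-2 EC2_INSTANCE_CONNECT prefix is the one quoted in the answer;
# the other entries are invented for this example and are NOT real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1563000000",
    "createDate": "2019-07-15-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.239.158.0/29", "region": "ap-southeast-2",
         "service": "EC2_INSTANCE_CONNECT"},
        {"ip_prefix": "13.239.158.0/29", "region": "ap-southeast-2",
         "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/29", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
         "service": "EC2"},
    ],
})

# Hypothetical inbound rules in the IpPermissions shape returned by
# ec2:DescribeSecurityGroups. MY_IP_RULES models the "My IP" rule from the
# question; FIXED_RULES adds the EC2 Instance Connect range for ap-southeast-2;
# ANYWHERE_RULES is the 0.0.0.0/0 rule that "works" but is far too broad.
MY_IP_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.0.2.10/32"}]},
]
FIXED_RULES = MY_IP_RULES + [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "13.239.158.0/29"}]},
]
ANYWHERE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def instance_connect_prefixes(ip_ranges_json, region):
    """Return the IPv4 CIDRs listed for EC2_INSTANCE_CONNECT in `region`, sorted."""
    doc = json.loads(ip_ranges_json)
    return sorted(
        p["ip_prefix"]
        for p in doc["prefixes"]
        if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region
    )


def _covers_ssh(perm):
    """True if one IpPermissions entry admits TCP port 22 (or all traffic)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "all traffic" rules carry no port range
        return True
    return proto == "tcp" and perm["FromPort"] <= 22 <= perm["ToPort"]


def ssh_rule_gaps(ip_permissions, required_cidrs):
    """Return the required CIDRs that no inbound SSH rule fully contains.

    A required range counts as covered only when a single allowed CIDR
    contains all of it, so a partial overlap is still reported as a gap.
    """
    allowed = [
        ipaddress.ip_network(r["CidrIp"])
        for perm in ip_permissions if _covers_ssh(perm)
        for r in perm.get("IpRanges", [])
    ]
    gaps = []
    for cidr in required_cidrs:
        net = ipaddress.ip_network(cidr)
        if not any(a.version == net.version and net.subnet_of(a) for a in allowed):
            gaps.append(cidr)
    return gaps


if __name__ == "__main__":
    needed = instance_connect_prefixes(SAMPLE_IP_RANGES, "ap-southeast-2")
    print("EC2 Instance Connect ranges (ap-southeast-2):", needed)
    for name, rules in [("My IP", MY_IP_RULES), ("fixed", FIXED_RULES)]:
        print(f"{name} rule set: missing {ssh_rule_gaps(rules, needed)}")
```

The check is deliberately per region: EC2 Instance Connect prefixes are published per region, and only the range for the instance's own region needs to be in the group, so there is no reason to open port 22 to every EC2_INSTANCE_CONNECT prefix in the file. To address the follow-up comment about the list changing, the same two functions can be run from whatever handles the AmazonIpSpaceChanged notification mentioned above: diff the new `syncToken` against the last one you applied, recompute the gaps, and update the rule rather than polling the file by hand.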