-1

i have an ec2 instance running ubuntu and im trying to restrict ssh access to only my ip address, im using both the security on the ec2 and the network acl, i have multiple ip addresses

192.168.1.233: the one on my computer in system prefrences -> network under the name of the wifi network

157.100.197.222/32: the one in the ec2 when i edit inbound rules under the option my ip address https://i.stack.imgur.com/WXCxh.png

172.31.30.243: the one when i connect to the ec2 and type hostname -I | awk '{print $1}' https://i.stack.imgur.com/oHuc5.png

im able to connect to the ec2 when in the network acl inbound rules i deny ssh acces to /8, /16, and /24 and then allow all other sources and in the security of the ec2 i allow all sources to connect via ssh https://i.stack.imgur.com/zOuhS.png https://i.stack.imgur.com/tOkcL.png

but right now im allowing access from all 3 of my ip addresses and denying everything else and it wont connect https://i.stack.imgur.com/AnyVI.png https://i.stack.imgur.com/RM3YA.png

i know it has something to do with the network ip address vs the device ip address and using the right ip with the right cidr block but i dont know exactly what to put, can someone help me

eitan
  • 27
  • 6
  • There is no need for deny rules. Remove them. Only add the allow rules that you need e.g. SSH inbound from your public IP. – jarmod Jul 11 '22 at 00:37
  • 1
    Do not modify the NACLs from their default "Allow All" settings unless you have a very specific network requirement (eg creating a DMZ). You should only need to modify the Inbound rules on the Security Group(s) associated with the instance. You have shown us a mixture of private IP addresses (`192.168.1.233`, `172.31.30.243`) and a public IP address (`157.100.197.222`). From where are you attempting to connect to the EC2 instance -- from your own computer on the Internet, or from an EC2 instance in the same VPC? – John Rotenstein Jul 11 '22 at 01:22
  • im trying to connect to the ec2 from my computer on the internet via ssh – eitan Jul 11 '22 at 01:55
  • Are you attempting to connect via an SSH client, or are you trying to connect via **EC2 Instance Connect**? The configuration would be different depending upon this choice. – John Rotenstein Jul 11 '22 at 08:24
  • either one, for what im doing it doesnt matter EC2 Instance Connect or connect from my terminal, can you explain to me what the config should be for each one – eitan Jul 11 '22 at 12:05
  • can we have a zoom/skype/google hangouts meeting and we can work on this together, my email is eitanschreiber97@gmail.com – eitan Jul 11 '22 at 21:55

2 Answers2

0

You have to check what is your outgoing IP address. You do this by going to any "check my ip" website. This will be the address you have to allow in your security groups.

Also do not modify network ACL. Default NACL is all that you need. Only use Security Groups to control access to your instance from your IP.

Marcin
  • 215,873
  • 14
  • 235
  • 294
  • still didnt work – eitan Jul 10 '22 at 22:52
  • @eitan Then you have to provide more details. All VPC setup. Is your instance in public subnet? Route tables and everything related to VPC, SGs and NACLs. – Marcin Jul 10 '22 at 22:53
  • in the security groups i changed the inbound rules to allow access from any source ending in /32 like this 0.0.0.0/32 and it still doesnt work – eitan Jul 10 '22 at 23:04
0

The error message appears to indicate that you are attempting to connect to the Amazon EC2 instance by using EC2 Instance Connect.

EC2 Instance Connect works as follow:

  • It uses a web connection (port 443) from your browser to the EC2 Instance Connect service
  • The EC2 Instance Connect service then establishes an SSH connection (port 22) from the EC2 Instance Connect service to your Amazon EC2 instance

Therefore, the Security Group sees your connection as coming from the EC2 Instance Connect service rather than the public IP address of your computer.

You would need to add the IP address ranges of the EC2 Instance Connect service the Security Group to permit access to the EC2 instance (see Set up EC2 Instance Connect - Amazon Elastic Compute Cloud). However, this would permit an inbound connection from any computer that successfully authenticates via the EC2 Instance Connect service.

Thus, it is not possible to restrict access to the EC2 Instance to your own IP address while using EC2 Instance Connect to connect to the instance.

However, it is worth noting that EC2 Instance Connect uses IAM to authenticate access to the instance, so you should trust this authentication. Rather that restricting by IP address of computers, you could restrict to the IP address ranges of the EC2 Instance Connect service and then use IAM permissions to control access to the instance.

See also: EC2 Instance Connect - Which AWS IPs For Inbound For Browser Console Access?

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • can we have a zoom/skype meeting and we can work on this together – eitan Jul 11 '22 at 19:04
  • Your basic choice is to use normal SSH (in which case your current configuration is correct) or, if you want to use EC2 Instance Connect, then use IAM permissions to control access and configure the Security Groups to restrict access to the IP address ranges used by EC2 Instance Connect. Or, frankly, you could use **AWS Systems Manager Session Manager** and it doesn't require any Inbound security group configurations because it works via an Agent installed on the instance. It even works on private EC2 instances as long as they can reach the Internet! – John Rotenstein Jul 12 '22 at 01:24