I’ve been going at this problem for a couple of hours and maybe its not possible, maybe it is.
I have a VPC in AWS, with a couple of EC2 instances and Lambda Instances.
As of right now, The lambda can invoke, ssh and so on to the EC2 server without a problem.
My lambdas are using a security group with only HTTP, HTTPS AND SSH in “Outbound”.
My ec2 default security group only accepts 22 inbound (From my Lambda security group, AND my office IP).
If i create an ec2 instance on my public subnet, both me and my lambda functions can access it through ssh.
If i create it on my PRIVATE subnet, my lambdas can ssh but i CANT…
Do i really have to have a NAT SERVER in order to achieve this?
TL:DR; Only my office and my lambdas should have access to my ec2 instances.
The 1st option to consider for SSH access to EC2 instances is EC2 Instance Connect which allows you to control access to your EC2 instances using IAM and provides access from either the AWS console or your regular command line SSH tools.
The 2nd option is AWS Systems Manager Session Manager for Shell Access to EC2 Instances. You basically run an SSH session in your browser and it can target all EC2 instances, regardless of public/private IP or subnet. EC2 instances have to be running an up to date version of the SSM Agent and must have been launched with an appropriate IAM role (including the key policies from AmazonEC2RoleForSSM). No need for a bastion host or firewall rules allowing inbound port 22.
The 3rd option to consider is AWS Systems Manager Run Command which allows you to run commands remotely on your EC2 instances. It’s not interactive like SSH but if you simply want to run a sequence of scripts then it’s very good. Again, the instance has to be running the SSM Agent and have an appropriate IAM policy, and this option avoids the need to tunnel through bastion hosts.
Finally, if you really must SSH from your office laptop to an EC2 instance in a private subnet, you can do so via a bastion host. You need a few things:
- IGW and NAT in the VPC
- bastion host with public IP in the VPC’s public subnet
- security group on the bastion allowing inbound SSH from your laptop
- a default route from the private subnet to the NAT
- security group on the private EC2 instance that allows inbound SSH from the bastion
Then you have to tunnel through the bastion host. See Securely Connect to Linux Instances Running in a Private Amazon VPC for more.