3

Launching an AWS EC2 instance seems quite straightforward, although when it comes to connecting to the newly launched instance, things get sticky. The process for connecting to an instance proposed by such a tech giant is very counter-intuitive.

As a short reminder, I should add that an "instance" is technically a virtual machine running on Amazon's Elastic Compute Cloud (EC2); for more info, one could have a look at this link.

The EC2 instance referred to in this discussion is Ubuntu Server 20.04 LTS (HVM). The instructions for working with EC2 Linux instances are given here.

AWS EC2 proposes three different ways of connecting to an instance:

  1. EC2 Instance Connect (browser-based SSH connection)
  2. Session Manager
  3. SSH client

Now, with regard to connecting to the above-mentioned instance, only certain connections establish correctly and the rest of the proposed methods fail. Here is the list of connection successes and failures:

  1. Ubuntu instance, security group source "Custom=0.0.0.0/0": connection establishes using both EC2 Instance Connect (browser-based SSH connection) and SSH client.
  2. Ubuntu instance, security group source "My IP=$IP": connection establishes only using SSH client (terminal on Ubuntu and PuTTY on Windows) and not using EC2 Instance Connect.

Both of the above cases have been tried with Ubuntu 20.04 and Windows 10 as the local machine, and the problem is the same on both machines. I went through most of the failure cases discussed in the troubleshooting documents proposed here and verified them on my instance. Yet the problem persists. I should also add that I never tried the "Session Manager" connection method, although opening its tab already gives some info about "not installed" agents and features.

Any idea regarding this problem? Somebody out there facing the same issue?

5
  • Posted a solution; if it helped you in any way, you can accept it as the answer so that it helps others in the future :) Commented Jun 6, 2021 at 19:19
  • 1
    @JatinMehrotra Thanks for your proposed solution, would you specify where I should run the command you suggested? Should I run it on my local machine? If yes I did run it and it doesn't return any value. Commented Jun 6, 2021 at 19:36
  • If you are using Windows, use this: Get-AWSPublicIpAddressRange -Region us-east-1 -ServiceKey EC2_INSTANCE_CONNECT | select IpPrefix (replace us-east-1 with the region where your EC2 instance is launched); otherwise, for Linux or macOS, use this: curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2_INSTANCE_CONNECT") | .ip_prefix' (note: the Linux and macOS command requires you to have the curl and jq utilities before running it). Commented Jun 6, 2021 at 19:44
  • @JatinMehrotra, I had a small mistake in typing the name of the region, now it's fixed and it's working like a charm, I can connect using EC2 Instance Connect (browser-based). Thank you again. Commented Jun 6, 2021 at 19:48
  • glad to help :) Commented Jun 6, 2021 at 19:48

1 Answer 1

4

From Docs

(Amazon EC2 console browser-based client) We recommend that your instance allows inbound SSH traffic from the recommended IP block published for the service.

Reason for this: EC2 Instance Connect works by making an HTTPS connection between your web browser and the backend EC2 Instance Connect service on AWS. Then, EC2 Instance Connect establishes a "mostly normal" SSH connection to the target instance. In other words, the request comes from the backend EC2 Instance Connect service and not from your browser, which is why it needs an IP address from the accepted ranges of that region.

Browser-based EC2 Instance Connect uses specific IP ranges for browser-based SSH connections to your instance. These IP ranges differ between AWS Regions. To find the AWS IP address range for EC2 Instance Connect in a specific Region, use the following (just replace "Your region" with your region; on Linux, curl and jq are required as prerequisites):

    curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="Your region") | select(.service=="EC2_INSTANCE_CONNECT") | .ip_prefix'

Whatever value is returned, just add it to your security rule and it will work.

Ubuntu instance, security group source "Custom=0.0.0.0/0", Connection establishes using both EC2 Instance Connect (browser-based SSH connection) and SSH client.

This works because 0.0.0.0/0 allows connections from all IP ranges (which includes your region's IP too). For more details, try reading this troubleshoot
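
The check described in this answer, as an added example that is not part of the original post: it applies the same region and EC2_INSTANCE_CONNECT filter as the jq command, then tests whether a security group's port 22 rules admit the SSH client and the browser-based service. The sample prefixes, the simplified rule format and all function names are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like https://ip-ranges.amazonaws.com/ip-ranges.json;
# the prefixes are documentation ranges, not real AWS values.
SAMPLE_IP_RANGES = json.loads("""{"prefixes": [
 {"ip_prefix": "198.51.100.0/29", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT"},
 {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
 {"ip_prefix": "192.0.2.8/29", "region": "eu-west-1", "service": "EC2_INSTANCE_CONNECT"}
]}""")


def eic_prefixes(ip_ranges, region):
    """Same filter as the jq command: match the region and EC2_INSTANCE_CONNECT."""
    return [ipaddress.ip_network(p["ip_prefix"]) for p in ip_ranges["prefixes"]
            if p["region"] == region and p["service"] == "EC2_INSTANCE_CONNECT"]


def ssh_sources(sg_rules):
    """Source CIDRs of inbound rules that cover TCP port 22.

    Rules use a hypothetical simplified format: protocol, from_port, to_port, cidr.
    """
    return [ipaddress.ip_network(r["cidr"]) for r in sg_rules
            if r["protocol"] == "tcp" and r["from_port"] <= 22 <= r["to_port"]]


def covered(network, sources):
    """True if some allowed source CIDR contains the whole network."""
    return any(network.subnet_of(src) for src in sources)


def check_access(ip_ranges, region, sg_rules, client_ip):
    """Report which connection methods the security group admits on port 22."""
    sources = ssh_sources(sg_rules)
    prefixes = eic_prefixes(ip_ranges, region)
    missing = [str(p) for p in prefixes if not covered(p, sources)]
    return {
        "ssh_client": covered(ipaddress.ip_network(client_ip), sources),
        # No prefix found (e.g. a mistyped region) means nothing can be confirmed.
        "instance_connect": bool(prefixes) and not missing,
        "cidrs_to_add": missing,
    }


# Constructed "My IP" rule: only the client's own address may reach port 22.
MY_IP_ONLY = [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "203.0.113.7/32"}]
print(check_access(SAMPLE_IP_RANGES, "us-east-1", MY_IP_ONLY, "203.0.113.7"))
```

Adding only the CIDRs listed under `cidrs_to_add` lets the browser-based client connect while port 22 stays closed to all other sources, unlike the 0.0.0.0/0 rule.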
