narayanan s

Reputation: 111

AWS : SSH to private subnet EC2 instance from public subnet EC2 instance via NAT GATEWAY is not happening

I have set up below VPC configuration but the SSH to the instance is not happening at the moment:

SSH from the public instance to the private instance is not happening with the key pair. Can you let me know what I have missed here?

Upvotes: 3

Views: 6311

Answers (4)

Copy the SSH public key of the private instance to the public instance. Open the SSH key material using VS Code, then use nano or vim to paste the content of the public key, then save and exit. Now you can SSH into your private instance, given the SG of the private instance allows traffic from the public instance.

Upvotes: 0

jestadi

Reputation: 111

First things first:

  • NAT Gateway in Public Subnet allows Instances from Private Subnet to reach internet for software updates etc via Internet Gateway.

  • NAT Gateway doesn't play any role in SSHing into an Instance.

Try this to test:

  • Attach the default NACL (allows all inbound and outbound) to the public and private subnets where your EC2 instances reside.
  • Create 2 security groups for the public (let's say Pub-SG) and private (Prv-SG) subnets.
  • Allow SSH from everywhere/a specific IP on Pub-SG.
  • On Prv-SG allow SSH from Pub-SG as the source, for better security reasons.
  • If both instances are launched using the same key pair, then with SSH agent forwarding you can connect to the private instance through the public instance.

Upvotes: 2

Sanjeev Sachdev

Reputation: 1321

When it comes to one EC2 instance communicating with another EC2 instance within a VPC, NAT Gateway has no role.

Make sure that the Security Group to which the private subnet instance belongs, allows SSH protocol from the Security Group to which the public subnet instance belongs.

Also, the NACL associated with the private subnet should allow inbound and outbound SSH traffic from the CIDR block to which the public subnet instance belongs.

Upvotes: 0
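As an added example (not code from any of the answers above), the checks jestadi and Sanjeev describe written as a small Python reachability test: a stateful security-group lookup on the private instance's SG, then the stateless NACL of the private subnet in both directions, with the NAT gateway deliberately not consulted. The topology, SG names and NACL entries are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology mirroring the question: a bastion in the public
# subnet and a target in the private subnet, each with its own security group.
PUBLIC = {"ip": "10.0.1.10", "sg": "Pub-SG"}
PRIVATE = {"ip": "10.0.2.20", "sg": "Prv-SG"}

# Security groups are stateful: one inbound rule on the target is enough.
# Rule shape: (from_port, to_port, source) where source is an SG name or a CIDR.
SECURITY_GROUPS = {
    "Pub-SG": [(22, 22, "203.0.113.0/24")],   # admin range -> bastion (constructed)
    "Prv-SG": [(22, 22, "Pub-SG")],            # bastion SG as source -> private instance
}

# NACLs are stateless: inbound tcp/22 AND outbound ephemeral return traffic are needed.
# Entry shape: (rule_no, direction, from_port, to_port, cidr, action); lowest rule_no wins.
PRIVATE_NACL = [
    (100, "inbound", 22, 22, "10.0.1.0/24", "allow"),
    (100, "outbound", 1024, 65535, "10.0.1.0/24", "allow"),
    (32767, "inbound", 0, 65535, "0.0.0.0/0", "deny"),
    (32767, "outbound", 0, 65535, "0.0.0.0/0", "deny"),
]

def sg_allows(rules, port, src_ip, src_sg):
    """True if any rule covers the port and matches the source SG name or CIDR."""
    for lo, hi, source in rules:
        if not lo <= port <= hi:
            continue
        if source == src_sg:
            return True
        if "/" in source and ip_address(src_ip) in ip_network(source):
            return True
    return False

def nacl_verdict(nacl, direction, port, peer_ip):
    """First matching entry by rule number decides; no match means implicit deny."""
    for _, d, lo, hi, cidr, action in sorted(nacl, key=lambda e: e[0]):
        if d == direction and lo <= port <= hi and ip_address(peer_ip) in ip_network(cidr):
            return action == "allow"
    return False

def ssh_reachable(src, dst, sgs, dst_nacl, ephemeral_port=49152):
    """Return (ok, reason) for TCP/22 from src to dst. The NAT gateway plays no part."""
    if not sg_allows(sgs[dst["sg"]], 22, src["ip"], src["sg"]):
        return False, f'{dst["sg"]} has no inbound tcp/22 rule matching {src["sg"]} or {src["ip"]}'
    if not nacl_verdict(dst_nacl, "inbound", 22, src["ip"]):
        return False, "private subnet NACL denies inbound tcp/22 from the public subnet"
    if not nacl_verdict(dst_nacl, "outbound", ephemeral_port, src["ip"]):
        return False, "private subnet NACL denies outbound ephemeral return traffic"
    return True, "SSH path is open; if it still fails, check the key pair or agent forwarding"
```

The public subnet's NACL needs the mirror-image entries (outbound tcp/22 to the private CIDR, inbound ephemeral ports back), which this block does not model.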

mcfinnigan

Reputation: 11638

I suspect you are missing a security group that permits SSH traffic between the instances on the two subnets.

AWS is secure by default - you need to explicitly permit traffic, roles, etc.

So in this case, the easiest thing to do would be to create a security group that spans the CIDR block of the VPC, and assign this to both instances.

Edit: I just noticed you say you added your NAT gateway to the public subnet - I presume you mean private.

This guide covers a similar scenario - public web subnet and private db subnet, and discusses all the routes + ACLs you need.

Also, when you say ssh with the keypair isn't happening - are you connecting at all, or does the connection time out?

Upvotes: 1
