Reputation: 551
How to access to EC2 Instance in private subnet?
I'm going to build a server infrastructure through AWS.
Among them, in order to strengthen the security aspect, we will put all web servers in the private subnet and manage them through the bastion host.
The rough structural map is attached as first photo file. (The ip address is just an example)
To complete this structure, a VPC with one public subnet and one private subnet was created, the public subnet connected to the routing table of the Internet gateway, and the private subnet connected to the routing table of the NAT gateway. The structure is attached as second and third.
In this situation, we created an ec2 on the private subnet and put up a simple Express server for testing purposes, and left port 3000 open. In this situation, I searched for nat gateway's EIP in the Internet address window to access the express server, but it was not accessible.
I allowed 3000 port from anywhere IPv2 addresses.
There are two main questions here.
- I wonder why you can't access the express server.
- NAT Gateway is used to access Private Subnet from outside, and if multiple servers are running on that Private Subnet from different instances (with different Private IP addresses), I wonder if there is any way to access a specific server.
Upvotes: 1
Views: 2119
Answers (1)
Reputation: 238975
These days, a common way of accessing instances in both private and public subnets is through SSM Session Manager. The manager has many benefits over traditional ssh approach. Some of the are:
- no need for a bastion host,
- manage and log SSM Session Manager permissions and activities using IAM and
- works through a browser.
To use SSM Session Manager, the three things are needed:
- SSM Agent on the instance - its preinstalled and running on all popular AMI images (Amazon Linux 2, Ubuntu, ...)
- IAM role with permissions for the agent to allow for SSM access.
- Connectivity to SSM service. Since you have NAT this is not a problem in a case. Other-way would be through VPC interface endpoint, which does not require NAT.
Upvotes: 4
Related Questions
- SSH'ing into AWS EC2 Instance located in Private Subnet in a VPC
- AWS - Accessing instances in private subnet using EIP
- aws private subnets connectivity
- Connecting from public subnet to private subnet
- How to make EC2 instance in private subnet accessible from the internet? (as in being able to visit the website)
- How to connect a webpage behind a AWS EC2 instance in a private subnet in a AWS VPC
- How to connect to an ec2 through SSH that is in a private subnet without using any public subnet?
- Accessing WebApplication exposed by EC2 instance in Private Subnet
- Access Jenkins running in Private subnet AWS
- How to access the internet from VPC private subnet