We have an environment wherein we have two EC2 instances, one in the public subnet of the VPC which is our web server and the other in the private subnet of the VPC, which is our application server. The EC2 instance in the private subnet is running Tomcat. How can we access the Tomcat manager console from the browser?

Our security groups are as follows:

For the Web server, which has a public IP, we have allowed ports 22, 80 and 8080 from 0.0.0.0/0 (from anywhere). These are the inbound rules. The outbound rule is such that port 22 is allowed to the security group of the private subnet. This will allow ssh from web server to the application server.

The inbound for the private subnet allows 22 from the public subnet, as well as 80 and 8080.

A NAT gateway allows outbound traffic to the Internet. Internet is accessible from the application server.

How do I now:

  1. Access the tomcat manager console using the browser? (Tomcat already configured on the application server. We created an image of an old instance and spun this one up)

  2. In case we need to do any war file deployment to the application server, how do we do it?

Thank you.

1 Answer

Solution with your current design:

The plan is not secure, because you need to expose port 22 on the web server to the internet, but it will resolve your issue. You can limit the source IPs in the inbound rule.

In the current design, there is no bastion (jump host), so you have to use the web server (which has an Elastic IP) as a bastion to jump to the application (Tomcat) server.

You need an SSH SOCKS proxy set in your browser to access the Tomcat manager console; search Google with the keywords "ssh socks proxy" and you will get a lot of documents that teach you how to do that.

Two ways to improve:

Way #1: install a VPN.

Create a new EC2 instance in the public subnet with an EIP and install a VPN on it, for example OpenVPN. Set the security groups to only allow login from that jump host to the other EC2 instances.

After logging in to OpenVPN, your browser should be able to access the Tomcat manager console directly.

Way #2: use an SSH SOCKS proxy.

Create one EC2 instance in the public subnet with an EIP; a micro instance type should be good enough in the current design.

With the new bastion instance, you should be fine setting an SSH SOCKS proxy in your browser to access the Tomcat manager console.

Another improvement, but not related to the browser issue:

Add an ELB in your VPC; then you can move the web server to the private subnet.
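The SOCKS-proxy access and the WAR deployment described in the answer above, as an added example that is not part of the original answer. It assumes placeholder values for the web server's Elastic IP (WEB_EIP), the Tomcat server's private IP (APP_IP) and the login user (SSH_USER), and that your SSH key for both instances is already loaded in ssh-agent; the functions only build the commands, and nothing connects unless RUN=1.

```bash
#!/usr/bin/env bash
# Added example, not from the original question or answer. All addresses are
# constructed placeholders; override them with environment variables.
set -euo pipefail

WEB_EIP="${WEB_EIP:-203.0.113.10}"   # placeholder (TEST-NET) Elastic IP of the web server
APP_IP="${APP_IP:-10.0.2.25}"        # placeholder private IP of the Tomcat server
SSH_USER="${SSH_USER:-ec2-user}"     # assumed login user on both instances
SOCKS_PORT="${SOCKS_PORT:-1080}"     # local port the browser will use as SOCKS5 proxy

# ssh command that opens a SOCKS proxy on 127.0.0.1:$SOCKS_PORT via the web server.
# Binding to 127.0.0.1 keeps other hosts on your LAN from using the tunnel;
# -N opens no shell, the session exists only to carry the dynamic forward.
socks_tunnel_cmd() {
  printf 'ssh -N -D 127.0.0.1:%s %s@%s' "$SOCKS_PORT" "$SSH_USER" "$WEB_EIP"
}

# URL to open in the browser once it is set to use SOCKS5 at 127.0.0.1:$SOCKS_PORT.
# The private IP works here because the browser connects through the tunnel.
manager_url() {
  printf 'http://%s:8080/manager/html' "$APP_IP"
}

# Reachability check through the proxy without a browser. --socks5-hostname lets
# the proxy resolve and connect to the destination instead of the local machine.
manager_check_cmd() {
  printf 'curl -sS -o /dev/null -w "%%{http_code}" --socks5-hostname 127.0.0.1:%s %s' \
    "$SOCKS_PORT" "$(manager_url)"
}

# WAR deployment: scp through the web server with ProxyJump, so the app server keeps
# no public IP and only the existing port-22 rule from the web server's SG is used.
deploy_war_cmd() {
  local war="$1"
  printf 'scp -o ProxyJump=%s@%s %s %s@%s:/tmp/' \
    "$SSH_USER" "$WEB_EIP" "$war" "$SSH_USER" "$APP_IP"
}

if [ "${RUN:-0}" = "1" ]; then
  eval "$(deploy_war_cmd "${1:-app.war}")"   # copy the WAR first
  eval "$(socks_tunnel_cmd)"                 # then hold the tunnel open
else
  socks_tunnel_cmd; echo
  echo "Browser SOCKS5 proxy: 127.0.0.1:$SOCKS_PORT -> $(manager_url)"
  manager_check_cmd; echo
  deploy_war_cmd app.war; echo
fi
```

After copying the WAR to /tmp on the application server, move it into Tomcat's webapps directory over the same ProxyJump SSH session; the manager console is also reachable only while the tunnel session stays open.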