According this AWS doc: Scenario 2: VPC with Public and Private Subnets (NAT) I have my own VPC with two subnets: private and public. In public subnet I have deployed an Ubuntu 16.04 Instance with assigned EIP. It also has next security group inbound rules:
Type Protocol Port Range Source Description
SSH TCP 22 xx.xx.xx.xx/32 Home IP
and outbound accordingly:
Type Protocol Port Range Source Description
SSH TCP 22 sg-xxprivatexx Security group ID for instance in private subnet
Looks nice, I can ssh
it externally from my home. No problem.
In private subnet I have deployed another one Ubuntu 16.04 machine with next security group (inbound rules):
Type Protocol Port Range Source Description
HTTP TCP 80 sg-xxpublicxxx Security Group ID for bastion instance in public subnet
SSH TCP 22 sg-xxpublicxxx -
and no outbound rules (actually it has 80, 443 outbound ports opened, but its not an interesting part as I guess). And I still can reach this virtual machine using ssh
from my bastion.
Right now I just want to make only one simple thing - run ssh port forwarding so I can run localhost:8080 on my home PC browser and see the webpage I published on my private instance. If I understand it correctly from here and here (and from here as well) I have to run something like:
ssh -N -v -L 8080:10.0.1.112:80 [email protected]
Which as I guess basically means: just forward a traffic from private subnet instance with IP 10.0.1.112:80
to my localhost:8080
through my bastion VM with username ubuntu
hosted on EIP 3.121.46.99
.
Debug ends with lines:
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:ZyVHgnF8z5vE5gfNr1S2JDfjhdydZVTNevPRgJZ+sRA /home/matterai/.ssh/key.pem
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/matterai/.ssh/id_rsa
debug1: Trying private key: /home/matterai/.ssh/id_dsa
debug1: Trying private key: /home/matterai/.ssh/id_ecdsa
debug1: Trying private key: /home/matterai/.ssh/id_ed25519
debug1: No more authentication methods to try.
[email protected]: Permission denied (publickey).
I am playing around it few days and I still can't get what am I doing wrong. Its so strange: I can ssh -A
(to allow forwarding) to my bastion, I can ssh
to my private instance from bastion. But I cant establish SSH tunnel to see my webpage (in the future it will be mongodb) without an error. Need some advice or point to the right direction, please! Thank you.
UPD#1
Ok then. If I make manual forwarding using my local machine and my bastion, I get an expected result. Basically it means run this command on bastion:
ubuntu@bastion: ssh -v -N -L 5000:localhost:8000 [email protected]
After that runs command on local/home machine:
matterai@homepc: ssh -v -N -L 5000:localhost:5000 [email protected]
When I make a request to localhost:5000
on my local machine, I can see the result page. May I and how if it's possible to combine this two commands? (spoiler: yes, it's possible: see the answer!)