
My "problem":

I want to connect to my DocumentDB via an SSH tunnel. I'm not sure if it's possible, but I wanted to give it a try.

What's keeping me from doing it:

I can't wrap my head around forwarding the DocumentDB port while supplying both my EC2 pem file as well as that of the DB (generic RDS pem).

My setup:

I've set up my infrastructure in ECS Fargate, connecting to a DocumentDB. The only ports made available to the public are 80 and 443 (80 re-routes to 443) and I want to keep it that way. I've set up an EC2 instance (no outgoing routes) that I power up when needed to connect via AWS SSM (and I want to keep it that way).

The EC2 Instance is an Amazon Linux 2 AMI.

Now I have set up a ProxyCommand in my ~/.ssh/config file to connect via SSH through SSM without having a port opened.

# --- SSH over AWS Session Manager ---
host i-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"

That's working as expected and I am able to connect via SSH and copy files from and to the EC2 instance via SCP. I can use this SSH connection (or the unaltered AWS SSM connection) to access my DocumentDB via the mongo shell, but now I'm asking myself if it would be possible to open an SSH tunnel to it.

What I've tried:

ssh -L 8022:my-document-db-instance.amazonaws.com:27017 ssm-user@i-ec2-instance -i ~/.ssh/ec2-instance.pem -v

The SSH tunnel to the EC2 instance has been created successfully (at least it seems so) and it's not showing any errors, but I can't connect to the database via Robo3T (or mongoshell). I suspect opening the connection in the tunnel is wrong, but I've got no clue how to start it.

I've tried opening a tunnel to the EC2 instance, then tunneling from there via Robo3T, but that didn't work either (partially because I don't know which port to connect to on the EC2).

I have to admit I'm not the Linux admin I'd like to be.

You are timing out or getting some other errors? - Marcin
I don't think so, at least I'm not seeing any error messages. I've been trying: ssh -N -L 27018:localhost:27017 ssm-user@i-0abe…3a1 -i ~/.ssh/sos-key-dev.pem -v and received an error: channel 2: open failed: connect failed: Connection refused debug1: channel 2: free: direct-tcpip: listening port 27018 for localhost port 27017, connect from 127.0.0.1 port 58127 to 127.0.0.1 port 27018, nchannels 3 And it seems I'm not able to format in here. - Ben
To be honest, I barely have any clue on what I'm doing here (with the tunneling) and I'm just shooting at anything I can think of trying to get it working. - Ben
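The following is an added example and not code from the question or its comments. It uses the SSM ProxyCommand the question already has in ~/.ssh/config for i-* hosts, opens a local forward whose destination is the DocumentDB endpoint as the bastion resolves it (forwarding to localhost:27017 points at the instance itself, where nothing listens, which is exactly the "Connection refused" seen in the comments), waits for the local end to listen, and then shows what a client has to add on top of the tunnel. The two pem files belong to different layers: the EC2 key authenticates the SSH hop (-i), while the RDS/DocumentDB pem is a CA bundle the database client uses to verify the cluster's TLS certificate. Because that certificate names the cluster endpoint and the client is connecting to 127.0.0.1, the client must also be told to accept the hostname mismatch. The instance ID, key path, CA bundle path and local port are placeholders; the endpoint is the one from the question.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.  Opens an SSH tunnel to
# DocumentDB through the SSM ProxyCommand configured for i-* hosts in
# ~/.ssh/config, waits until the local end is listening, and builds the
# client arguments needed on top of the tunnel.  All values below are
# placeholders (assumptions) except DOCDB_HOST, the endpoint from the post.
set -u

INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"                 # hypothetical
DOCDB_HOST="${DOCDB_HOST:-my-document-db-instance.amazonaws.com}"
DOCDB_PORT=27017
LOCAL_PORT="${LOCAL_PORT:-27018}"
SSH_USER="${SSH_USER:-ec2-user}"
SSH_KEY="${SSH_KEY:-$HOME/.ssh/ec2-instance.pem}"              # EC2 key: authenticates the SSH hop
CA_BUNDLE="${CA_BUNDLE:-$HOME/rds-combined-ca-bundle.pem}"     # RDS CA bundle: verifies the DB's TLS cert
CTL_SOCK="${TMPDIR:-/tmp}/docdb-tunnel-$INSTANCE_ID.sock"      # control socket, so the tunnel can be torn down

# host port -> 0 if a TCP connection can be established (bash /dev/tcp, no extra tools)
port_open() {
  if command -v timeout >/dev/null 2>&1; then
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
  else
    bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
  fi
}

# host port seconds -> 0 once the port accepts connections, 1 after the deadline
wait_for_port() {
  n=$3
  while [ "$n" -gt 0 ]; do
    port_open "$1" "$2" && return 0
    n=$((n - 1)); sleep 1
  done
  return 1
}

# The forward's destination is the DocumentDB endpoint as resolved *on the bastion*.
# Forwarding to localhost:27017 would point at the instance itself, where nothing
# listens, and fail with "connect failed: Connection refused".
open_tunnel() {
  ssh -M -S "$CTL_SOCK" -f -N \
      -L "127.0.0.1:$LOCAL_PORT:$DOCDB_HOST:$DOCDB_PORT" \
      -i "$SSH_KEY" "$SSH_USER@$INSTANCE_ID"
}

close_tunnel() { ssh -S "$CTL_SOCK" -O exit "$INSTANCE_ID"; }

# DocumentDB has TLS enabled by default and its certificate names the cluster
# endpoint, so a client talking to 127.0.0.1 must trust the RDS CA bundle and
# explicitly accept the hostname mismatch.  (mongo 4.2+ / mongosh spelling;
# older mongo shells use --ssl, --sslCAFile and --sslAllowInvalidHostnames.)
mongo_args() {  # local-port ca-bundle
  printf '%s' "--host 127.0.0.1 --port $1 --tls --tlsCAFile $2 --tlsAllowInvalidHostnames"
}

case "${1:-}" in
  up)    open_tunnel && wait_for_port 127.0.0.1 "$LOCAL_PORT" 15 \
           && echo "tunnel ready: 127.0.0.1:$LOCAL_PORT -> $DOCDB_HOST:$DOCDB_PORT" ;;
  shell) # shellcheck disable=SC2046  (word splitting of the flag list is intended)
         exec mongo $(mongo_args "$LOCAL_PORT" "$CA_BUNDLE") --username "${DOCDB_USER:?set DOCDB_USER}" ;;
  down)  close_tunnel ;;
  *)     echo "usage: $0 up | shell | down" >&2 ;;
esac
```

Usage: `./docdb-tunnel.sh up`, then `DOCDB_USER=admin ./docdb-tunnel.sh shell` (the mongo shell prompts for the password), and `./docdb-tunnel.sh down` when finished. A GUI client such as Robo3T needs the same three things against 127.0.0.1:LOCAL_PORT: TLS enabled, the RDS CA bundle as the trusted CA, and hostname verification relaxed; without the last one the TLS handshake fails silently from the tunnel's point of view, which is why ssh -v shows no error.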

1 Answer


I faced a similar issue with port forwarding to RDS (MySQL) via AWS Session Manager. You may try the following options:

  1. Ensure that DocumentDB is up and running.
  2. Ensure that the security group attached to DocumentDB has inbound port 27017 open from the security group of the bastion host only.
  3. Ensure that the security group attached to the EC2 instance has outbound port 27017 open.
  4. Change localhost to the loopback address (127.0.0.1) when connecting via Robo3T.
  5. Use ec2-user instead of ssm-user.
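The following is an added example, not code from the answer above. It checks the answer's items 1 to 3 with the AWS CLI (cluster status, the DocumentDB security group's inbound rule for 27017 restricted to the bastion's group, and the bastion group's outbound rule), and adds one more check the answer implies: a TCP probe run on the bastion itself over the SSM ProxyCommand, which separates a VPC problem from a client-side one. The rule matcher is a pure function over the tab-separated text the describe-security-groups query emits, so it can be run offline on constructed input. Cluster identifier, security group IDs and instance ID are placeholders; the endpoint is the one from the question.

```shell
#!/usr/bin/env bash
# Added example, not code from the answer above.  Checks the answer's items 1-3
# with the AWS CLI and adds a probe run on the bastion itself; the rule-matching
# logic is a pure function so it can be fed constructed input offline.  Every
# identifier below is a placeholder (assumption) except DOCDB_HOST from the question.
set -u

CLUSTER_ID="${CLUSTER_ID:-my-docdb-cluster}"
DOCDB_SG="${DOCDB_SG:-sg-0docdb00000000000}"
BASTION_SG="${BASTION_SG:-sg-0bastion000000000}"
INSTANCE_ID="${INSTANCE_ID:-i-0123456789abcdef0}"
DOCDB_HOST="${DOCDB_HOST:-my-document-db-instance.amazonaws.com}"
PORT=27017

# Flatten one direction of a security group into one tab-separated rule per line:
#   FromPort  ToPort  IpProtocol  source/dest GroupIds (comma-joined)  CIDRs (comma-joined)
# The CLI prints "None" for unset ports (all-traffic rules use IpProtocol -1).
sg_rules() {  # group-id  IpPermissions|IpPermissionsEgress
  aws ec2 describe-security-groups --group-ids "$1" --output text \
    --query "SecurityGroups[0].$2[].[FromPort,ToPort,IpProtocol,join(',',UserIdGroupPairs[].GroupId),join(',',IpRanges[].CidrIp)]"
}

# Reads rules (shape above) on stdin.  With a group argument, succeeds only if
# TCP $1 is allowed for that group and for nothing else (another group or a
# CIDR); without one, succeeds if any rule covers TCP $1.
port_allowed() {  # port [group-id]
  awk -F'\t' -v port="$1" -v grp="${2:-}" '
    function covers(f, t, p) {
      if (p == "-1") return 1                              # all traffic
      if (p != "tcp" || f == "None" || f == "") return 0
      return (f + 0 <= port + 0 && port + 0 <= t + 0)
    }
    covers($1, $2, $3) {
      any = 1
      n = split($4, g, ",")
      for (i = 1; i <= n; i++) {
        if (g[i] == grp) found = 1
        else if (g[i] != "" && g[i] != "None") other = 1
      }
      if ($5 != "" && $5 != "None") other = 1
    }
    END { if (grp == "") exit !any; exit !(found && !other) }'
}

cluster_status() {
  aws docdb describe-db-clusters --db-cluster-identifier "$CLUSTER_ID" \
    --query 'DBClusters[0].Status' --output text
}

# Connect from the bastion itself (over the SSM ProxyCommand).  If this succeeds
# while the tunnel does not, the problem is on the client side (TLS settings,
# local port), not in the VPC.
reachable_from_bastion() {
  ssh "ec2-user@$INSTANCE_ID" "timeout 5 bash -c 'exec 3<>/dev/tcp/$DOCDB_HOST/$PORT'"
}

check_all() {
  [ "$(cluster_status)" = available ] \
    && echo "1. cluster $CLUSTER_ID is available" \
    || echo "1. cluster $CLUSTER_ID is NOT available"
  sg_rules "$DOCDB_SG" IpPermissions | port_allowed "$PORT" "$BASTION_SG" \
    && echo "2. $DOCDB_SG allows $PORT inbound from $BASTION_SG only" \
    || echo "2. $DOCDB_SG does not allow $PORT from $BASTION_SG only (check its inbound rules)"
  sg_rules "$BASTION_SG" IpPermissionsEgress | port_allowed "$PORT" \
    && echo "3. $BASTION_SG allows $PORT outbound" \
    || echo "3. $BASTION_SG blocks $PORT outbound"
  reachable_from_bastion \
    && echo "4. $DOCDB_HOST:$PORT is reachable from $INSTANCE_ID" \
    || echo "4. $DOCDB_HOST:$PORT is NOT reachable from $INSTANCE_ID"
}

if [ "${1:-}" = check ]; then check_all; fi
```

Run it as `./docdb-checks.sh check` with the real identifiers exported in the environment. Item 2 deliberately fails when 27017 is also open to a CIDR or to a second group, matching the answer's "from the bastion's security group only"; item 4 is the quickest way to tell whether the tunnel's destination is reachable at all before touching client TLS settings.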