1
votes

I created an Elastic Beanstalk environment from Visual Studio and need to log in to service the underlying EC2 VM.

I don't have any credentials for the server, so I wanted to use EC2 Instance Connect.

When I click connect, I get an error message:

We were unable to connect to your instance. Make sure that your instance’s network settings are configured correctly for EC2 Instance Connect. For more information, see Task 1: Configure network access to an instance.

Following the link, I found the instructions:

  • Ensure that the security group associated with your instance allows inbound SSH traffic on port 22 from your IP address or from your network.
  • (Amazon EC2 console browser-based client) We recommend that your instance allows inbound SSH traffic from the recommended IP block published for the service. Use the EC2_INSTANCE_CONNECT filter for the service parameter to get the IP address ranges in the EC2 Instance Connect subset.

How do I connect to the Elastic Beanstalk underlying EC2 via EC2 Instance Connect?

What I've tried:

I created a new security group that contains my client IP address, but that didn't work, which makes sense, as it's the EC2 Instance Connect app running in the Console making the SSH connection, not my local machine.

Also looked at the IP ranges JSON file (https://ip-ranges.amazonaws.com/ip-ranges.json), but not sure what to do with that.


2
Marcin: "my client IP address" - it must be much more than your IP address, as the connection will come from AWS servers, not your home/work. The easiest way is to use 0.0.0.0/0.

Philip Pittle: I tried it with 0.0.0.0/0 and it did work!! But that allows access from any host? I'd rather not have my firewall open that much, and my ops guys would probably agree. Is there a way to open it to just the AWS Console?

2 Answers

4
votes

I misunderstood the Set up EC2 Instance Connect instructions. This support article had clearer instructions: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-instance-connect-troubleshooting/

Browser-based SSH connections require that your instance's security group inbound rules allow EC2 Instance Connect access to SSH on TCP port 22.

The key was to find the IP range for EC2 Instance Connect and then create a security group to whitelist that IP range.

The EC2 Instance Connect IP range can be retrieved via PowerShell by using Get-AWSPublicIpAddressRange (or curl). For us-west-2:

> Get-AWSPublicIpAddressRange -Region us-west-2 -ServiceKey EC2_INSTANCE_CONNECT | select IpPrefix


IpPrefix
--------
18.237.140.160/29

Once I configured my Security Group to use that Source I could connect.


2
votes

Generally a better way than using EC2 Instance Connect is through SSM Systems Manager. It does not require opening any inbound ports. Instead you should add/modify your instance role to allow SSM to work. What's more, you can control access to your instance using regular IAM permissions, unlike with EC2 Instance Connect.

Connection through SSM is in the same menu in the AWS console as EC2 Instance Connect. Thus, once you set up your instance role, wait a few minutes for the instance to register with SSM, and once this happens you should be able to use SSM Systems Manager to connect to your instance from the console.

Regarding the EC2 Instance Connect IP range: I don't know which published range applies only to EC2 Instance Connect. You would probably have to filter it by region and then find one which works. In the worst-case scenario it's a try-and-see approach.
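The filtering that the accepted answer does with Get-AWSPublicIpAddressRange, and that the second answer says would have to be done "by region", can be done directly against ip-ranges.json. The following is an added example, not code from either answer: it filters the published prefixes by service and region and builds a port-22 ingress rule that refuses broad sources such as 0.0.0.0/0. The sample document is constructed to mirror the real file's layout; only the us-west-2 prefix comes from the answer above, the other entries are made up.

```python
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"


def fetch_ip_ranges(url=IP_RANGES_URL):
    """Download the live ip-ranges.json (needs network access; not used by the sample below)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def instance_connect_prefixes(ranges, region, service="EC2_INSTANCE_CONNECT"):
    """Return the IPv4 prefixes published for `service` in `region`, sorted."""
    return sorted(
        p["ip_prefix"]
        for p in ranges.get("prefixes", [])
        if p["service"] == service and p["region"] == region
    )


def ingress_rule(prefixes, port=22, max_span=16):
    """Build the IpPermissions entry that `aws ec2 authorize-security-group-ingress` accepts.

    Any prefix shorter than /max_span is rejected, so a 0.0.0.0/0 "fix" never
    ends up in the rule by accident.
    """
    ip_ranges = []
    for cidr in prefixes:
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen < max_span:
            raise ValueError(f"refusing overly broad source {cidr}")
        ip_ranges.append({"CidrIp": cidr, "Description": "EC2 Instance Connect"})
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ip_ranges}


# Constructed sample in the shape of ip-ranges.json; the us-west-2 EC2_INSTANCE_CONNECT
# prefix is the one the accepted answer found, the rest are placeholders.
SAMPLE_RANGES = {
    "syncToken": "0",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "18.237.140.160/29", "region": "us-west-2", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-west-2"},
        {"ip_prefix": "203.0.113.0/29", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-west-2", "service": "EC2", "network_border_group": "us-west-2"},
    ],
}

if __name__ == "__main__":
    cidrs = instance_connect_prefixes(SAMPLE_RANGES, "us-west-2")
    print(json.dumps(ingress_rule(cidrs), indent=2))
```

For the live file, replace SAMPLE_RANGES with fetch_ip_ranges() and feed the resulting rule to the AWS CLI or SDK; re-run it periodically, since the published ranges change.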