I'm attempting to scp to an EC2 inside a VPC and getting timed out.
Established facts:
I can ssh into the VPC itself - the keypair works and the instance subnet is open to the internet.
The folder I'm attempting to transfer to on the EC2 has permissions 700
The command I'm running is:
scp -i mykey.pem dumbtest.txt ubuntu@ec2-<my-ip>.compute-1.amazonaws.com:/home/ubuntu
Are there additional steps I need to take to scp into EC2 instances in a VPC?
Please help! I've spent multiple days trying to ssh into my EC2 instance.
I'd been able to do this for the first 24 or so hours. Then as I was adding dependencies to my instance I got booted. Now I'm unable to get back in. At one point my Public DNS changed but I've accounted for this.
My security groups, VPCs, internet gateways, route tables, subnets, firewall, etc. seem to all be in order too.
What is the issue here? Please advise!
Test connectivity to SSH
Create another EC2 instance in the same subnet of the target EC2.
Make sure the egress rule allows all outbound traffic, and inbound on port 22.
Copy the SSH private key to ~/.ssh/ and make sure to remove group/other rw permissions.
Install telnet or nc if not installed in the new EC2.
Test the connectivity to the target EC2 from the new EC2.
telnet ${TARGET_HOST_IP} 22
If this works and you can connect, then the SSH server is up and running. If not, the SSH server is not running, or port 22 is not open.
If the SSH server is down, there are a few ways to try to fix it.
See User is reporting that they're unable to SSH into an EC2 instance in AWS?
for options such as mounting the root EBS volume on another EC2 instance, or using user data to reconfigure.
Login to EC2 from EC2 console
Connect Using the Browser-based Client
If you can log in, then make sure the SSH server is up and running. Then make sure ~/.ssh/authorized_keys has the public key. Check /var/log/auth or /var/log/security to see whether the login is denied when you try to ssh into the EC2 instance from outside.
Clone to investigate or to replace
If you can, shut down the EC2 instance, take an EBS snapshot of the root volume, then mount it on another EC2 instance you can SSH into, and investigate dmesg and the /var/log files for any errors that may prevent SSH connections. Verify the ssh server configuration and the ~/.ssh/ files.
Or simply copy the contents you need from the EBS snapshot to a new EC2 instance and replace the original one with the new one.
AWS is clear that to create a snapshot of the root EBS volume, the instance needs to be shut down. Otherwise the integrity of the snapshot is not assured.
Update
To restore the SSH public key or the permissions of the ~/.ssh folder, also see User is reporting that they're unable to SSH into an EC2 instance in AWS?
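The checks in the answer above (key file permissions, "telnet host 22", authorized_keys contents, and the auth log) can be scripted so they run the same way from the laptop or from the helper instance in the same subnet. The script below is an added example, not code from the answer or from AWS; the host name, key path and environment variable names are assumptions, and the sshd log lines it ships with are constructed samples, not logs from a real instance.

```bash
#!/usr/bin/env bash
# Added example, not from the original answers: offline-checkable helpers for
# the steps above (key permissions, port 22 reachability, authorized_keys,
# auth-log review). Host names, key paths and log lines are assumptions.
set -u

# ssh rejects a private key that is group/other readable ("UNPROTECTED
# PRIVATE KEY FILE!"). Returns 0 only for mode 600 or 400.
check_key_perms() {
  key="$1"
  [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
  # GNU/busybox stat first, BSD/macOS stat as fallback
  mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$key has mode $mode, want 600 (chmod 600 \"$key\")" >&2; return 1 ;;
  esac
}

# The "telnet host 22" step without telnet: nc if installed, else bash's
# /dev/tcp. Non-zero means nothing answered on the port (sshd not running,
# security group / NACL blocking, or wrong IP). It says nothing about keys.
check_port() {
  host="$1"; port="$2"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$host" "$port" >/dev/null 2>&1
  else
    timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# Is the key pair's public half in the target's authorized_keys? Match on the
# base64 blob (field 2 of the .pub file) only: the comment field often differs
# between copies, and an options prefix ("no-pty ssh-ed25519 ...") shifts columns.
check_authorized_key() {
  pub="$1"; auth="$2"
  blob=$(awk 'NR == 1 { print $2 }' "$pub")
  [ -n "$blob" ] || { echo "cannot read key blob from $pub" >&2; return 1; }
  grep -qF -- "$blob" "$auth"
}

# Count sshd rejections in an auth log (Ubuntu: /var/log/auth.log,
# Amazon Linux: /var/log/secure). "Authentication refused: bad ownership or
# modes" is the classic result of a wrong chmod on ~/.ssh on the instance.
count_sshd_failures() {
  grep -cE 'sshd\[[0-9]+\]: (Authentication refused|Connection closed by authenticating user|Invalid user|Failed publickey)' "$1" || true
}

# Constructed sample log (not real data) so the scan can be tried offline.
sample_auth_log() {
  cat > "$1" <<'EOF'
Apr  8 10:01:02 ip-10-0-1-23 sshd[1422]: Authentication refused: bad ownership or modes for directory /home/ubuntu/.ssh
Apr  8 10:01:02 ip-10-0-1-23 sshd[1422]: Connection closed by authenticating user ubuntu 203.0.113.7 port 51234 [preauth]
Apr  8 10:02:00 ip-10-0-1-23 sshd[1430]: Accepted publickey for ubuntu from 203.0.113.7 port 51240 ssh2: ED25519 SHA256:constructed
Apr  8 10:03:11 ip-10-0-1-23 sshd[1440]: Invalid user admin from 198.51.100.9 port 40000
EOF
}

# Run against a real target only when TARGET_HOST is set (assumed names), e.g.
#   TARGET_HOST=10.0.1.23 KEY=~/.ssh/mykey.pem bash check_ssh.sh
if [ -n "${TARGET_HOST:-}" ]; then
  check_key_perms "${KEY:-$HOME/.ssh/mykey.pem}" && echo "key permissions ok"
  if check_port "$TARGET_HOST" "${PORT:-22}"; then
    echo "port ${PORT:-22} open on $TARGET_HOST, sshd is listening"
  else
    echo "port ${PORT:-22} closed on $TARGET_HOST: check sshd, security group, NACL" >&2
  fi
fi
```

A successful check_port only proves a listener answered; a key that is not in authorized_keys, or a ~/.ssh directory with the wrong mode, still fails at authentication, which is what the authorized_keys and auth-log functions are for once you have console access to the instance.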
I created a Cluster and an Instance of DocumentDB in amazon. When I try to connect to my Local SSH (MacOS) it displays the following message:
When I try for the MongoDB Compass Community:
mongodb://Mobify:<My-Password>@docdb-2019-04-07-23-28-45.cluster-cmffegva7sne.us-east-2.docdb.amazonaws.com:27017/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0
It loads for many minutes and in the end gives this result:
After solving this problem, I would like to know if it is possible to connect a DocumentDB cluster to an instance in another availability zone ... I have my DocumentDB in Ohio and I have an EC2 in São Paulo ... is it possible?
Amazon DocumentDB clusters are deployed in a VPC to provide strong network isolation from the Internet. To connect to your cluster from outside of the VPC, please see the following: https://docs.aws.amazon.com/documentdb/latest/developerguide/connect-from-outside-a-vpc.html
AWS DocumentDB is hosted in a VPC (virtual private cloud) which has its own specific subnets and security groups; basically, anything that resides in a VPC is not publicly accessible.
DocumentDB is deployed in a VPC. In order to access it, you need to create an EC2 instance or an AWS Cloud9 environment.
Let's access it from the EC2 instance, reaching DocumentDB over an SSH tunnel.
Create an EC2 instance (preferably Ubuntu) of any configuration and select the same VPC in which your DocumentDB cluster is hosted.
After the EC2 instance is fully initialized, start an SSH tunnel that binds local port 27017 to port 27017 on the DocumentDB cluster host.
ssh -i "<ec2-private-key>" -L 27017:docdb-2019-04-07-23-28-45.cluster-cmffegva7sne.us-east-2.docdb.amazonaws.com:27017 ubuntu@<ec2-host> -N
Now your localhost is tunnelled to the EC2 instance on port 27017. Connect with mongosh or mongo, enter your cluster password, and you will be logged in and able to execute queries.
mongosh --sslAllowInvalidHostnames --ssl --sslCAFile rds-combined-ca-bundle.pem --username Mobify --password
Note: the ssl options will be deprecated. Use tls: just replace ssl with tls in the above command.
I've been going at this problem for a couple of hours and maybe it's not possible, maybe it is.
I have a VPC in AWS with a couple of EC2 instances and Lambda functions.
As of right now, the Lambda can invoke, ssh and so on to the EC2 server without a problem.
My Lambdas use a security group with only HTTP, HTTPS and SSH in "Outbound".
My EC2 default security group only accepts 22 inbound (from my Lambda security group AND my office IP).
If I create an EC2 instance in my public subnet, both I and my Lambda functions can access it through ssh.
If I create it in my PRIVATE subnet, my Lambdas can ssh but I CAN'T...
Do I really have to have a NAT server in order to achieve this?
TL;DR: only my office and my Lambdas should have access to my EC2 instances.
The 1st option to consider for SSH access to EC2 instances is EC2 Instance Connect, which allows you to control access to your EC2 instances using IAM and provides access from either the AWS console or your regular command-line SSH tools.
The 2nd option is AWS Systems Manager Session Manager for shell access to EC2 instances. You basically run an SSH session in your browser, and it can target all EC2 instances, regardless of public/private IP or subnet. EC2 instances have to be running an up-to-date version of the SSM Agent and must have been launched with an appropriate IAM role (including the key policies from AmazonEC2RoleForSSM). No need for a bastion host or firewall rules allowing inbound port 22.
The 3rd option to consider is AWS Systems Manager Run Command, which allows you to run commands remotely on your EC2 instances. It's not interactive like SSH, but if you simply want to run a sequence of scripts then it's very good. Again, the instance has to be running the SSM Agent and have an appropriate IAM policy, and this option avoids the need to tunnel through bastion hosts.
Finally, if you really must SSH from your office laptop to an EC2 instance in a private subnet, you can do so via a bastion host. You need a few things:
IGW and NAT in the VPC
bastion host with public IP in the VPC's public subnet
security group on the bastion allowing inbound SSH from your laptop
a default route from the private subnet to the NAT
security group on the private EC2 instance that allows inbound SSH from the bastion
Then you have to tunnel through the bastion host. See Securely Connect to Linux Instances Running in a Private Amazon VPC for more.
Create a Bastion host.
This would be a public EC2 instance in a public subnet, having the same security group as your private EC2 instance.
Ensure that traffic within the security group is allowed. You can do this by creating an inbound rule for your security group.
Now on Windows 10, you can run the following through your command prompt:
ssh -i your_private_key.pem ec2-user@private_ip -o "ProxyCommand ssh -W %h:%p -i your_private_key.pem ec2-user@public_ip"
Replace the following 3 things in the command posted above:
your_private_key
private_ip
public_ip
You can refer to this: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
You will have to use NAT Gateway to access anything in the Private Subnet.
I have two instances
1. Bastion host instance
2. Amazon linux instance.
I can log in to the bastion host instance and have added the key of the other Amazon Linux instance to which I want to allow ssh access, but when I try to run the command on the bastion host instance it doesn't work. The security groups of both EC2 instances, the bastion host and the Amazon Linux instance, have inbound traffic set to allow all; moreover, the VPC and subnet are also set up with a proper internet gateway.
ssh -A ec2-user@ip
Can any one tell what am i missing?
You have to use the path to the key of the instance you are trying to connect to, with "-i" instead of "-A". Check the command below.
ssh -i /path-to-key/key.pem ec2-user@ip
You can run ssh in verbose mode (-v) to see whether the relevant key is being used, or if there is any other issue:
ssh -v -A ec2-user@ip
Also, is the IP in use the instance's private IP address?
You have to use the private key of the EC2 instance to log in to it from the bastion host instance. You have to set the pem file to have permissions of 600. You can also rename key-file.pem to key-file just to avoid drawing unwanted attention to it. So the command would be:
ssh -i /path_to_key-file/key-file ec2-user@ec2_instance_ip
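The three access patterns discussed above (the bastion hop from the "Create a Bastion host" answer and the -A versus -i exchange, the DocumentDB port forward from the SSH-tunnelling answer, and the Session Manager route from the "1st/2nd/3rd option" answer) fit in one ~/.ssh/config. The file below is an added example, not configuration from any of the answers or from AWS documentation beyond the Session Manager ProxyCommand, which is the form AWS publishes. Host aliases, IP addresses, DNS names and key file names are placeholders; the DocumentDB endpoint is the one from the question. With ProxyJump the laptop authenticates to both hops itself, so neither copying key.pem onto the bastion nor ssh -A agent forwarding is needed, and the instance key never leaves the laptop.

```sshconfig
# ~/.ssh/config (added example; all hosts, keys and addresses are placeholders)

# Bastion in the public subnet: the only host whose security group allows
# inbound 22 from the office IP.
Host bastion
    HostName ec2-198-51-100-10.compute-1.amazonaws.com
    User ec2-user
    IdentityFile ~/.ssh/bastion-key.pem
    IdentitiesOnly yes

# Instance in the private subnet, reached through the bastion. Its security
# group allows inbound 22 only from the bastion's security group. Both keys
# stay on the laptop; no key copying and no agent forwarding.
Host app-private
    HostName 10.0.2.15
    User ec2-user
    IdentityFile ~/.ssh/app-key.pem
    IdentitiesOnly yes
    ProxyJump bastion

# DocumentDB: forward local 27017 through the EC2 instance in the cluster's
# VPC. The forward destination is resolved by sshd on the EC2 side, so the
# VPC-private cluster DNS name works even though the laptop cannot resolve it.
Host docdb-tunnel
    HostName ec2-198-51-100-20.us-east-2.compute.amazonaws.com
    User ubuntu
    IdentityFile ~/.ssh/ec2-private-key.pem
    IdentitiesOnly yes
    LocalForward 27017 docdb-2019-04-07-23-28-45.cluster-cmffegva7sne.us-east-2.docdb.amazonaws.com:27017
    ExitOnForwardFailure yes

# Session Manager: "ssh i-0123456789abcdef0" with no inbound 22 rule at all.
# Needs the AWS CLI and session-manager-plugin locally, and an instance
# profile with the SSM permissions on the target.
Host i-* mi-*
    User ec2-user
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
```

Usage: ssh app-private, or scp dumbtest.txt app-private:/home/ec2-user/ (scp resolves the alias and the ProxyJump the same way, which is how the scp from the first question works against a private-subnet instance). For the cluster, run ssh -N docdb-tunnel in one terminal and then mongosh --tls --tlsCAFile rds-combined-ca-bundle.pem --tlsAllowInvalidHostnames --username Mobify --password in another; the hostname check has to be relaxed because the cluster certificate names the cluster endpoint, not localhost. The one-off equivalent of the app-private stanza is ssh -J ec2-user@ec2-198-51-100-10.compute-1.amazonaws.com ec2-user@10.0.2.15.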
I am following instructions on:
https://github.com/GoogleCloudPlatform/kubernetes/blob/master/docs/getting-started-guides/coreos/coreos_multinode_cluster.md
I am trying to launch a master with the master.yaml file as user data. I am able to launch the instance in EC2 successfully, but I can't seem to ssh to it via the AWS ssh key..
backend-service viralcarpenter$ ssh -i ~/Downloads/viral-kubernetes-acad-key.pem core@54.153.63.240
core@54.153.63.240's password:
Is there something that i am missing?
You need to have a key pair configured in your EC2 region and specify it when creating the instance in order to be able to SSH into it.
--key-name <keypair>