Ansible + AWS Private hosts provisioning - amazon-web-services

I am trying to provision 2 ec2 instances on a private subnet using Ansible playbooks. My infrastructure includes:
Bastion Host on a public subnet
2 EC2 instances on 2 private subnets
NAT Gate for outgoing connections
Application Load Balancer
My question is how to run the Ansible playbook from localhost to affect the private instances. Can I SSH forward the playbook or does the playbook have to reside in the bastion host and then use the private IPs as hosts?

Create the ssh config file ~/.ssh/config and then add the following lines to it:
Host bastion
    HostName bastion_ip
    User bastion_user
    IdentityFile ~/.ssh/mykey.pem
Host private_instance
    HostName 10.0.0.11
    User private_ec2_user
    ProxyCommand ssh bastion -W %h:%p
    IdentityFile ~/.ssh/mykey.pem
My question is how to run the Ansible playbook from localhost to affect the private instances.
Now that you have configured the ssh config file, all you need to type is
ssh private_instance
This will create the SSH tunnel to your private instance; you do not need a complex or lengthy command to type every time.

Ansible allows the use of SSH configuration options, and ProxyCommand can come to the rescue when trying to forward the command from the bastion to private subnet hosts. Here is an example:
ssh -o ProxyCommand="ssh ubuntu@52.50.10.5 'nc 192.168.0.20 22'" ubuntu@nothing
The above command will, for example, first connect to 52.50.10.5 via SSH, and then open a socket to 192.168.0.20 on port 22. The socket connection (which is connected to the remote SSH server) is then passed to the original SSH client command invocation to utilize.
Source : https://spin.atomicobject.com/2016/05/16/ansible-aws-ec2-vpc/
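As an added example (not code from either answer or from the linked article), the script below resolves a constructed ssh config the way ssh itself does, first matching stanza wins per keyword, so you can confirm before running Ansible which hop chain, user and key a private host actually gets and that agent forwarding stays off. Host aliases, addresses and key paths are made up; it handles the single-alias ProxyJump form and plain `Keyword value` lines only.

```python
import fnmatch
# Constructed sample ssh_config, modelled on the stanza in the answer above.
SAMPLE_CONFIG = """\
Host bastion
    HostName 203.0.113.10
    User ec2-user
    IdentityFile ~/.ssh/bastion.pem
    IdentitiesOnly yes
Host app-*
    User ubuntu
    ProxyJump bastion
    IdentityFile ~/.ssh/private.pem
    IdentitiesOnly yes
Host app-1
    HostName 10.0.1.11
Host *
    User admin
    ForwardAgent no
"""

def parse_config(text):
    """Stanzas as (patterns, {keyword: value}) in file order; Match blocks not handled."""
    stanzas = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1] if len(parts) > 1 else ""
        if key == "host":
            stanzas.append((value.split(), {}))
        elif stanzas:
            stanzas[-1][1][key] = value
    return stanzas

def resolve(stanzas, alias):
    """Effective options as ssh -G shows them: the FIRST matching stanza wins per keyword."""
    opts = {}
    for patterns, kv in stanzas:
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in kv.items():
                opts.setdefault(key, value)
    return opts

def jump_chain(stanzas, alias):
    """Follow ProxyJump (single alias form) outward; returns [first_hop, ..., alias]."""
    chain = [alias]
    while (hop := resolve(stanzas, chain[-1]).get("proxyjump")) and hop not in chain:
        chain.append(hop)
    return chain[::-1]
```

Because the catch-all `Host *` sits last, it only supplies defaults; put it first and it would silently override every per-host User.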

Related

SSH tunnel to private EC2 instance using 2 different keypairs

My currently working SSH tunnel into a private EC2 instance's postgreSQL server is:
ssh -N -i my-keypair.pem -L 5555:10.1.22.67:5432 ec2-user@14.229.71.224
The keypairs were the same for both the bastion jump host and the private instance (my-keypair.pem).
However, now we use different keypairs, one for bastion host (my-keypair.pem) and another for private instance (my-different-keypair.pem). How can I amend the above SSH tunnel command, so that I can still use DBeaver to connect into postgreSQL on the private instance?

AWS EC2 instance unable to ssh remote server

I have 2 EC2 Ubuntu instances: Instance-A and Instance-B. Both instances' ufw shows inactive and they are in the same subnet of a VPC. Both instances' security groups allow all inbound and outbound traffic from anywhere, and they have identical ssh_config.
From command line of Instance-B, I can ssh to any of my SSH servers, either they are in the same VPC or non-AWS server.
However, from the command line of Instance-A, I can only ssh to Instance-A and Instance-B using their private IPs. I cannot ssh to either (even Instance-A itself) using their public IP. Neither can I log in to any non-AWS server. The error is 'connection timeout'.
How can I make Instance-A's ssh client work?
[added facts]
In Instance-A, I can ping google.com, A's public IP, B's public IP
ssh client used to work well in Instance-A. I don't know what has changed.

Accessing RDS through bastion host with port forwarding not working

I'm trying to establish a port forwarding to my RDS in a private subnet via a bastion host in a public subnet with the following command:
ssh -A -NL 3007:mydb3.co2qgzotzkku.eu-west-1.rds.amazonaws.com:3306 ubuntu@ec2-562243-250-177.eu-west-1.compute.amazonaws.com
but can't get a connection to the RDS instance.
The security group for the bastion host allows only SSH on port 22 from my IP,
and the security group for the RDS allows traffic from the bastion host's security group and SSH from my IP.
Besides that, the ACLs for the subnets are open to all TCP traffic.
Does anybody have a tip on what is missing to get the tunnel running?
merci A
I think you are missing ports 3306 and 3307. Allow those ports in both security groups and it will work.
As you said you are accessing the bastion via key pair, your new command must be:
ssh -N -L 3007:mydb3.co2qgzotzkku.eu-west-1.rds.amazonaws.com:3306 ubuntu@ec2-562243-250-177.eu-west-1.compute.amazonaws.com -i /path/to/key.pem
I would suggest removing -A from the command as it enables forwarding of the authentication agent connection. This can also be specified on a per-host basis in a configuration file.
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

ssh from my ec2 instance to my ec2 instance

Because I am running an application (Airflow) in a Python virtual environment on my EC2 instance and I want to run a command in my default Python environment on the same EC2 instance, I thought it was easier to ssh to my own instance and execute the command.
The problem I have is that I cannot connect to my own instance.
I added the security group ID of my EC2 instance to my inbound configuration (SSH on port 22) but this did not work.
It does work when I set my SSH inbound configuration on port 22 from anywhere, but I don't want to do that.
My outbound config allows all traffic.
If you are connecting from another EC2 instance in the same subnet, you'll want to allow the private IP of that EC2 instance, not your local address.

How to add ec2 instance user to bastion host?

I have two instances
1. Bastion host instance
2. Amazon linux instance.
I can log in to the bastion host instance and have added the key of the other Amazon Linux instance to which I want to allow SSH access, but when I try to run the command below in the bastion host instance it doesn't work. The security groups of both EC2 instances (bastion host instance and Amazon Linux instance) have inbound traffic set to allow all; moreover the VPC and subnet are also set up with a proper internet gateway.
ssh -A ec2-user@ip
Can anyone tell me what I am missing?
You have to use the path to the key of the instance you are trying to connect to, and "-i" instead of "-A"; check the command below.
ssh -i /path-to-key/key.pem ec2-user@ip
You can run ssh in verbose mode (-v) to see if the relevant key is getting used or if there is any other issue:
ssh -v -A ec2-user@ip
Also, is the IP in use the instance's private IP address?
You have to use the private key of the EC2 instance to log in to it from the bastion host instance. You have to set the pem file to have permissions of 600. Also you can rename the key-file.pem to key-file just to avoid any unwanted attention to it. So the command would be:
ssh -i /path_to_key-file/key-file ec2-user@ec2_instance_ip