Securely Connecting to EC2 Windows Instances Using SSH Port Forwarding

Takahiro Iwasa

Introduction

SSH port forwarding lets you securely reach an EC2 Windows instance in a private subnet through a bastion host in a public subnet. The RDP traffic travels inside the encrypted SSH session between your local machine and the bastion host, so the Windows instance itself is never exposed to the internet.

Architecture Diagram

Creating a Private Subnet

Create a private subnet in your VPC. If you already have one, you can skip this step.

Private Subnet

Configuring a Route Table

  1. Create a route table and associate it with the private subnet.

Route Table Configuration

  2. Make sure this route table has no route to an internet gateway; that is what keeps the subnet private.

Setting Up a NAT Gateway (Optional)

If your EC2 Windows instance needs internet access, create a NAT gateway in a public subnet and attach it to the route table.

NAT Gateway

Deploying an SSH Bastion Host

  1. Launch an EC2 instance in a public subnet to serve as the bastion host.
  2. Configure the security group to allow inbound traffic on ports 22 (SSH) and 3389 (RDP).

Creating an EC2 Windows Instance

  1. Launch an EC2 Windows instance in the private subnet.
  2. Retrieve the remote desktop credentials using the Get Windows Password option in the EC2 dashboard.
  3. Restrict security group access to allow inbound traffic on ports 22 and 3389 only from the bastion host.

EC2 Windows Security Group

Testing the Connection

To establish a secure connection to the EC2 Windows instance, execute the following command from your terminal:

ssh -i <YOUR_PRIVATE_KEY> -L 13389:<YOUR_EC2_WINDOWS_IP>:3389 ec2-user@<YOUR_SSH_BASTION_IP>

This command listens on local port 13389 and forwards anything sent there, through the SSH session to the bastion host, to port 3389 (RDP) on the EC2 Windows instance in the private subnet.

Now open a Remote Desktop session to localhost:13389.

Remote Desktop Connection
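The same tunnel as a small wrapper script, added here as an example rather than taken from the original article: it binds the forwarded port to loopback only, makes ssh fail loudly if the local port is already in use, and checks that the listener is really up before you open the RDP client. The key path, instance address, bastion address and the script name rdp-tunnel.sh are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original article). Wraps the article's ssh -L command
# in a script that starts the tunnel detached, binds the listener to loopback only,
# and confirms the local port is listening before the RDP client is used.
# Key path, instance IP and bastion IP are placeholders supplied by the caller.
set -eu

# -N: no remote shell, only the forward. -f: go to the background after authentication.
# ExitOnForwardFailure: fail instead of silently connecting when the local port is taken.
SSH_OPTS='-N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30'

# Print the exact command that will be run. Binding to 127.0.0.1 keeps the
# forwarded RDP port unreachable from other hosts on the workstation's network.
build_tunnel_cmd() {
  key="$1"; win_ip="$2"; bastion_ip="$3"; local_port="${4:-13389}"
  printf 'ssh -i %s %s -L 127.0.0.1:%s:%s:3389 ec2-user@%s' \
    "$key" "$SSH_OPTS" "$local_port" "$win_ip" "$bastion_ip"
}

# The Windows host lives in a private subnet, so its address must be RFC 1918;
# refuse anything else so the forward is never pointed at a public endpoint.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# Poll until something listens on the local forward port (uses bash's /dev/tcp).
wait_for_listener() {
  port="$1"; tries="${2:-20}"; i=0
  while [ "$i" -lt "$tries" ]; do
    if (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null; then return 0; fi
    i=$((i + 1)); sleep 0.5
  done
  return 1
}

main() {
  key="$1"; win_ip="$2"; bastion_ip="$3"; local_port="${4:-13389}"
  is_rfc1918 "$win_ip" || { echo "refusing non-private target $win_ip" >&2; exit 1; }
  echo "running: $(build_tunnel_cmd "$key" "$win_ip" "$bastion_ip" "$local_port")"
  # SSH_OPTS is intentionally left unquoted so it is split into separate arguments
  ssh -i "$key" $SSH_OPTS -L "127.0.0.1:$local_port:$win_ip:3389" "ec2-user@$bastion_ip"
  wait_for_listener "$local_port" || { echo "tunnel did not come up on 127.0.0.1:$local_port" >&2; exit 1; }
  echo "RDP is now reachable at 127.0.0.1:$local_port; point the Remote Desktop client there."
}

# Usage: ./rdp-tunnel.sh <private_key.pem> <windows_private_ip> <bastion_public_ip> [local_port]
if [ "$#" -ge 3 ]; then main "$@"; fi
```

Only port 22 to the bastion is used from the workstation; the bastion itself opens the RDP connection to the Windows host inside the tunnel.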

Conclusion

By leveraging SSH port forwarding, AWS users can securely connect to EC2 Windows instances located in private subnets while minimizing exposure to public access. This method provides an efficient and cost-effective way to maintain secure access within your AWS environment.

Happy Coding! 🚀

Takahiro Iwasa

Software Developer at KAKEHASHI Inc.
Involved in the requirements definition, design, and development of cloud-native applications using AWS. Now, building a new prescription data collection platform at KAKEHASHI Inc. Japan AWS Top Engineers 2020-2023.