Securely Connecting to EC2 Windows Instances Using SSH Port Forwarding
Introduction
SSH port forwarding allows you to securely access an EC2 Windows instance in a private subnet through a bastion host in a public subnet. The RDP traffic travels inside the encrypted SSH session between your local machine and the bastion host, so the Windows instance never needs to be reachable from the internet.
Creating a Private Subnet
Create a private subnet in your VPC. If you already have one, you can skip this step.
Configuring a Route Table
- Create a route table and associate it with the private subnet.
- Ensure this route table has no route to an internet gateway, so the subnet stays private.
Setting Up a NAT Gateway (Optional)
If your EC2 Windows instance needs internet access, create a NAT gateway in a public subnet and attach it to the route table.
Deploying an SSH Bastion Host
- Launch an EC2 instance in a public subnet to serve as the bastion host.
- Configure the security group to allow inbound traffic on ports 22 (SSH) and 3389 (RDP).
Creating an EC2 Windows Instance
- Launch an EC2 Windows instance in the private subnet.
- Retrieve the remote desktop credentials using the Get Windows Password option in the EC2 dashboard.
- Restrict the security group to allow inbound traffic on ports 22 and 3389 only from the bastion host.
Testing the Connection
To establish a secure connection to the EC2 Windows instance, execute the following command from your terminal:
ssh -i <YOUR_PRIVATE_KEY> -L 13389:<YOUR_EC2_WINDOWS_IP>:3389 ec2-user@<YOUR_SSH_BASTION_IP>
This command forwards connections made to local port 13389 through the bastion host to port 3389 (RDP) on the EC2 Windows instance in the private subnet.
Now, initiate a remote desktop session using localhost:13389.
Conclusion
By leveraging SSH port forwarding, AWS users can securely connect to EC2 Windows instances located in private subnets while minimizing exposure to public access. This method provides an efficient and cost-effective way to maintain secure access within your AWS environment.
Happy Coding! 🚀