Amazon EC2 Instance Connect - CLI error

0

I have followed all the instructions to connect to my EC2 instance Private IP (No Public IP) as described here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html#connect-linux-inst-eic-cli-ssh

It always ends with the following error -

Websocket Closure Reason: Unable to connect to target kex_exchange_identification: Connection closed by remote host Connection closed by UNKNOWN port 65535

Any help will be highly appreciated.

KrisL
posta 2 mesi fa246 visualizzazioni
5 Risposte
0
Risposta accettata

Steve - I think you hit the nail on the head. I had to set the preserveClientIp to true and after that everything works as expected.

Thanks you!

KrisL
con risposta 2 mesi fa
profile picture
ESPERTO
verificato 2 mesi fa
0

Hello.

As mentioned in the prerequisites, are you using an OS supported by EC2 Instance Connect?
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-prerequisites.html

  • AL2023
  • Amazon Linux 2 2.0.20190618 or later
  • macOS Sonoma 14.2.1 or later
  • macOS Ventura 13.6.3 or later
  • macOS Monterey 12.7.2 or later
  • Ubuntu 20.04 or later

By the way, you need to install EC2 Instance Connect for the following OS.

EC2 Instance Connect is not preinstalled on the following AMIs, but you can install it on instances that are launched using the following AMIs:

  • Amazon Linux 2 prior to version 2.0.20190618
  • CentOS Stream 8 and 9
  • macOS Sonoma prior to 14.2.1, Ventura prior to 13.6.3, and Monterey prior to 12.7.2
  • Red Hat Enterprise Linux (RHEL) 8 and 9
  • Ubuntu 16.04 or 18.04
profile picture
ESPERTO
con risposta 2 mesi fa
profile picture
ESPERTO
verificato 2 mesi fa
0

I created a new Ubuntu instance from amazon/ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240301 So I am guessing that "EC2 Instance Connect" is already available.

Also when I run the aws command with --debug I see that eventually it figures out the InstanceConnectEndpointId and adds the appropriate options to the ssh command. Here are some of the details from the debug output -

debug1: Executing proxy command: exec aws ec2-instance-connect open-tunnel --instance-id REDACTED --private-ip-address 10.0.1.246 --remote-port 22 --instance-connect-endpoint-id eice-REDACTED --instance-connect-endpoint-dns-name eice-REDACTED-instance-connect-endpoint.us-east-1.amazonaws.com

debug1: identity file ....

Finally the same error that I posted in the original post

Websocket Closure Reason: Unable to connect to target kex_exchange_identification: Connection closed by remote host Connection closed by UNKNOWN port 65535

KrisL
con risposta 2 mesi fa
0

Thanks for helping here. My Inbound rules for the security group attached to this eice endpoint allow SSH traffic on port 22 from my specific IP. From the documentation link that you posted, I guess I am using the "Allow inbound traffic from the client IP address.". I dont have any restrictions on the Outbound rules for this security group.

SG Inbound rules

KrisL
con risposta 2 mesi fa
0

There are two separate security groups that have be considered here.

The security group associated with the instance endpoint (not the instance itself) should allow inbound from the client IP address, and outbound to all (actually you can tighten up the outbound rule to just the CIDR range of the VPC) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eice-security-groups.html#eice-security-group-rules

The security group associated with the instance itself (not the endpoint) needs at least two inbound rules, the first of which the source is the EC2 Instance Connect Endpoint security group.

And a second rule whose setting is dependent on the value of Preserve Client IP (this is a value you would have set when you created the endpoint, the default is that the box is unchecked and so the parameter is set to false)

Enter image description here

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eice-security-groups.html#resource-security-group-rules

  • if preserveClientIp is false (the default) then the security group associated with the instance must allow inbound traffic from the VPC CIDR.
  • if preserveClientIp is true then allow inbound traffic from the client IP address.

Also worth noting here that, depending on the EC2 instance type, you may not have a choice https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-using-eice.html#ec2-instance-connect-endpoint-limitations

The following instance types do not support client IP preservation: C1, CG1, CG2, G1, HI1, M1, M2, M3, and T1. If you are using these instance types, set the preserveClientIp parameter to false

profile picture
ESPERTO
Steve_M
con risposta 2 mesi fa
profile picture
ESPERTO
verificato 2 mesi fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande