How do I use Systems Manager Session Manager port forwarding without a bastion host to connect to my EC2 instance through RDP?


I want to connect my Amazon Elastic Compute Cloud (Amazon EC2) instance with Remote Desktop Protocol (RDP). I want to use AWS Systems Manager Session Manager port forwarding without a bastion host for this connection.


Port forwarding is a feature of Systems Manager Session Manager. It creates a tunnel between your local system and instances that are deployed in private subnets, with no inbound ports opened and no bastion host to maintain. The connection is initiated outbound by SSM Agent on the instance, so the instance only needs HTTPS access to the Systems Manager endpoints (through a NAT gateway or VPC interface endpoints), and each session is authorized by IAM and recorded in AWS CloudTrail. You can use this feature to connect to your Amazon EC2 Windows instances through RDP while keeping inbound access blocked on security groups.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.

Check the prerequisites

Before you start, confirm the following:

  • The EC2 instance is a managed node: SSM Agent is installed and running, the instance profile grants Systems Manager permissions (for example, the AmazonSSMManagedInstanceCore managed policy), and the instance can reach the Systems Manager endpoints over HTTPS. The instance must report as Online in the Systems Manager Fleet Manager console.
  • The IAM user or role that you use on your local computer is allowed to start sessions (ssm:StartSession) with the AWS-StartPortForwardingSession document on the target instance.
  • The AWS CLI and the Session Manager plugin for the AWS CLI are installed on your local computer.

Establish the connection

1.    Establish the port forwarding session from your local computer to the EC2 instance:

Run the following command on your local computer:

aws ssm start-session --target <instanceid> --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=55678,portNumber=3389"

This establishes a tunnel from port 55678 on your local computer to port 3389 (the RDP port) on the remote EC2 instance.

This command also assumes that the EC2 instance operating system is configured to accept RDP connections on the default port 3389. Replace the values for localPortNumber and portNumber with your values.

If your session connection is successful, then you get the following message:

Starting session with SessionId: xxxxx-01234567891011abc
Port 55678 opened for sessionId xxxxx-01234567891011abc
Waiting for connections...

2.    Use the tunnel to connect to the remote EC2 instance through RDP:

Using a local RDP client, connect to localhost:55678. The Session Manager plugin forwards that traffic through the session to port 3389 on the EC2 instance. Because the client connects to localhost rather than to the instance's hostname, the name on the instance's RDP certificate doesn't match and the client shows a certificate warning. Treat that prompt as you would any untrusted certificate: compare the presented thumbprint with the instance's RDP certificate instead of accepting it blindly.

After connecting to the RDP session, AWS CLI indicates that the connection is established over the tunnel with the following message:

Connection accepted for session [xxxxx-01234567891011abc]

3.    End the port forwarding session:

After you close the RDP session, press Ctrl + C in the AWS CLI window to end the port forwarding session. Or, you can end the session from the AWS Systems Manager console. Don't leave the tunnel open after you're done; an open session is a standing path to the instance's RDP port from your machine.

You see a message that's similar to the following:

Terminate signal received, exiting.  
Exiting session with sessionId: xxxxx-01234567891011abc.
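The three steps above, combined into one script, as an added example that is not part of the original article: it checks the local and remote prerequisites, runs the same aws ssm start-session command from step 1, waits for the plugin's "Port ... opened" line, hands the tunnel to the RDP client (mstsc on Windows, a prompt elsewhere), and then delivers the Ctrl+C from step 3 so the session is ended rather than left open. The function names, the script name, the instance ID in the sample output and the default local port 55678 are assumptions; the sample describe-instance-information JSON is constructed for offline testing.

```python
"""rdp_tunnel.py: open an SSM port-forwarding tunnel to an instance's RDP port,
hand it to an RDP client, and end the session when the client exits.

Added example wrapping the AWS CLI commands in the article. Assumes the AWS CLI
and the Session Manager plugin are on PATH and that your credentials allow
ssm:DescribeInstanceInformation and ssm:StartSession on the target.
"""
import json
import os
import platform
import re
import shutil
import signal
import subprocess
import sys

RDP_PORT = 3389
DOCUMENT = "AWS-StartPortForwardingSession"
# Matches the "Port 55678 opened for sessionId ..." line that the plugin prints.
OPENED_RE = re.compile(r"^Port (\d+) opened for sessionId (\S+)")

# Constructed sample of `aws ssm describe-instance-information --output json`
# with a hypothetical instance ID; used only to exercise ping_status() offline.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({"InstanceInformationList": [
    {"InstanceId": "i-0123456789abcdef0", "PingStatus": "Online", "PlatformType": "Windows"}]})


def build_start_session_cmd(instance_id, local_port, remote_port=RDP_PORT, region=None):
    """The start-session command from step 1, as an argument list for subprocess."""
    cmd = ["aws", "ssm", "start-session", "--target", instance_id,
           "--document-name", DOCUMENT,
           "--parameters", f"localPortNumber={local_port},portNumber={remote_port}"]
    if region:
        cmd += ["--region", region]
    return cmd


def ping_status(describe_output, instance_id):
    """PingStatus of the instance, or None if Systems Manager doesn't know it
    (the situation behind TargetNotConnected)."""
    for info in json.loads(describe_output).get("InstanceInformationList", []):
        if info.get("InstanceId") == instance_id:
            return info.get("PingStatus")
    return None


def parse_opened_port(line):
    """Local port announced by the plugin, or None for any other output line."""
    m = OPENED_RE.match(line.strip())
    return int(m.group(1)) if m else None


def missing_tools():
    """Local prerequisites that are not on PATH."""
    return [t for t in ("aws", "session-manager-plugin") if shutil.which(t) is None]


def check_managed_node(instance_id, region=None):
    """Fail early with a useful message instead of a bare TargetNotConnected."""
    cmd = ["aws", "ssm", "describe-instance-information", "--output", "json",
           "--filters", f"Key=InstanceIds,Values={instance_id}"]
    if region:
        cmd += ["--region", region]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    status = ping_status(out, instance_id)
    if status != "Online":
        sys.exit(f"{instance_id} is not Online in Systems Manager (status: {status}). "
                 "Check SSM Agent, the instance profile and the Systems Manager endpoints.")


def open_tunnel(instance_id, local_port, remote_port=RDP_PORT, region=None):
    """Start the session in its own process group (POSIX) and return the process
    once the plugin reports the local port open."""
    proc = subprocess.Popen(build_start_session_cmd(instance_id, local_port, remote_port, region),
                            stdout=subprocess.PIPE, stderr=subprocess.STDOUT, text=True,
                            start_new_session=platform.system() != "Windows")
    for line in proc.stdout:
        print(line, end="")
        if parse_opened_port(line) == local_port:
            return proc
    sys.exit(f"start-session exited ({proc.wait()}) before opening port {local_port}")


def end_tunnel(proc):
    """Step 3: deliver the equivalent of Ctrl+C to the CLI and the plugin."""
    if platform.system() != "Windows":
        os.killpg(os.getpgid(proc.pid), signal.SIGINT)  # whole group, as a terminal Ctrl+C would
    else:
        proc.terminate()  # or end the session from the Systems Manager console
    proc.wait(timeout=15)


def main(argv):
    if len(argv) < 2:
        sys.exit("usage: rdp_tunnel.py <instance-id> [local-port] [remote-port] [region]")
    instance_id, local_port = argv[1], int(argv[2]) if len(argv) > 2 else 55678
    remote_port = int(argv[3]) if len(argv) > 3 else RDP_PORT
    region = argv[4] if len(argv) > 4 else None
    if missing_tools():
        sys.exit("not found on PATH: " + ", ".join(missing_tools()))
    check_managed_node(instance_id, region)
    proc = open_tunnel(instance_id, local_port, remote_port, region)
    try:
        if platform.system() == "Windows":
            subprocess.run(["mstsc", f"/v:localhost:{local_port}"])  # step 2, returns on close
        else:
            input(f"Connect your RDP client to localhost:{local_port}; press Enter when done. ")
    finally:
        end_tunnel(proc)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python rdp_tunnel.py i-0123456789abcdef0 55678 3389 us-east-1` (replace the instance ID with your own). If the Windows instance listens for RDP on a non-default port, pass that port as the third argument, which is the portNumber parameter from step 1. The signal is sent to the whole process group because the AWS CLI hands Ctrl+C to the plugin, which prints "Terminate signal received, exiting." and closes the session; signalling only the CLI process would not end it.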

Troubleshoot the connection

If your session fails to connect, then it might be for one of the following reasons:

  • Insufficient permissions (AccessDeniedException): Verify that the user or role that's starting the session has the necessary permissions for Session Manager, including ssm:StartSession on the target instance and on the AWS-StartPortForwardingSession document.
  • Instance not connected (TargetNotConnected): The specified target node isn't configured for Session Manager. Verify that the target node is fully configured for Session Manager and is reporting as Online in the Systems Manager Fleet Manager console. For more information, see Managed node not available or not configured for Session Manager. This error also occurs if you try to start a session on a managed node that's located in a different AWS account or AWS Region from the one that your AWS CLI is using.
  • Session Manager plugin not found: Make sure that the Session Manager plugin is installed on your local machine and is on your PATH. For more information, see Install the Session Manager plugin for the AWS CLI.
  • Session connects successfully, but the RDP client can't connect: Check whether the default RDP port was changed on the target instance, and if so, replace the portNumber parameter value with the port that the instance is listening on. For more information, see Check the RDP listener port on the Microsoft website.

For more information, see Troubleshooting Session Manager.
