Complete a 3 Question Survey and Earn a re:Post Badge

Help improve AWS Support Official channel in re:Post and share your experience - complete a quick three-question survey to earn a re:Post badge!

How do I use Systems Manager Session Manager port forwarding without a bastion host to connect to my EC2 instance through RDP?

3 minute read

I want use to use port forwarding in Session Manager, a capability of AWS Systems Manager, to connect my Amazon Elastic Compute Cloud (Amazon EC2) instance through Remote Desktop Protocol (RDP) without a bastion host.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Use Session Manager port forwarding to connect to your instance through RDP when you block inbound access on security groups. You don't need to open inbound ports or configure bastion hosts to use Session Manager port forwarding.

Prerequisites:

You configured the AWS CLI with the required permissions for Session Manager.
You installed the Session Manager plugin that's specific to your operating system (OS) on your local machine.
AWS Systems Manager manages your instance. For more information, see Setting up managed nodes for AWS Systems Manager.
You installed AWS Systems Manager Agent (SSM Agent) version 2.3.672.0 or later, and SSM Agent is running.
You configured your instance's OS to accept RDP connections on default port 3389.

Establish the port forwarding session

Complete the following steps:

On your local machine, run the following command to establish a tunnel from port 55678 on your computer to port 3389 on your instance:

aws ssm start-session --target example-instanceid --document-name AWS-StartPortForwardingSession --parameters "example-localPortNumber=55678,example-ec2instance-portNumber=3389"

Note: Replace the example values with your values.
If the connection is successful, then the following message displays:
"Starting session with SessionId: xxxxx-01234567891011abcPort 55678 opened for sessionId xxxxx-01234567891011abc
Waiting for connections..."

Use a local RDP client to connect to localhost:55678 so that Session Manager can forward traffic to the remote port 3389 on your instance.
If the connection is successful, then the following message displays:
"Connection accepted for session xxx-01234567891011abc

End the port forwarding session

Complete the following steps:

Close the RDP session.
On the AWS CLI, press Ctrl + C to end the port forwarding session. Or, use the AWS Systems Manager console to end the session.
If the session successfully ends, then the following message displays:
"Terminate signal received, exiting. Exiting session with sessionId: xxxxx-01234567891011abc."

Troubleshoot the connection

If your port forwarding session fails to connect, then take the following actions based on the error that you receive.

AccessDeniedException

Verify that the user that starts the session has the necessary permissions for Session Manager.

TargetNotConnected

Verify that you fully configured the target node for Session Manager and the node is reporting as Online on the Systems Manager Fleet Manager console.

This error also occurs when you start a session on a managed node that's located in a different AWS account or AWS Region. For more information, see Managed node not available or not configured for Session Manager.

Session Manager plugin not found

Check that you installed the Session Manager plugin on your local machine. For more information, see Install the Session Manager plugin for the AWS CLI.

RDP client can't connect

If your session connects successfully but the RDP client can't connect, then check whether you changed the default RDP port on your instance. Replace the portNumber parameter value with your value. For more information, see Check the RDP listener port on the Microsoft website.