I want to use port forwarding in Session Manager, a capability of AWS Systems Manager, to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance through Remote Desktop Protocol (RDP) without a bastion host.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Use Session Manager port forwarding to connect to your instance through RDP when you block inbound access on security groups. You don't need to open inbound ports or configure bastion hosts to use Session Manager port forwarding.
Prerequisites:
Establish the port forwarding session
Complete the following steps:
- On your local machine, run the following command to establish a tunnel from port 55678 on your computer to port 3389 on your instance:
aws ssm start-session --target example-instanceid --document-name AWS-StartPortForwardingSession --parameters "localPortNumber=55678,portNumber=3389"
Note: Replace the example values with your values.
If the connection is successful, then the following message displays:
"Starting session with SessionId: xxxxx-01234567891011abc
Port 55678 opened for sessionId xxxxx-01234567891011abc
Waiting for connections..."
- Use a local RDP client to connect to localhost:55678 so that Session Manager can forward traffic to the remote port 3389 on your instance.
If the connection is successful, then the following message displays:
"Connection accepted for session xxx-01234567891011abc"
End the port forwarding session
Complete the following steps:
- Close the RDP session.
- On the AWS CLI, press Ctrl + C to end the port forwarding session. Or, use the AWS Systems Manager console to end the session.
If the session successfully ends, then the following message displays:
"Terminate signal received, exiting. Exiting session with sessionId: xxxxx-01234567891011abc."
Troubleshoot the connection
If your port forwarding session fails to connect, then take the following actions based on the error that you receive.
AccessDeniedException
Verify that the user that starts the session has the necessary permissions for Session Manager.
TargetNotConnected
Verify that you fully configured the target node for Session Manager and the node is reporting as Online on the Systems Manager Fleet Manager console.
This error also occurs when you start a session on a managed node that's located in a different AWS account or AWS Region. For more information, see Managed node not available or not configured for Session Manager.
Session Manager plugin not found
Check that you installed the Session Manager plugin on your local machine. For more information, see Install the Session Manager plugin for the AWS CLI.
RDP client can't connect
If your session connects successfully but the RDP client can't connect, then check whether you changed the default RDP port on your instance. Replace the portNumber parameter value with your value. For more information, see Check the RDP listener port on the Microsoft website.
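The steps under "Establish the port forwarding session" and the checks implied by "Troubleshoot the connection", as an added example script that is not part of the AWS article. It assumes the AWS CLI, the session-manager-plugin and credentials for the account and Region that own the instance are already configured; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the AWS article: the port-forwarding steps as a script
# with preflight checks for the errors listed under "Troubleshoot the connection".
# Assumes the AWS CLI, session-manager-plugin and credentials/Region are set up.
set -eu
# Build the --parameters value for AWS-StartPortForwardingSession. The
# document's parameter names are localPortNumber and portNumber; both are
# checked to be valid TCP ports before anything is sent to AWS.
ssm_rdp_params() {
  local_port="$1"; remote_port="${2:-3389}"
  for p in "$local_port" "$remote_port"; do
    case "$p" in
      ''|*[!0-9]*) echo "invalid port: '$p'" >&2; return 1 ;;
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "port out of range: $p" >&2; return 1; }
  done
  printf 'localPortNumber=%s,portNumber=%s' "$local_port" "$remote_port"
}
# Accept only EC2 instance IDs (i- plus 8 or 17 hex digits), so a hostname or
# the literal example placeholder is rejected before a session starts.
ssm_valid_instance_id() {
  printf '%s\n' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}
# PingStatus of the node as seen by SSM in the current account and Region.
# Anything other than Online means start-session fails with TargetNotConnected,
# so check it first. Prints "None" if SSM does not know the node at all.
ssm_node_ping_status() {
  aws ssm describe-instance-information \
    --filters "Key=InstanceIds,Values=$1" \
    --query 'InstanceInformationList[0].PingStatus' --output text
}
# Open the tunnel: local_port on this machine -> remote_port on the instance.
# Point the RDP client at localhost:<local_port>; Ctrl + C ends the session.
ssm_rdp_tunnel() {
  instance_id="$1"; local_port="${2:-55678}"; remote_port="${3:-3389}"
  ssm_valid_instance_id "$instance_id" || { echo "not an instance ID: $instance_id" >&2; return 1; }
  command -v session-manager-plugin >/dev/null 2>&1 || { echo "Session Manager plugin not found" >&2; return 1; }
  params=$(ssm_rdp_params "$local_port" "$remote_port")
  status=$(ssm_node_ping_status "$instance_id")
  [ "$status" = "Online" ] || { echo "$instance_id reports '$status', not Online (TargetNotConnected)" >&2; return 1; }
  aws ssm start-session --target "$instance_id" \
    --document-name AWS-StartPortForwardingSession --parameters "$params"
}
# Usage: ./ssm-rdp.sh i-0123456789abcdef0 [localPort] [remotePort]
if [ "$#" -gt 0 ]; then ssm_rdp_tunnel "$@"; fi
```

If you changed the RDP listener port on the instance, pass it as the third argument instead of relying on the 3389 default.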
Related information
Troubleshooting Session Manager