About Tunnels in Session Manager

0

Hi,

I am actually able to make the connection, but I could not explain it well to others, so I would like to understand it better.

Related equipment: (1) Client terminals (e.g., laptops) (2) EC2 (SSM Managed Instance) on a private subnet as a relay device (3) servers that are networked to the EC2 (these are in an on-premise environment and are NOT AWS resources).

(2) does not open inbound, but allows outbound connections any port to (3), and (3) allows connections to any port from only (2).

I won't post the detailed commands, but I used AWS-StartPortForwardingSession to connect from (1) to (2) ("portNumber=22, localPortNumber=22"). The ssh command with the -NL option is then used to set up port forwarding (from any local port on (1) to any port on (3)), and localhost is specified on (1) to allow access to any port on (3).

I have confirmed the information that (1) accesses the Session Manager endpoint via HTTPS, and that (2) polls there, creating a TLS tunnel between the two. I am not able to understand this in detail (I cannot draw how and where the tunnel is created), but I wonder whether the communication described above, "accessing any port at (1) and going to any port at (3)", is encapsulated and passes through the TLS tunnel.

Best Regards,

Asked a year ago, 266 views
1 answer
1
Accepted answer

When using Session Manager with AWS Systems Manager, the communication between the client terminal (1), the EC2 instance acting as a relay (2), and the on-premise servers (3) is established using a secure TLS tunnel.

Here's a high-level overview of how the communication works:

The client terminal (1) initiates a connection to the Session Manager endpoint via HTTPS. This connection is established securely using SSL/TLS.

The EC2 instance (2) polls the Session Manager endpoint to check for any active sessions. Once a session is requested, the EC2 instance opens a bidirectional TLS tunnel with the Session Manager service.

After the TLS tunnel is established, the client terminal (1) sends commands or requests through the tunnel to the EC2 instance (2). These commands could include starting a port forwarding session.

The EC2 instance (2) receives the commands and establishes a port forwarding session using the SSH protocol. This creates a secure connection between the client terminal (1) and the EC2 instance (2).

The EC2 instance (2) acts as a relay and forwards the network traffic between the client terminal (1) and the on-premise servers (3). The traffic is encapsulated within the TLS tunnel, ensuring secure communication.

In summary, the communication between the client terminal (1) and the on-premise servers (3) is encapsulated within a TLS tunnel that is established between the client terminal (1) and the EC2 instance acting as a relay (2). This ensures secure and encrypted communication between the client and the on-premise servers.

Expert
Answered a year ago
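As an added example (not part of the question or the answer above), the two-hop chain the question describes, written out in shell: hop 1 is the Session Manager port-forwarding session from (1) to the SSH port on (2), hop 2 is an `ssh -N -L` local forward through it so that a local port on (1) lands on a port of the on-premises server (3). The instance ID `i-0123456789abcdef0`, the user `ec2-user`, the host name `onprem.example.internal` and all port numbers are placeholders I chose for the example.

```shell
#!/bin/sh
# Added example of the (1) -> (2) -> (3) forwarding chain. Not from the original
# post; instance ID, SSH user, on-premises host name and ports are placeholders.
set -eu

# Accept only a decimal TCP port in 1..65535 (rejects empty, non-digit, out of range).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Hop 1: Session Manager port forwarding. The AWS CLI (plus the Session Manager
# plugin) opens the TLS session to the Session Manager endpoint; SSM Agent on (2)
# has its own outbound TLS session to the service, so (2) needs no inbound rule.
# localPortNumber on (1) is wired to 127.0.0.1:portNumber on the instance (2).
ssm_port_forward_cmd() {
  target=$1 remote_port=$2 local_port=$3
  valid_port "$remote_port" && valid_port "$local_port" || return 1
  printf 'aws ssm start-session --target %s --document-name AWS-StartPortForwardingSession --parameters %s' \
    "$target" \
    "'{\"portNumber\":[\"$remote_port\"],\"localPortNumber\":[\"$local_port\"]}'"
}

# Hop 2: SSH to (2) through hop 1. -N opens no shell, -L binds a local port on (1)
# that sshd on (2) relays to onprem_host:onprem_port as an ordinary TCP connection.
# HostKeyAlias keeps the known_hosts entry tied to the instance, not to the
# changing 127.0.0.1:<port> tuple. ExitOnForwardFailure stops a silent half-setup.
ssh_local_forward_cmd() {
  ssm_local_port=$1 user=$2 alias=$3 local_port=$4 onprem_host=$5 onprem_port=$6
  valid_port "$ssm_local_port" && valid_port "$local_port" && valid_port "$onprem_port" || return 1
  printf 'ssh -N -o ExitOnForwardFailure=yes -o HostKeyAlias=%s -p %s -L 127.0.0.1:%s:%s:%s %s@127.0.0.1' \
    "$alias" "$ssm_local_port" "$local_port" "$onprem_host" "$onprem_port" "$user"
}

# Runs both hops: hop 1 in the background, hop 2 in the foreground. Uses 2222
# locally instead of 22 so no root is needed to bind the local port.
# eval is safe here because every value is a fixed placeholder, not user input.
main() {
  target=i-0123456789abcdef0          # placeholder: the relay instance (2)
  hop1=$(ssm_port_forward_cmd "$target" 22 2222)
  hop2=$(ssh_local_forward_cmd 2222 ec2-user "$target" 8443 onprem.example.internal 443)
  echo "hop 1: $hop1"
  echo "hop 2: $hop2"
  eval "$hop1" &
  ssm_pid=$!
  sleep 5                              # wait for "Waiting for connections..." from hop 1
  eval "$hop2"                         # https://127.0.0.1:8443 on (1) now reaches (3):443
  kill "$ssm_pid" 2>/dev/null || true
}

if [ "${1:-}" = "--run" ]; then
  main
fi
```

Reading the layering off the two commands: on (1), hop 2's SSH stream is the payload of hop 1, so what leaves the laptop is TLS to the Session Manager endpoint; it reaches (2) over the agent's outbound TLS connection, and inside that the SSH session is encrypted end to end between (1) and (2). The `-L` forward terminates at sshd on (2), which makes a plain TCP connection to (3), so the leg (2) to (3) is protected only by the protocol you forward (443 in the example). Bind local forwards to 127.0.0.1, as above, so other hosts on the laptop's network cannot ride the tunnel.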
