Amazon EC2 Instance Connect - CLI error

0

I have followed all the instructions to connect to my EC2 instance Private IP (No Public IP) as described here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html#connect-linux-inst-eic-cli-ssh

It always ends with the following error -

Websocket Closure Reason: Unable to connect to target kex_exchange_identification: Connection closed by remote host Connection closed by UNKNOWN port 65535

Any help will be highly appreciated.

KrisL
Asked 2 months ago, 246 views
5 answers
0
Accepted answer

Steve - I think you hit the nail on the head. I had to set the preserveClientIp to true and after that everything works as expected.

Thank you!

KrisL
Answered 2 months ago
Expert
Reviewed 2 months ago
0

Hello.

As mentioned in the prerequisites, are you using an OS supported by EC2 Instance Connect?
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-prerequisites.html

  • AL2023
  • Amazon Linux 2 2.0.20190618 or later
  • macOS Sonoma 14.2.1 or later
  • macOS Ventura 13.6.3 or later
  • macOS Monterey 12.7.2 or later
  • Ubuntu 20.04 or later

By the way, you need to install EC2 Instance Connect yourself on the following operating systems.

EC2 Instance Connect is not preinstalled on the following AMIs, but you can install it on instances that are launched using the following AMIs:

  • Amazon Linux 2 prior to version 2.0.20190618
  • CentOS Stream 8 and 9
  • macOS Sonoma prior to 14.2.1, Ventura prior to 13.6.3, and Monterey prior to 12.7.2
  • Red Hat Enterprise Linux (RHEL) 8 and 9
  • Ubuntu 16.04 or 18.04
Expert
Answered 2 months ago
Expert
Reviewed 2 months ago
0

I created a new Ubuntu instance from amazon/ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240301, so I am guessing that "EC2 Instance Connect" is already available.

Also, when I run the aws command with --debug I see that eventually it figures out the InstanceConnectEndpointId and adds the appropriate options to the ssh command. Here are some of the details from the debug output:

debug1: Executing proxy command: exec aws ec2-instance-connect open-tunnel --instance-id REDACTED --private-ip-address 10.0.1.246 --remote-port 22 --instance-connect-endpoint-id eice-REDACTED --instance-connect-endpoint-dns-name eice-REDACTED-instance-connect-endpoint.us-east-1.amazonaws.com

debug1: identity file ....

Finally, the same error that I posted in the original post:

Websocket Closure Reason: Unable to connect to target kex_exchange_identification: Connection closed by remote host Connection closed by UNKNOWN port 65535

KrisL
Answered 2 months ago
0

Thanks for helping here. My inbound rules for the security group attached to this eice endpoint allow SSH traffic on port 22 from my specific IP. From the documentation link that you posted, I guess I am using the "Allow inbound traffic from the client IP address" option. I don't have any restrictions on the outbound rules for this security group.

[image: SG Inbound rules]

KrisL
Answered 2 months ago
0

There are two separate security groups that have to be considered here.

The security group associated with the instance endpoint (not the instance itself) should allow inbound from the client IP address, and outbound to all (actually you can tighten up the outbound rule to just the CIDR range of the VPC) https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eice-security-groups.html#eice-security-group-rules

The security group associated with the instance itself (not the endpoint) needs at least two inbound rules, the first of which the source is the EC2 Instance Connect Endpoint security group.

And a second rule whose setting is dependent on the value of Preserve Client IP (this is a value you would have set when you created the endpoint, the default is that the box is unchecked and so the parameter is set to false)


https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eice-security-groups.html#resource-security-group-rules

  • if preserveClientIp is false (the default) then the security group associated with the instance must allow inbound traffic from the VPC CIDR.
  • if preserveClientIp is true then allow inbound traffic from the client IP address.

Also worth noting here that, depending on the EC2 instance type, you may not have a choice https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-using-eice.html#ec2-instance-connect-endpoint-limitations

The following instance types do not support client IP preservation: C1, CG1, CG2, G1, HI1, M1, M2, M3, and T1. If you are using these instance types, set the preserveClientIp parameter to false.

Expert
Steve_M
Answered 2 months ago
Expert
Reviewed 2 months ago
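As an added example (not part of this thread and not an AWS tool), the Python below checks the two security groups Steve describes against the documented rules: the endpoint's group must allow SSH from the client IP, and the instance's group must allow SSH from the endpoint's group plus either the VPC CIDR (preserveClientIp=false) or the client IP (preserveClientIp=true). The rule dictionaries follow the IpPermissions shape that `aws ec2 describe-security-groups` returns, so the output of that command could be fed in; all group ids, CIDRs and IPs here are constructed sample values, and the VPC CIDR 10.0.0.0/16 is an assumption (the thread only shows the instance's private IP 10.0.1.246). The sample reproduces the asker's situation: the instance group allows the client IP, which passes only once preserveClientIp is true.

```python
"""Check EC2 Instance Connect Endpoint (EICE) security group rules.

Constructed example: rule shapes mirror the IpPermissions structure from
`aws ec2 describe-security-groups`; ids, CIDRs and IPs are made-up samples.
"""
import ipaddress

SSH_PORT = 22

# Constructed sample values (placeholders, not from any real account).
ENDPOINT_SG_ID = "sg-0000000000eice001"   # SG attached to the EICE endpoint
VPC_CIDR = "10.0.0.0/16"                  # assumed VPC range containing 10.0.1.246
CLIENT_IP = "203.0.113.10"                # the operator's public IP

# Endpoint SG inbound: SSH from the client IP only (what the asker described).
ENDPOINT_SG_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},
]

# Instance SG inbound: SSH from the endpoint SG and from the client IP,
# but nothing from the VPC CIDR.
INSTANCE_SG_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}],
     "UserIdGroupPairs": [{"GroupId": ENDPOINT_SG_ID}]},
]


def _rule_covers_ssh(rule):
    """True if the rule's port range includes TCP/22 (or is an all-traffic rule)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # "-1" means all protocols/ports in the EC2 API
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= SSH_PORT <= rule.get("ToPort", 0)


def _rule_allows_cidr(rule, cidr):
    """True if some IPv4 range in the rule contains the whole required CIDR."""
    need = ipaddress.ip_network(cidr, strict=False)
    for r in rule.get("IpRanges", []):
        have = ipaddress.ip_network(r["CidrIp"], strict=False)
        if need.subnet_of(have):
            return True
    return False


def _rule_allows_sg(rule, sg_id):
    """True if the rule's source is the given security group."""
    return any(p.get("GroupId") == sg_id for p in rule.get("UserIdGroupPairs", []))


def check_endpoint_sg(inbound, client_ip):
    """Endpoint SG must allow SSH inbound from the client IP. Returns missing rules."""
    if any(_rule_covers_ssh(r) and _rule_allows_cidr(r, f"{client_ip}/32") for r in inbound):
        return []
    return [f"tcp/22 from client IP {client_ip}/32"]


def check_instance_sg(inbound, endpoint_sg_id, preserve_client_ip, vpc_cidr, client_ip):
    """Instance SG needs SSH from the endpoint SG, plus SSH from the VPC CIDR
    (preserveClientIp=false) or from the client IP (preserveClientIp=true).
    Returns a list of missing rules; an empty list means the group is compliant."""
    ssh_rules = [r for r in inbound if _rule_covers_ssh(r)]
    missing = []
    if not any(_rule_allows_sg(r, endpoint_sg_id) for r in ssh_rules):
        missing.append(f"tcp/22 from endpoint security group {endpoint_sg_id}")
    required_cidr = f"{client_ip}/32" if preserve_client_ip else vpc_cidr
    if not any(_rule_allows_cidr(r, required_cidr) for r in ssh_rules):
        who = "client IP" if preserve_client_ip else "VPC CIDR"
        missing.append(f"tcp/22 from {who} {required_cidr}")
    return missing


if __name__ == "__main__":
    print("endpoint SG missing:", check_endpoint_sg(ENDPOINT_SG_INBOUND, CLIENT_IP))
    for preserve in (False, True):
        gaps = check_instance_sg(INSTANCE_SG_INBOUND, ENDPOINT_SG_ID, preserve, VPC_CIDR, CLIENT_IP)
        print(f"preserveClientIp={preserve}: instance SG missing: {gaps}")
```

With preserveClientIp left at its default of false the check reports the missing VPC-CIDR rule, which is the mismatch that produces the "Unable to connect to target" closure in the thread; with preserveClientIp true the same instance group passes, matching the accepted answer.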
