Configure EC2 Instance Connect via CDK


I have a CDK deployment that includes an Elastic Beanstalk environment. I'd like to move the EC2 instances in the Beanstalk ASG to a private subnet while allowing SSH via EC2 Instance Connect. I know this is possible based on this AWS blog entry and this LinkedIn article, but I'm struggling to get things configured correctly.

My VPC definition looks like:

        # aws_ec2 comes from `from aws_cdk import aws_ec2`
        vpc = aws_ec2.Vpc(
            self,
            "Vpc",
            vpc_name="vpc_name",
            max_azs=4,
            subnet_configuration=[
                # Internet-facing tier; the load balancer is placed here
                aws_ec2.SubnetConfiguration(
                    name="Public",
                    subnet_type=aws_ec2.SubnetType.PUBLIC,
                ),
                # Private tier with NAT egress; vpc.private_subnets returns these
                aws_ec2.SubnetConfiguration(
                    name="Egress",
                    subnet_type=aws_ec2.SubnetType.PRIVATE_WITH_EGRESS,
                ),
                # No route to the Internet at all; vpc.isolated_subnets returns these
                aws_ec2.SubnetConfiguration(
                    name="Isolated",
                    subnet_type=aws_ec2.SubnetType.PRIVATE_ISOLATED,
                ),
            ],
        )

I then have a security group that looks like:

        self.eb_security_group = aws_ec2.SecurityGroup(
            scope,
            "SecurityGroup",
            vpc=self.vpc,
        )
        # Inline ingress rule: SSH (tcp/22) from any IPv4 source
        self.eb_security_group.add_ingress_rule(
            peer=aws_ec2.Peer.ipv4("0.0.0.0/0"),
            connection=aws_ec2.Port.tcp(22),
        )

This security group is associated with the EC2 instances in the Auto Scaling Group. When I configured the Elastic Beanstalk environment, I included:

                    # Launch settings for the Beanstalk Auto Scaling Group
                    "aws:autoscaling:launchconfiguration": {
                        "InstanceType": "t3.medium",
                        "IamInstanceProfile": instance_profile.ref,
                        "SecurityGroups": vpc_resources.eb_security_group.security_group_id,
                    },
                    # Instances go to the private (egress) subnets, the load balancer to the public ones;
                    # Beanstalk expects comma-separated subnet ID lists
                    "aws:ec2:vpc": {
                        "VPCId": vpc_resources.vpc.vpc_id,
                        "Subnets": ",".join([subnet.subnet_id for subnet in vpc_resources.vpc.private_subnets]),
                        "ELBSubnets": ",".join([subnet.subnet_id for subnet in vpc_resources.vpc.public_subnets]),
                    },

That all works, but if I try to connect to the instance using the EC2 Instance Connect CLI, there's no response and the connection times out. I think I need to modify the security group configuration to allow traffic to the EC2 Instance Connect service, but I don't know how to do that.

I do something that might be similar with the ALB security group, which only allows traffic from CloudFront:

        self.load_balancer_security_group = aws_ec2.SecurityGroup(
            scope,
            "AlbBalancerSecurityGroup",
            vpc=self.vpc,
        )
        # cloudfront_prefix_list.get_response_field(...) reads the managed prefix list ID
        # out of a custom-resource lookup response; the rule then admits HTTPS only from
        # CloudFront's published address ranges
        self.load_balancer_security_group.add_ingress_rule(
            peer=aws_ec2.Peer.prefix_list(cloudfront_prefix_list.get_response_field("PrefixLists.0.PrefixListId")),
            connection=aws_ec2.Port.tcp(443),
            description="Limit ALB access to CloudFront prefix list",
        )

Is there a similar ingress rule I need to add for EC2 Instance Connect, maybe?

1 Answer
Accepted Answer

Actually I found that Session Manager is probably a better solution for me. All I needed to do to get that working was add the AmazonSSMManagedInstanceCore managed policy to my instance profile, and it works on the private subnet with no additional configuration.

answered a year ago
