I have a CDK deployment that includes an Elastic Beanstalk environment. I'd like to move the EC2 instances in the Beanstalk ASG to a private subnet while allowing SSH via EC2 Instance Connect. I know this is possible based on this AWS blog entry and this LinkedIn article, but I'm struggling to get things configured correctly.
My VPC definition looks like:
vpc = aws_ec2.Vpc(
    self,
    "Vpc",
    vpc_name="vpc_name",
    max_azs=4,
    subnet_configuration=[
        aws_ec2.SubnetConfiguration(
            name="Public",
            subnet_type=aws_ec2.SubnetType.PUBLIC,
        ),
        aws_ec2.SubnetConfiguration(
            name="Egress",
            subnet_type=aws_ec2.SubnetType.PRIVATE_WITH_EGRESS,
        ),
        aws_ec2.SubnetConfiguration(
            name="Isolated",
            subnet_type=aws_ec2.SubnetType.PRIVATE_ISOLATED,
        ),
    ],
)
I then have a security group that looks like:
self.eb_security_group = aws_ec2.SecurityGroup(
    scope,
    "SecurityGroup",
    vpc=self.vpc,
)
self.eb_security_group.add_ingress_rule(peer=aws_ec2.Peer.ipv4("0.0.0.0/0"), connection=aws_ec2.Port.tcp(22))
This security group is associated with the EC2 instances in the Auto Scaling Group. When I configure the Elastic Beanstalk environment, I include:
"aws:autoscaling:launchconfiguration": {
    "InstanceType": "t3.medium",
    "IamInstanceProfile": instance_profile.ref,
    "SecurityGroups": vpc_resources.eb_security_group.security_group_id,
},
"aws:ec2:vpc": {
    "VPCId": vpc_resources.vpc.vpc_id,
    "Subnets": ",".join([subnet.subnet_id for subnet in vpc_resources.vpc.private_subnets]),
    "ELBSubnets": ",".join([subnet.subnet_id for subnet in vpc_resources.vpc.public_subnets]),
},
That all works, but if I try to connect to the instance using the EC2 Instance Connect CLI, there's no response and the connection times out. I think I need to modify the security group configuration to allow traffic to the EC2 Instance Connect service, but I don't know how to do that.
I do something that might be similar with the ALB security group, which only allows traffic from CloudFront:
self.load_balancer_security_group = aws_ec2.SecurityGroup(
    scope,
    "AlbBalancerSecurityGroup",
    vpc=self.vpc,
)
self.load_balancer_security_group.add_ingress_rule(
    peer=aws_ec2.Peer.prefix_list(cloudfront_prefix_list.get_response_field("PrefixLists.0.PrefixListId")),
    connection=aws_ec2.Port.tcp(443),
    description="Limit ALB access to CloudFront prefix list",
)
Is there a similar ingress rule I need to add for EC2 Instance Connect, maybe?