How can developers connect securely to Amazon Relational Database Service (Amazon RDS) instances from their laptops? Online travel platform Wego describes its move from bastion hosts in public subnets to lightweight VPN tunnels carried over Session Manager, a capability of AWS Systems Manager, with short-lived SSH keys pushed by EC2 Instance Connect in place of long-lived key files.
This article walks through how developers reach allow-listed resources inside their virtual private cloud (VPC) directly from their workstations: a VPN is tunneled over secure shell (SSH), and that SSH connection is in turn tunneled over Session Manager.
Wego’s Original Connectivity Architecture
Before this change, Wego's developer connectivity model (as of 2021) relied on a jump host in a public subnet: an Amazon Elastic Compute Cloud (Amazon EC2) instance acting as a bastion host, with terminal access over SSH on port 22. Even though the security group restricted the allowed source IP addresses, exposing port 22 to the internet enlarged the attack surface: a source-IP allow-list is a weak control on its own (addresses can be spoofed and change as developers move between networks), the listener can be probed and flooded with denial-of-service traffic, and the bastion itself sits directly on the internet.
Transitioning to a Private Subnet with Session Manager
To tighten this, Wego moved the jump host into a private subnet with no public IP address. In the revised architecture Session Manager is the only way in: the SSM Agent on the jump host opens an outbound connection to the Systems Manager service, so no inbound port has to be opened at all, and every session begins with an authenticated, IAM-authorized API call rather than a TCP connection arriving from the internet.
Establishing TCP Traffic Tunneling via Session Manager
Session Manager is best known for shell access, but it can also tunnel TCP connections, which makes it possible to reach a port on an EC2 instance directly from a local workstation.
For instance, to forward local port 8888 to port 8888 on an EC2 instance (portNumber is the port on the instance, localPortNumber the port on your workstation), run:
$ aws ssm start-session --target <instance-id> \
    --document-name AWS-StartPortForwardingSession \
    --parameters '{"portNumber":["8888"], "localPortNumber":["8888"]}'
This assumes the EC2 instance is already managed by AWS Systems Manager: SSM Agent is running, the instance profile grants the AmazonSSMManagedInstanceCore permissions, the instance can reach the ssm, ssmmessages and ec2messages endpoints (through VPC endpoints or a NAT gateway), and the Session Manager plugin is installed on the workstation next to the AWS CLI.
Tunneling SSH Traffic through Session Manager
Because SSH runs on top of TCP, SSH traffic can be tunneled the same way. To send SSH over Session Manager, add the following to ~/.ssh/config (ssh_config has no line continuation, so the ProxyCommand must stay on a single line; ssh substitutes %h with the host name, here the instance ID, and %p with the port):
host i-* mi-*
    ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"
This allows you to connect to the EC2 instance using a command like:
ssh -i <key-file> <username>@<ec2-instance-id>
For example:
ssh -i my_key ec2-user@i-1234567890abcdef0
The key file should ideally be a short-lived credential, but rotating per-developer SSH keys on every jump host by hand is tedious. This is where EC2 Instance Connect helps.
Utilizing EC2 Instance Connect Instead of SSH Keys
EC2 Instance Connect, available from the AWS console and the command line, removes the need to keep SSH key pairs on the instance. It pushes a one-time public key into the instance metadata, where the EC2 Instance Connect package on the instance (installed by default on Amazon Linux 2 and recent Ubuntu AMIs) makes it acceptable to sshd for 60 seconds; after that the key is discarded and a fresh one has to be pushed for the next login.
The AWS CLI already includes the ec2-instance-connect command used below. Optionally, install the EC2 Instance Connect CLI on your workstation, which adds an mssh wrapper that generates a key, pushes it and runs ssh in one step:
pip3 install ec2instanceconnectcli
To generate a temporary SSH key pair, execute:
$ ssh-keygen -t rsa -f my_key
$ ssh-add my_key
To install the public key on the EC2 instance, use:
$ aws ec2-instance-connect send-ssh-public-key \
    --instance-id <instance-id> \
    --instance-os-user <username> \
    --ssh-public-key <location of the public key> \
    --availability-zone <availability-zone> \
    --region <region>
For example:
$ aws ec2-instance-connect send-ssh-public-key \
    --instance-id i-1234567890abcdef0 \
    --instance-os-user ec2-user \
    --ssh-public-key file://my_key.pub \
    --availability-zone ap-southeast-1b \
    --region ap-southeast-1
The pushed key is accepted for 60 seconds, so open the SSH connection within that window; a session that is already established is not cut off when the key expires, but a reconnect after that point needs a new send-ssh-public-key call.
Tunneling VPN over SSH, then Session Manager
This section uses a third-party, open-source tool, sshuttle, which runs on common Linux distributions and macOS. sshuttle is a transparent proxy that behaves like a VPN over SSH: it installs local packet-redirection rules (so it asks for sudo on the workstation), carries the intercepted TCP sessions through the SSH connection, and needs only Python on the remote host, with no VPN daemon to run there.
Why a VPN over SSH rather than plain TCP forwarding over Session Manager? Port forwarding (including the AWS-StartPortForwardingSessionToRemoteHost document, which can reach a host other than the instance itself) gives one local port per target, and every new database or service needs its own tunnel. A lightweight VPN like sshuttle routes an entire private CIDR range through the jump host, so developers reach Amazon RDS and any other allow-listed resource by its private address with their usual tools and no per-target setup.
To install sshuttle, run:
$ pip3 install sshuttle
To start sshuttle, point it at the jump host by instance ID (which ssh resolves through the ProxyCommand configured above) and give it the private CIDR range to route:
$ sshuttle -r <username>@<instance-id> <private CIDR range>
For example:
$ sshuttle -r ec2-user@i-1234567890abcdef0 10.0.0.0/16
Make sure the security group of the RDS instance allows inbound traffic on the database port from the jump host's security group (reference the security group rather than an IP address, so the rule survives instance replacement). Developers can now connect to the RDS instance directly from their workstation by its private address, using their usual database client. Because sshuttle authenticates with the key pushed by EC2 Instance Connect, start it within the 60-second validity window, and push a fresh key before reconnecting if the session drops later.
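The key push and the sshuttle start above are two halves of one procedure that must complete inside the 60-second window. The script below is an added example, not Wego's or AWS's code: it generates a throw-away key pair in a temporary directory, pushes the public half with EC2 Instance Connect, immediately opens either an SSH session or an sshuttle VPN over the Session Manager ProxyCommand, and deletes the private key when the session ends. It assumes the AWS CLI, the Session Manager plugin, ssh, ssh-keygen and sshuttle are installed and that the caller's IAM identity may call ssm:StartSession and ec2-instance-connect:SendSSHPublicKey; the names AWS_CLI and KEY_TTL and the key file name are this example's own.

```shell
#!/bin/sh
# Added example, not code from Wego or AWS: chain throw-away key ->
# EC2 Instance Connect push -> SSH or sshuttle over the Session Manager proxy,
# and remove the private key afterwards.
# Assumptions: AWS CLI v2 + Session Manager plugin, ssh, ssh-keygen and
# sshuttle on the workstation; SSM Agent and the EC2 Instance Connect package
# on the jump host. AWS_CLI and KEY_TTL are names chosen for this example.
set -eu

AWS_CLI="${AWS_CLI:-aws}"   # overridable so the functions can be exercised with a stub
KEY_TTL=60                  # seconds for which sshd accepts a pushed key

usage() {
  echo "usage: $0 ssh|vpn <instance-id> <os-user> <availability-zone> <region> [cidr]" >&2
}

# Shape check before the value reaches the AWS CLI or ssh's ProxyCommand.
# EC2 instance IDs are i- followed by 8 (legacy) or 17 hex characters;
# mi- managed nodes are rejected because EC2 Instance Connect does not cover them.
valid_instance_id() {
  printf '%s\n' "$1" | grep -Eq '^i-[0-9a-f]{8}([0-9a-f]{9})?$'
}

# Same ProxyCommand as the ~/.ssh/config entry above, built here so the script
# works on a workstation without that entry. ssh substitutes %h (host, i.e. the
# instance ID) and %p (port) before running it.
ssm_proxy_command() {
  printf '%s ssm start-session --target %%h --document-name AWS-StartSSHSession --parameters portNumber=%%p\n' "$AWS_CLI"
}

# Generate a throw-away key pair inside directory $1; print the private key path.
make_ephemeral_key() {
  _key="$1/id_ephemeral"
  ssh-keygen -q -t rsa -N '' -f "$_key" -C "eic-$(date +%s)"
  printf '%s\n' "$_key"
}

# Push the public key with EC2 Instance Connect. It is accepted for KEY_TTL
# seconds from the moment the call succeeds, so the caller must connect at once.
push_public_key() {  # instance os_user public_key_file az region
  if ! valid_instance_id "$1"; then
    echo "refusing malformed instance id: $1" >&2
    return 1
  fi
  if [ ! -r "$3" ]; then
    echo "public key not readable: $3" >&2
    return 1
  fi
  "$AWS_CLI" ec2-instance-connect send-ssh-public-key \
    --instance-id "$1" --instance-os-user "$2" \
    --ssh-public-key "file://$3" \
    --availability-zone "$4" --region "$5" >/dev/null
}

# Open an interactive SSH session, or an sshuttle VPN for CIDR $5, over the proxy.
# IdentitiesOnly stops ssh from offering agent keys before the pushed one.
open_session() {  # mode instance os_user private_key [cidr]
  _proxy="$(ssm_proxy_command)"
  case "$1" in
    ssh) ssh -i "$4" -o IdentitiesOnly=yes -o "ProxyCommand=$_proxy" "$3@$2" ;;
    vpn) sshuttle -r "$3@$2" \
           -e "ssh -i $4 -o IdentitiesOnly=yes -o 'ProxyCommand=$_proxy'" "$5" ;;
    *)   echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

main() {
  if [ "$#" -lt 5 ] || { [ "$1" = vpn ] && [ "$#" -lt 6 ]; }; then
    usage; return 2
  fi
  _tmp="$(mktemp -d)"
  trap 'rm -rf "$_tmp"' EXIT INT TERM      # the private key never outlives the session
  _key="$(make_ephemeral_key "$_tmp")"
  push_public_key "$2" "$3" "$_key.pub" "$4" "$5"
  echo "key pushed; sshd accepts it for $KEY_TTL s, connecting now" >&2
  open_session "$1" "$2" "$3" "$_key" "${6:-}"
}

case "${1:-}" in
  "") usage ;;          # no arguments: print usage only, so the file can also be sourced
  *)  main "$@" ;;
esac
```

Run it as, for example, `./connect.sh vpn i-1234567890abcdef0 ec2-user ap-southeast-1b ap-southeast-1 10.0.0.0/16`; sshuttle will prompt for sudo to install its local redirection rules. On the first connection ssh will still ask you to confirm the jump host's host key, because the tunnel hides the network path but not the SSH handshake.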
Benefits of This Architecture
In this discussion we have layered a VPN over SSH, and SSH over Session Manager, while using temporary SSH keys throughout. Wego's updated architecture has proven practical and stable in daily use, and it is a cost-effective alternative to AWS Client VPN for developers who need access to online development environments.
The advantages of this architecture include:
- Simplified connections to workloads in private, isolated subnets
- No inbound security group rules required for the jump host, as Session Manager functions through outbound connections
- Every session start (ssm:StartSession) and every pushed key (ec2-instance-connect:SendSSHPublicKey) is an API call recorded in AWS CloudTrail, and Session Manager can additionally stream session logs to Amazon S3 or Amazon CloudWatch Logs
- Access is governed by IAM rather than by network position, so StartSession can be limited to tagged instances and to specific session documents, and SendSSHPublicKey to a single OS user
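Because IAM is now the gate for this path, the policy attached to developers decides how far the jump host can be abused. The script below is an added example, not from the original post: it renders and creates a policy that grants ssm:StartSession only against instances carrying a given tag, only with the two session documents used on this page, lets a user manage only their own sessions, and grants ec2-instance-connect:SendSSHPublicKey only for one OS user and only to the tagged instances. The policy name, the tag key and value, and the AWS_CLI variable are this example's own choices; the ${aws:username} session pattern applies to IAM users and needs adjusting for federated identities.

```shell
#!/bin/sh
# Added example, not from the original post: render and create a least-privilege
# IAM policy for developer access through the Session Manager jump host.
# Assumptions: jump hosts carry the tag passed in, the AWS CLI is installed,
# and the caller may call iam:CreatePolicy. Names here are the example's own.
set -eu

AWS_CLI="${AWS_CLI:-aws}"

# Print the policy document. Four statements: start sessions only on instances
# with the tag (and make the document resource check mandatory), only with the
# two documents this page uses, manage only your own sessions, and push keys
# only for one OS user and only to the tagged instances.
render_policy() {  # tag_key tag_value os_user
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "StartSessionOnTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": { "ssm:resourceTag/$1": "$2" },
        "BoolIfExists": { "ssm:SessionDocumentAccessCheck": "true" }
      }
    },
    {
      "Sid": "OnlyTheseSessionDocuments",
      "Effect": "Allow",
      "Action": "ssm:StartSession",
      "Resource": [
        "arn:aws:ssm:*:*:document/AWS-StartSSHSession",
        "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSession"
      ]
    },
    {
      "Sid": "ManageOwnSessionsOnly",
      "Effect": "Allow",
      "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
      "Resource": "arn:aws:ssm:*:*:session/\${aws:username}-*"
    },
    {
      "Sid": "PushKeyForOneOsUserToTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "$3",
          "aws:ResourceTag/$1": "$2"
        }
      }
    }
  ]
}
EOF
}

# Create the customer-managed policy; attach it to the developers' group or role.
create_policy() {  # policy_name tag_key tag_value os_user
  "$AWS_CLI" iam create-policy --policy-name "$1" \
    --policy-document "$(render_policy "$2" "$3" "$4")"
}

if [ "$#" -eq 4 ]; then
  create_policy "$@"
else
  echo "usage: $0 <policy-name> <tag-key> <tag-value> <os-user>" >&2
fi
```

Example invocation: `./session-policy.sh DevJumpHostAccess Role jumphost ec2-user`. Without the tag condition a developer could start a session on any SSM-managed instance in the account; without the ec2:osuser condition they could push a key for root or for a service account on the jump host.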