3

I have set up the VPC configuration below, but SSH to the instance is not happening at the moment:

  • Created a new VPC
  • Created a public and private subnet
  • Launched an EC2 instance in the public subnet and updated the route table for the internet gateway
  • Launched an EC2 instance in the private subnet.
  • Associated a NAT gateway with the public subnet, with an EIP
  • Updated the route table for the private subnet with the NAT gateway

SSH from the public instance to the private instance is not happening with the key pair. Can you let me know what I have missed here?

Sanjeev Sachdev
narayanan s

4 Answers

2

First things first:

  • A NAT Gateway in the public subnet allows instances in the private subnet to reach the internet (for software updates etc.) via the Internet Gateway.

  • A NAT Gateway doesn't play any role in SSHing into an instance.

Try this to test:

  • Attach the default NACL (allows all inbound and outbound) to the public and private subnets where your EC2 instances reside.
  • Create two security groups, for the public subnet (let's say Pub-SG) and the private subnet (Prv-SG).
  • Allow SSH from everywhere/a specific IP on Pub-SG.
  • On Prv-SG, allow SSH with Pub-SG as the source, for better security.
  • If both instances are launched using the same key pair, then with SSH agent forwarding you can connect to the private instance through the public instance.
jestadi
  • How do you create a security group for a subnet? – Eric Xin Zhang Jul 06 '19 at 03:58
  • Subnets do not use security groups, they use "Network Access Control Lists" (NACL) – Alex Jun 01 '21 at 19:01
  • I think when @jestadi said create security groups, he means the SG for the EC2 instance in the public subnet needs to have a rule to allow you to SSH into the box. The SG for the EC2 instance in the private subnet must have a rule to allow the SG above SSH access. The idea is for you to SSH into the EC2 instance in the public subnet, then through that box, SSH into the EC2 instance in the private subnet. If the PEM keys are the same, you should be able to forward the key to the private subnet EC2 instance and thus gain seamless access. – Alex Jun 01 '21 at 19:12
1

I suspect you are missing a security group that permits SSH traffic between the instances on the two subnets.

AWS is secure by default - you need to explicitly permit traffic, roles, etc.

So in this case, the easiest thing to do would be to create a security group that spans the CIDR block of the VPC, and assign this to both instances.

Edit: I just noticed you say you added your NAT gateway to the public subnet - I presume you mean private.

This guide covers a similar scenario - public web subnet and private db subnet, and discusses all the routes + ACLs you need.

Also, when you say ssh with the keypair isn't happening - are you connecting at all, or does the connection time out?

mcfinnigan
  • Hi Thanks, I redid the configuration. – narayanan s Mar 02 '18 at 09:39
  • Hi, thanks, I redid the configuration, but even now, after adding the security group with SSH, ICMP, HTTP and HTTPS for the CIDR block, I am not able to ping the private instance successfully from the internet-facing instance. Any suggestions? – narayanan s Mar 02 '18 at 10:20
  • @narayanans I've amended my answer with more information. – mcfinnigan Mar 02 '18 at 10:50
0

When it comes to one EC2 instance communicating with another EC2 instance within a VPC, NAT Gateway has no role.

Make sure that the Security Group to which the private subnet instance belongs, allows SSH protocol from the Security Group to which the public subnet instance belongs.

Also, the NACL associated with the private subnet should allow inbound and outbound SSH traffic from CIDR block to which the public subnet instance belongs.

Sanjeev Sachdev
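The three answers above make the same two points: the private instance's security group must reference the public instance's security group as its SSH source, and the private subnet's NACL must allow the traffic. The part that is easy to miss is that security groups are stateful while NACLs are stateless, so a NACL that allows inbound 22 but not outbound ephemeral ports (1024-65535) still produces the "connection times out" symptom mcfinnigan asks about. The following is an added offline check, not code from AWS or from any of the posters: it models two subnets, two security groups and two instances with constructed sample data (the `sg-pub`/`sg-prv` identifiers and the 10.0.x.0/24 CIDRs are hypothetical) and evaluates whether a TCP/22 connection from the public instance to the private one, and its reply, would pass. It walks through the original misconfiguration (no Prv-SG rule), the half-fixed one (Prv-SG rule added, NACL reply path missing) and the working one.

```python
"""Offline model of AWS security groups (stateful) and network ACLs
(stateless) to check SSH reachability between two instances in a VPC.
Added example with constructed data; not AWS code."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PUB_SG, PRV_SG = "sg-pub", "sg-prv"   # hypothetical security group ids


@dataclass
class SgRule:
    """One ingress rule: a port range plus either an SG or a CIDR source."""
    port_from: int
    port_to: int
    source_sg: Optional[str] = None
    source_cidr: Optional[str] = None

    def matches(self, port: int, src_ip: str, src_sgs: set[str]) -> bool:
        if not self.port_from <= port <= self.port_to:
            return False
        if self.source_sg is not None and self.source_sg in src_sgs:
            return True
        return self.source_cidr is not None and ip_address(src_ip) in ip_network(self.source_cidr)


@dataclass
class NaclRule:
    """Numbered NACL entry; cidr is the remote side (source for inbound,
    destination for outbound). Lists below are already in rule-number order."""
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"


@dataclass
class Subnet:
    cidr: str
    nacl_inbound: list[NaclRule]
    nacl_outbound: list[NaclRule]


@dataclass
class Instance:
    ip: str
    subnet: Subnet
    sgs: set[str]


def nacl_allows(rules: list[NaclRule], port: int, remote_ip: str) -> bool:
    """First matching numbered rule wins; the implicit final rule denies."""
    for r in rules:
        if r.port_from <= port <= r.port_to and ip_address(remote_ip) in ip_network(r.cidr):
            return r.action == "allow"
    return False


def ssh_allowed(src: Instance, dst: Instance, sg_ingress: dict[str, list[SgRule]],
                ephemeral_port: int = 49152) -> tuple[bool, str]:
    """Evaluate a TCP/22 SYN from src to dst and the SYN-ACK coming back."""
    if not nacl_allows(src.subnet.nacl_outbound, 22, dst.ip):
        return False, "source subnet NACL blocks outbound 22"
    if not nacl_allows(dst.subnet.nacl_inbound, 22, src.ip):
        return False, "destination subnet NACL blocks inbound 22"
    # Security groups are stateful: one ingress match covers the reply too.
    if not any(r.matches(22, src.ip, src.sgs) for sg in dst.sgs for r in sg_ingress.get(sg, [])):
        return False, "destination SG has no ingress rule for 22 from source"
    # NACLs are stateless: the reply on the ephemeral port needs its own rules.
    if not nacl_allows(dst.subnet.nacl_outbound, ephemeral_port, src.ip):
        return False, "destination subnet NACL blocks outbound ephemeral reply"
    if not nacl_allows(src.subnet.nacl_inbound, ephemeral_port, dst.ip):
        return False, "source subnet NACL blocks inbound ephemeral reply"
    return True, "ok"


def build_scenario(prv_sg_rule: Optional[SgRule], prv_nacl_out: list[NaclRule]):
    """Constructed VPC: public 10.0.1.0/24 with a default (allow-all) NACL,
    private 10.0.2.0/24 with a custom NACL that admits 22 from the public subnet."""
    allow_all = [NaclRule(0, 65535, "0.0.0.0/0")]
    public = Subnet("10.0.1.0/24", allow_all, allow_all)
    private = Subnet("10.0.2.0/24", [NaclRule(22, 22, "10.0.1.0/24")], prv_nacl_out)
    bastion = Instance("10.0.1.10", public, {PUB_SG})
    app = Instance("10.0.2.20", private, {PRV_SG})
    sg_ingress = {PUB_SG: [SgRule(22, 22, source_cidr="0.0.0.0/0")],
                  PRV_SG: [prv_sg_rule] if prv_sg_rule else []}
    return bastion, app, sg_ingress


def run_scenarios() -> dict[str, tuple[bool, str]]:
    from_pub_sg = SgRule(22, 22, source_sg=PUB_SG)          # jestadi's Prv-SG rule
    out_22_only = [NaclRule(22, 22, "10.0.1.0/24")]         # forgets return traffic
    out_ephemeral = [NaclRule(1024, 65535, "10.0.1.0/24")]  # allows the reply
    return {
        "no_prv_sg_rule": ssh_allowed(*build_scenario(None, out_22_only)),
        "sg_fixed_nacl_half": ssh_allowed(*build_scenario(from_pub_sg, out_22_only)),
        "sg_and_nacl_fixed": ssh_allowed(*build_scenario(from_pub_sg, out_ephemeral)),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:20s} {'PASS' if ok else 'FAIL'}: {why}")
```

The middle scenario is the one that matches the "connection times out" symptom: the SYN reaches the private instance and the security group admits it, but the stateless NACL drops the SYN-ACK on the ephemeral port, so the client never sees a reply. A default NACL avoids this entirely, which is why the first answer suggests starting from it.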
0

Copy the SSH public key of the private instance to the public instance. Open the SSH key material using VS Code, then use nano or vim to paste the content of the public key, then save and exit. Now you can SSH into your private instance, given that the SG of the private instance allows traffic from the public instance.