2

I have a private VPC with private subnets a private jumpbox in 1 private subnet and my private RDS aurora MySql serverless instance in another private subnet.

I did those commands on my local laptop to try to connect to my RDS via port forwarding:

aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["5901"],"localPortNumber"=["9000"] --profile myProfile

aws ssm start-session --target  i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["22"],"localPortNumber"=["9999"] --profile myProfile 

aws ssm start-session --target  i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["3306"],"localPortNumber"=["3306"] --profile myProfile

The connection to the server hangs.

I had this error on my local laptop:

Starting session with SessionId: myuser-09e5cd0206cc89542
Port 3306 opened for sessionId myuser-09e5cd0206cc89542.
Waiting for connections...

Connection accepted for session [myuser-09e5cd0206cc89542]

Connection to destination port failed, check SSM Agent logs.

and those errors in /var/log/amazon/ssm/errors.log:

2021-11-29 00:50:35 ERROR [handleServerConnections @ port_mux.go.278] [ssm-session-worker] [myuser-017cfa9edxxxx] [DataBackend] [pluginName=Port] Unable to dial connection to server: dial tcp :3306: connect: connection refused
2021-11-29 14:13:07 ERROR [transferDataToMgs @ port_mux.go.230] [ssm-session-worker] [myuser-09e5cdxxxxxx] [DataBackend] [pluginName=Port] Unable to read from connection: read unix @->/var/lib/amazon/ssm/session/3366606757_mux.sock: use of closed network connection

and I try to connect to RDS like this :

enter image description here

I even tried to put the RDS Endpoint using ssh Tunnel, but it doesn't work:

enter image description here

Are there any additional steps to do on the remote server ec2-instance?

It seems the connection is accepted but the connection to the destination port doesn't work.

Thank you for your help on this!!

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
jesse
  • 41
  • 7

1 Answers1

2

The start-session command tunnels the port from the target EC2 instance to localhost. The RDS instance is on another host, so you must use SSH tunneling.

Send your public key to the EC2 instance. Fill in the region and availability zone parameters.

aws ec2-instance-connect send-ssh-public-key --region us-west-2 --instance-id i-0d5470040e7541ab9 --availability-zone us-west-2a --instance-os-user ec2-user --ssh-public-key file://~/.ssh/id_rsa.pub

Forward the SSH port 22 from the EC2 instance to 9999 locally.

aws ssm start-session --target i-0d5470040e7541ab9 --document-name AWS-StartPortForwardingSession --parameters "portNumber"=["22"],"localPortNumber"=["9999"] --profile myProfile

SSH into the instance with tunneling (in another terminal). Fill in rds-instance-dns with the DNS of your RDS instance.

ssh ec2-user@localhost -L 6606:rds-instance-dns:3306  -i ~/.ssh/id_rsa -p 9999

Access RDS

mysql -h localhost -p 6606

You also need to ensure that your EC2 instance has the correct permissions to access the RDS instance by configuring the security group.

Druska
  • 4,752
  • 2
  • 30
  • 34