
I've created an ec2 instance with AWS CDK in python. I've added a security group and allowed ingress rules for ipv4 and ipv6 on port 22. The keypair that I specified, with the help of this stack question has been used in other EC2 instances set up with the console with no issue.

Everything appears to be running, but my connection keeps timing out. I went through the checklist of what usually causes this provided by amazon, but none of those common things seems to be the problem (at least to me).

Why can't I connect with my ssh keypair from the instance I made with AWS CDK? I'm suspecting the KeyName I am overriding is not the correct name in Python, but I can't find it in the cdk docs.

Code included below.

import os
from aws_cdk import aws_ec2 as ec2

# inside the Stack's __init__
vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_name=os.getenv("VPC_NAME"))

# security group: all outbound, inbound tcp/22 from any IPv4 and any IPv6 address
sec_group = ec2.SecurityGroup(self, "SG", vpc=vpc, allow_all_outbound=True)
sec_group.add_ingress_rule(ec2.Peer.any_ipv4(), connection=ec2.Port.tcp(22))
sec_group.add_ingress_rule(ec2.Peer.any_ipv6(), connection=ec2.Port.tcp(22))

instance = ec2.Instance(
    self,
    "name",
    vpc=vpc,
    instance_type=ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
    machine_image=ec2.AmazonLinuxImage(
        generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2
    ),
    security_group=sec_group,
)
# raw CloudFormation override of KeyName on the underlying CfnInstance
instance.instance.add_property_override("KeyName", os.getenv("KEYPAIR_NAME"))
elastic_ip = ec2.CfnEIP(self, "EIP", domain="vpc", instance_id=instance.instance_id)

  • I tried changing "KeyName" to "key_name" as indicated in the CfnInstance code I found, but I got an "Encountered unsupported property key_name" error when deploying to aws. https://docs.aws.amazon.com/cdk/api/v1/python/aws_cdk.aws_ec2/CfnInstance.html – A Simple Programmer Jan 31 '23 at 22:20
  • Timeout doesn't mean an issue with the keypair. It's a security group issue. Does your instance have internet access? – Riz Jan 31 '23 at 22:24
  • Yes. When I look at the security group rules for outbound I am allowing all traffic, and for inbound I have ipv4 and ipv6 open on port 22 (for ssh). – A Simple Programmer Jan 31 '23 at 22:26
  • Do 'telnet $yourec2ip 22'. If you get a timeout, it's internet access. You can set up SSM access to log in to it and troubleshoot. – Riz Jan 31 '23 at 22:32
  • That's a handy one to know. I did get a timeout, so I guess I need to figure out where the internet access issue is. However, I don't get how I can set up SSM when I can't get into my instance in the first place? – A Simple Programmer Jan 31 '23 at 22:41
  • The SSM agent is usually pre-installed. https://docs.aws.amazon.com/systems-manager/latest/userguide/ami-preinstalled-agent.html These AMIs have it already installed. You just need to give an extra policy for SSM to your instance role. Give the policies mentioned here: https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-instance-profile.html. – Riz Jan 31 '23 at 23:02
  • I got pulled away from this, but I will get back to it soon if you want to keep an eye on the post. – A Simple Programmer Mar 17 '23 at 21:37

1 Answer


This is an issue with internet reachability, not your SSH key.

By default, your instance is placed into a private subnet (docs), so it will not have inbound connectivity from the internet. Place it into a public subnet and it should work.

Also, you don't have to use any overrides to set the key - use the built-in key_name argument. And you don't have to create the security group - use the connections abstraction. Here's the complete code:

import os
from aws_cdk import aws_ec2 as ec2

# inside the Stack's __init__
vpc = ec2.Vpc.from_lookup(self, "VPC", vpc_name=os.getenv("VPC_NAME"))

instance = ec2.Instance(
    self,
    "name",
    vpc=vpc,
    instance_type=ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
    machine_image=ec2.AmazonLinuxImage(
        generation=ec2.AmazonLinuxGeneration.AMAZON_LINUX_2
    ),
    key_name=os.getenv("KEYPAIR_NAME"),  # built-in argument, no override needed
    # public subnet: routes 0.0.0.0/0 to the Internet Gateway, so inbound traffic can reach it
    vpc_subnets=ec2.SubnetSelection(subnet_type=ec2.SubnetType.PUBLIC),
)

# the connections abstraction creates the security group and the tcp/22 ingress rule
instance.connections.allow_from_any_ipv4(ec2.Port.tcp(22))

elastic_ip = ec2.CfnEIP(self, "EIP", domain="vpc", instance_id=instance.instance_id)
gshpychka
  • Thanks for the reply, but I need the instance to be in a private vpc. I thought the security group took care of allowing inbound from set IPs? This is what I did. – A Simple Programmer Mar 02 '23 at 16:19
  • No, it doesn't. An instance in a private subnet cannot be reached from outside the VPC. You will either need to use SSM Session Manager or a Bastion Host that's in a public subnet to connect through. – gshpychka Mar 02 '23 at 17:35
  • Hey @gshpychka, thank you so much for your help on this one. Sorry for the late reply. Your code works perfectly, and I think I can manage not having it in a private vpc. – A Simple Programmer Mar 28 '23 at 19:33
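The point made in the answer and in gshpychka's comment (an open security group does not make an instance in a private subnet reachable) can be checked before `cdk deploy` by reading the synthesized template. The following is an added example, not code from the question, the answer or the CDK project: it walks a CloudFormation template for the instance's subnet, its route table's 0.0.0.0/0 route and its security group's tcp/22 sources. The template is constructed by hand to mimic `cdk synth` output, and every id in it is a placeholder.

```python
# Added example (not from the question or the answer): a pre-deploy check over a
# synthesized CloudFormation template. An SG that admits tcp/22 from anywhere does
# not make an instance reachable when its subnet has no 0.0.0.0/0 route to an IGW.
def _lid(v):
    """Logical id behind a literal, {"Ref": id} or {"Fn::GetAtt": [id, attr]}."""
    return (v.get("Ref") or v.get("Fn::GetAtt", [None])[0]) if isinstance(v, dict) else v

def diagnose_ssh(template):
    """Return what the template implies about SSH reachability of its instance."""
    res = template["Resources"]
    props = next(r for r in res.values() if r["Type"] == "AWS::EC2::Instance")["Properties"]
    subnet = _lid(props.get("SubnetId"))
    sg_ids = {_lid(s) for s in props.get("SecurityGroupIds", [])}
    # route tables associated with the instance's subnet
    rtbs = {_lid(r["Properties"]["RouteTableId"]) for r in res.values()
            if r["Type"] == "AWS::EC2::SubnetRouteTableAssociation"
            and _lid(r["Properties"]["SubnetId"]) == subnet}
    igws = {lid for lid, r in res.items() if r["Type"] == "AWS::EC2::InternetGateway"}
    # a public subnet is one whose route table sends 0.0.0.0/0 to an Internet Gateway
    igw_route = any(r["Type"] == "AWS::EC2::Route"
                    and _lid(r["Properties"].get("RouteTableId")) in rtbs
                    and r["Properties"].get("DestinationCidrBlock") == "0.0.0.0/0"
                    and _lid(r["Properties"].get("GatewayId")) in igws
                    for r in res.values())
    # sources the attached security groups admit on tcp/22
    ssh_sources = [i.get("CidrIp") or i.get("CidrIpv6")
                   for lid in sg_ids if res[lid]["Type"] == "AWS::EC2::SecurityGroup"
                   for i in res[lid]["Properties"].get("SecurityGroupIngress", [])
                   if i.get("IpProtocol") == "tcp"
                   and i.get("FromPort", -1) <= 22 <= i.get("ToPort", -1)]
    return {"key_name_set": bool(props.get("KeyName")), "ssh_open_from": ssh_sources,
            "subnet_has_igw_route": igw_route,
            "reachable_from_internet": igw_route and bool(ssh_sources)}

# constructed sample (ids are placeholders): open SG, instance in the subnet with no IGW route
TEMPLATE = {"Resources": {
    "Igw": {"Type": "AWS::EC2::InternetGateway", "Properties": {}},
    "PublicRtb": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": "vpc-PLACEHOLDER"}},
    "PrivateRtb": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": "vpc-PLACEHOLDER"}},
    "PublicRoute": {"Type": "AWS::EC2::Route", "Properties": {"RouteTableId": {"Ref": "PublicRtb"},
                    "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": {"Ref": "Igw"}}},
    "PublicAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                    "SubnetId": "subnet-public-PLACEHOLDER", "RouteTableId": {"Ref": "PublicRtb"}}},
    "PrivateAssoc": {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                     "SubnetId": "subnet-private-PLACEHOLDER", "RouteTableId": {"Ref": "PrivateRtb"}}},
    "SG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
           {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}]}},
    "Inst": {"Type": "AWS::EC2::Instance", "Properties": {"SubnetId": "subnet-private-PLACEHOLDER",
             "KeyName": "keypair-PLACEHOLDER", "SecurityGroupIds": [{"Fn::GetAtt": ["SG", "GroupId"]}]}},
}}
```

Running `diagnose_ssh(TEMPLATE)` reports the key set and tcp/22 open from 0.0.0.0/0 but `reachable_from_internet` False, which is exactly the timeout from the question; moving the instance to the public subnet flips it to True, and a 0.0.0.0/0 entry in `ssh_open_from` is the exposure to narrow down once connectivity works.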