In this post, I'll show you how to use the OpenSSH ProxyJump
command in your SSH Config file for easier SSH tunneling to your instances on private subnets.
For security reasons, most of your EC2 instances should be on private subnets, inaccessible from the Internet. But likely you will still need to SSH to your instances to manage or troubleshoot them. Bastion hosts provide a hardened, auditable entry point to access your EC2 instances on private subnets. AWS has an excellent reference architecture for Linux Bastion Hosts. I recommend this reference architecture if you need SSH bastion hosts in your AWS account.
The SSH bastion host provides a way to access your EC2 instances on private
subnets by jumping through the bastion host to your target EC2 instance. Most
people SSH into the bastion host and then SSH from the bastion host to the
target EC2 instance, a tedious, two-step process. You can also set up an SSH
tunnel as a one-liner, but it's tricky to get right. OpenSSH 7.3, released in
August 2016, provides a ProxyJump
command which makes it trivial to directly tunnel through the bastion host to your target host (instance). Your connection is still logged by the bastion host, so you're not bypassing any security measures. It's just much quicker.
You can use ProxyJump
on the command line with the -J
flag. This is useful for one-off connections through the bastion host to target EC2 instances on private subnets.
The command takes this form: ssh -J user@bastion user@target-ec2-instance
, e.g.
ssh -J ec2-user@mybastion.example.com admin@ip-10-0-0-5.ec2.internal
For more permanent connections you can add an entry to your SSH Config file. For example:
Host mywebserver
HostName ip-10-0-0-5.ec2.internal
User admin
ProxyJump ec2-user@mybastion.example.com
You can now connect to your mywebserver
instance (through the bastion) like this:
ssh mywebserver
In the example above, we are connecting through the bastion host to admin@ip-10-0-0-5.ec2.internal
which is an EC2 Linux instance on a private subnet.
Of course, with the solution above, you still have to distribute and manage SSH keypairs. If you want to avoid this hassle, AWS recently announced an alternative for secure shell access. If you have the SSM Agent installed on all your instances you can use the SSM Session Manager for secure shell access. As an added bonus, it even works with Microsoft Windows servers, providing an interactive PowerShell session.
In this post I showed you how to use the SSH ProxyJump
command to easily tunnel through a bastion host to target EC2 instances. I've personally used the SSH ProxyJump
command with several customers to make jumping through a bastion host much easier, quicker, and more reliable.
If you are interested in learning more about how 1Strategy can help optimize your AWS cloud journey and infrastructure, please contact us for more information at info@1Strategy.com.