Securely Accessing EC2 Windows Instances via SSH Port Forwarding

This note describes how to securely access an EC2 Windows instance in a private subnet through a bastion host in a public subnet.
The SSH tunnel protects only the hop between your PC and the bastion host; it adds no encryption between the bastion host and the EC2 Windows instance.
Building the Backend
VPC
- Create a private subnet in your VPC. If you already have one, you can skip this step.
- Create a route table and associate it with the private subnet.
- Ensure this route table has no route to the internet gateway; a route to the internet gateway is what makes a subnet public.
- If your EC2 Windows instance needs outbound internet access, create a NAT gateway in a public subnet and add a default route to it in the private route table.
A NAT gateway incurs additional charges for as long as it runs.
SSH Bastion Host
- Launch an EC2 instance in the public subnet to serve as the bastion host.
- Configure the security group to allow inbound traffic on ports 22 (SSH) and 3389 (RDP).
Assigning an Elastic IP (EIP) to the bastion host gives it a stable public address to connect to.
EC2 Windows Instance
- Launch an EC2 Windows instance in the private subnet.
- Retrieve the remote desktop credentials using the Get Windows Password option in the EC2 dashboard.
- Restrict the security group to allow inbound traffic on ports 22 and 3389 only from the bastion host.
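The two properties the backend steps above rely on (the private route table carries no route to an internet gateway, and the Windows instance's security group admits 22 and 3389 only from the bastion's security group) are easy to get wrong in the console, so it is worth checking them rather than trusting the subnet's name. The following script is an added example, not part of the original note: it runs the two checks over constructed JSON shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`. Every resource ID in it is a made-up placeholder; replace the constructed dictionaries with the real describe-* output to audit your own VPC.

```python
"""Audit checks for the private-subnet layout described above.

The JSON below is constructed to mirror `aws ec2 describe-route-tables` and
`aws ec2 describe-security-groups` output; every ID is a made-up placeholder.
"""

BASTION_SG_ID = "sg-0bastion0example"  # placeholder, not a real group ID

# Constructed: route table for the private subnet. The default route goes to a
# NAT gateway, so instances can reach the internet without being reachable from it.
PRIVATE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0private0example",
    "Associations": [{"SubnetId": "subnet-0private0example", "Main": False}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
    ],
}

# Constructed: the same table, but the default route points at an internet
# gateway. Any subnet associated with it is public, whatever it is called.
LEAKY_ROUTE_TABLE = {
    "RouteTableId": "rtb-0leaky0example",
    "Associations": [{"SubnetId": "subnet-0private0example", "Main": False}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
    ],
}

# Constructed: security group of the Windows instance. SSH is correctly limited
# to the bastion group; RDP was mistakenly opened to 0.0.0.0/0.
WINDOWS_SG = {
    "GroupId": "sg-0windows0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": BASTION_SG_ID}]},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def route_table_is_private(route_table):
    """True when no route targets an internet gateway (IDs start with 'igw-')."""
    return not any(str(route.get("GatewayId", "")).startswith("igw-")
                   for route in route_table["Routes"])


def security_group_findings(sg, bastion_sg_id, allowed_ports=(22, 3389)):
    """Describe every ingress rule broader than 'tcp/22 or tcp/3389 from the bastion group'."""
    findings = []
    for rule in sg["IpPermissions"]:
        proto = rule.get("IpProtocol")
        if proto == "-1":  # "all traffic" rule
            findings.append("rule allows all protocols and ports")
            continue
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        ports = str(lo) if lo == hi else f"{lo}-{hi}"
        if proto != "tcp" or lo != hi or lo not in allowed_ports:
            findings.append(f"unexpected port range {ports}/{proto}")
        # Any CIDR source bypasses the bastion, including the VPC's own range.
        for entry in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
            cidr = entry.get("CidrIp") or entry.get("CidrIpv6")
            findings.append(f"port {ports} open to CIDR {cidr} (should be bastion SG only)")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != bastion_sg_id:
                findings.append(f"port {ports} open to group {pair.get('GroupId')} (not the bastion)")
    return findings


def audit(route_table, windows_sg, bastion_sg_id):
    """Combine both checks; an empty list means the layout matches the note."""
    report = []
    if not route_table_is_private(route_table):
        report.append(f"{route_table['RouteTableId']} routes to an internet gateway: subnet is public")
    report.extend(f"{windows_sg['GroupId']}: {finding}"
                  for finding in security_group_findings(windows_sg, bastion_sg_id))
    return report


if __name__ == "__main__":
    for table in (PRIVATE_ROUTE_TABLE, LEAKY_ROUTE_TABLE):
        print(f"== {table['RouteTableId']} ==")
        for line in audit(table, WINDOWS_SG, BASTION_SG_ID) or ["no findings"]:
            print(" -", line)
```

The security-group check treats any CIDR source as a finding on purpose: allowing 3389 from the VPC's own CIDR is a common shortcut, but it lets every instance in the VPC reach RDP, not only the bastion.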
Testing the Connection
To establish a secure connection to the EC2 Windows instance, execute the following command from your terminal:
ssh -i <YOUR_PRIVATE_KEY> -L 13389:<YOUR_EC2_WINDOWS_IP>:3389 ec2-user@<YOUR_SSH_BASTION_IP>
This command forwards connections to local port 13389 through the bastion host to port 3389 (RDP) on the EC2 Windows instance in the private subnet.
Then start a remote desktop session to localhost:13389.
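As an added example (not part of the original note), the following wrapper runs the same tunnel with a few flags a practitioner would normally add: -N so the bastion session carries only the forward and no shell, ExitOnForwardFailure=yes so a clash on the local port fails loudly instead of silently leaving a session without the forward, and an explicit 127.0.0.1 bind so the forwarded port is never reachable from other hosts on your LAN. It then waits until the local port accepts connections before launching the RDP client. The key path, bastion and Windows IPs are placeholders; the client commands assume mstsc on Windows or xfreerdp elsewhere.

```python
"""Open the SSH tunnel from the note, wait for the local port, then start RDP.

Hypothetical values: the key path, host addresses and RDP client are
placeholders or assumptions; adjust them to your environment.
"""
import shlex
import socket
import subprocess
import sys
import time


def build_tunnel_command(key_path, bastion_ip, windows_ip, local_port=13389, user="ec2-user"):
    """argv for a tunnel-only ssh session bound to loopback on the local side."""
    return [
        "ssh", "-i", key_path,
        "-N",                                  # no remote shell, just the forward
        "-o", "ExitOnForwardFailure=yes",      # fail if 127.0.0.1:local_port is taken
        "-o", "ServerAliveInterval=30",        # keep idle RDP sessions from being dropped
        "-L", f"127.0.0.1:{local_port}:{windows_ip}:3389",
        f"{user}@{bastion_ip}",
    ]


def wait_for_port(host, port, timeout=15.0):
    """Poll until a TCP connect to host:port succeeds; False once timeout elapses.

    A successful connect only proves ssh is listening locally (key accepted,
    forward set up); reachability of the Windows instance from the bastion is
    exercised by the RDP client's first connection.
    """
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=1.0):
                return True
        except OSError:
            time.sleep(0.5)
    return False


def rdp_client_command(local_port):
    """RDP client argv pointed at the forwarded port (assumed clients: mstsc / xfreerdp)."""
    if sys.platform == "win32":
        return ["mstsc", f"/v:127.0.0.1:{local_port}"]
    return ["xfreerdp", f"/v:127.0.0.1:{local_port}"]


def main():
    local_port = 13389
    argv = build_tunnel_command("~/.ssh/YOUR_PRIVATE_KEY.pem",   # placeholder
                                "YOUR_SSH_BASTION_IP",          # placeholder
                                "YOUR_EC2_WINDOWS_IP",          # placeholder
                                local_port)
    print("starting tunnel:", shlex.join(argv))
    tunnel = subprocess.Popen(argv)
    try:
        if not wait_for_port("127.0.0.1", local_port):
            print("forwarded port never came up; check the key, the bastion's "
                  "security group and the instance IP", file=sys.stderr)
            return 1
        subprocess.run(rdp_client_command(local_port))
        return 0
    finally:
        tunnel.terminate()  # tear the tunnel down when the RDP session ends


if __name__ == "__main__":
    sys.exit(main())
```

Because the ssh process is terminated when the RDP client exits, the forwarded port is not left open on your machine after the session.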