Securely Connecting to EC2 Windows Instances Using SSH Port Forwarding

Takahiro Iwasa

Jul 16, 2017

2 min read

EC2

SSH port forwarding allows you to securely access an EC2 Windows instance in a private subnet through a bastion host in a public subnet. This approach ensures secure communication between your local machine and the bastion host.

Create a private subnet in your VPC. If you already have one, you can skip this step.

1. Create a route table and associate it with the private subnet.

2. Ensure the internet gateway is removed from this route table to maintain the privacy of the subnet.

If your EC2 Windows instance needs internet access, create a NAT gateway in a public subnet and attach it to the route table.

1. Launch an EC2 instance in a public subnet to serve as the bastion host.
2. Configure the security group to allow inbound traffic on ports 22 (SSH) and 3389 (RDP).

1. Launch an EC2 Windows instance in the private subnet.
2. Retrieve the remote desktop credentials using the Get Windows Password option in the EC2 dashboard.
3. Restrict security group access to allow inbound traffic on ports 22 and 3389 only from the bastion host.

To establish a secure connection to the EC2 Windows instance, execute the following command from your terminal:

ssh -i <YOUR_PRIVATE_KEY> -L 13389:<YOUR_EC2_WINDOWS_IP>:3389 ec2-user@<YOUR_SSH_BASTION_IP>

This command forwards traffic from local port 13389 to the EC2 Windows instance in the private subnet via the bastion host.

Now, initiate a remote desktop session using localhost:13389.

By leveraging SSH port forwarding, AWS users can securely connect to EC2 Windows instances located in private subnets while minimizing exposure to public access.

Happy Coding! 🚀