Club Cloud Stories #3

on
Nov 25, 2021
in

Demo Time

This time, on Club Cloud Stories, Jacco will show demo some interesting AWS feature using the AWS console. We hope you will be able to replicate the steps learn something new in the process!

The demo shows how to run an EC2 instance in a fully private network (no internet connectivity in or out) while still being able to log into it using the AWS Session Manager. We will then use a bash script to create a MySQL tunnel to the Aurora Serverless database. Magic. There are a few hoops you have to jump through to get it working!

Have fun watching!

Video

List of ingredients

  • 1 VPC (no NATS or IGW, with 2 private subnets)
  • 1 EC2 Instance (t3.micro, Amazon Linux 2, tweaked)
  • 1 IAM Role / instance profile
  • 3 VPC EndPoints (ssm, ec2messages, ssmmessages)
  • 1 RDS with Aurora Serverless
  • 2 Security Groups (self referencing)
  • 1 bash script (pre-cooked)

…and here is the final script that was used to create the tunnel to the database! The commands listed assume you have set things up in eu-central-1, that the EC2 is named bastio, and that the Linux image used has an ec2-user login.

INSTANCE=$(aws ec2 describe-instances --region eu-central-1 --query "Reservations[*].Instances[*].{Instance:InstanceId}" --filter Name=tag:Name,Values=bastion --output text)
ENDPOINT=$(aws rds describe-db-cluster-endpoints --region eu-central-1 --query "DBClusterEndpoints[*].Endpoint" --output text)

echo $INSTANCE

ssh-keygen -N '' -f /tmp/temp <<< y

aws ec2-instance-connect send-ssh-public-key \
  --instance-id $INSTANCE \
  --availability-zone eu-central-1a \
  --instance-os-user ec2-user \
  --ssh-public-key file:///tmp/temp.pub --region eu-central-1

PROCESS=$(lsof -t -i :5432)

if [ ! -z "$PROCESS" ]
then
    kill $PROCESS
fi

ssh -i /tmp/temp \
  -Nf -M \
  -L 5432:$ENDPOINT:3306 \
  -o "UserKnownHostsFile=/dev/null" \
  -o "StrictHostKeyChecking=no" \
  -o ProxyCommand="aws ssm start-session --target %h --document AWS-StartSSHSession --parameters portNumber=%p --region=eu-central-1" \
  ec2-user@$INSTANCE

And the user data used for the EC2 booting:

#!/usr/bin/env bash
exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1

##
## Setup SSH Config
##
cat <<"__EOF__" > /home/${ssh_user}/.ssh/config
Host *
    StrictHostKeyChecking no
__EOF__
chmod 600 /home/${ssh_user}/.ssh/config
chown ${ssh_user}:${ssh_user} /home/${ssh_user}/.ssh/config

##
## Attention!! We are allowing portforwarding
##
sed -i -e '/^#AllowTcpForwarding/s/^.*$/AllowTcpForwarding yes/' /etc/ssh/sshd_config

##
## Enable SSM
##
systemctl enable amazon-ssm-agent
systemctl start amazon-ssm-agent
systemctl status amazon-ssm-agent

Previous episodes

Cloud Club Stories #2

Cloud Club Stories #1

July 2021

May 2021

April 2021

Jacco is a Cloud Consultant at Binx.io. As an experienced development team lead he coded for the banking- and hospitality- and media-industries. He is a big fan of serverless architectures. In his free time he reads science fiction, contributes to open source projects and enjoys being a life-long-learner.
Luca is a Software Engineer and Trainer with full-stack experience ranging from distributed systems to cross-platform apps. He is currently interested in building modern, serverless solutions on Google Cloud using Golang, Rust and React and leveraging SRE and Agile practices. Luca holds 3 Google Cloud certifications, he is part of the Google Developers Experts community and he is the co-organizer of the Google Cloud User Group that Binx.io holds with Google.
Share this article: Tweet this post / Post on LinkedIn