AWS SSH Tunneling

Scenario:

In the corporate, the firewall may prevent HTTP connections to AWS instances. Below is a solution. This solution assumes that you worked with local IP to whitelist SSH connection to the AWS instances. For fixed IP address, use Elastic IP. This will ensure you get a predictable IP addresses. Elastic IP are free if they are associated with an EC2 instance, but chargeable if not associated at 0.001 USD/hr basis. Elastic IPs are region specific, so if you buy Elastic IP in us-west-1 region, you can associate them to EC2 instances within only us-west-1 region.

Let us say, we want to access Spark Web UI which runs on port 4040. Without setting up the channel, you may see the following the error.

Set up

Test SSH Connection. Your EC2 instance may show different banner.

$ chmod 400 iversion_us_west_2.pem
$ ssh -i iversion_us_west_2.pem hadoop@52.52.229.216
Last login: Mon Apr  9 09:21:33 2018
       __|  __|_  )
       _|  (     /   Amazon Linux AMI
      ___|\___|___|
https://aws.amazon.com/amazon-linux-ami/2017.09-release-notes/
8 package(s) needed for security, out of 16 available
Run "sudo yum update" to apply all updates.
                                                                    
EEEEEEEEEEEEEEEEEEEE MMMMMMMM           MMMMMMMM RRRRRRRRRRRRRRR    
E::::::::::::::::::E M:::::::M         M:::::::M R::::::::::::::R   
EE:::::EEEEEEEEE:::E M::::::::M       M::::::::M R:::::RRRRRR:::::R 
  E::::E       EEEEE M:::::::::M     M:::::::::M RR::::R      R::::R
  E::::E             M::::::M:::M   M:::M::::::M   R:::R      R::::R
  E:::::EEEEEEEEEE   M:::::M M:::M M:::M M:::::M   R:::RRRRRR:::::R 
  E::::::::::::::E   M:::::M  M:::M:::M  M:::::M   R:::::::::::RR   
  E:::::EEEEEEEEEE   M:::::M   M:::::M   M:::::M   R:::RRRRRR::::R  
  E::::E             M:::::M    M:::M    M:::::M   R:::R      R::::R
  E::::E       EEEEE M:::::M     MMM     M:::::M   R:::R      R::::R
EE:::::EEEEEEEE::::E M:::::M             M:::::M   R:::R      R::::R
E::::::::::::::::::E M:::::M             M:::::M RR::::R      R::::R
EEEEEEEEEEEEEEEEEEEE MMMMMMM             MMMMMMM RRRRRRR      RRRRRR
                                                                    
[hadoop@ip-172-31-9-221 ~]$

On the server, you might like to test whether the page is active. If the page is inactive, you will see "Connection Refused" error. If the page is active, likely that it will give a status of 20o OK.

$ curl -I http://localhost:4040

Open a new terminal on your laptop and start a dynamic SSH tunnel to AWS. Note the command does not produce any output, the screen will stay blank, but keep the terminal running. Here we are using port 8157 port to channel the traffic, but you can use any other free port for that matter. You can test whether a port is available using telnet some port scanner like nmap.

$ ssh -i iversion_us_west_2.pem -N -D 8157 -C hadoop@52.52.229.216

Open Firefox -> Menu -> Preferences -> Advanced tab > Network Tab > Settings or search for proxy configuration in the latest Firefox app. Set the values as below.

Click on OK to save the settings, restart Firefox and try to access the AWS URL again. For example, when I tried to to access to the page http://52.52.229.216:4040, it redirected to a url internal to AWS cloud, however the page showed up as expected because of SSH tunneling.

Note: since you have set the proxy, normat sites like google.com will not work. Either you can use a seperate browser for normal sites or disable the above proxy. Either way, it will be a good idea to disable the custom proxy, once you are done with your web access to AWS. If you want to have more advanced control like customer pattern based whitelisting, you can use foxyproxy.