Club Cloud Stories #3

25 Nov, 2021
Xebia Background Header Wave

Demo Time

This time, on Club Cloud Stories, Jacco will show demo some interesting AWS feature using the AWS console. We hope you will be able to replicate the steps learn something new in the process!
The demo shows how to run an EC2 instance in a fully private network (no internet connectivity in or out) while still being able to log into it using the AWS Session Manager. We will then use a bash script to create a MySQL tunnel to the Aurora Serverless database. Magic. There are a few hoops you have to jump through to get it working!
Have fun watching!


List of ingredients

  • 1 VPC (no NATS or IGW, with 2 private subnets)
  • 1 EC2 Instance (t3.micro, Amazon Linux 2, tweaked)
  • 1 IAM Role / instance profile
  • 3 VPC EndPoints (ssm, ec2messages, ssmmessages)
  • 1 RDS with Aurora Serverless
  • 2 Security Groups (self referencing)
  • 1 bash script (pre-cooked)
    …and here is the final script that was used to create the tunnel to the database! The commands listed assume you have set things up in eu-central-1, that the EC2 is named bastio, and that the Linux image used has an ec2-user login.
INSTANCE=$(aws ec2 describe-instances --region eu-central-1 --query "Reservations[*].Instances[*].{Instance:InstanceId}" --filter Name=tag:Name,Values=bastion --output text)
ENDPOINT=$(aws rds describe-db-cluster-endpoints --region eu-central-1 --query "DBClusterEndpoints[*].Endpoint" --output text)


ssh-keygen -N '' -f /tmp/temp <<< y

aws ec2-instance-connect send-ssh-public-key \
  --instance-id $INSTANCE \
  --availability-zone eu-central-1a \
  --instance-os-user ec2-user \
  --ssh-public-key file:///tmp/ --region eu-central-1

PROCESS=$(lsof -t -i :5432)

if [ ! -z "$PROCESS" ]
    kill $PROCESS

ssh -i /tmp/temp \
  -Nf -M \
  -L 5432:$ENDPOINT:3306 \
  -o "UserKnownHostsFile=/dev/null" \
  -o "StrictHostKeyChecking=no" \
  -o ProxyCommand="aws ssm start-session --target %h --document AWS-StartSSHSession --parameters portNumber=%p --region=eu-central-1" \

And the user data used for the EC2 booting:

#!/usr/bin/env bash
exec > >(tee /var/log/user-data.log | logger -t user-data -s 2>/dev/console) 2>&1

## Setup SSH Config
cat <<"__EOF__" > /home/${ssh_user}/.ssh/config
Host *
    StrictHostKeyChecking no
chmod 600 /home/${ssh_user}/.ssh/config
chown ${ssh_user}:${ssh_user} /home/${ssh_user}/.ssh/config

## Attention!! We are allowing portforwarding
sed -i -e '/^#AllowTcpForwarding/s/^.*$/AllowTcpForwarding yes/' /etc/ssh/sshd_config

## Enable SSM
systemctl enable amazon-ssm-agent
systemctl start amazon-ssm-agent
systemctl status amazon-ssm-agent

Previous episodes

Cloud Club Stories #2
Cloud Club Stories #1
July 2021
May 2021
April 2021

Jacco Kulman
Jacco is a Cloud Consultant at As an experienced development team lead he coded for the banking- and hospitality- and media-industries. He is a big fan of serverless architectures. In his free time he reads science fiction, contributes to open source projects and enjoys being a life-long-learner.

Get in touch with us to learn more about the subject and related solutions

Explore related posts