
Elastic Compute Service: Connect to an instance without Internet connection by using the port forwarding feature of Session Manager CLI

Last Updated: Jan 15, 2025

You can use Session Manager CLI (ali-instance-cli) to map a port on an Elastic Compute Service (ECS) instance to a port on an on-premises computer. This allows you to access services on the instance without Internet connection by using Cloud Assistant Agent. This topic describes how to use Session Manager CLI to implement the port forwarding feature and access an ECS instance without Internet connection.

Important

The port forwarding feature is based on WebSocket at the underlying level and operates over TCP. Therefore, the feature only supports TCP port forwarding and does not support UDP port forwarding.

What is port forwarding?

The port forwarding feature of Session Manager CLI (ali-instance-cli) is implemented based on Cloud Assistant. The port forwarding feature can map the port of an instance to a port on an on-premises machine on which ali-instance-cli is installed. The port forwarding feature also allows an instance to serve as a jump server to map an on-premises port to a port of another host for service access in an environment without public network connectivity or over a private network.

  • Scenario 1: Connect to an instance without Internet connection

    You can use the port forwarding feature to map a remote access port of an ECS instance that is not connected to the Internet to an on-premises port. Then, you can use tools to access the on-premises port to connect to the ECS instance without Internet connection.

    If the instance to which you want to log on is assigned a public IP address, you can add a deny rule to the security group to disable the port for remote access to the instance to improve instance security.

  • Scenario 2: Access services on an instance without Internet connection

    You can use the port forwarding feature to map a service port of an ECS instance that is not connected to the Internet, such as an NGINX or Apache port, to an on-premises port. This allows you to access the services deployed on the ECS instance.

  • Scenario 3: Access services on other hosts by using an instance as a jump server

    You can use the port forwarding feature to use an instance as a jump server to access services on a network host that is in the same virtual private cloud (VPC) as the instance. For example, you can access the MySQL service deployed on another instance in a VPC.

How port forwarding works

  • The following figure shows the principles of port forwarding.

    The port forwarding (ali-instance-cli) feature is implemented based on Cloud Assistant Agent. After you enable port forwarding, you can map a service port on an ECS instance to a port on your PC by using the session management channel. This allows you to access the instance without Internet connection.

  • The following figure shows how to establish a session management channel between the ali-instance-cli tool and Cloud Assistant Agent.

    After the connection is initiated, the ali-instance-cli tool and Cloud Assistant Agent establish WebSocket connections to the Cloud Assistant server. After the connections are established, the data sent by the ali-instance-cli tool is forwarded to Cloud Assistant Agent by the Cloud Assistant server.


Preparations

Enable Session Manager

Before you can use ali-instance-cli, use your Alibaba Cloud account to enable Session Manager. You can enable Session Manager only in the ECS console. To enable Session Manager, perform the following steps:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select the resource group and region in which the instance that you want to connect to resides.

  4. On the Instance page, find the instance to which you want to connect and click Connect in the Actions column.

  5. Click Show Other Logon Methods.

  6. In the Session Manager section, turn on the switch to the right of Session Management Closed and follow the on-screen instructions to enable Session Manager.


Check whether the instance to which you want to connect is in the Running state

You can use Session Manager to connect to only instances in the Running state.

Use the ECS console

You can view the status of the instance on the Instance page in the ECS console.

For information about how to check the status of the instance, see View instance information.


Use Alibaba Cloud CLI

If you configured Alibaba Cloud CLI, run a command to call an API operation to query the status of the instance. For information about the parameters of the API operation, see DescribeInstanceStatus.

For example, to query the status of the instance whose ID is i-bp1****** and that resides in the China (Hangzhou) region, run the following command:
aliyun ecs DescribeInstanceStatus --region cn-hangzhou --RegionId 'cn-hangzhou' --InstanceId.1 'i-bp1******'

If the instance is in the Running state, the value of the Status parameter in the command output is Running.

{
  "TotalCount": 1,
  "RequestId": "A413****-****-****-****-****611B",
  "PageSize": 1,
  "PageNumber": 1,
  "InstanceStatuses": {
    "InstanceStatus": [
      {
        "Status": "Running",
        "InstanceId": "i-bp1******"
      }
    ]
  }
}

You can also run commands to call other operations to query the status of the instance, such as DescribeInstances. For more information, see DescribeInstances.

Call an API operation

Call the DescribeInstanceStatus or DescribeInstances operation to query the status of the instance. For more information, see DescribeInstanceStatus or DescribeInstances.

Check whether Cloud Assistant Agent is installed on the instance to which you want to connect

Session Manager depends on Cloud Assistant. You can use one of the following methods to check whether Cloud Assistant Agent is installed on the instance.

Cloud Assistant Agent is pre-installed on ECS instances that are created from Alibaba Cloud public images on or after December 1, 2017. For ECS instances created before December 1, 2017, you must manually install Cloud Assistant Agent. For more information, see Install Cloud Assistant Agent.

Use the ECS console

Session Manager is implemented based on Cloud Assistant. You need to install Cloud Assistant Agent on the instance. You can view the status of Cloud Assistant Agent on the ECS Cloud Assistant page in the ECS console.


For information about how to view the status of the Cloud Assistant Agent and handle anomalies, see View the status of Cloud Assistant and handle anomalies.

Use Alibaba Cloud CLI

If you configured Alibaba Cloud CLI, run a command to call the DescribeCloudAssistantStatus operation to check whether Cloud Assistant Agent is installed on the instance and supports Session Manager. For information about the parameters of the DescribeCloudAssistantStatus operation, see DescribeCloudAssistantStatus.

For example, if the instance is assigned an ID of i-bp1****** and resides in the China (Hangzhou) region, run the following command to check whether Cloud Assistant Agent is installed on the instance and supports Session Manager:
aliyun ecs DescribeCloudAssistantStatus --region cn-hangzhou --RegionId 'cn-hangzhou' --InstanceId.1 'i-bp1******'

If Cloud Assistant Agent is installed on the instance and supports Session Manager, the values of the CloudAssistantStatus and SupportSessionManager parameters in the command output are true.

{
  "TotalCount": 1,
  "PageSize": 1,
  "RequestId": "DB34****-****-****-****-****A749",
  "NextToken": "",
  "PageNumber": 1,
  "InstanceCloudAssistantStatusSet": {
    "InstanceCloudAssistantStatus": [
      {
        "CloudAssistantVersion": "2.2.3.857",
        "SupportSessionManager": true,
        "InstanceId": "i-bp1******",
        "InvocationCount": 4,
        "OSType": "Linux",
        "CloudAssistantStatus": "true",
        "LastHeartbeatTime": "2024-12-10T02:38:04Z",
        "LastInvokedTime": "2024-12-08T16:02:45Z",
        "ActiveTaskCount": 0
      }
    ]
  }
}
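
The two Alibaba Cloud CLI checks above (DescribeInstanceStatus and DescribeCloudAssistantStatus) can be combined into one preflight gate that runs before a session is started. This is an added example, not code from the original topic; the instance IDs and JSON are constructed in the shape of the outputs shown above. Note that CloudAssistantStatus is the string "true" while SupportSessionManager is a JSON boolean, so a plain truthiness test would accept the string "false".

```python
import json

# Constructed responses in the shape of the CLI outputs shown in this topic.
# The instance IDs are made up for the example.
INSTANCE_STATUS = """
{"InstanceStatuses": {"InstanceStatus": [
  {"Status": "Running", "InstanceId": "i-bp1exampleaaaa"},
  {"Status": "Stopped", "InstanceId": "i-bp1examplebbbb"},
  {"Status": "Running", "InstanceId": "i-bp1examplecccc"}
]}}
"""
ASSISTANT_STATUS = """
{"InstanceCloudAssistantStatusSet": {"InstanceCloudAssistantStatus": [
  {"InstanceId": "i-bp1exampleaaaa", "CloudAssistantStatus": "true", "SupportSessionManager": true},
  {"InstanceId": "i-bp1examplebbbb", "CloudAssistantStatus": "true", "SupportSessionManager": true},
  {"InstanceId": "i-bp1examplecccc", "CloudAssistantStatus": "false", "SupportSessionManager": false}
]}}
"""


def is_true(value):
    """Accept a JSON boolean or its string form; bool("false") would be True."""
    if isinstance(value, bool):
        return value
    return isinstance(value, str) and value.strip().lower() == "true"


def _find(entries, instance_id):
    """Return the entry for instance_id, or None if the output does not list it."""
    return next((e for e in entries if e.get("InstanceId") == instance_id), None)


def session_manager_readiness(instance_id, status_json, assistant_json):
    """Return the list of blocking problems; an empty list means ready."""
    problems = []

    statuses = json.loads(status_json).get("InstanceStatuses", {}).get("InstanceStatus", [])
    status = _find(statuses, instance_id)
    if status is None:
        problems.append("not listed in DescribeInstanceStatus output")
    elif status.get("Status") != "Running":
        problems.append(f"instance is {status.get('Status')}, not Running")

    agents = (json.loads(assistant_json)
              .get("InstanceCloudAssistantStatusSet", {})
              .get("InstanceCloudAssistantStatus", []))
    agent = _find(agents, instance_id)
    if agent is None:
        problems.append("not listed in DescribeCloudAssistantStatus output")
    else:
        if not is_true(agent.get("CloudAssistantStatus")):
            problems.append("CloudAssistantStatus is not true")
        if not is_true(agent.get("SupportSessionManager")):
            problems.append("SupportSessionManager is not true")
    return problems


if __name__ == "__main__":
    for iid in ("i-bp1exampleaaaa", "i-bp1examplebbbb", "i-bp1examplecccc"):
        issues = session_manager_readiness(iid, INSTANCE_STATUS, ASSISTANT_STATUS)
        print(iid, "ready" if not issues else "; ".join(issues))
```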

Call an API operation

Call the DescribeCloudAssistantStatus operation to check whether Cloud Assistant Agent is installed on the instance. For more information, see DescribeCloudAssistantStatus.

Prepare the credentials of the Resource Access Management (RAM) user as whom you want to use Session Manager

When you use ali-instance-cli, you must specify the AccessKey pair and Security Token Service (STS) token of the RAM user. When you connect to an instance by using Session Manager, the system verifies whether the RAM user who has the credentials also has the ecs:StartTerminalSession permission.

When you configure a custom policy, you can configure the Resource parameter to specify the ECS instances to which a RAM user can connect by using Session Manager. Sample policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:StartTerminalSession",
      "Resource": "*"
    }
  ]
}
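
The sample policy above grants ecs:StartTerminalSession on every instance ("Resource": "*"). The following added example (not part of the original topic) flags Allow statements that are not pinned to a specific instance and includes a scoped policy for comparison. The account ID and instance ID are placeholders, and the scoped resource uses the ECS instance resource format acs:ecs:<region>:<account-id>:instance/<instance-id>.

```python
import fnmatch
import json
import re

ACTION = "ecs:StartTerminalSession"

# A resource counts as pinned when it names one literal instance ID.
PINNED = re.compile(r"^acs:ecs:[^:]*:[^:]*:instance/[^*?/]+$")

# The sample policy from this topic.
BROAD_POLICY = """
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "ecs:StartTerminalSession", "Resource": "*"}
]}
"""

# Constructed scoped policy; <account-id> and the instance ID are placeholders.
SCOPED_POLICY = """
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": "ecs:StartTerminalSession",
   "Resource": "acs:ecs:cn-hangzhou:<account-id>:instance/i-bp1exampleaaaa"}
]}
"""

# Constructed policy in which the grant is hidden behind an action wildcard.
WILDCARD_POLICY = """
{"Version": "1", "Statement": [
  {"Effect": "Allow", "Action": ["ecs:*"], "Resource": ["acs:ecs:cn-hangzhou:*:instance/*"]},
  {"Effect": "Allow", "Action": "ecs:DescribeInstances", "Resource": "*"}
]}
"""


def _as_list(value):
    """Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def unscoped_session_grants(policy_json):
    """Return (statement index, resource) pairs that allow Session Manager
    connections without naming a specific instance. Conditions and Deny
    statements are not evaluated, so treat the result as a review list."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement"))
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # Match case-insensitively and honour wildcards such as "ecs:*" or "*".
        if not any(fnmatch.fnmatchcase(ACTION.lower(), a.lower()) for a in actions):
            continue
        for resource in _as_list(stmt.get("Resource")):
            if not PINNED.match(resource):
                findings.append((index, resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY),
                         ("wildcard", WILDCARD_POLICY)):
        print(name, unscoped_session_grants(policy))
```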

For information about the CredentialsURI and STS Token parameters, see Create an AccessKey pair and What is STS?

For information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

1. Install and configure ali-instance-cli

Note

If you already installed and configured ali-instance-cli, skip this step.

1.1 Install ali-instance-cli

Install ali-instance-cli on your computer. The installation operations vary based on the operating system.

Windows

Click here to download ali-instance-cli for Windows and save it to a folder on your computer.

In this example, ali-instance-cli is saved to the C:\Users\test folder on your computer.

macOS

Run the following command in the macOS terminal to download ali-instance-cli for macOS:

curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/mac/ali-instance-cli

Run the following command to grant execute permissions on ali-instance-cli:

chmod a+x ali-instance-cli

Linux

Run the following command to install ali-instance-cli for Linux:

curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/linux/ali-instance-cli

Run the following command to grant execute permissions on ali-instance-cli:

chmod a+x ali-instance-cli

1.2 Configure ali-instance-cli

When you use ali-instance-cli on your computer to connect to an instance, you must configure identity credentials, such as an AccessKey pair. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. For more information, see the Prepare the credentials of the Resource Access Management (RAM) user as whom you want to use Session Manager section of this topic.

Windows

  1. Right-click the Start icon and select Run. In the Run dialog box, enter cmd and press the Enter key to open a Command Prompt window.

  2. Run the following command to switch to the directory in which ali-instance-cli.exe resides. In this example, the C:\Users\test directory is used.

    cd C:\Users\test
  3. Configure credentials. The following types of credentials are supported:

    AccessKey pair

    Run the following command and configure the Access Key Id, Access Key Secret, and Region Id parameters as prompted:

    ali-instance-cli.exe configure --mode AK
    STS token

    Run the following command to configure credentials:

    ali-instance-cli.exe configure set --mode StsToken --region "<region>" --access-key-id "<ak>" --access-key-secret "<sk>" --sts-token "<sts_token>"

    Replace <region>, <ak>, <sk>, and <sts_token> with the actual region ID, AccessKey ID, AccessKey secret, and Security Token Service (STS) token.

    Credentials URI

    Run the following command and configure the Credentials URI and Region Id parameters as prompted:

    ali-instance-cli.exe configure --mode=CredentialsURI

    The following command output indicates that credentials are configured.


macOS or Linux

  1. Go to the directory in which ali-instance-cli resides. In this example, the root directory (~) of the current user is used.

    cd ~
  2. Configure credentials.

    AccessKey pair

    Run the following command and configure the Access Key Id, Access Key Secret, and Region Id parameters as prompted:

    ./ali-instance-cli configure --mode AK
    STS token

    Run the following command to configure credentials:

    ./ali-instance-cli configure set --mode StsToken --region "<region>" --access-key-id "<ak>" --access-key-secret "<sk>" --sts-token "<sts_token>"

    Replace <region>, <ak>, <sk>, and <sts_token> with the actual region ID, AccessKey ID, AccessKey secret, and STS token.

    Credentials URI

    Run the following command and configure the Credentials URI and Region Id parameters as prompted:

    ./ali-instance-cli configure --mode=CredentialsURI

    The following command output indicates that credentials are configured.


2. Use the port forwarding feature

2.1 Obtain the ID of the instance whose port is mapped to an on-premises port

Before you use the port forwarding feature, obtain the ID of the instance whose port you want to map. The ID is required in subsequent steps.

Use the ECS console

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the upper-left corner of the top navigation bar, select the resource group and region where the instance to which you want to connect resides.

  4. On the Instance page, find the instance to which you want to connect and click the instance ID.


Use Alibaba Cloud CLI

If you configured Alibaba Cloud CLI, run a command to call the DescribeInstances operation to query the ID of the instance to which you want to connect. For information about the parameters of the DescribeInstances operation, see DescribeInstances.

For example, run the following command to query the ID of an instance named SessionManager-example that resides in the China (Hangzhou) region:
aliyun ecs DescribeInstances --region cn-hangzhou --RegionId 'cn-hangzhou' --InstanceName 'SessionManager-example'

The value of the InstanceId parameter in the command output is the ID of the instance.


Call API operations

Call the DescribeInstances operation to query the ID of the instance to which you want to connect. For more information, see DescribeInstances.

2.2 Use port forwarding

Method 1: Directly use the port forwarding feature on an instance

Windows computer

Important

Do not close the Command Prompt window when you use port forwarding. If the Command Prompt window is closed, port forwarding is also terminated.

Open the Command Prompt window, go to the directory in which ali-instance-cli.exe is stored, and then run the following command to enable port forwarding:

ali-instance-cli.exe portforward -i <instance_id> -r <target_port> -l <local_port>
Note

Replace <instance_id> with the ID of the instance that requires port forwarding, <target_port> with the port of the destination ECS instance, and <local_port> with an on-premises port to which the instance port is mapped.

As shown in the following figure, after port forwarding starts as expected, the tool enters the Waiting for connections state. In this case, accessing 127.0.0.1:<local_port> on the on-premises machine is equivalent to accessing the service on port <target_port> of the instance.

macOS or Linux computer

Important

Do not close the current terminal when you use port forwarding. If the terminal is closed, port forwarding is also terminated.

In the terminal, go to the directory in which ali-instance-cli is stored and run the following command to enable port forwarding:

./ali-instance-cli portforward -i <instance_id> -r <target_port> -l <local_port>
Note

Replace <instance_id> with the ID of the instance that requires port forwarding, <target_port> with the port of the destination ECS instance, and <local_port> with an on-premises port to which the instance port is mapped.

As shown in the following figure, after port forwarding starts as expected, the tool enters the Waiting for connections state. In this case, accessing 127.0.0.1:<local_port> on the on-premises machine is equivalent to accessing the service on port <target_port> of the instance.

Method 2: Use an ECS instance as a jump server to forward traffic to other hosts

You can use Session Manager CLI to establish a connection to an ECS instance and use the ECS instance as a jump server to access a port of another host.

Windows computer

Important

Do not close the Command Prompt window when you use port forwarding. If the Command Prompt window is closed, port forwarding is also terminated.

Open the Command Prompt window, go to the directory in which ali-instance-cli.exe is stored, and then run the following command to enable port forwarding:

ali-instance-cli.exe portforward -i <instance_id> -r <target_ip>:<target_port> -l <local_port>
Note

Replace <instance_id> with the ID of the jump server instance, <target_ip> with the IP address of the destination host, <target_port> with the port of the destination host, and <local_port> with the on-premises port to which the instance port is mapped.

As shown in the following figure, after port forwarding starts as expected, the tool enters the Waiting for connections state. In this case, accessing 127.0.0.1:<local_port> is equivalent to accessing the service whose host address is <target_ip> and port number is <target_port>.

macOS or Linux computer

Important

Do not close the current terminal when you use port forwarding. If the terminal is closed, port forwarding is also terminated.

In the terminal, go to the directory in which ali-instance-cli is stored and run the following command to enable port forwarding:

./ali-instance-cli portforward -i <instance_id> -r <target_ip>:<target_port> -l <local_port>
Note

Replace <instance_id> with the ID of the jump server instance, <target_ip> with the IP address of the destination host, <target_port> with the port of the destination host, and <local_port> with the on-premises port to which the instance port is mapped.

As shown in the following figure, after port forwarding starts as expected, the tool enters the Waiting for connections state. In this case, accessing 127.0.0.1:<local_port> is equivalent to accessing the service whose host address is <target_ip> and port number is <target_port>.

Example scenarios

Example 1: Connect to an instance without Internet connection

Sample architecture

The port forwarding feature allows you to connect to an ECS instance without Internet connection.


Procedure

Connect to a Linux instance

  1. Enable port forwarding.

    Map the SSH port (22 by default) of the instance to port 8080 of the on-premises machine. The operations vary based on the operating system.

    Important

    After port forwarding is enabled, closing the Command Prompt window or the terminal causes the connection to be interrupted.

    Windows computer

    Open the Command Prompt window, go to the directory in which the ali-instance-cli.exe tool is stored, and then run the following command to perform port forwarding:

    ali-instance-cli.exe portforward -i i-bp1****** -r 22 -l 8080
    In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 22, which is the SSH port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.

    macOS or Linux computer

    Open the terminal, go to the directory in which the ali-instance-cli tool is stored, and then run the following command to perform port forwarding:

    ./ali-instance-cli portforward -i i-bp1****** -r 22 -l 8080
    In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 22, which is the SSH port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.
  2. Connect to the instance.

    After port forwarding is enabled, you can directly access port 8080 on the on-premises machine to access the destination instance.

    • Remote host IP address: 127.0.0.1.

    • SSH port of the remote host: 8080.

    In this example, the OpenSSH client is used. You can select an appropriate connection tool based on your business requirements.

    Port forwarding.

    Use 127.0.0.1:8080 to connect to an instance.

Use ssh of the ali-instance-cli tool to simplify operations

When you connect to an instance by using OpenSSH, you can use the ali-instance-cli ssh command to simplify the operation. The command uses the port forwarding feature at the underlying layer.

In this example, the macOS and Linux operating systems are used.
  1. Modify the .ssh/config configuration file and add the following content:

    Replace <cli_path> with the absolute path in which the ali-instance-cli tool is stored.

    host i-*
        ProxyCommand sh -c "<cli_path> ssh -i '%h' --port '%p'"
  2. Run the ssh command to connect to the instance.

    Replace the following parameters in the command:

    • <private_key_path>: Replace this parameter with the path in which the private key is stored.

    • <ssh_port>: Replace this parameter with the actual remote access port of the SSH service on the ECS instance.

    • <ecs_username>: Replace this parameter with the logon name of the ECS instance.

    • <instance_id>: Replace this parameter with the actual ID of the ECS instance.

      Important

      The instance ID instead of the IP address of the instance is used.

    ssh -i <private_key_path> -p <ssh_port> <ecs_username>@<instance_id>


Connect to a Windows instance

  1. Enable port forwarding.

    Map the RDP port (3389 by default) to port 8080 of the on-premises machine. The operations vary based on the operating system.

    Important

    After port forwarding is enabled, closing the Command Prompt window or the terminal causes the connection to be interrupted.

    Windows computer

    Open the Command Prompt window, go to the directory in which the ali-instance-cli.exe tool is stored, and then run the following command to perform port forwarding:

    ali-instance-cli.exe portforward -i i-bp1****** -r 3389 -l 8080
    In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 3389, which is the RDP port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.

    macOS or Linux computer

    Open the terminal, go to the directory in which the ali-instance-cli tool is stored, and then run the following command to perform port forwarding:

    ./ali-instance-cli portforward -i i-bp1****** -r 3389 -l 8080
    In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 3389, which is the RDP port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.
  2. Connect to the instance.

    After port forwarding is enabled, you can directly access port 8080 on the on-premises machine to access the destination instance.

    • Remote computer: 127.0.0.1:8080.

    The following example shows how to use Windows Remote Desktop (RDP) to connect to an ECS instance. You can select an appropriate connection tool based on your business requirements.

    Port forwarding.

    Use 127.0.0.1:8080 to connect to a Windows instance.

Example 2: Access the NGINX service on an ECS instance without Internet connection

Sample architecture


Procedure

  1. Enable port forwarding.

    Map the NGINX port (80 by default) to port 8080 of the on-premises machine. The operations vary based on the operating system.

    Important

    After port forwarding is enabled, closing the Command Prompt window or the terminal causes the connection to be interrupted.

    Windows computer

    Open the Command Prompt window, go to the directory in which the ali-instance-cli.exe tool is stored, and then run the following command to perform port forwarding:

    ali-instance-cli.exe portforward -i i-bp1****** -r 80 -l 8080
    In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 80, which is the NGINX port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.

    macOS or Linux computer

    Open the terminal, go to the directory in which the ali-instance-cli tool is stored, and then run the following command to perform port forwarding:

    ./ali-instance-cli portforward -i i-bp1****** -r 80 -l 8080
    In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 80, which is the NGINX port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.
  2. Access the NGINX service.

    The following example shows how to access the default page of the NGINX service in a browser.

    Port forwarding.

    Use http://127.0.0.1:8080 to access the default NGINX service page.

Example 3: Use an ECS instance as a jump server to access a private MySQL instance

Example description

As shown in the following figure, this example uses the instance whose ID is i-bp1****** as the jump server to access the MySQL database instance of ApsaraDB RDS for MySQL over the internal network. The endpoint of the RDS instance is rm-******.mysql.rds.aliyuncs.com.

In this example, network connectivity between the ECS instance and the RDS instance is ensured.

Procedure

  1. Enable port forwarding.

    Map the MySQL port (3306 by default) to port 13306 of the on-premises machine. The operations vary based on the operating system.

    Important

    After port forwarding is enabled, closing the Command Prompt window or the terminal causes the connection to be interrupted.

    Windows computer

    Open the Command Prompt window, go to the directory in which the ali-instance-cli.exe tool is stored, and then run the following command to perform port forwarding:

    ali-instance-cli.exe portforward -i i-bp1****** -r rm-******.mysql.rds.aliyuncs.com:3306 -l 13306
    In this command, the -i parameter is set to i-bp1******, which is the ID of the jump server ECS instance. The -r parameter is set to rm-******.mysql.rds.aliyuncs.com:3306, which is the endpoint of MySQL. The -l parameter is set to 13306, which is port 13306 on the on-premises machine.

    macOS or Linux computer

    Open the terminal, go to the directory in which the ali-instance-cli tool is stored, and then run the following command to perform port forwarding:

    ./ali-instance-cli portforward -i i-bp1****** -r rm-******.mysql.rds.aliyuncs.com:3306 -l 13306
    In this command, the -i parameter is set to i-bp1******, which is the ID of the jump server ECS instance. The -r parameter is set to rm-******.mysql.rds.aliyuncs.com:3306, which is the endpoint of MySQL. The -l parameter is set to 13306, which is port 13306 on the on-premises machine.
  2. Use the MySQL client to access the MySQL database.

    After port forwarding is enabled, you can use port 13306 on the on-premises machine to access MySQL.

    The MySQL client is used as an example. You can select an appropriate connection tool based on your business requirements.

    Port forwarding.

    Use 127.0.0.1:13306 to access the MySQL service.

FAQ

What do I do if the command line does not respond after I run an ali-instance-cli command? (The instance may not be in the Running state)

If the command line does not respond after you run an ali-instance-cli command, the corresponding instance may not be in the Running state. Check the status of the instance. For more information, see the Check whether the instance to which you want to connect is in the Running state section of this topic.

What do I do if the command line does not respond after I run an ali-instance-cli command? (The required ports may not be open in security groups)

If the command line does not respond after you run an ali-instance-cli command, the required ports may not be open for outbound traffic in the security groups of the corresponding instance. By default, basic security groups open all ports for outbound traffic. The preceding issue may occur if you modify the outbound rules of basic security groups or use advanced security groups for the instance.

When you use Session Manager to connect to an ECS instance, make sure that Cloud Assistant Agent running on the ECS instance can connect to the Cloud Assistant server by adding the following outbound rules to the security group:

Unlike connection methods such as SSH and Remote Desktop Protocol (RDP), Cloud Assistant Agent actively establishes a WebSocket connection to the Session Manager server. You only need to open the outbound WebSocket port of the Cloud Assistant server in a security group rule. For information about how the session management channel works, see the How port forwarding works section of this topic.
Important
  • If you use basic security groups including the default security group, all outbound traffic is allowed. No additional configuration is required.

  • If you use an advanced security group, all outbound traffic is denied. You must configure the relevant rules. The following table describes the rules. For information about security groups, see Basic security groups and advanced security groups.

For information about how to add rules to a security group, see Add a security group rule.

Action | Priority | Protocol type | Port range | Authorization object | Description
Allow | 1 | Custom TCP | 443 | 100.100.0.0/16 | This port is used to access the Cloud Assistant server.
Allow | 1 | Custom TCP | 443 | 100.0.0.0/8 | This port is used to access the server on which the Cloud Assistant Agent installation package is stored when you want to install or update Cloud Assistant Agent.
Allow | 1 | Custom UDP | 53 | 0.0.0.0/0 | This port is used to resolve domain names.

If you want to connect to an instance by using only Session Manager, delete the inbound rules that allow the SSH port (default 22) and RDP port (default 3389) from a security group to improve the security of the ECS instance.
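
The outbound rules listed above and the advice to remove inbound SSH and RDP rules can be checked together against a security group's rule list. This is an added example, not code from the original topic; the rule sets are constructed, and the field names (Direction, Policy, IpProtocol, PortRange, DestCidrIp, SourceCidrIp) are assumed to follow the rule entries returned for a security group, so verify them against your own output. It applies to groups whose outbound traffic is restricted, such as advanced security groups.

```python
import ipaddress

# Outbound rules this topic lists for advanced security groups.
REQUIRED_EGRESS = [
    ("tcp", 443, "100.100.0.0/16", "Cloud Assistant server"),
    ("tcp", 443, "100.0.0.0/8", "Cloud Assistant Agent installation packages"),
    ("udp", 53, "0.0.0.0/0", "DNS resolution"),
]
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed rule sets for the example.
ONLY_443 = [
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "DestCidrIp": "100.0.0.0/8"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
]
COMPLETE = [
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "DestCidrIp": "100.100.0.0/16"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "DestCidrIp": "100.0.0.0/8"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "UDP",
     "PortRange": "53/53", "DestCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "10.0.0.0/8"},
]
ALLOW_ALL = [
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "1/65535", "SourceCidrIp": "10.0.0.0/8"},
]


def _accepts(rule, proto, port):
    """True if the rule is an allow rule covering this protocol and port."""
    if rule["Policy"].lower() != "accept":
        return False
    if rule["IpProtocol"].lower() not in (proto, "all"):
        return False
    low, high = (int(p) for p in rule["PortRange"].split("/"))
    # "-1/-1" denotes all ports.
    return (low, high) == (-1, -1) or low <= port <= high


def _covers(rule_cidr, needed_cidr):
    """True if the CIDR block in the rule contains the required block."""
    outer = ipaddress.ip_network(rule_cidr, strict=False)
    return ipaddress.ip_network(needed_cidr).subnet_of(outer)


def audit_security_group(rules):
    """Report required outbound destinations that no allow rule covers and
    remote access ports that an inbound allow rule still opens. Rule
    priority and Drop rules are not evaluated."""
    egress = [r for r in rules if r["Direction"] == "egress"]
    ingress = [r for r in rules if r["Direction"] == "ingress"]
    missing = [
        label for proto, port, cidr, label in REQUIRED_EGRESS
        if not any(_accepts(r, proto, port) and _covers(r["DestCidrIp"], cidr)
                   for r in egress)
    ]
    still_open = sorted({
        name for r in ingress for port, name in REMOTE_ACCESS_PORTS.items()
        if _accepts(r, "tcp", port)
    })
    return {"missing_egress": missing, "remote_access_open": still_open}


if __name__ == "__main__":
    for name, rules in (("only_443", ONLY_443), ("complete", COMPLETE),
                        ("allow_all", ALLOW_ALL)):
        print(name, audit_security_group(rules))
```

In the first constructed rule set, the single 100.0.0.0/8 rule already covers the 100.100.0.0/16 requirement, so only DNS is reported as missing.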

What do I do if the DeliveryTimeout error is reported after I run an ali-instance-cli command?

If the DeliveryTimeout error is reported as shown in the following figure after you run an ali-instance-cli command, Cloud Assistant Agent may be unavailable on the corresponding instance. Check the status of Cloud Assistant Agent. For more information, see the Check whether Cloud Assistant Agent is installed on the instance to which you want to connect section of this topic.


What do I do if the "session manager is disabled, please enable first" error message appears after I run an ali-instance-cli command?

If the "session manager is disabled, please enable first" error message appears after you run an ali-instance-cli command, Session Manager is disabled. Enable Session Manager in the ECS console. For more information, see the Enable Session Manager section of this topic.

What do I do if a connection established to an instance by using Session Manager is automatically closed due to inactivity for an extended period of time?

After you connect to an instance by using Session Manager, the connection is automatically closed if you do not perform operations for an extended period of time. By default, the idle timeout period for a connection is 3 minutes. You can use the --idle-timeout parameter to specify a custom idle timeout period.

For example, run the following command to connect to an instance and configure the connection to be automatically closed after 10 minutes of inactivity.

./ali-instance-cli session --instance instance-id --idle-timeout 600
Note

Make sure that the version of ali-instance-cli is not earlier than the following versions:

  • Linux: 1.2.0.48

  • Windows: 1.1.0.48

  • macOS: 1.3.0.48

How do I view logs about ali-instance-cli?

If an error occurs when you use ali-instance-cli, you can view logs to identify and troubleshoot the issue.

  • View the logs of ali-instance-cli. When you use ali-instance-cli, a log directory is generated in the directory in which ali-instance-cli resides. Example: ~/log/aliyun_ecs_session_log.2022XXXX. You can view the logs of ali-instance-cli in the log directory.

  • View the logs of Cloud Assistant Agent in one of the following directories based on the operating system:

    • Linux

      /usr/local/share/aliyun-assist/<Version number of Cloud Assistant Agent>/log/
    • Windows

      C:\ProgramData\aliyun\assist\<Version number of Cloud Assistant Agent>\log