
Elastic Compute Service: Perform port forwarding by using ali-instance-cli

Last Updated: Aug 05, 2024

Session Manager is a feature provided by Cloud Assistant that allows you to connect to Elastic Compute Service (ECS) instances in a secure and convenient manner. ali-instance-cli is a CLI tool provided by Session Manager. This topic describes how to use ali-instance-cli to forward network traffic from a port on your computer to an ECS instance.

Prerequisites

  • Cloud Assistant Agent is installed on the instance to which you want to connect. If the instance is a Windows instance, the installed Cloud Assistant Agent version must be 2.1.3.256 or later. If the instance is a Linux instance, the installed Cloud Assistant Agent version must be 2.2.3.256 or later. For information about how to install Cloud Assistant Agent, see Install Cloud Assistant Agent.

  • Session Manager is enabled. For information about how to enable Session Manager, see Connect to an instance by using Session Manager.

Background information

When you use ali-instance-cli to set up port forwarding to an ECS instance, you do not need the public IP address of the instance. You provide only the instance ID and a port number on the instance. Session Manager Client then forwards network traffic from a port on your computer to the specified port on the ECS instance. This way, you can access services on the ECS instance in a secure and convenient manner. For more information about Session Manager, see Session Manager.

Linux and macOS operating systems

Note

In this example, the test user is used. The operations that you need to perform may vary based on the actual user and directories.

  1. Log on to Session Manager Client.

  2. Install ali-instance-cli on Session Manager Client.

    Run one of the following commands based on the operating system to install ali-instance-cli.

    • Linux

      curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/linux/ali-instance-cli
      chmod a+x ali-instance-cli
    • macOS

      curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/mac/ali-instance-cli
      chmod a+x ali-instance-cli
  3. Configure an AccessKey pair, a Security Token Service (STS) token, or CredentialsURI.

    For information about how to obtain an AccessKey pair or STS token, see Create an AccessKey pair or What is STS?

    1. Switch to the test directory.

      cd /home/test
    2. Configure an authentication method.

      The following authentication methods are supported:

      • AccessKey pair-based authentication

        Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted:

        ./ali-instance-cli configure --mode AK
      • STS token-based authentication

        Note

        In the following command, replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token.

        ./ali-instance-cli configure set --mode StsToken --region "region" --access-key-id "ak" --access-key-secret "sk" --sts-token "token"
      • CredentialsURI-based authentication

        Run the following command and specify CredentialsURI and RegionID as prompted.

        Note

        Set the CredentialsURI value to the IP address of the authentication server that you configure.

        ./ali-instance-cli configure --mode=CredentialsURI

      The following command output indicates that the AccessKey pair-based authentication method is configured. [Screenshot: authentication succeeded]

  4. Run the following command to forward network traffic from a port on your computer to a port on an ECS instance:

    ./ali-instance-cli portforward -i "instance id" -l 8080 -r 80
    Note

    This example demonstrates how to use Session Manager to perform port forwarding. In this example, port 8080 on your computer and port 80 on an ECS instance are used. You can specify other ports based on your business requirements. Replace instance id with the actual instance ID.

    The following command output indicates that a forwarding path is established from the specified port on your computer to the specified port on the ECS instance by Session Manager. [Screenshot: Linux port forwarding]

  5. Run the following command to forward network traffic from a port on your computer to a port on a specific host that is accessible to an ECS instance.

    Make sure that the version of ali-instance-cli is not earlier than the following versions:

    • Linux: 1.2.0.48

    • macOS: 1.3.0.48

    ./ali-instance-cli portforward -i "instance-id" -l 8080 -r <IP>:80
    Note

    In this example, port 8080 on your computer and port 80 on a specific host that is accessible to an ECS instance are used. You can specify other ports based on your business requirements. Replace instance-id with the actual instance ID. Replace <IP> with the IP address of the host that you want to access.

    The following command output indicates that a forwarding path is established from the specified port on your computer to the specified port on the destination host by Session Manager.

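The checks implied by steps 4 and 5 above, as an added shell example that is not part of the original documentation: it validates the local port and the -r target, and enforces the minimum ali-instance-cli versions listed on this page for the <IP>:<port> form, before printing the portforward arguments. The function names, the i-example placeholder and the sample address are assumptions, and the CLI version is passed in as a string because this page does not show how to query it.

```shell
# Added example (not from the original page): pre-flight checks for the
# arguments of `ali-instance-cli portforward`. Function names are hypothetical.

# version_ge A B: succeed when dotted version A is not earlier than B.
version_ge() {
  v1=$1; v2=$2
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    f1=${v1%%.*}; f2=${v2%%.*}
    [ "${f1:-0}" -gt "${f2:-0}" ] && return 0
    [ "${f1:-0}" -lt "${f2:-0}" ] && return 1
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
  done
  return 0
}

valid_port() {   # decimal integer in 1..65535
  case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {   # four dot-separated octets, each 0..255
  case $1 in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# portforward_args INSTANCE_ID LOCAL_PORT REMOTE CLI_VERSION OS   (OS = `uname -s`)
# Prints the argument line, or returns 2 (bad instance ID or local port),
# 3 (CLI too old or unknown OS for the <IP>:<port> form), 4 (bad remote).
portforward_args() {
  case $1 in ''|*[!A-Za-z0-9-]*) return 2 ;; esac
  valid_port "$2" || return 2
  case $3 in
    *:*)  # <IP>:<port> form: minimum versions are the ones this page lists
      case $4 in ''|*[!0-9.]*) return 3 ;; esac
      case $5 in Linux) min=1.2.0.48 ;; Darwin) min=1.3.0.48 ;; *) return 3 ;; esac
      version_ge "$4" "$min" || return 3
      valid_ipv4 "${3%:*}" && valid_port "${3##*:}" || return 4 ;;
    *) valid_port "$3" || return 4 ;;
  esac
  printf 'portforward -i %s -l %s -r %s\n' "$1" "$2" "$3"
}

# Constructed sample values; i-example is a placeholder, not a real instance ID.
portforward_args i-example 8080 10.0.0.5:80 1.2.0.48 Linux
```

Because the <IP>:<port> form reaches any host the instance can reach, a wrapper like this is also a natural place to restrict which destinations operators may request.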

Windows operating systems

Note

In this example, the test user is used. The operations that you need to perform may vary based on the actual user and directories.

  1. Log on to Session Manager Client.

    For more information, see Connection method overview.

  2. Download ali-instance-cli on Session Manager Client.

    Download and save ali-instance-cli.exe for Windows to a directory on your computer. In this example, the C:\Users\test directory is used.

  3. Configure an AccessKey pair or an STS token.

    For information about how to obtain an AccessKey pair or STS token, see Create an AccessKey pair or What is STS?

    1. Choose Start > Run to open the Run dialog box. Enter cmd and press the Enter key to open the command prompt window.

    2. Switch to the test directory.

      cd C:\Users\test
    3. Configure an authentication method.

      The following authentication methods are supported:

      • AccessKey pair-based authentication

        Run the following command and enter an AccessKey ID, AccessKey secret, and region ID as prompted:

        ali-instance-cli.exe configure --mode AK
      • STS token-based authentication

        Note

        In the following command, replace region, ak, sk, and token with the actual region ID, AccessKey ID, AccessKey secret, and STS token.

        ali-instance-cli.exe configure set --mode StsToken --region "region" --access-key-id "ak" --access-key-secret "sk" --sts-token "token"

      The following command output indicates that the AccessKey pair-based authentication method is configured.


  4. Run the following command to forward network traffic from a port on your computer to a port on an ECS instance:

    ali-instance-cli.exe portforward -i "instance id" -l 8080 -r 80
    Note

    This example demonstrates how to use Session Manager to perform port forwarding. In this example, port 8080 on your computer and port 80 on an ECS instance are used. You can specify other ports based on your business requirements. Replace instance id with the actual instance ID.

    The following command output indicates that a forwarding path is established from the specified port on your computer to the specified port on the ECS instance by Session Manager. [Screenshot: Windows port forwarding]

  5. Run the following command to forward network traffic from a port on your computer to a port on a specific host that is accessible to an ECS instance.

    Make sure that the version of ali-instance-cli is not earlier than version 1.1.0.48.

    ali-instance-cli.exe portforward -i "instance-id" -l 8080 -r <IP>:80
    Note

    In this example, port 8080 on your computer and port 80 on a specific host that is accessible to an ECS instance are used. You can specify other ports based on your business requirements. Replace instance-id with the actual instance ID. Replace <IP> with the IP address of the host that you want to access.

    The following command output indicates that a forwarding path is established from the specified port on your computer to the specified port on the destination host by Session Manager.


Use case: Access the MySQL service on an ECS instance

Assume that the MySQL service uses port 3306 on your ECS instance. Your computer on which Session Manager Client is installed runs a Linux operating system. You can use ali-instance-cli to access services on the ECS instance from port 33306 on your computer.

  1. Run the following command to forward network traffic from port 33306 on your computer to port 3306 on the ECS instance:

    ./ali-instance-cli portforward -i "instance id" -l 33306 -r 3306

    The following command output indicates that a forwarding path is established from the specified port on your computer to the specified port on the ECS instance by Session Manager. [Screenshot: connect to MySQL]

  2. Run the following command to access the MySQL service on the ECS instance from your computer:

    mysql -uroot -h127.0.0.1 -ppassword --port=33306
    Note

    Replace password with the MySQL password.

    The following command output indicates that the MySQL service on the ECS instance is accessed. [Screenshot: access the MySQL service]

    The ali-instance-cli log indicates that a new connection is accepted, which is the connection initiated by the MySQL client. [Screenshot: CLI log]

  3. Run the exit command to close the connection to MySQL.

    exit

    The ali-instance-cli log indicates that the connection is closed. [Screenshot: connection closed]

FAQ

If an error occurs when you use Session Manager Client, you can view logs to identify and analyze the issue.

  • View the log generated at the current time for Session Manager Client. Example: /home/test/log/aliyun_ecs_session_log.2022XXXX.

  • View the logs of Cloud Assistant Agent in one of the following directories based on the operating system.

    • Linux

      /usr/local/share/aliyun-assist/<Version number of Cloud Assistant>/log/
    • Windows

      C:\ProgramData\aliyun\assist\<Version number of Cloud Assistant>\log

If Session Manager is not enabled when you use Session Manager Client to connect to an instance, the "ssh_exchange_identification: Connection closed by remote host" error message appears. Additionally, the "session manager is disabled, please enable first" entry appears in the Session Manager Client log. You can enable Session Manager in the ECS console. For more information, see Connect to an instance by using Session Manager.