You can use Session Manager CLI (ali-instance-cli) to map a port on an Elastic Compute Service (ECS) instance to a port on an on-premises computer. The mapping is carried over the Cloud Assistant channel, so you can reach services on an instance that has no Internet connection. This topic describes how to use Session Manager CLI to set up port forwarding and access an ECS instance that is not connected to the Internet.
The port forwarding feature is built on WebSocket, which runs over TCP. Therefore, it supports only TCP port forwarding; UDP port forwarding is not supported.
What is port forwarding?
The port forwarding feature of Session Manager CLI (ali-instance-cli) is implemented based on Cloud Assistant. The port forwarding feature can map the port of an instance to a port on an on-premises machine on which ali-instance-cli is installed. The port forwarding feature also allows an instance to serve as a jump server to map an on-premises port to a port of another host for service access in an environment without public network connectivity or over a private network.
Scenario 1: Connect to an instance without Internet connection
You can use the port forwarding feature to map the remote access port (SSH or RDP) of an ECS instance that is not connected to the Internet to an on-premises port. Then, you use your usual client to connect to the on-premises port and reach the instance.
If the instance to which you want to log on has a public IP address, add a security group rule that denies inbound traffic to the remote access port (or remove the rule that allows it), so that the port is no longer reachable from the Internet and a session requires RAM credentials that are authorized to use Session Manager. This removes the exposed port from the attack surface without affecting port forwarding, which does not use it.
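The following script, added here as an example and not part of this page or of ali-instance-cli, applies that hardening with the Alibaba Cloud CLI: it adds a drop rule for the remote access port at the highest priority and then prints the ingress rules so you can confirm it. It assumes the aliyun CLI is configured for an identity that may change security groups, and that the AuthorizeSecurityGroup and DescribeSecurityGroupAttribute operations accept the parameters shown (RegionId, SecurityGroupId, IpProtocol, PortRange, SourceCidrIp, Policy, Priority, Description, Direction); the region, security group ID and port on the command line are placeholders.

```shell
#!/bin/sh
# close_remote_port.sh: once Session Manager port forwarding is in place, stop exposing the
# instance's remote access port (22 for SSH, 3389 for RDP) to the Internet.
# Added example; not from this page. Assumptions: the Alibaba Cloud CLI (aliyun) is configured
# for an identity allowed to change security groups, and the AuthorizeSecurityGroup operation
# takes the parameters used below; confirm the result with DescribeSecurityGroupAttribute.
#
# Usage:         ./close_remote_port.sh cn-hangzhou sg-bp1****** 22   # print the command only
#        APPLY=1 ./close_remote_port.sh cn-hangzhou sg-bp1****** 22   # run it

# Build the argument list. A drop rule at priority 1 (the highest) takes precedence over any
# existing accept rule on the same port, so you do not have to find and revoke each allow rule
# first. Session Manager does not use the port, so the forwarding keeps working.
deny_rule_args() {
    region="$1"; sg="$2"; port="$3"
    case "$region" in ''|*[!a-z0-9-]*) echo "bad region id: $region" >&2; return 1 ;; esac
    case "$sg" in sg-*) ;; *) echo "bad security group id: $sg" >&2; return 1 ;; esac
    case "$port" in ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;; esac
    # printf reuses the format for each argument, so the pieces are simply concatenated
    printf '%s' "ecs AuthorizeSecurityGroup --RegionId $region --SecurityGroupId $sg" \
           " --IpProtocol tcp --PortRange $port/$port --SourceCidrIp 0.0.0.0/0" \
           " --Policy drop --Priority 1 --Description session-manager-only"
}

main() {
    args=$(deny_rule_args "$1" "$2" "$3") || exit 2
    echo "aliyun $args"
    if [ "${APPLY:-0}" = 1 ]; then
        # shellcheck disable=SC2086   # word-splitting is intended; every token was validated
        aliyun $args
        # Show the resulting ingress rules so the drop rule can be seen at the top.
        aliyun ecs DescribeSecurityGroupAttribute --RegionId "$1" --SecurityGroupId "$2" --Direction ingress
    fi
}

# Run only when invoked with arguments, so the function can also be sourced and tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it without APPLY=1 first to see the exact command, and verify that port forwarding to the instance works (Scenario 1) before you apply the rule: once it is in place, Session Manager is the only way in.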
Scenario 2: Access services on an instance without Internet connection
You can use the port forwarding feature to map a service port of an ECS instance that is not connected to the Internet, such as an NGINX or Apache port, to an on-premises port. This allows you to access the services deployed on the ECS instance.
Scenario 3: Access services on other hosts by using an instance as a jump server
You can use the port forwarding feature to use an instance as a jump server to access services on a network host that is in the same virtual private cloud (VPC) as the instance. For example, you can access the MySQL service deployed on another instance in a VPC.
How port forwarding works
Preparations
Enable Session Manager
Check whether the instance to which you want to connect is in the Running state
Check whether Cloud Assistant Agent is installed on the instance to which you want to connect
Prepare the credentials of the Resource Access Management (RAM) user as whom you want to use Session Manager
1. Install and configure ali-instance-cli
If you already installed and configured ali-instance-cli, skip this step.
1.1 Install ali-instance-cli
Install ali-instance-cli on your computer. The installation operations vary based on the operating system.
Windows
Download ali-instance-cli for Windows and save it to a folder on your computer. In this example, ali-instance-cli is saved to the C:\Users\test folder.
macOS
Run the following command in the macOS terminal to download ali-instance-cli for macOS:
curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/mac/ali-instance-cli
Run the following command to grant execute permissions on ali-instance-cli:
chmod a+x ali-instance-cli
Linux
Run the following command to install ali-instance-cli for Linux:
curl -O https://aliyun-client-assist.oss-accelerate.aliyuncs.com/session-manager/linux/ali-instance-cli
Run the following command to grant execute permissions on ali-instance-cli:
chmod a+x ali-instance-cli
1.2 Configure ali-instance-cli
When you use ali-instance-cli on your computer to connect to an instance, you must configure identity credentials, such as an AccessKey pair. An AccessKey pair consists of an AccessKey ID and an AccessKey secret. Prefer short-lived STS tokens (or a Credentials URI that issues them) over a long-lived AccessKey pair, and grant the RAM user only the permissions that Session Manager needs. For more information, see the Prepare the credentials of the Resource Access Management (RAM) user as whom you want to use Session Manager section of this topic.
Windows
Right-click the Start icon and select Run. In the Run dialog box, enter cmd and press the Enter key to open a Command Prompt window.
Run the following command to switch to the directory in which ali-instance-cli.exe resides. In this example, the C:\Users\test directory is used.
cd C:\Users\test
Configure credentials. The following types of credentials are supported:
AccessKey pair
Run the following command and configure the Access Key Id, Access Key Secret, and Region Id parameters as prompted:
ali-instance-cli.exe configure --mode AK
STS token
Run the following command to configure credentials:
ali-instance-cli.exe configure set --mode StsToken --region "<region>" --access-key-id "<ak>" --access-key-secret "<sk>" --sts-token "<sts_token>"
Replace <region>, <ak>, <sk>, and <sts_token> with the actual region ID, AccessKey ID, AccessKey secret, and Security Token Service (STS) token.
Credentials URI
Run the following command and configure the Credentials URI and Region Id parameters as prompted:
ali-instance-cli.exe configure --mode=CredentialsURI
If the command succeeds, its output indicates that the credentials are configured.
macOS or Linux
Go to the directory in which ali-instance-cli resides. In this example, the home directory (~) of the current user is used.
cd ~
Configure credentials.
AccessKey pair
Run the following command and configure the Access Key Id, Access Key Secret, and Region Id parameters as prompted:
./ali-instance-cli configure --mode AK
STS token
Run the following command to configure credentials:
./ali-instance-cli configure set --mode StsToken --region "<region>" --access-key-id "<ak>" --access-key-secret "<sk>" --sts-token "<sts_token>"
Replace <region>, <ak>, <sk>, and <sts_token> with the actual region ID, AccessKey ID, AccessKey secret, and STS token.
Credentials URI
Run the following command and configure the Credentials URI and Region Id parameters as prompted:
./ali-instance-cli configure --mode=CredentialsURI
If the command succeeds, its output indicates that the credentials are configured.
2. Use the port forwarding feature
2.1 Obtain the ID of the instance whose port is mapped to an on-premises port
Before you use the port forwarding feature, obtain the ID of the instance whose port you want to map. You need it in the subsequent steps.
Use the ECS console
Use Alibaba Cloud CLI
If you configured Alibaba Cloud CLI, run a command to call the DescribeInstances operation to query the ID of the instance to which you want to connect. For information about the parameters of the DescribeInstances operation, see DescribeInstances.
For example, run the following command to query the ID of an instance named SessionManager-example that resides in the China (Hangzhou) region:
aliyun ecs DescribeInstances --region cn-hangzhou --RegionId 'cn-hangzhou' --InstanceName 'SessionManager-example'
The value of the InstanceId parameter in the command output is the ID of the instance.
Call API operations
Call the DescribeInstances operation to query the ID of the instance to which you want to connect. For more information, see DescribeInstances.
2.2 Use port forwarding
Method 1: Directly use the port forwarding feature on an instance
Windows computer
Do not close the Command Prompt window when you use port forwarding. If the Command Prompt window is closed, port forwarding is also terminated.
Open the Command Prompt window, go to the directory in which ali-instance-cli.exe is stored, and then run the following command to enable port forwarding:
ali-instance-cli.exe portforward -i <instance_id> -r <target_port> -l <local_port>
Replace <instance_id> with the ID of the instance whose port you want to forward, <target_port> with the port on the destination ECS instance, and <local_port> with the on-premises port to which the instance port is mapped.
When port forwarding is established, the command prints Waiting for connections and keeps running. From then on, connecting to 127.0.0.1:<local_port> on the on-premises machine is equivalent to connecting to port <target_port> on the instance.
macOS or Linux computer
Do not close the current terminal when you use port forwarding. If the terminal is closed, port forwarding is also terminated.
In the terminal, go to the directory in which ali-instance-cli is stored and run the following command to enable port forwarding:
./ali-instance-cli portforward -i <instance_id> -r <target_port> -l <local_port>
Replace <instance_id> with the ID of the instance whose port you want to forward, <target_port> with the port on the destination ECS instance, and <local_port> with the on-premises port to which the instance port is mapped.
When port forwarding is established, the command prints Waiting for connections and keeps running. From then on, connecting to 127.0.0.1:<local_port> on the on-premises machine is equivalent to connecting to port <target_port> on the instance.
Method 2: Use an ECS instance as a jump server to forward traffic to other hosts
You can use Session Manager CLI to establish a connection to an ECS instance and use the ECS instance as a jump server to access a port of another host.
Windows computer
Do not close the Command Prompt window when you use port forwarding. If the Command Prompt window is closed, port forwarding is also terminated.
Open the Command Prompt window, go to the directory in which ali-instance-cli.exe is stored, and then run the following command to enable port forwarding:
ali-instance-cli.exe portforward -i <instance_id> -r <target_ip>:<target_port> -l <local_port>
Replace <instance_id> with the ID of the jump server instance, <target_ip> with the IP address (or hostname) of the destination host, <target_port> with the port on the destination host, and <local_port> with the on-premises port to which the destination port is mapped.
When port forwarding is established, the command prints Waiting for connections and keeps running. From then on, connecting to 127.0.0.1:<local_port> is equivalent to connecting to <target_ip>:<target_port> from the jump server.
macOS or Linux computer
Do not close the current terminal when you use port forwarding. If the terminal is closed, port forwarding is also terminated.
In the terminal, go to the directory in which ali-instance-cli is stored and run the following command to enable port forwarding:
./ali-instance-cli portforward -i <instance_id> -r <target_ip>:<target_port> -l <local_port>
Replace <instance_id> with the ID of the jump server instance, <target_ip> with the IP address (or hostname) of the destination host, <target_port> with the port on the destination host, and <local_port> with the on-premises port to which the destination port is mapped.
When port forwarding is established, the command prints Waiting for connections and keeps running. From then on, connecting to 127.0.0.1:<local_port> is equivalent to connecting to <target_ip>:<target_port> from the jump server.
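Method 1 and Method 2 both leave ali-instance-cli in the foreground, and the mapping ends with the terminal. The following script is an added example (not part of ali-instance-cli or of this page): it wraps the same portforward command, validates the instance ID, the -r value (a port, or host:port for the jump-server form) and the local port, starts the forwarder in the background, waits until the loopback port accepts connections, runs a client command against it, and kills the forwarder when that command exits or the script is interrupted. It assumes the ali-instance-cli binary is on PATH (override with the ALI_CLI variable) and that nc is available for the readiness probe; the i- instance ID prefix and the flags used are those shown on this page.

```shell
#!/bin/sh
# with_forward.sh: run a client command through an ali-instance-cli port forward and
# tear the forward down afterwards. Added example; not part of ali-instance-cli.
#
# Usage: ./with_forward.sh <instance_id> <target_port|host:port> <local_port> <command...>

ALI_CLI="${ALI_CLI:-ali-instance-cli}"   # assumption: binary on PATH, or set ALI_CLI=./ali-instance-cli

# A TCP port is an integer in 1..65535 (the feature is TCP-only).
validate_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The -r value is either "<port>" (a service on the instance itself, Method 1)
# or "<host>:<port>" (the instance acting as a jump server, Method 2).
validate_remote() {
    case "$1" in
        *:*) [ -n "${1%:*}" ] && validate_port "${1##*:}" ;;
        *)   validate_port "$1" ;;
    esac
}

# Print the exact argument list for ali-instance-cli, or fail if a value is malformed.
# Separated from execution so it can be checked without a real instance.
build_forward_args() {
    inst="$1"; remote="$2"; local_port="$3"
    case "$inst" in
        i-*) ;;
        *)   echo "bad instance id: $inst" >&2; return 1 ;;
    esac
    validate_remote "$remote"   || { echo "bad remote spec: $remote" >&2; return 1; }
    validate_port "$local_port" || { echo "bad local port: $local_port" >&2; return 1; }
    printf 'portforward -i %s -r %s -l %s' "$inst" "$remote" "$local_port"
}

# Poll the loopback port until the forwarder accepts connections (about 15 s max).
wait_for_port() {
    i=0
    while [ "$i" -lt 15 ]; do
        nc -z 127.0.0.1 "$1" 2>/dev/null && return 0
        i=$((i + 1)); sleep 1
    done
    echo "local port $1 never came up" >&2
    return 1
}

main() {
    [ "$#" -ge 4 ] || { echo "usage: $0 <instance_id> <port|host:port> <local_port> <command...>" >&2; exit 2; }
    inst="$1"; remote="$2"; local_port="$3"; shift 3
    args=$(build_forward_args "$inst" "$remote" "$local_port") || exit 2
    # shellcheck disable=SC2086   # word-splitting $args is intended; every token was validated
    "$ALI_CLI" $args &
    fwd_pid=$!
    trap 'kill "$fwd_pid" 2>/dev/null' EXIT   # runs on normal exit and after the INT/TERM trap below
    trap 'exit 130' INT TERM
    wait_for_port "$local_port" || exit 3
    # The forward must listen on loopback only; a 0.0.0.0 listener would expose the
    # instance's service to anyone who can reach this workstation.
    if command -v ss >/dev/null 2>&1 && ss -ltn 2>/dev/null | grep -qE "(0\.0\.0\.0|\*):$local_port "; then
        echo "refusing to continue: port $local_port is bound on all interfaces" >&2
        exit 4
    fi
    "$@"
}

# Run only when invoked with arguments, so the functions can also be sourced and tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Typical calls are ./with_forward.sh i-bp1****** 22 8080 ssh -p 8080 root@127.0.0.1 for an SSH session, or ./with_forward.sh i-bp1****** 80 8080 curl -sI http://127.0.0.1:8080/ to check an NGINX forward. The listener check refuses to continue if the local port appears bound on all interfaces, because the whole point of the loopback mapping is that only processes on your machine can use it.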
Example scenarios
Example 1: Connect to an instance without Internet connection
Sample architecture
The port forwarding feature allows you to connect to an ECS instance without Internet connection.
Procedure
Connect to a Linux instance
Enable port forwarding.
Map the SSH port (22 by default) of the instance to port 8080 of the on-premises machine. The operations vary based on the operating system.
Important: After port forwarding is enabled, closing the Command Prompt window or the terminal causes the connection to be interrupted.
Windows computer
Open the Command Prompt window, go to the directory in which the ali-instance-cli.exe tool is stored, and then run the following command to perform port forwarding:
ali-instance-cli.exe portforward -i i-bp1****** -r 22 -l 8080
In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 22, which is the SSH port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.
macOS or Linux computer
Open the terminal, go to the directory in which the ali-instance-cli tool is stored, and then run the following command to perform port forwarding:
./ali-instance-cli portforward -i i-bp1****** -r 22 -l 8080
In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 22, which is the SSH port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.
Connect to the instance.
After port forwarding is enabled, you can connect to port 8080 on the on-premises machine to reach the destination instance.
Remote host IP address: 127.0.0.1
SSH port of the remote host: 8080
In this example, the OpenSSH client is used. You can select an appropriate connection tool based on your business requirements.
Figure: Port forwarding.
Figure: Use 127.0.0.1:8080 to connect to the instance.
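Connecting with ssh -p 8080 root@127.0.0.1 works, but it has a side effect a practitioner should know about: OpenSSH records the host key under [127.0.0.1]:8080, so every instance you ever forward to that local port shares one known_hosts entry, and a changed key either collides with it or quietly replaces it. The following script is an added example (not from this page or from ali-instance-cli) that keeps host-key verification meaningful by storing the key under the instance ID with HostKeyAlias. It assumes the forward from this example is already running (ali-instance-cli portforward -i <instance_id> -r 22 -l <local_port>) and that the OpenSSH tools ssh, ssh-keyscan and ssh-keygen are installed; the KNOWN_HOSTS and CONFIRM variables are this script's own.

```shell
#!/bin/sh
# ssh_via_forward.sh: SSH to an instance through the local forward without losing host-key
# verification. Added example; not from this page or ali-instance-cli. Assumes the forward is
# already running (ali-instance-cli portforward -i <instance_id> -r 22 -l <local_port>) and
# that OpenSSH (ssh, ssh-keyscan, ssh-keygen) is installed.
#
# Why: every instance you forward to 127.0.0.1:8080 would share the known_hosts entry
# "[127.0.0.1]:8080". HostKeyAlias records the key under the instance ID instead, so a key
# change on that instance is flagged, and two instances on the same local port do not collide.

KNOWN_HOSTS="${KNOWN_HOSTS:-$HOME/.ssh/known_hosts}"

# Rewrite ssh-keyscan output ("[127.0.0.1]:8080 ssh-ed25519 AAAA...") so the key is stored
# under the instance ID. Lines for other ports are dropped.
alias_keyscan_line() {
    inst="$1"; port="$2"
    sed -n "s/^\[127\.0\.0\.1\]:$port /$inst /p"
}

# ssh options: the alias selects the known_hosts entry, and strict checking turns a missing
# or mismatching key into a hard failure instead of a yes/no prompt.
ssh_opts() {
    inst="$1"; port="$2"
    printf '%s' "-o HostKeyAlias=$inst -o StrictHostKeyChecking=yes -p $port"
}

# First-time pinning: fetch the key through the forward, show its fingerprint, and store it
# only after you have compared it out of band (for example by running
# "ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub" in a Session Manager shell on the instance).
pin_host_key() {
    inst="$1"; port="$2"
    line=$(ssh-keyscan -t ed25519 -p "$port" 127.0.0.1 2>/dev/null | alias_keyscan_line "$inst" "$port")
    [ -n "$line" ] || { echo "no host key received on 127.0.0.1:$port" >&2; return 1; }
    printf '%s\n' "$line" | ssh-keygen -lf /dev/stdin
    if [ "${CONFIRM:-0}" = 1 ]; then
        printf '%s\n' "$line" >> "$KNOWN_HOSTS"
        echo "pinned host key for $inst"
    else
        echo "key not stored; re-run with CONFIRM=1 after verifying the fingerprint" >&2
        return 1
    fi
}

# Usage: ./ssh_via_forward.sh pin <instance_id> <local_port>
#        ./ssh_via_forward.sh ssh <instance_id> <local_port> <user>
case "${1:-}" in
    pin) pin_host_key "$2" "$3" ;;
    # shellcheck disable=SC2046   # word-splitting ssh_opts output is intended
    ssh) ssh $(ssh_opts "$2" "$3") "$4@127.0.0.1" ;;
esac
```

Pin once (./ssh_via_forward.sh pin i-bp1****** 8080, then again with CONFIRM=1 after checking the fingerprint on the instance), and connect with ./ssh_via_forward.sh ssh i-bp1****** 8080 root. If you later forward a different instance to port 8080, its own alias gets its own entry, and a key that does not match the pinned one is refused rather than silently accepted.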
Connect to a Windows instance
Enable port forwarding.
Map the RDP port (3389 by default) of the instance to port 8080 of the on-premises machine. The operations vary based on the operating system.
Important: After port forwarding is enabled, closing the Command Prompt window or the terminal causes the connection to be interrupted.
Windows computer
Open the Command Prompt window, go to the directory in which the ali-instance-cli.exe tool is stored, and then run the following command to perform port forwarding:
ali-instance-cli.exe portforward -i i-bp1****** -r 3389 -l 8080
In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 3389, which is the RDP port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.
macOS or Linux computer
Open the terminal, go to the directory in which the ali-instance-cli tool is stored, and then run the following command to perform port forwarding:
./ali-instance-cli portforward -i i-bp1****** -r 3389 -l 8080
In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 3389, which is the RDP port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.
Connect to the instance.
After port forwarding is enabled, you can connect to port 8080 on the on-premises machine to reach the destination instance.
Remote computer: 127.0.0.1:8080
The following example shows how to use Windows Remote Desktop (RDP) to connect to an ECS instance. You can select an appropriate connection tool based on your business requirements.
Figure: Port forwarding.
Figure: Use 127.0.0.1:8080 to connect to the Windows instance.
Example 2: Access the NGINX service from an ECS instance without Internet connection
Sample architecture
Procedure
Enable port forwarding.
Map the NGINX port (80 by default) to port 8080 of the on-premises machine. The operations vary based on the operating system.
Important: After port forwarding is enabled, closing the Command Prompt window or the terminal causes the connection to be interrupted.
Windows computer
Open the Command Prompt window, go to the directory in which the ali-instance-cli.exe tool is stored, and then run the following command to perform port forwarding:
ali-instance-cli.exe portforward -i i-bp1****** -r 80 -l 8080
In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 80, which is the NGINX port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.
macOS or Linux computer
Open the terminal, go to the directory in which the ali-instance-cli tool is stored, and then run the following command to perform port forwarding:
./ali-instance-cli portforward -i i-bp1****** -r 80 -l 8080
In this command, the -i parameter is set to i-bp1******, which is the ID of the instance to which you want to connect. The -r parameter is set to 80, which is the NGINX port of the instance. The -l parameter is set to 8080, which is port 8080 on the on-premises computer.
Access the NGINX service.
The following example shows how to access the default page of the NGINX service in a browser.
Because port 80 of the instance is mapped to port 8080 on the on-premises machine, the URL to open is http://127.0.0.1:8080, not port 80.
Figure: Port forwarding.
Figure: Use http://127.0.0.1:8080 to access the default NGINX page.
Example 3: Use an ECS instance as a jump server to access a private MySQL instance
Example description
As shown in the following figure, this example uses the instance whose ID is i-bp1****** as the jump server to access an ApsaraDB RDS for MySQL instance over the internal network. The endpoint of the RDS instance is rm-******.mysql.rds.aliyuncs.com.
In this example, network connectivity between the ECS instance and the RDS instance has already been ensured (for example, both are in the same VPC and the RDS IP whitelist allows the private IP address of the ECS instance).
Procedure
Enable port forwarding.
Map the MySQL port (3306 by default) to port 13306 of the on-premises machine. The operations vary based on the operating system.
Important: After port forwarding is enabled, closing the Command Prompt window or the terminal causes the connection to be interrupted.
Windows computer
Open the Command Prompt window, go to the directory in which the ali-instance-cli.exe tool is stored, and then run the following command to perform port forwarding:
ali-instance-cli.exe portforward -i i-bp1****** -r rm-******.mysql.rds.aliyuncs.com:3306 -l 13306
In this command, the -i parameter is set to i-bp1******, which is the ID of the jump server ECS instance. The -r parameter is set to rm-******.mysql.rds.aliyuncs.com:3306, which is the endpoint and port of the MySQL instance. The -l parameter is set to 13306, which is port 13306 on the on-premises machine.
macOS or Linux computer
Open the terminal, go to the directory in which the ali-instance-cli tool is stored, and then run the following command to perform port forwarding:
./ali-instance-cli portforward -i i-bp1****** -r rm-******.mysql.rds.aliyuncs.com:3306 -l 13306
In this command, the -i parameter is set to i-bp1******, which is the ID of the jump server ECS instance. The -r parameter is set to rm-******.mysql.rds.aliyuncs.com:3306, which is the endpoint and port of the MySQL instance. The -l parameter is set to 13306, which is port 13306 on the on-premises machine.
Use the MySQL client to access the MySQL database.
After port forwarding is enabled, you can use port 13306 on the on-premises machine to access MySQL.
The MySQL client is used as an example. You can select an appropriate connection tool based on your business requirements.
Figure: Port forwarding.
Figure: Use 127.0.0.1:13306 to access the MySQL service.
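One caveat for this scenario: only the leg between your machine and the jump instance rides the Session Manager channel. The hop from the jump instance to RDS is ordinary VPC traffic, so the MySQL protocol itself has to provide the encryption. The following script is an added example (not from this page) that connects through the forward with TLS required and verifies, before opening an interactive session, that a cipher was actually negotiated. It assumes the forward from this example is running (ali-instance-cli portforward -i i-bp1****** -r rm-******.mysql.rds.aliyuncs.com:3306 -l 13306) and that the MySQL 8.x command-line client, which provides --ssl-mode, is installed; the LOCAL_PORT variable and the database user are placeholders.

```shell
#!/bin/sh
# mysql_via_forward.sh: connect to the RDS instance through the local forward and refuse to
# proceed unless the MySQL session is TLS-protected. Added example; not from this page.
# Assumes the forward from Example 3 is running:
#   ali-instance-cli portforward -i i-bp1****** -r rm-******.mysql.rds.aliyuncs.com:3306 -l 13306
# and that the MySQL 8.x command-line client is installed (it provides --ssl-mode).
#
# --ssl-mode=REQUIRED makes the client fail closed instead of downgrading to cleartext; the
# Ssl_cipher check below confirms the result on the session that was actually established.

LOCAL_PORT="${LOCAL_PORT:-13306}"

# Client options. -h 127.0.0.1 with --protocol=TCP is deliberate: "localhost" would make the
# client try the Unix socket and bypass the forward entirely.
mysql_args() {
    printf '%s' "-h 127.0.0.1 -P $LOCAL_PORT --protocol=TCP --ssl-mode=REQUIRED -u $1"
}

# Read the batch output of:  mysql -Bse "SHOW STATUS LIKE 'Ssl_cipher'"
# (one tab-separated line, "Ssl_cipher<TAB><cipher>"). Succeeds only if a cipher was negotiated.
tls_active() {
    cipher=$(awk -F'\t' '$1 == "Ssl_cipher" { print $2 }')
    [ -n "$cipher" ]
}

main() {
    user="$1"
    # Store the password with mysql_config_editor or ~/.my.cnf so you are not prompted twice.
    # shellcheck disable=SC2046   # word-splitting mysql_args output is intended
    if mysql $(mysql_args "$user") -Bse "SHOW STATUS LIKE 'Ssl_cipher'" | tls_active; then
        echo "TLS negotiated; opening interactive session on 127.0.0.1:$LOCAL_PORT"
        mysql $(mysql_args "$user")
    else
        echo "no TLS cipher on this session; not continuing" >&2
        exit 1
    fi
}

# Usage: ./mysql_via_forward.sh <db_user>
if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the check fails even though RDS has TLS enabled, the usual cause is an older client that treats --ssl as a preference rather than a requirement; the explicit Ssl_cipher check catches that case rather than trusting the flag.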