
Elastic Compute Service:Working mechanism, supported regions, and security of Session Manager

Last Updated: Nov 25, 2024

Session Manager is a feature provided by Cloud Assistant. Compared with SSH and Virtual Network Computing (VNC), Session Manager makes your connections to Elastic Compute Service (ECS) instances more convenient and secure. This topic describes the regions in which Session Manager is supported, how Session Manager works, and the security of Session Manager.

Billing

You can enable the Session Manager feature free of charge.

By default, session records of Session Manager are not saved. If you want to query, analyze, audit, and persistently store session records of Session Manager, we recommend that you deliver the session records to a specific Object Storage Service (OSS) bucket or Simple Log Service for persistent storage. For more information, see Use the Session Record Delivery feature. For information about the billing of Simple Log Service and OSS, see Billing overview of Simple Log Service and Billing overview of OSS.

Supported regions

Session Manager is supported in the following regions: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), UAE (Dubai), and SAU (Riyadh).

Limits

When you use Session Manager to connect to an instance, the speed at which files are uploaded or downloaded is limited to 20 KB/s.

How Session Manager works

The following components are used in Session Manager:

  • Session Manager Client: initiates sessions, receives commands sent by users, and displays command outputs.

  • Cloud Assistant server: controls permissions and manages session status.

  • Cloud Assistant Agent installed on an instance: runs commands entered by users.

The following section describes the procedure for establishing a connection by using Session Manager:

  1. Session Manager Client initiates a session.

  2. The Cloud Assistant server authenticates the session request. After the request is authenticated, the server generates a WebSocket URL and a token that remains valid for 10 minutes and returns the URL and the token to Session Manager Client.

  3. Session Manager Client establishes a WebSocket connection to the Cloud Assistant server by using the URL and the token.

  4. The Cloud Assistant server requests to establish a WebSocket connection to Cloud Assistant Agent that is installed on an instance.

  5. A WebSocket connection is established between the Cloud Assistant server and Cloud Assistant Agent.

  6. After the WebSocket connection is established, you can enter a command in Session Manager Client. The command is streamed to and run on the instance on which Cloud Assistant Agent is installed. The command output is displayed in Session Manager Client.


Security

  • The WebSocket Secure (WSS) protocol is used for the persistent WebSocket connections between Session Manager Client and the Cloud Assistant server and between the Cloud Assistant server and Cloud Assistant Agent. WSS encrypts these connections by using the Secure Sockets Layer (SSL) protocol to protect the session data in transit.

  • When you use Session Manager to connect to instances, you do not need to manage instance passwords. Unlike SSH and VNC, which use username/password-based authentication, Session Manager uses Resource Access Management (RAM) based authentication. You can use your Alibaba Cloud account to enable or disable Session Manager for all instances within the account. After Session Manager is enabled, both Alibaba Cloud accounts and RAM users can connect to instances by using this feature.

  • You can attach policies to RAM users and then manage ECS instances as the RAM users to improve security. If you want to use Session Manager as a RAM user, policies that grant the permissions to call the StartTerminalSession operation must be attached to the RAM user. RAM policies allow you to control permissions from various dimensions, such as tags, regions, ECS instances, and source IP addresses. RAM policies also allow you to connect to instances and manage the instances in a secure manner without using passwords. For more information, see Connect to an instance by using Session Manager.

  • After WebSocket connections are established between Cloud Assistant Agents installed on instances and the Cloud Assistant servers, you can use Session Manager instead of SSH or VNC to connect to the instances, without the need to open ports for inbound traffic on the instances. This way, you can improve the security of the instances.
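The following TypeScript is an added example, not code from this documentation or from the cloud-assistant-starter project. It shows the kind of scoped RAM policy the bullet above describes (one instance, one region, a source IP allow list) next to an over-broad one, and a small audit that flags the over-broad shape before the policy is attached to a RAM user. Assumptions not stated on the page: the action name `ecs:StartTerminalSession`, the `acs:ecs:<region>:<account>:instance/<id>` resource form and the `acs:SourceIp` condition key follow the usual RAM conventions; the account ID, instance ID and CIDR are constructed placeholders.

```typescript
// Added example, not from the Alibaba Cloud documentation or the cloud-assistant-starter project.
// Assumed (not stated on the page): action name ecs:StartTerminalSession, the
// acs:ecs:<region>:<account>:instance/<id> resource form, and the acs:SourceIp condition key.
// Account ID, instance ID and CIDR below are constructed placeholders.

type ConditionBlock = Record<string, Record<string, string | string[]>>;

interface Statement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: ConditionBlock;
}

interface RamPolicy {
  Version: "1";
  Statement: Statement[];
}

// Scoped grant: one named instance in one region, sessions only from an allow-listed range.
const scopedSessionPolicy: RamPolicy = {
  Version: "1",
  Statement: [{
    Effect: "Allow",
    Action: "ecs:StartTerminalSession",
    Resource: "acs:ecs:cn-hangzhou:1234567890123456:instance/i-placeholder0001",
    Condition: { IpAddress: { "acs:SourceIp": ["203.0.113.0/24"] } }, // TEST-NET-3, constructed
  }],
};

// The weak setting: every ECS action, every instance, from any address.
const overBroadPolicy: RamPolicy = {
  Version: "1",
  Statement: [{ Effect: "Allow", Action: "ecs:*", Resource: "*" }],
};

const SESSION_ACTION = "ecs:StartTerminalSession";

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// RAM action and resource strings use * as a glob; turn one into an anchored regex.
function globMatches(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`, "i").test(value);
}

// Returns one finding per problem; an empty list means the policy is scoped the way the
// page recommends (named instances, explicit action, source IP condition present).
function auditSessionPolicy(policy: RamPolicy): string[] {
  const findings: string[] = [];
  policy.Statement.forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return;
    const actions = asList(stmt.Action);
    // Only statements that actually grant StartTerminalSession matter here.
    if (!actions.some((a) => globMatches(a, SESSION_ACTION))) return;
    if (actions.some((a) => a.includes("*"))) {
      findings.push(`statement ${i}: wildcard action grants more than ${SESSION_ACTION}`);
    }
    if (asList(stmt.Resource).some((r) => r === "*" || r.endsWith(":instance/*"))) {
      findings.push(`statement ${i}: resource is not scoped to named instances`);
    }
    const sourceIp = stmt.Condition?.IpAddress?.["acs:SourceIp"];
    if (!sourceIp || asList(sourceIp).length === 0) {
      findings.push(`statement ${i}: no acs:SourceIp condition; sessions may start from any address`);
    }
  });
  return findings;
}

// Stand-alone demonstration: the scoped policy passes, the broad one yields three findings.
console.log(auditSessionPolicy(scopedSessionPolicy));
console.log(auditSessionPolicy(overBroadPolicy));
```

The audit is deliberately narrow: it only looks at Allow statements that would grant `StartTerminalSession`, so a policy that grants unrelated actions broadly but scopes session access correctly passes, and a Deny statement is ignored. Tags and other dimensions the page mentions would be additional condition keys checked the same way.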

Use Session Manager for remote logons in your applications

The cloud-assistant-starter open source project contains the complete code for using Session Manager to connect to an ECS instance or a managed instance. In the project, AxtSession.tsx contains the complete code for connecting to instances and using the WebSocket URLs that are returned by the StartTerminalSession operation. You can copy the code to your application to implement password-free and public IP address-free remote logons.
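As an added TypeScript example (not code from this page, from AxtSession.tsx, or from the cloud-assistant-starter project), the following models the client side of steps 2 and 3 of the procedure above: it takes the URL and token that StartTerminalSession returns, refuses anything that is not a `wss://` URL, refuses a token older than the 10-minute validity the page states, and only then opens the session. Assumptions not stated on the page: the response fields are named `SessionId`, `WebSocketUrl` and `SecurityToken`, and how the token is presented over the socket is left to an injected connector; the echo connector and sample response are constructed stand-ins so the code runs offline.

```typescript
// Added example, not from the Alibaba Cloud documentation or the cloud-assistant-starter project.
// Assumed (not on the page): response field names SessionId, WebSocketUrl, SecurityToken; the
// token's wire framing is delegated to the injected connector. Sample values are constructed.

const TOKEN_VALIDITY_MS = 10 * 60 * 1000; // the page: the token remains valid for 10 minutes

interface StartTerminalSessionResponse {
  SessionId: string;
  WebSocketUrl: string;
  SecurityToken: string;
}

// Minimal transport surface the example needs; a real client wraps a WebSocket here.
interface SessionSocket {
  send(data: string): void;
  close(): void;
}

type Connector = (url: string, token: string, onOutput: (text: string) => void) => SessionSocket;

class TerminalSession {
  readonly sessionId: string;
  private readonly connector: Connector;
  private readonly url: string;
  private readonly token: string;
  private readonly outputs: string[] = [];
  private socket: SessionSocket | undefined;

  constructor(sessionId: string, connector: Connector, url: string, token: string) {
    this.sessionId = sessionId;
    this.connector = connector;
    this.url = url;
    this.token = token;
  }

  open(): void {
    // Step 3: the client opens the WebSocket using the URL and token it was given.
    this.socket = this.connector(this.url, this.token, (text) => this.outputs.push(text));
  }

  // Step 6: a command entered by the user is streamed over the established connection.
  run(command: string): void {
    if (!this.socket) throw new Error("session is not open");
    this.socket.send(command);
  }

  output(): string[] {
    return [...this.outputs];
  }

  close(): void {
    this.socket?.close();
    this.socket = undefined;
  }
}

type OpenResult = { ok: true; session: TerminalSession } | { ok: false; reason: string };

// Both hops use WSS per the page, so a ws:// or http(s) URL is a broken or altered response.
function sessionUrlError(url: string): string | null {
  return /^wss:\/\/[^/\s]+/i.test(url) ? null : "WebSocket URL is not wss://";
}

function tokenIsFresh(issuedAtMs: number, nowMs: number): boolean {
  const age = nowMs - issuedAtMs;
  return age >= 0 && age < TOKEN_VALIDITY_MS;
}

function openSession(
  resp: StartTerminalSessionResponse,
  issuedAtMs: number,
  nowMs: number,
  connector: Connector,
): OpenResult {
  const urlError = sessionUrlError(resp.WebSocketUrl);
  if (urlError) return { ok: false, reason: urlError };
  if (!resp.SecurityToken) return { ok: false, reason: "response carries no token" };
  if (!tokenIsFresh(issuedAtMs, nowMs)) {
    return { ok: false, reason: "token is older than 10 minutes; call StartTerminalSession again" };
  }
  const session = new TerminalSession(resp.SessionId, connector, resp.WebSocketUrl, resp.SecurityToken);
  session.open();
  return { ok: true, session };
}

// Constructed stand-in for the server and agent so the example runs offline: it echoes each
// command back as if it were output from the instance.
const echoConnector: Connector = (_url, _token, onOutput) => ({
  send: (data) => onOutput(`$ ${data}\n(echo from stub, not an instance)\n`),
  close: () => {},
});

// Constructed sample response, not real API output.
const sampleResponse: StartTerminalSessionResponse = {
  SessionId: "s-placeholder0001",
  WebSocketUrl: "wss://example.invalid/session?placeholder",
  SecurityToken: "token-placeholder",
};

const demo = openSession(sampleResponse, Date.now(), Date.now(), echoConnector);
if (demo.ok) {
  demo.session.run("uptime");
  console.log(demo.session.output().join(""));
  demo.session.close();
}
```

Keeping the freshness check on the client side means an application that caches a StartTerminalSession response (for example across a page reload) fails fast with a clear reason instead of surfacing an opaque connection error after the 10-minute window has passed.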