Workbench is a remote connection tool provided by Alibaba Cloud that allows you to connect to Elastic Compute Service (ECS) instances from a browser, without the need to install additional software.
What is Workbench?
Introduction
Workbench is a web-based remote connection tool provided by Alibaba Cloud. You can use Workbench in a browser without the need to install Workbench. The following figure shows the process of using Workbench to connect to an ECS instance.
Workbench features
Multiple connection methods
You can use Workbench to connect to an instance by using various methods, such as SSH (in Linux) and RDP (in Windows).
References
Connection over the Internet or a private network
If you want to use Workbench to connect to an instance by using SSH or RDP, you can use the private or public IP address of the instance.
More features
In addition to connecting to instances, Workbench supports the following features:
File management: allows you to upload and download files between ECS instances and your on-premises computer. For more information, see Manage files.
System management: allows you to manage users, historical logon logs, and system services on Linux instances. For more information, see Perform system management.
Multi-terminal: allows you to simultaneously connect to multiple ECS instances and batch run commands on the instances. For more information, see Use the multi-terminal feature.
Workflow for using Workbench to connect to an instance
The following figure shows how to connect to an instance by using Workbench.
Find the instance to which you want to connect.
Enable network connectivity between Workbench and the ECS instance.
In this step, configure rules in the security groups to which the instance belongs in the ECS console and configure firewall rules on the instance to allow inbound traffic from Workbench.
Use Workbench to connect to the instance.
In the ECS console, connect to the instance by using Workbench. Enter the username, password, and key pair in the Instance Login dialog box of Workbench.
Create the Workbench service-linked role.
If the Resource Access Management (RAM) service-linked role related to Workbench is not created when you use Workbench to connect to an instance, the system prompts you to grant Workbench the permissions to access the instance. Follow the on-screen instructions to create the Workbench service-linked role.
Connect to the instance and perform O&M operations.
Workbench service-linked role
The first time you use Workbench to connect to an instance, you are prompted to create the AliyunServiceRoleForECSWorkbench service-linked role. Workbench assumes the role to access the instance. For more information, see Service-linked roles.
The first time you connect to an instance, a dialog box appears, as shown in the following figure. Click OK to automatically create the service-linked role.
If you use a RAM user, you must contact the Alibaba Cloud account owner or the administrator to attach the AliyunECSWorkbenchFullAccess policy to the RAM user. Only the RAM users to which the AliyunECSWorkbenchFullAccess policy is attached have the permissions to create the Workbench service-linked role.
Policy that grants a RAM user the permissions to use Workbench
After the Workbench service-linked role is created, you must attach the following policy to a RAM user. The policy grants the RAM user the permissions to use Workbench to connect to all ECS instances.
{
"Version": "1",
"Statement": [
{
"Action": "ecs-workbench:LoginInstance",
"Resource": "*",
"Effect": "Allow"
}
]
}To limit the instances to which you can connect by using Workbench, specify the Resource element in the following format:
{
"Version": "1",
"Statement": [
{
"Action": "ecs-workbench:LoginInstance",
"Resource": [
"acs:ecs-workbench:{#regionId}:{#accountId}:workbench/{#instanceId}",
"acs:ecs-workbench:{#regionId}:{#accountId}:workbench/{#instanceId}"
],
"Effect": "Allow"
}
]
}Take note of the following parameters:
{#regionId}: the region ID of the instance to which you want to connect. You can set this parameter to an asterisk (*).{#accountId}: the ID of the Alibaba Cloud account. You can set this parameter to an asterisk (*).{#instanceId}: the ID of the instance to which you want to connect. You can set this parameter to an asterisk (*).
Security group settings related to Workbench
When you use Workbench to connect to instances over SSH or RDP, you must allow inbound traffic from the Workbench server in the security groups to which the instances belong. You can add security group rules based on your network type. The following table describes the security group rules. For information about how to add a security group rule, see Add a security group rule.
If you enable the firewall in the instance operating system, modify firewall rules by referring to the security group settings.
VPC
When you use Workbench to connect to ECS instances in a virtual private cloud (VPC), you must configure the inbound security group rules described in the following table in the security groups to which the instances belong.
Action | Priority | Protocol type | Port or port range | Authorization object |
Allow | 1 | Custom TCP | The port range is configured based on the port of the remote connection service running on your instance.
Important If you change the port of the remote connection service on your instance, specify the actual port used by the remote connection service. |
Warning If you specify |
Classic network
When you use Workbench to connect to instances in the classic network, you must configure the inbound security group rules described in the following table in the security groups to which the instances belong.
Action | Priority | Protocol type | Port or port range | Authorization object |
Allow | 1 | Custom TCP | The port range is configured based on the port of the remote connection service running on your instance.
Important If you change the port of the remote connection service on your instance, specify the actual port used by the remote connection service. |
Warning If you specify |