
Elastic Compute Service:Connect to an instance through Workbench

Last Updated:Nov 22, 2024

Workbench is a remote connection tool provided by Alibaba Cloud that enables direct access to Elastic Compute Service (ECS) instances from a browser without the need for additional software installations.

What is Workbench?

Workbench introduction

Workbench is a web-based remote connection tool offered by Alibaba Cloud. It operates within a browser and requires no installation. The following figure shows the process of connecting to an ECS instance using Workbench.

[Figure: process of connecting to an ECS instance through Workbench]

Features

  • Supports connecting to instances over the Internet or private network

    Workbench allows connections to instances using SSH or RDP through either public or private IP addresses.

More features

Besides connecting to instances, Workbench provides the following additional features:

  • File Management: Enables file uploads to ECS and downloads from ECS to your local machine. For more information, see Manage files.

  • System administration: The Workbench system administration feature allows for the management of users, historical login records, and system services within the Linux instance operating system. For more information, see Perform system management.

  • Multi-screen terminal: The Workbench multi-screen terminal feature allows simultaneous connections to multiple ECS instances, enabling the execution of identical commands across these instances concurrently. For more information, see Use the multi-terminal feature.

Basic usage process of Workbench

The following diagram outlines the steps for using Workbench to connect to an instance:

[Figure: basic usage process of Workbench]
  1. Find the instance to connect to.

  2. Establish network connectivity between Workbench and the ECS instance.

    This involves setting the security group and firewall rules to allow inbound traffic from Workbench to the instance.

  3. Use Workbench to connect to the instance.

    In the console, select the instance and connect through Workbench using the required credentials such as the username and password or a key pair.

  4. Create the service-linked role.

    If the service-linked role is not created, Workbench prompts you to authorize it to access the ECS instance.

  5. Successfully connect to the instance and perform O&M.

Service-linked role of Workbench

Workbench requires permissions to manage your ECS instance. Upon first connection to an instance with Workbench, you are prompted to create a service-linked role named AliyunServiceRoleForECSWorkbench. This role authorizes Workbench to access your ECS instance. For more information about service-linked roles, see Service-linked roles.

The following dialog box appears when you first connect to an instance. Click OK, and the system automatically creates the service-linked role.

[Figure: dialog box prompting you to create the service-linked role]

As a RAM user, you must obtain the AliyunECSWorkbenchFullAccess system policy or a specific custom policy from the primary account or administrator. This permission is required for creating the service-linked role for Workbench and using Workbench to access instances. For more information, see Grant permissions to a RAM user.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "workbench.ecs.aliyuncs.com"
        }
      }
    }
  ]
}

Permission description

  • ecs-workbench:LoginInstance section: Grants permission to log on to instances using Workbench.

    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": "*",
      "Effect": "Allow"
    }
  • ram:CreateServiceLinkedRole section: Allows creation of the service-linked role for Workbench.

    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "workbench.ecs.aliyuncs.com"
        }
      }
    }
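To make the effect of the two statements concrete, the following is an added Python example (not Alibaba Cloud's code and not RAM's actual evaluation engine) that evaluates the policy above against a requested action and condition context. It models only the pieces this policy uses: Action and Resource wildcards, Allow and Deny effects, and the StringEquals operator. The request contexts in the block are constructed for the example.

```python
import fnmatch
import json

# The custom policy shown above, loaded verbatim as the policy under test.
WORKBENCH_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": "workbench.ecs.aliyuncs.com"
        }
      }
    }
  ]
}
""")


def _as_list(value):
    """Action, Resource and condition values may be a string or a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Wildcard match for Action/Resource strings ('*' and '?')."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(pattern))


def _condition_holds(condition, context):
    """Evaluate a Condition block. Only StringEquals is modelled, because
    that is the operator the page's policy uses (assumption: other
    operators are out of scope for this example)."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in clauses.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource="*", context=None):
    """Deny-by-default evaluation: a matching Deny wins outright; otherwise
    any matching Allow whose condition holds grants the request."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    # Constructed requests: what a RAM user holding this policy may do.
    print(is_allowed(WORKBENCH_POLICY, "ecs-workbench:LoginInstance"))
    print(is_allowed(WORKBENCH_POLICY, "ram:CreateServiceLinkedRole",
                     context={"ram:ServiceName": "workbench.ecs.aliyuncs.com"}))
    print(is_allowed(WORKBENCH_POLICY, "ram:CreateServiceLinkedRole",
                     context={"ram:ServiceName": "other.aliyuncs.com"}))
```

The third call shows why the Condition matters: without it, the second statement would let the RAM user create service-linked roles for any Alibaba Cloud service, whereas with the StringEquals clause the grant is scoped to workbench.ecs.aliyuncs.com only.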

Security group settings related to Workbench

To connect to instances using SSH or RDP through Workbench, you must configure the security group of the instance to allow inbound traffic from the Workbench server. Refer to the following table to determine the appropriate security group rules for your network type. For more information, see Add a security group rule.

Important

If a firewall is enabled within the instance, modify the firewall rules according to the security group settings.

VPC

To connect to instances that reside in a virtual private cloud (VPC) using Workbench, configure the following inbound rule in the security group of the instance.

  • Action: Allow

  • Priority: 1

  • Protocol type: Custom TCP

  • Port range: configure the port range based on the port of the remote connection service running within your instance.

    Connecting to Linux instances: select SSH (22). The default service for Linux instances is SSH, typically on port 22.

    Connecting to Windows instances: select RDP (3389). The default service for Windows instances is RDP, typically on port 3389.

    Important

    If the port for the remote service is changed within the instance, adjust the settings accordingly.

  • Authorization object:

    Connections over the Internet: specify 161.117.0.0/16.

    Private network connections: specify 100.104.0.0/16.

    Warning

    Using 0.0.0.0/0 indicates that all IP addresses are allowed to connect to the remote service port, which poses a security risk. Use it with caution.

Classic network

To connect to classic network instances using Workbench, configure the following inbound rule in the security group of the instance.

  • Action: Allow

  • Priority: 1

  • Protocol type: Custom TCP

  • Port range: configure the port range based on the port of the remote connection service running within your instance.

    Connecting to Linux instances: select SSH (22). The default service for Linux instances is SSH, typically on port 22.

    Connecting to Windows instances: select RDP (3389). The default service for Windows instances is RDP, typically on port 3389.

    Important

    If the port for the remote service is changed within the instance, adjust the settings accordingly.

  • Authorization object:

    Connections over the Internet: add 161.117.90.22.

    Internal network connections: add 161.117.90.22.

    Warning

    Using 0.0.0.0/0 indicates that all IP addresses are allowed to connect to the remote service port, which poses a security risk. Use it with caution.
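As an added example (not Alibaba Cloud's own code or tooling), the following Python script checks a set of security group rules against the Workbench source addresses given in the VPC and classic network tables above, reports whether the Workbench range is covered for the remote service port, and flags rules that open that port to 0.0.0.0/0, the case the Warning describes. The sample rules and the rule field names (Policy, IpProtocol, PortRange, SourceCidrIp, Priority) are constructed for this example and modelled on the shape of ECS security group rules; they are an assumption, not output copied from the console or the API.

```python
import ipaddress

# Workbench source addresses from the tables above, keyed by
# (network type, connection path). The classic-network entries are the
# single address the page gives, written as a /32.
WORKBENCH_SOURCES = {
    ("vpc", "internet"): "161.117.0.0/16",
    ("vpc", "private"): "100.104.0.0/16",
    ("classic", "internet"): "161.117.90.22/32",
    ("classic", "private"): "161.117.90.22/32",
}

# Default remote-service ports from the tables above.
DEFAULT_PORT = {"linux": 22, "windows": 3389}

# Constructed sample rules. The field names are an assumption modelled on
# the shape of ECS security group rules, not data copied from the API.
SAMPLE_RULES = [
    {"Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22",
     "SourceCidrIp": "161.117.0.0/16", "Priority": 1},
    {"Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389",
     "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
    {"Policy": "Accept", "IpProtocol": "TCP", "PortRange": "80/80",
     "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
]


def _port_in_range(port, port_range):
    """PortRange is 'low/high'; '-1/-1' is treated as all ports."""
    if port_range == "-1/-1":
        return True
    low, high = (int(p) for p in port_range.split("/"))
    return low <= port <= high


def _source_network(rule):
    """Source CIDR of a rule, or None if the rule has no CIDR source."""
    cidr = rule.get("SourceCidrIp")
    return ipaddress.ip_network(cidr, strict=False) if cidr else None


def accept_rules_for_port(rules, port):
    """Accept rules that cover TCP `port` (SSH and RDP both run over TCP)."""
    return [r for r in rules
            if r["Policy"] == "Accept"
            and r["IpProtocol"].upper() in ("TCP", "ALL")
            and _port_in_range(port, r["PortRange"])]


def workbench_allowed(rules, network, path, port):
    """True if some accept rule covers the whole Workbench source range."""
    needed = ipaddress.ip_network(WORKBENCH_SOURCES[(network, path)])
    for rule in accept_rules_for_port(rules, port):
        source = _source_network(rule)
        if source is not None and needed.subnet_of(source):
            return True
    return False


def open_to_everyone(rules, port):
    """Accept rules exposing `port` to 0.0.0.0/0, the Warning case."""
    broad = []
    for rule in accept_rules_for_port(rules, port):
        source = _source_network(rule)
        if source is not None and source.prefixlen == 0:
            broad.append(rule)
    return broad


def recommended_rule(network, path, port):
    """The narrowly scoped rule the tables above prescribe: only the
    Workbench source range, only the remote service port."""
    return {"Policy": "Accept", "IpProtocol": "TCP",
            "PortRange": f"{port}/{port}",
            "SourceCidrIp": WORKBENCH_SOURCES[(network, path)],
            "Priority": 1}


def audit(rules, network, path, os_type):
    """Summarise whether Workbench can reach the instance and whether the
    remote service port is exposed more widely than necessary."""
    port = DEFAULT_PORT[os_type]
    return {
        "port": port,
        "workbench_reachable": workbench_allowed(rules, network, path, port),
        "open_to_everyone": open_to_everyone(rules, port),
        "recommended": recommended_rule(network, path, port),
    }


if __name__ == "__main__":
    for os_type in ("linux", "windows"):
        print(os_type, audit(SAMPLE_RULES, "vpc", "internet", os_type))
```

In the sample set, the SSH rule is scoped exactly to the Internet source range for VPC instances, so Workbench is reachable over the Internet but not over the private network path, while the RDP rule is reachable on every path only because it is open to 0.0.0.0/0; the audit reports that rule so it can be replaced with the recommended, narrowly scoped one.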