
Elastic Compute Service: Connect to an instance through Workbench

Last Updated: Feb 06, 2025

Workbench is a remote connection tool from Alibaba Cloud that enables direct access to Elastic Compute Service (ECS) instances from a browser, eliminating the need for additional software installations.

What is Workbench?

Workbench introduction

Workbench is a web-based remote connection tool provided by Alibaba Cloud. It lets you open an SSH or RDP session to an ECS instance directly from a browser, with no client software installed on your machine. The following figure illustrates the process of connecting to an ECS instance using Workbench.

[Figure: connecting to an ECS instance through Workbench]

Features of Workbench

  • Supports connecting to instances over the Internet or private network

    Workbench allows connections to instances using SSH or RDP through both public and private IP addresses.

More features of Workbench

In addition to the instance connection feature, Workbench offers the following capabilities:

  • File Management: This feature allows you to upload files to ECS and download them to your local machine. For more information, see Manage files.

  • System Administration: The Workbench system administration feature lets you manage users, review historical logon records, and control system services in the operating system of a Linux instance. For more information, see Manage the system.

  • Multi-screen Terminal: The Workbench multi-screen terminal feature opens sessions to multiple ECS instances at the same time and runs the same commands on all of them concurrently. For more information, see Use the multi-terminal feature.

Basic usage process of Workbench

The diagram below describes the steps for using Workbench to connect to an instance:

[Figure: Workbench connection workflow]
  1. Find the instance to connect to.

  2. Establish network connectivity between Workbench and the ECS instance.

    Configure the security group of the instance, and any firewall running inside the instance, to allow inbound traffic from the Workbench source addresses to the port of the remote connection service (SSH or RDP). Nothing else on the path has to change; Workbench reaches the instance over its public or private IP address.

  3. Use Workbench to connect to the instance.

    In the ECS console, select the instance, choose Workbench as the connection method, and authenticate with the credentials of the instance: a username and password, or a username and an SSH key pair.

  4. Create the service-linked role.

    The first time Workbench is used in an account, it prompts you to authorize creation of its service-linked role, which it needs to access the ECS instance on your behalf. This prompt appears only once per account.

  5. Connect to the instance and perform operations and maintenance (O&M).

Service-linked role of Workbench

Workbench requires permissions to manage your ECS instances. When you first connect to an instance using Workbench, you are prompted to create a service-linked role named AliyunServiceRoleForECSWorkbench. The role grants the Workbench service the permissions it needs on the ECS resources in your account; it does not grant anything to the person using Workbench, who still needs a RAM policy (described in the next section) and valid instance credentials. For more information about service-linked roles, see Service-linked roles.

The following dialog box appears when you first connect to an instance. Click OK, and the system automatically creates the service-linked role.

[Figure: dialog box requesting authorization to create the service-linked role]

If you log on as a RAM user, ask the Alibaba Cloud account (the primary account) or an administrator to attach the AliyunECSWorkbenchFullAccess system policy to your RAM user. Only identities with this permission can create the service-linked role for Workbench.

Permission settings for RAM users using Workbench

After the service-linked role exists, a RAM user needs the following policy attached before Workbench can be used. Because the Resource field is "*", this policy permits the RAM user to log on to every ECS instance in the account through Workbench; grant it only to operators who genuinely need account-wide access, and prefer the instance-scoped form shown further down for everyone else.

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

To restrict the instances that a RAM user can connect to through Workbench, list the ARN of each permitted instance in the Resource field (one entry per instance; the two entries below are placeholders to be filled in):

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": [
        "acs:ecs-workbench:{#regionId}:{#accountId}:instance/{#instanceId}",
        "acs:ecs-workbench:{#regionId}:{#accountId}:instance/{#instanceId}"
      ],
      "Effect": "Allow"
    }
  ]
}

The parameters are described as follows:

  • {#regionId}: The ID of the region where the instance is located. The wildcard character * matches all regions.

  • {#accountId}: The ID of the Alibaba Cloud account that owns the instance. The wildcard character * matches all accounts.

  • {#instanceId}: The ID of the destination instance. The wildcard character * matches all instances, which makes the entry as broad as "*" within the matched region and account.

Example

For example, to allow a RAM user to connect through Workbench only to the instances with IDs i-001 and i-002, whatever region and account they are in, attach the following permission policy:

{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": [
        "acs:ecs-workbench:*:*:instance/i-001",
        "acs:ecs-workbench:*:*:instance/i-002"
      ],
      "Effect": "Allow"
    }
  ]
}
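The policy language above decides access by matching the requested resource ARN against each Resource pattern, with * standing in for any segment. The following script, an added example rather than code from the Alibaba Cloud documentation or the Workbench product, reproduces that matching so you can test a candidate policy offline before attaching it: it reports whether a given (region, account, instance) triple is allowed, and flags Resource entries that grant login to every instance. The wildcard semantics (a * matches any run of characters, a bare "*" matches everything) and the rule that an explicit Deny overrides an Allow are assumptions about RAM evaluation stated in the code; the account ID and the region-scoped policy are constructed for the example.

```python
"""Check which instances a Workbench RAM policy lets a RAM user log on to.

Added example, not part of the Alibaba Cloud documentation. Assumptions:
'*' in a Resource pattern matches any run of characters (including ':' and '/'),
a bare "*" matches every resource, and an explicit Deny beats any Allow.
"""
import json
import re

LOGIN_ACTION = "ecs-workbench:LoginInstance"


def login_arn(region_id: str, account_id: str, instance_id: str) -> str:
    """ARN format from the page: acs:ecs-workbench:{regionId}:{accountId}:instance/{instanceId}."""
    return f"acs:ecs-workbench:{region_id}:{account_id}:instance/{instance_id}"


def _wildcard_match(pattern: str, value: str) -> bool:
    """Treat '*' as 'any characters'; everything else in the pattern is literal."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def can_login(policy: dict, region_id: str, account_id: str, instance_id: str) -> bool:
    """True if the policy permits ecs-workbench:LoginInstance on the given instance."""
    target = login_arn(region_id, account_id, instance_id)
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wildcard_match(a, LOGIN_ACTION) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wildcard_match(r, target) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # assumed RAM rule: an explicit Deny overrides any Allow
        allowed = True
    return allowed


def over_broad_resources(policy: dict) -> list:
    """Resource entries that allow Workbench login to every instance they can match."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if not any(_wildcard_match(a, LOGIN_ACTION) for a in _as_list(stmt["Action"])):
            continue
        for res in _as_list(stmt["Resource"]):
            if res == "*" or res.endswith(":instance/*"):
                findings.append(res)
    return findings


# The two policies shown on this page.
FULL_ACCESS_POLICY = json.loads("""
{ "Version": "1",
  "Statement": [ { "Action": "ecs-workbench:LoginInstance", "Resource": "*", "Effect": "Allow" } ] }
""")

TWO_INSTANCE_POLICY = json.loads("""
{ "Version": "1",
  "Statement": [ { "Action": "ecs-workbench:LoginInstance",
                   "Resource": [ "acs:ecs-workbench:*:*:instance/i-001",
                                 "acs:ecs-workbench:*:*:instance/i-002" ],
                   "Effect": "Allow" } ] }
""")

# Constructed variant: every instance in one region of one (made-up) account,
# except i-002, which is explicitly denied.
ACCOUNT_ID = "1234567890123456"
REGION_SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": "ecs-workbench:LoginInstance",
         "Resource": [f"acs:ecs-workbench:cn-hangzhou:{ACCOUNT_ID}:instance/*"],
         "Effect": "Allow"},
        {"Action": "ecs-workbench:LoginInstance",
         "Resource": [f"acs:ecs-workbench:cn-hangzhou:{ACCOUNT_ID}:instance/i-002"],
         "Effect": "Deny"},
    ],
}

if __name__ == "__main__":
    policies = {"full": FULL_ACCESS_POLICY, "two": TWO_INSTANCE_POLICY, "region": REGION_SCOPED_POLICY}
    for name, pol in policies.items():
        for inst in ("i-001", "i-002", "i-003"):
            print(f"{name:7} cn-hangzhou {inst}: {can_login(pol, 'cn-hangzhou', ACCOUNT_ID, inst)}")
        print(f"{name:7} over-broad resources: {over_broad_resources(pol)}")
```

The check is deliberately conservative: a region-scoped `instance/*` entry is reported as over-broad too, because within that region and account it is indistinguishable from "*". Real policy evaluation happens in RAM; use the script to catch obvious scoping mistakes, then confirm with a test logon.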

Security group settings related to Workbench

To connect to instances via SSH or RDP using Workbench, the security group of the instance must permit inbound traffic from the Workbench servers to the port of the remote connection service. Consult the table below to identify the correct security group rule for your network type. For more information, see Add a security group rule.

Note that the security group rule only makes the port reachable from the Workbench address range, which is shared Alibaba Cloud infrastructure; it does not authenticate the session. Authentication is still performed by SSH or RDP on the instance, so keep using a key pair or a strong password, and do not treat the rule as a substitute for either.

Important

If a firewall is enabled within the instance (for example iptables, firewalld, or Windows Defender Firewall), add a matching rule there as well; a security group rule alone is not enough if the guest firewall drops the traffic.

VPC

To connect to instances in a virtual private cloud (VPC) using Workbench, add the following inbound rule to the security group of the instance:

  • Action: Allow

  • Priority: 1

  • Protocol type: Custom TCP

  • Port range: the port of the remote connection service running in the instance.

    • Linux instances: select SSH (22). The default remote service on Linux is SSH, typically on port 22.

    • Windows instances: select RDP (3389). The default remote service on Windows is RDP, typically on port 3389.

    Important: If the port of the remote service has been changed inside the instance, use the changed port here.

  • Authorization object (source address):

    • Connections over the Internet: 161.117.0.0/16

    • Connections over the private network: 100.104.0.0/16

    Warning: 0.0.0.0/0 allows every IP address on the Internet to reach the remote service port, which exposes SSH or RDP to password guessing and exploitation attempts. Use the Workbench ranges above instead, and use 0.0.0.0/0 only with caution.

Classic network

To connect to instances in a classic network using Workbench, add the following inbound rule to the security group of the instance:

  • Action: Allow

  • Priority: 1

  • Protocol type: Custom TCP

  • Port range: the port of the remote connection service running in the instance.

    • Linux instances: select SSH (22). The default remote service on Linux is SSH, typically on port 22.

    • Windows instances: select RDP (3389). The default remote service on Windows is RDP, typically on port 3389.

    Important: If the port of the remote service has been changed inside the instance, use the changed port here.

  • Authorization object (source address):

    • Connections over the Internet: 161.117.90.22

    • Connections over the internal network: 161.117.90.22

    Warning: 0.0.0.0/0 allows every IP address on the Internet to reach the remote service port, which exposes SSH or RDP to password guessing and exploitation attempts. Use the Workbench address above instead, and use 0.0.0.0/0 only with caution.
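The VPC and classic-network rules above come down to two questions about a security group: can the Workbench source range reach the SSH or RDP port, and does any Accept rule open that port wider than the Workbench range requires (0.0.0.0/0 being the usual offender)? The following script is an added example, not code from the Alibaba Cloud documentation or the Workbench product. It answers both questions over a rule list and produces a narrowed copy of the rules. The rule dictionaries are constructed to resemble the Permission entries returned by the ECS DescribeSecurityGroupAttribute API (IpProtocol, PortRange in "low/high" form, SourceCidrIp, Policy, Priority, Direction); that field layout, and the Accept/Drop policy values, are assumptions for the example. The Workbench source addresses are the ones stated on this page.

```python
"""Audit ECS security group inbound rules for Workbench reachability and over-broad sources.

Added example, not from the Alibaba Cloud documentation. Rule dictionaries are
constructed to resemble DescribeSecurityGroupAttribute Permission entries; the
field names and Accept/Drop values are assumptions. Drop rules are ignored
here, so a higher-priority Drop that would block Workbench is not detected.
"""
import ipaddress

# Workbench source addresses from this page, by network type and connection path.
WORKBENCH_SOURCES = {
    "vpc-internet": ipaddress.ip_network("161.117.0.0/16"),
    "vpc-private": ipaddress.ip_network("100.104.0.0/16"),
    "classic": ipaddress.ip_network("161.117.90.22/32"),
}
REMOTE_PORTS = {"ssh": 22, "rdp": 3389}


def _rule_covers_port(rule: dict, port: int) -> bool:
    """True if the rule's protocol/port range includes a TCP port."""
    proto = rule["IpProtocol"].lower()
    if proto == "all":
        return True  # ALL-protocol rules carry PortRange "-1/-1" and cover every port
    if proto != "tcp":
        return False
    low, high = (int(x) for x in rule["PortRange"].split("/"))
    return low <= port <= high


def _accept_source(rule: dict):
    """Source network of an ingress Accept rule keyed to a CIDR, else None."""
    if rule.get("Direction", "ingress") != "ingress" or rule["Policy"].lower() != "accept":
        return None
    src = rule.get("SourceCidrIp")
    return ipaddress.ip_network(src, strict=False) if src else None  # None: source is a security group


def audit_port(rules: list, port: int, workbench_net) -> dict:
    """Report whether Workbench can reach `port` and which Accept rules open it wider than needed."""
    reachable, over_broad = False, []
    for rule in rules:
        net = _accept_source(rule)
        if net is None or net.version != workbench_net.version or not _rule_covers_port(rule, port):
            continue
        if workbench_net.subnet_of(net):
            reachable = True
            if net.prefixlen < workbench_net.prefixlen:  # strictly larger than the Workbench range
                over_broad.append(rule["SourceCidrIp"])
    return {"reachable": reachable, "over_broad": over_broad}


def hardened_rules(rules: list, workbench_net) -> list:
    """Copy of `rules` with over-broad Accept rules on SSH/RDP narrowed to the Workbench range.

    An ALL-protocol Accept rule is narrowed as well, since it also exposes the remote ports.
    """
    out = []
    for rule in rules:
        net = _accept_source(rule)
        touches_remote = any(_rule_covers_port(rule, p) for p in REMOTE_PORTS.values())
        if (net is not None and net.version == workbench_net.version and touches_remote
                and workbench_net.subnet_of(net) and net.prefixlen < workbench_net.prefixlen):
            out.append({**rule, "SourceCidrIp": str(workbench_net)})
        else:
            out.append(rule)
    return out


# Constructed sample: SSH open to the world, RDP correctly limited, an unrelated UDP rule,
# and a catch-all Drop at the lowest priority.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Description": "ssh (too broad)"},
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "161.117.0.0/16", "Description": "rdp from Workbench"},
    {"Direction": "ingress", "Policy": "Accept", "Priority": 1, "IpProtocol": "UDP",
     "PortRange": "53/53", "SourceCidrIp": "10.0.0.0/8", "Description": "dns from the VPC"},
    {"Direction": "ingress", "Policy": "Drop", "Priority": 100, "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "Description": "default deny"},
]

if __name__ == "__main__":
    for path, net in WORKBENCH_SOURCES.items():
        for name, port in REMOTE_PORTS.items():
            print(f"{path:13} {name}: {audit_port(SAMPLE_RULES, port, net)}")
    fixed = hardened_rules(SAMPLE_RULES, WORKBENCH_SOURCES["vpc-internet"])
    print("after hardening:", audit_port(fixed, 22, WORKBENCH_SOURCES["vpc-internet"]))
```

In practice the rule list comes from `aliyun ecs DescribeSecurityGroupAttribute` output for the security group, and the narrowed rules are applied with the console or the AuthorizeSecurityGroup and RevokeSecurityGroup operations. Run the audit once per connection path you actually use (Internet or private network), because the private-network range is different and a rule that satisfies one path says nothing about the other.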