Workbench is a remote connection tool from Alibaba Cloud that enables direct access to Elastic Compute Service (ECS) instances from a browser, eliminating the need for additional software installations.
What is Workbench?
Workbench introduction
Workbench is a web-based remote connection tool provided by Alibaba Cloud. It allows you to connect to ECS instances directly from a browser without any installation. The following figure illustrates the process of connecting to an ECS instance using Workbench.
Features of Workbench
- Supports multiple connection methods
  Workbench provides a variety of ways to connect to instances, such as SSH for Linux and RDP for Windows.
- Supports connecting to instances over the Internet or private network
  Workbench allows connections to instances using SSH or RDP through both public and private IP addresses.
More features of Workbench
In addition to the instance connection feature, Workbench offers the following capabilities:
- File Management: This feature allows you to upload files to ECS and download them to your local machine. For more information, see Manage files.
- System Administration: The Workbench system administration feature enables user management, tracking of historical login records, and control over system services within the Linux instance's operating system. For more information, see how to manage your system.
- Multi-screen Terminal: The Workbench multi-screen terminal feature facilitates simultaneous connections to multiple ECS instances, allowing for concurrent execution of the same commands on these instances. For more information, see how to use the multi-terminal feature.
Basic usage process of Workbench
The diagram below describes the steps for using Workbench to connect to an instance:
1. Find the Instance to Connect.
2. Establish Network Connectivity Between Workbench and the ECS Instance.
   This involves configuring security group and firewall rules to allow inbound traffic from Workbench to the instance.
3. Use Workbench to Connect to the Instance.
   In the console, select the instance and connect through Workbench using the necessary credentials, such as username and password or a key pair.
4. Create the Service-Linked Role.
   If the service-linked role is not already created, Workbench will prompt you to authorize its creation to access the ECS instance.
5. Successfully Connect to the Instance and Perform Operations and Maintenance (O&M).
Service-linked role of Workbench
Workbench requires permissions to manage your ECS instances. When you first connect to an instance using Workbench, you'll be prompted to create a service-linked role named AliyunServiceRoleForECSWorkbench, which grants Workbench the necessary access to your ECS instance. For more information about service-linked roles, see Service-linked roles.
The following dialog box appears when you first connect to an instance. Click OK, and the system will automatically create the service-linked role.
If you are a RAM user, you must contact the primary account or administrator to grant you the AliyunECSWorkbenchFullAccess system policy. Only users with this permission can create the service-linked role for Workbench.
Permission settings for RAM users using Workbench
After the service-linked role is created, RAM users must be granted the following policy to use Workbench. This policy allows the user to connect to all ECS instances via Workbench.
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
To restrict the instances that users can connect to through Workbench, modify the Resource field as follows:
{
  "Version": "1",
  "Statement": [
    {
      "Action": "ecs-workbench:LoginInstance",
      "Resource": [
        "acs:ecs-workbench:{#regionId}:{#accountId}:instance/{#instanceId}",
        "acs:ecs-workbench:{#regionId}:{#accountId}:instance/{#instanceId}"
      ],
      "Effect": "Allow"
    }
  ]
}
The parameters are described as follows:
- {#regionId}: The region ID where the instance is located. It can be set to the wildcard character *.
- {#accountId}: The primary account ID. It can be set to the wildcard character *.
- {#instanceId}: The destination instance ID. It can be set to the wildcard character *.
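The following Python sketch is an added example, not code from Alibaba Cloud. It builds the instance-scoped form of the policy above from a list of instance IDs and flags policy documents that still grant ecs-workbench:LoginInstance through a wildcard resource. The function names build_policy and audit_policy are hypothetical, the account and instance IDs are constructed sample values, and matching of wildcard action patterns is an assumption noted in the code.

```python
import fnmatch
import json

ACTION = "ecs-workbench:LoginInstance"


def build_policy(region_id, account_id, instance_ids):
    """Build a policy that allows Workbench login only to the listed instances."""
    if not instance_ids:
        raise ValueError("at least one instance ID is required")
    for value in (region_id, account_id, *instance_ids):
        if not value or "*" in value:
            raise ValueError(f"empty or wildcard value rejected: {value!r}")
    resources = [
        f"acs:ecs-workbench:{region_id}:{account_id}:instance/{iid}"
        for iid in sorted(set(instance_ids))
    ]
    statement = {"Action": ACTION, "Resource": resources, "Effect": "Allow"}
    return {"Version": "1", "Statement": [statement]}


def _as_list(value):
    # Action and Resource may each be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement index, resource) pairs that grant login via a wildcard."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        # Assumption: action patterns such as "ecs-workbench:*" also cover the action.
        if not any(fnmatch.fnmatchcase(ACTION, pattern) for pattern in actions):
            continue
        for resource in _as_list(stmt.get("Resource", [])):
            if "*" in resource:
                findings.append((index, resource))
    return findings


if __name__ == "__main__":
    # Constructed sample values; replace with your own region, account and instances.
    scoped = build_policy("cn-hangzhou", "1234567890123456",
                          ["i-constructed0002", "i-constructed0001"])
    print(json.dumps(scoped, indent=2))
    print("wildcard findings:", audit_policy(scoped))
```

Running audit_policy over exported RAM policy documents shows which users can still reach every instance through Workbench, so those grants can be replaced with the scoped form.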
Security group settings related to Workbench
To establish a connection to instances via SSH or RDP using Workbench, you must set up the instance's security group to permit inbound traffic from the Workbench server. Consult the table below to identify the correct security group rules based on your network type. For more information, see how to add a security group rule.
If a firewall is enabled within the instance, modify the firewall rules to align with the security group settings.
VPC
To connect to instances in a virtual private cloud (VPC) using Workbench, set the following inbound direction rules in the security group of the instance:
Action | Priority | Protocol type | Port range | Authorization object |
Allow | 1 | Custom TCP | The port range is configured based on the port of the remote connection service running within your instance.
Important If the port for the remote service is changed within the instance, adjust the settings accordingly. |
Warning Using |
Classic network
To connect to instances in a classic network using Workbench, set the following inbound direction rules in the security group of the instance:
Action | Priority | Protocol type | Port range | Authorization object |
Allow | 1 | Custom TCP | The port range is configured based on the port of the remote connection service running within your instance.
Important If the port for the remote service is changed within the instance, adjust the settings accordingly. |
Warning Using |