A company has set up some EC2 Instances in a VPC with the default Security group and NACL settings.
They want to ensure that the IT admin staff can connect to the EC2 Instance via SSH.
As an architect, what would you ask the IT admin team to do to ensure that they can connect to the EC2 Instance from the Internet? Choose 2 answers from the options below.
Answer - A and C.
The AWS Documentation mentions the following.
To enable access to or from the internet for instances in a VPC subnet, you must do the following.
Attach an Internet gateway to your VPC.
Ensure that your subnet's route table points to the internet gateway.
Ensure that instances in your subnet have a globally unique IP address (public IPv4 address, Elastic IP address, or IPv6 address).
Add an inbound security group rule that allows SSH traffic with source 0.0.0.0/0.
By default, all outbound traffic is allowed.
Option B is incorrect since a private IP is always assigned to the instance, but it cannot be reached from the internet.
If you use the private IP to communicate, traffic will stay within the VPC.
It will not be routed out.
The routing table will route it internally.
If you use the public IP to communicate, traffic will go out to the internet (through the internet gateway) and return to your VPC.
An instance receives a public IP address so that it is reachable from outside the VPC.
This IP address might change if the instance stops and starts.
Alternatively, you can use an Elastic IP Address that remains static.
Option D is incorrect since the default NACL rules will allow all traffic.
For more information on exposing VPC resources to the Internet, please refer to the below link-
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
To enable the IT admin staff to connect to the EC2 instance via SSH from the internet, the following steps should be taken:
Ensure that the Instance has a Public or Elastic IP: If the instance is located in a private subnet, it will not have a public IP address, which means that it cannot be accessed from the internet directly. In this case, an Elastic IP can be assigned to the instance, which will provide a static, public IP address that can be used to connect to the instance.
Modify the Security Group settings: By default, the security group associated with the EC2 instance will not allow inbound traffic to port 22 (used for SSH). Therefore, the IT admin staff must add a new inbound rule to the security group to allow traffic from their IP address range to port 22. This will ensure that the SSH traffic can reach the instance from their location.
Ensure to modify the NACL rules: By default, the Network Access Control Lists (NACLs) associated with the VPC will allow all inbound and outbound traffic. However, if the NACLs have been modified to block any inbound or outbound traffic, then the IT admin staff may not be able to connect to the instance via SSH. In this case, the NACLs need to be modified to allow inbound SSH traffic from the IT admin staff's IP address range.
Therefore, the correct answers are A and C - Ensure that the Instance has a Public or Elastic IP and Ensure to modify the Security groups.
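As an added example that is not part of the original question or of any AWS tooling, the following Python turns the conditions above (internet gateway, 0.0.0.0/0 route, public or Elastic IP, a security group rule for TCP 22, and a permissive NACL in both directions) into a reachability check over constructed describe-style data. The dictionary shapes, the sample IDs and addresses, and the helper names are assumptions.

```python
"""Posture check for the SSH-from-the-internet question (added example, not from the page).
Models the conditions listed above: internet gateway, 0.0.0.0/0 route, public/Elastic IP,
a security group inbound rule for TCP 22, and a network ACL that passes both directions.
The data shapes are assumptions that mirror describe-* output, not the boto3 API itself."""
from ipaddress import ip_address, ip_network

SSH_PORT = 22

def _nacl_allows(rules, direction, port, ip):
    """NACLs are stateless and evaluated by ascending rule number; the first match wins.
    Anything that matches no numbered rule hits the implicit '*' deny."""
    for r in sorted((r for r in rules if r["dir"] == direction), key=lambda r: r["rule"]):
        if r["proto"] in ("-1", "tcp") and r["from"] <= port <= r["to"] \
                and ip_address(ip) in ip_network(r["cidr"], strict=False):
            return r["action"] == "allow"
    return False

def ssh_problems(vpc, subnet, instance, sg_rules, nacl_rules, admin_ip, client_port=49152):
    """Return the reasons SSH from admin_ip would fail; an empty list means reachable."""
    problems = []
    igw = vpc.get("igw_id")
    if not igw:
        problems.append("no internet gateway attached to the VPC")
    if not any(r["dest"] == "0.0.0.0/0" and r["target"] == igw for r in subnet["routes"]):
        problems.append("subnet route table has no 0.0.0.0/0 route to the internet gateway")
    if not instance.get("public_ip"):
        problems.append("instance has no public or Elastic IP address")
    # Security groups are stateful and allow-only: one inbound rule covering tcp/22 is enough
    if not any(r["proto"] == "tcp" and r["from"] <= SSH_PORT <= r["to"]
               and ip_address(admin_ip) in ip_network(r["cidr"], strict=False) for r in sg_rules):
        problems.append("no security group inbound rule permits TCP 22 from the admin address")
    # The NACL must pass the inbound SYN to 22 and the outbound reply to the client's ephemeral port
    if not _nacl_allows(nacl_rules, "inbound", SSH_PORT, admin_ip):
        problems.append("network ACL denies inbound TCP 22 from the admin address")
    if not _nacl_allows(nacl_rules, "outbound", client_port, admin_ip):
        problems.append("network ACL denies the outbound reply to the client's ephemeral port")
    return problems

# Constructed sample data: IGW attached, default NACL (rule 100 allows all), sample admin range
VPC = {"igw_id": "igw-0123abcd"}
SUBNET = {"routes": [{"dest": "10.0.0.0/16", "target": "local"},
                     {"dest": "0.0.0.0/0", "target": "igw-0123abcd"}]}
INSTANCE = {"private_ip": "10.0.1.5", "public_ip": "198.51.100.7"}
DEFAULT_NACL = [{"rule": 100, "dir": d, "proto": "-1", "from": 0, "to": 65535,
                 "cidr": "0.0.0.0/0", "action": "allow"} for d in ("inbound", "outbound")]
DEFAULT_SG = []          # default SG: no inbound rule reaches external sources
ADMIN_SG = [{"proto": "tcp", "from": 22, "to": 22, "cidr": "203.0.113.0/24"}]
```

Calling `ssh_problems(VPC, SUBNET, INSTANCE, DEFAULT_SG, DEFAULT_NACL, "203.0.113.40")` reports only the missing security group rule, which is why the default NACL (option D) is not what needs changing.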