My company's AWS security inbound rules are set such that IPs from within company networks can SSH into AWS resources. However, I want to work from home and be able to SSH into AWS EC2 instances (and also log in to RDS instances).

One way is of course to add my home wifi's IP to the inbound rules of the AWS security group of the instance I want to SSH into. However, my manager for some reason doesn't like that. (I wonder why that is.)

So, the other way is to connect to my company's network using VPN. I don't understand after that, how to connect to AWS EC2 or AWS RDS. Please help.

3 Answers

0

There are a few moving parts here, so stay with me.

Home -> Work VPN -> Work -> vpn to Aws -> AWS

Let's say each has the following values:

Home PC on VPN: 192.168.10.2
Work VPN Network: 192.168.10.0
Work Network : 172.16.0.0
VPN to AWS Network: 10.0.2.0
AWS VPC (All EC2 Instances are assigned): 10.0.3.0

The admin needs to set a rule allowing SSH traffic from the WORK VPN NETWORK to the VPN to AWS NETWORK on the work network's firewall, and then allow the WORK VPN subnet as an inbound rule on the VPC in AWS. Everyone's setup can vary, but this is the simplest way to do what you want, and it is set up similar to this. This set of actions will allow anyone who connects to the VPN to access any EC2 hosts on the VPC.
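As an added illustration of the inbound-rule part of this answer (not code from the original post), the script below evaluates a security group the way AWS does: a source address is admitted only if some rule's protocol, port range and CIDR all match. The security group document is a constructed sample in the shape of `aws ec2 describe-security-groups` output, using the subnets from the answer; the answer gives no prefix lengths, so /16 for the work network and /24 for the work VPN network are assumptions, as are the home address 203.0.113.7 and the MySQL port 3306 for RDS.

```python
import ipaddress

# Constructed sample of one security group's ingress rules, shaped like the
# "SecurityGroups[].IpPermissions" field returned by
# `aws ec2 describe-security-groups`. Prefix lengths are assumed.
SG = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "172.16.0.0/16", "Description": "work network"},
                      {"CidrIp": "192.168.10.0/24", "Description": "work VPN clients"}]},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
         "IpRanges": [{"CidrIp": "172.16.0.0/16", "Description": "work network"},
                      {"CidrIp": "192.168.10.0/24", "Description": "work VPN clients"}]},
    ],
}


def allowed(sg, src_ip, port, proto="tcp"):
    """True if some ingress rule in sg admits proto/port from src_ip.

    Mirrors the security-group semantics: rules are permit-only, there is an
    implicit deny, and IpProtocol "-1" means all protocols and ports (such a
    rule carries no FromPort/ToPort keys)."""
    addr = ipaddress.ip_address(src_ip)
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in (proto, "-1"):
            continue
        if perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        for r in perm.get("IpRanges", []):
            if addr in ipaddress.ip_network(r["CidrIp"]):
                return True
    return False


def ingress_rule(cidr, port, description):
    """Build one rule in the JSON shape that
    `aws ec2 authorize-security-group-ingress --ip-permissions` accepts.
    ip_network() rejects malformed CIDRs before they reach the API."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": str(net), "Description": description}]}


if __name__ == "__main__":
    for src in ("192.168.10.2", "172.16.4.9", "203.0.113.7"):
        print(src, "ssh:", allowed(SG, src, 22), "mysql:", allowed(SG, src, 3306))
    # The VPN client subnet is what the admin adds, not an individual home IP.
    print(ingress_rule("192.168.10.0/24", 22, "work VPN clients"))
```

Run with a home address and the VPN client address side by side: the home address is refused on both ports while 192.168.10.2 is admitted, which is exactly why connecting through the work VPN removes the need for a per-person home-IP rule.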

0

If I understand correctly, you have a VPN to your work network set up. The VPN should give you an external IP address of your work network, which should automatically allow you to SSH into AWS instances and RDS as if you were in the office. You can check your external IP by browsing to https://www.whatismyip.com/what-is-my-public-ip-address/ or similar sites.

As for why your manager doesn't like to add your home IP address to the AWS security group, you can best ask him/her. I bet it is related to home/consumer IPs being dynamic (they can change without notice) and the overhead introduced by this. If he/she adds your IP, more people working from home will want the same thing. These all need to be managed and modified/removed when the situation changes (e.g. you leave the company). Apart from this, your home network is not under the control of the company. This can introduce security risks, as they do not know who has access to it.

0

Depending on your company's VPN setup:

  • If split-tunneling is disabled on your VPN, you don't need to do anything. Once you are connected to your company's VPN, you should be able to SSH to your instance.
  • If split-tunneling is enabled, your admin needs to route traffic to the specific instance (its public or private IP address) through your company's VPN, so whenever you connect to the VPN, your routing table (on your laptop) will have a route to your instance that sends traffic through the VPN tunnel.

Either way, the security group assigned to the instance will receive your traffic as being sourced from your company's network/IPs.
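An added example of the routing-table check this answer describes (not code from the original post): it parses `ip route show` style output and performs the same longest-prefix match the kernel does, so you can tell before opening SSH whether a given instance address will leave via the tunnel interface or via your home uplink. The two routing tables are constructed samples; the interface names `tun0`/`wlan0`, the instance address 10.0.3.25 and the gateway addresses are assumptions. The full-tunnel sample uses the 0.0.0.0/1 plus 128.0.0.0/1 pair that OpenVPN's `redirect-gateway def1` installs, which beats the home default route without replacing it.

```python
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    metric: int


# Constructed sample: split tunnel, only the instance itself is routed via the VPN.
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
192.168.10.0/24 dev tun0 proto kernel scope link src 192.168.10.2
10.0.3.25 via 192.168.10.1 dev tun0
"""

# Constructed sample: full tunnel (OpenVPN redirect-gateway def1 style routes).
FULL_TUNNEL = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 192.168.10.1 dev tun0
128.0.0.0/1 via 192.168.10.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50 metric 600
192.168.10.0/24 dev tun0 proto kernel scope link src 192.168.10.2
"""


def parse_routes(text):
    """Parse `ip route show` lines into Route records.

    Only the fields relevant to route selection are kept: destination prefix
    ("default" means 0.0.0.0/0, a bare address means a /32 host route),
    outgoing device, optional gateway and optional metric."""
    routes = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        network = ipaddress.ip_network(prefix, strict=False)
        dev = tokens[tokens.index("dev") + 1]
        via = tokens[tokens.index("via") + 1] if "via" in tokens else None
        metric = int(tokens[tokens.index("metric") + 1]) if "metric" in tokens else 0
        routes.append(Route(network, dev, via, metric))
    return routes


def select_route(routes, dest):
    """Longest-prefix match; among equal prefixes the lowest metric wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def goes_via_vpn(routes, dest, vpn_dev="tun0"):
    """True if traffic to dest leaves through the VPN interface, so the AWS
    security group sees a company-side source address rather than your home IP."""
    route = select_route(routes, dest)
    return route is not None and route.dev == vpn_dev


if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        routes = parse_routes(table)
        for dest in ("10.0.3.25", "10.0.3.26"):
            print(f"{name:5} {dest} -> {select_route(routes, dest).dev}")
```

In the split-tunnel table, 10.0.3.25 is carried by the /32 host route over `tun0`, but a second instance at 10.0.3.26 falls through to the home default route and the security group would see your home address, which is the case where the admin has to push an extra route. In the full-tunnel table both addresses select a /1 route over `tun0` and nothing needs to change.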
