To Nha Notes | Nov. 20, 2023, 10:56 a.m.
Port forwarding lets you open a tunnel from your laptop to an instance deployed in a private subnet without starting an SSH service on the server, opening the SSH port in its security group, or running a bastion host. Traffic rides the Session Manager channel that SSM Agent already maintains outbound to the Systems Manager endpoints, so no inbound port has to be exposed.
Like an SSH tunnel (ssh -L), port forwarding maps a port on your laptop to a port on the instance. Once the session is running, you connect to the local port and reach the application listening inside the instance.
To start a Session Manager port forwarding session to a remote host, version 3.1.1374.0 or later of SSM Agent must be installed on the managed node. The remote host isn't required to be managed by Systems Manager.
Before you start a session, make sure that you have completed the setup steps for Session Manager. For information, see Setting up Session Manager.
To use the AWS CLI to run session commands, you must install the Session Manager plugin on your local machine. For information, see Install the Session Manager plugin for the AWS CLI. (Ubuntu: https://docs.aws.amazon.com/systems-manager/latest/userguide/install-plugin-debian.html)
Depending on your operating system and command line tool, the placement of quotation marks can differ and escape characters might be required.
To start a port forwarding session, run the following command from the CLI. Replace each example resource placeholder with your own information.
aws ssm start-session \
--target instance-id \
--document-name AWS-StartPortForwardingSessionToRemoteHost \
--parameters '{"host":["mydb.example.us-east-2.rds.amazonaws.com"],"portNumber":["3306"], "localPortNumber":["3306"]}'
The host value is the hostname or IP address of the remote host you want to reach. General connectivity and name resolution requirements between the managed node and the remote host still apply: the node must be able to resolve the name, and the remote host's security group (for example the RDS instance's) must allow traffic from the node on portNumber.
The portNumber value represents the port on the remote host where you want the session traffic to be redirected. For example, you might specify port 3306 for connecting to a MySQL database. If you don't specify the portNumber parameter, Session Manager uses 80 as the default value.
The value you specify for localPortNumber is the port on your client machine where the tunnel listens, such as 56789. This is the port you point your client at, for example localhost:56789; Session Manager forwards that traffic through the managed node to host:portNumber.
With the session above running (local port 3306), connect through the local end of the tunnel. Leave the password out of -p so the client prompts for it instead of leaving it in shell history and process listings:
mysql --host=127.0.0.1 --port=3306 --user=some_user -p
https://aws.amazon.com/blogs/aws/new-port-forwarding-using-aws-system-manager-sessions-manager/
https://dev.to/aws-builders/aws-session-manager-port-forwarding-to-rds-without-ssh-pda