I have an EC2 instance running Ubuntu and I'm trying to restrict SSH access to only my IP address. I'm using both the security on the EC2 and the network ACL. I have multiple IP addresses:
192.168.1.233: the one on my computer in System Preferences -> Network under the name of the Wi-Fi network
157.100.197.222/32: the one in the EC2 when I edit inbound rules under the option "My IP address" https://i.stack.imgur.com/WXCxh.png
172.31.30.243: the one when I connect to the EC2 and type hostname -I | awk '{print $1}' https://i.stack.imgur.com/oHuc5.png
I'm able to connect to the EC2 when in the network ACL inbound rules I deny SSH access to /8, /16, and /24 and then allow all other sources, and in the security of the EC2 I allow all sources to connect via SSH https://i.stack.imgur.com/zOuhS.png https://i.stack.imgur.com/tOkcL.png
But right now I'm allowing access from all 3 of my IP addresses and denying everything else, and it won't connect https://i.stack.imgur.com/AnyVI.png https://i.stack.imgur.com/RM3YA.png
I know it has something to do with the network IP address vs. the device IP address and using the right IP with the right CIDR block, but I don't know exactly what to put. Can someone help me?
2 Answers
You have to check what is your outgoing IP address. You do this by going to any "check my ip" website. This will be the address you have to allow in your security groups.
Also do not modify network ACL. Default NACL is all that you need. Only use Security Groups to control access to your instance from your IP.
The error message appears to indicate that you are attempting to connect to the Amazon EC2 instance by using EC2 Instance Connect.
EC2 Instance Connect works as follows:
Therefore, the Security Group sees your connection as coming from the EC2 Instance Connect service rather than the public IP address of your computer.
You would need to add the IP address ranges of the EC2 Instance Connect service to the Security Group to permit access to the EC2 instance (see Set up EC2 Instance Connect – Amazon Elastic Compute Cloud). However, this would permit an inbound connection from any computer that successfully authenticates via the EC2 Instance Connect service.
Thus, it is not possible to restrict access to the EC2 Instance to your own IP address while using EC2 Instance Connect to connect to the instance.
However, it is worth noting that EC2 Instance Connect uses IAM to authenticate access to the instance, so you should trust this authentication. Rather than restricting by IP address of computers, you could restrict to the IP address ranges of the EC2 Instance Connect service and then use IAM permissions to control access to the instance.
See also: EC2 Instance Connect – Which AWS IPs For Inbound For Browser Console Access?
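An added example, not part of either answer above: it takes the three addresses from the question, keeps only the one a security group can actually see as an SSH source, and shows why a rule holding just that /32 still rejects a connection that arrives from the EC2 Instance Connect service. The function names, the `us-east-1` region, and the sample prefixes (documentation ranges in the shape of AWS's `ip-ranges.json`) are assumptions made for illustration.

```python
import ipaddress

# Constructed excerpt shaped like AWS's published ip-ranges.json. The prefixes
# are documentation ranges (RFC 5737), not real AWS values.
SAMPLE_IP_RANGES = {"prefixes": [
    {"ip_prefix": "198.51.100.0/29", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT"},
    {"ip_prefix": "203.0.113.8/29", "region": "eu-west-1", "service": "EC2_INSTANCE_CONNECT"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "EC2"},
]}

def usable_ssh_sources(addresses):
    """Return /32 CIDRs for the IPv4 addresses a security group can see as a source.

    Private addresses (the laptop's Wi-Fi address, the instance's own VPC
    address) never appear as the source of a connection from the internet.
    """
    cidrs = []
    for addr in addresses:
        ip = ipaddress.ip_interface(addr).ip  # accepts "a.b.c.d" and "a.b.c.d/32"
        if ip.is_global:
            cidrs.append(f"{ip}/32")
    return cidrs

def instance_connect_cidrs(ip_ranges, region):
    """Pick the EC2 Instance Connect prefixes for one region (hypothetical helper)."""
    return [p["ip_prefix"] for p in ip_ranges["prefixes"]
            if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region]

def rule_allows(allowed_cidrs, source_ip):
    """True if source_ip falls inside any CIDR of an inbound port-22 rule."""
    src = ipaddress.ip_address(source_ip)
    return any(src in ipaddress.ip_network(c) for c in allowed_cidrs)

if __name__ == "__main__":
    # The three addresses listed in the question.
    mine = usable_ssh_sources(["192.168.1.233", "157.100.197.222/32", "172.31.30.243"])
    print("allow for a direct ssh client:", mine)

    # Constructed source address inside the sample Instance Connect range.
    service_src = "198.51.100.3"
    print("own /32 only, via Instance Connect:", rule_allows(mine, service_src))
    widened = mine + instance_connect_cidrs(SAMPLE_IP_RANGES, "us-east-1")
    print("with service range added:", rule_allows(widened, service_src))
```
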