Enabling SSH Connections to an Elastic Beanstalk Environment
== Overview ==
Notes on connecting to an AWS EC2 instance in order to manage and deploy web applications.<ref>[https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html Connecting to Your Linux Instance Using SSH] - EC2 User Guide</ref><ref>[http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html Connecting to Your Linux Instance from Windows Using PuTTY] (AWS documentation)</ref>

== Prerequisites ==
* '''An Elastic Beanstalk environment'''
* '''An EC2 instance''' This is created automatically during the creation of each Elastic Beanstalk environment. Each Elastic Beanstalk environment (abbreviated "EBS environment" on this page) is linked to its own EC2 instance.

=== Open SSH port (22) ===
* '''AWS Management Console''' > '''EC2''' > ''EC2 instance corresponding to the EBS environment'' > click for details > '''Security Group''' > click for details
* '''Inbound Rules''' tab > '''Edit''' button
* '''Add Rule''' button
** '''Type:''' SSH
** '''Protocol:''' TCP
** '''Port Range:''' 22
** '''Source:''' `XX.XX.XX.XX/32` where `XX.XX.XX.XX` is the public IP address of the local development LAN.

<p class="alert alert-warning">This port should NEVER be publicly accessible. This setting should NEVER be specified in any config files for the web application.</p>

<p class="alert alert-info">For convenience, in the AWS management console view details for the EC2 instance corresponding to the EBS environment. From there, click the '''Connect''' button at the top for details on how to connect to the instance.</p>

* '''Get the ID of the EC2 instance''' Amazon EC2 console > Instance ID column (or use `describe-instances` from the AWS CLI)
* '''Get the public DNS of the instance''' Amazon EC2 console > Public DNS column (optionally click show/hide and select Public DNS column)
* '''Private key''' Fully-qualified path to the `.pem` file for the key pair specified when the instance was launched.
* '''Enabled inbound SSH traffic from your IP address to the instance''' Ensure the security group associated with the instance allows incoming traffic from the local IP address.<ref>[http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html Authorizing Network Access to your Instances]</ref>

=== Key Pairs ===
Create a key pair on an EC2 instance after creating an inbound rule for the SSH port.
* '''EC2 Management Console''' > ''select the EC2 instance linked to the EBS environment''
* '''Network & Security''' group (on the left-hand menu) > '''Key Pairs'''
* '''Create Key Pair''' button at the top right
** '''Name:''' ''descriptive token''
** '''Key pair type:''' RSA
** '''File Format:''' `.pem`
** Click '''Create'''
** Download the `.pem` file to `~/.ssh/`
** ''(If the key file downloads with a ".cer" extension, it is still in .pem format. It is OK to simply change the extension from ".cer" to ".pem".)''
* After the `.pem` file is installed in the `~/.ssh/` directory, make sure its permissions are set to `700`.

Link an EBS environment with a key pair.
* '''EB Management Console''' > ''application'' > ''environment''
* '''Configuration''' > '''Security''' > '''Edit'''
* '''Key Pair''': Select the key pair created for the EC2 instance.

At this point, the server should be ready to accept SSH connections.

<p class="alert alert-warning">An existing key pair cannot be associated with an existing EC2 instance. Well, it can, but it may be simpler to create a new Elastic Beanstalk environment and a new EC2 instance along with it.</p>

== Connecting ==
<syntaxhighlight lang="bash">
$ eb ssh
</syntaxhighlight>

The above is a wrapper for the following:

<syntaxhighlight lang="bash">
$ ssh -i ~/.ssh/nrosedevs-aws.pem ec2-user@[Public_DNS_address]
</syntaxhighlight>

The '''Public DNS Address''' is retrieved from the AWS EC2 Dashboard, under '''Instances'''. Click on the individual instance to view its public DNS.
`ec2-user` is the user name for Amazon Linux servers. Other server types may have different user names, e.g. Ubuntu's user is `ubuntu`.

The `.pem` file was created and downloaded when a key pair was created for the EC2 instance. If SSH access is needed on a different machine, the `.pem` file must be copied over from a machine that already has the `.pem` file installed.

== Troubleshooting ==
TK

== Configuration ==
<div class="alert alert-info">I had a hell of a time getting this to work using an existing EC2 instance. I ended up rebuilding the Key Pair, IAM Role, and EC2 instance. Then and only then did this work... actually come to think of it, I suspect that the problem might have been in the configuration of the EC2 instance. Where the directions say to select '''Enable''' for the '''Auto-assign Public IP''', initially I left it at the default setting. I can't see a way of going back and changing this setting once the instance is created.</div>

When a Key Pair is created through the AWS management console, a `.pem` file containing the pair is generated. This file is created once, and cannot be generated again at a later date.

Save the `.pem` file locally, e.g. in `~/.ssh/` or `c:\users\damien\.ssh\`.

On macOS, use ssh via the terminal.

The AWS documentation stresses using PuTTY on Windows, but it's also possible to use a PowerShell prompt. Maybe the PowerShell prompt isn't as secure? PuTTY uses a `.ppk` file to hold the key pair, while the PowerShell prompt uses the `.pem` file.

=== Prerequisites ===
* A running EC2 instance
** [https://console.aws.amazon.com/ec2/ EC2 dashboard]
** '''Navigation''' pane > '''Instances''' > '''Instances'''
*** Confirm that the EC2 instance exists, and that it is running.
*** Retrieve the '''public DNS''' for the EC2 instance from this page.

== Notes ==
<references />

[[Category:AWS]]
[[Category:Elastic Beanstalk]]
[[Category:Web Development]]