
Connect to the application instance using SSH

The Bitnami WordPress Production-Ready Stack solution deploys instances on a private subnet that can be reached over SSH only through a Bastion host. Therefore, to connect to an instance through SSH, it’s necessary to forward the SSH key to the Bastion host.

TIP: Refer to the architecture page for more information about the subnets and security improvements available in this solution.

Here are the steps you’ll follow in this tutorial:

  • Obtain any of the Bastion hosts’ public IP address
  • Obtain any of the application instances’ private IP address
  • Connect via SSH to the Bastion host
  • Forward your key using SSH Agent
  • Connect via SSH to the application instance

The next sections will walk you through these steps in detail.

Step 1: Obtain any of the Bastion hosts’ public IP address

  • Log in to the AWS CloudFormation console.
  • Select the nested stack with name STACKNAME-BastionStack-… (replace the placeholder STACKNAME with the actual stack name chosen when deploying the template) and click the “Outputs” tab in the lower panel.
  • Note the Bastion host’s IP address, as shown below:

    Obtain Bastion IP

Step 2: Obtain any of the application instances’ private IP address

  • Log in to the AWS EC2 console.
  • Choose “Instances” from the navigation panel and select one of the application instances. You can filter by the tags you set when deploying the solution.
  • From the “Description” tab, obtain and note the instance’s private IP address, as shown below:

    Obtain WP instance IP

Step 3: Connect via SSH to the Bastion host

NOTE: You must use the SSH key pair that you associated with the CloudFormation template when it was first deployed.

Connect with an SSH client on Windows

To access your server through an SSH tunnel you need an SSH client. The instructions below use PuTTY, a free SSH client for Windows and UNIX platforms. PuTTY must be configured before it can open connections to your server.

  • Step 1: Obtain PuTTY

    • Download the PuTTY ZIP archive from its website.
    • Extract the contents to a folder on your desktop.
    • Double-click the putty.exe file to bring up the PuTTY configuration window.
  • Step 2: Convert your PEM private key to PPK format (optional)

    If your private key is in .pem format, it is necessary to convert it to PuTTY’s own .ppk format before you can use it with PuTTY. If your private key is already in .ppk format, you may skip this step.

    Follow the steps below to convert your .pem private key to .ppk format:

    • Launch the PuTTY Key Generator by double-clicking the puttygen.exe file in the PuTTY installation directory.
    • Click the “Load” button and select the private key file in .pem format.

      PuTTY key conversion

    • Once the private key has been imported, click the “Save private key” button to convert and save the key in PuTTY’s .ppk key file format.

      PuTTY key conversion

  • Step 3: Configure PuTTY

    • Double-click the putty.exe file to bring up the PuTTY configuration window.
    • In the PuTTY configuration window, enter the host name or public IP address of your server into the “Host Name (or IP address)” field, as well as into the “Saved Sessions” field. Then, click “Save” to save the new session so you can reuse it later.

      PuTTY configuration

    • Obtain your SSH credentials in order to allow the authentication against the server. Refer to the FAQ to learn how to obtain your SSH credentials for your client.

    • In the “Connection -> SSH -> Auth” section, browse to the private key file (.ppk) you’ve previously obtained in the step above.

      PuTTY configuration

    • In the “Connection -> Data” section, enter the username ec2-user into the “Auto-login username” field, under the “Login details” section.

      PuTTY configuration

    • In the “Session” section, click on the “Save” button to save the current configuration.

    • Select the session you want to start (in case that you have saved more than one session) and click the “Open” button to open an SSH session to the server.

      PuTTY configuration

      PuTTY will first ask you to confirm the server’s host key and add it to the cache. Go ahead and click “Yes” to this request (learn more).

      PuTTY connection

You should now be logged in to your server. Here is an example of what you’ll see:

PuTTY connection

TIP: In case of difficulties using PuTTY, refer to the official documentation for troubleshooting advice and resolution for common error messages.

Connect with an SSH client on Linux and Mac OS X

Linux and Mac OS X come bundled with SSH clients by default. In order to log in to your server, follow the steps below:

  • Open a new terminal window on your local system (for example, using “Finder -> Applications -> Utilities -> Terminal” in Mac OS X or the Dash in Ubuntu).
  • Set the permissions for your private key file (.pem) to 600 using a command like the one below:

    $ chmod 600 KEYFILE
    
  • Connect to the Bastion host using the following command:

    $ ssh -i KEYFILE ec2-user@BASTION_IP
    

    Remember to replace KEYFILE in the previous commands with the path to your private key file (.pem), and BASTION_IP with the public IP address obtained in Step 1.

  • Your SSH client might ask you to confirm the server’s host key and add it to the cache before connecting. Accept this request by typing or selecting “Yes” (learn more).

You should now be logged in to the Bastion host.

Step 4: Forward your key using SSH Agent

The next step is to forward your SSH key using an SSH agent. Forwarding through an agent lets you authenticate from the Bastion host to the rest of the nodes without copying the private key file onto the Bastion host, which keeps the connection through it secure. Follow the instructions below:

Forward your key using SSH Agent on Windows

To forward your SSH key using PuTTY, you must first have SSH access to your server. Please check the SSH instructions for Windows section for more information on this.

Once you have your SSH client correctly configured, enable SSH Agent forwarding. To do so, follow these steps:

  • In the “Connection -> SSH -> Auth” section, activate the “Allow agent forwarding” checkbox.

    PuTTY forward agent

  • In the “Session” section, save your changes by clicking the “Save” button.

  • Click the “Open” button to open an SSH session to the server. The SSH session will now forward your key for subsequent SSH sessions starting from the same server. You can check this by running the following:

    $ ssh-add -L
    

TIP: In case of difficulties using PuTTY, refer to the official documentation for troubleshooting advice and resolution for common error messages.

Forward your key using SSH Agent on Linux and Mac OS X

Follow the steps below:

  • Open a new terminal window on your local system (for example, using “Finder -> Applications -> Utilities -> Terminal” in Mac OS X or the Dash in Ubuntu).
  • Run the following command to add the SSH key to the agent. Remember to replace KEYFILE with the path to your private key:

    $ ssh-add KEYFILE
    
  • Connect to the Bastion host using the -A option. Remember to replace BASTION_IP with the IP address obtained in Step 1.

    $ ssh -A ec2-user@BASTION_IP
    

The SSH session will now forward your key. You can check this by running the following command:

    $ ssh-add -L

Step 5: Connect via SSH to the application instance

Once you’re connected to the Bastion host with your SSH key forwarded, you can access the application instances from there.

  • Connect to the application instance using the following command:

    $ ssh bitnami@PRIVATE_IP
    

    Remember to replace PRIVATE_IP with the private IP address obtained in Step 2. No key file is passed here because the forwarded agent supplies the key.

You should now be logged in to the instance. Here is an example of what you’ll see:

Obtain WP instance IP

TIP: To access application instances in a single step, try an alternative approach by creating an SSH tunnel.
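
The Linux and Mac OS X path of Steps 3 to 5 can be run from the workstation as one checked script. This is an added example, not Bitnami's own code: the function names, the one-hour agent lifetime (`ssh-add -t`) and the address checks are assumptions made for illustration, while KEYFILE, BASTION_IP and PRIVATE_IP are the page's placeholders.

```bash
#!/bin/sh
# Added example: Steps 3-5 (Linux/Mac OS X) with checks before any connection.
# KEYFILE, BASTION_IP, PRIVATE_IP are the page's placeholders; the function
# names and the one-hour agent lifetime are choices made for this example.

# True only if the key file exists with mode 600 (or the stricter 400).
key_mode_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# True only for a well-formed RFC 1918 address, which is what Step 2 yields.
is_private_ipv4() {
  IFS=. read -r o1 o2 o3 o4 <<EOF
$1
EOF
  for o in "$o1" "$o2" "$o3" "$o4"; do
    case "$o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] 2>/dev/null || return 1
  done
  [ "$o1" -eq 10 ] && return 0
  [ "$o1" -eq 172 ] && [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0
  [ "$o1" -eq 192 ] && [ "$o2" -eq 168 ] && return 0
  return 1
}

# Refuses to run if the key is too open or the two addresses look swapped,
# then loads the key for one hour and hops through the Bastion host.
connect_via_bastion() {
  keyfile=$1; bastion_ip=$2; private_ip=$3
  key_mode_ok "$keyfile" ||
    { echo "run: chmod 600 $keyfile" >&2; return 1; }
  is_private_ipv4 "$private_ip" ||
    { echo "PRIVATE_IP must be the private address from Step 2" >&2; return 1; }
  if is_private_ipv4 "$bastion_ip"; then
    echo "BASTION_IP must be the public address from Step 1" >&2; return 1
  fi
  ssh-add -t 3600 "$keyfile" || return 1   # Step 4: key into the local agent
  # Steps 3 and 5: -A forwards the agent, -t gives the inner ssh a terminal.
  ssh -A -t "ec2-user@$bastion_ip" ssh "bitnami@$private_ip"
}

# Usage: sh SCRIPT connect KEYFILE BASTION_IP PRIVATE_IP
if [ "${1:-}" = "connect" ]; then
  connect_via_bastion "$2" "$3" "$4"
fi
```

The agent is forwarded only for this one session, and the key expires from the local agent after an hour instead of staying loaded indefinitely.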

Last modification March 9, 2020