SSH to an EC2 instance in VPC private subnet


While exploring AWS VPC, have you wondered how you would SSH into your instances, since instances launched in a VPC's private subnet do not have direct internet access?

This tutorial explains how to connect to those instances using a port forwarding technique.

Step 1 : Creating VPC

Create a VPC with public and private subnets using one of the templates provided in the VPC Wizard.


On the next screen, make sure to choose a valid keypair for which you have the .pem file. You’ll need this to SSH into the NAT instance. Also keep a note of the default IP ranges for the private and public subnets.


At this point, the wizard will create the following resources for you:

• VPC (with CIDR in our case)
• Public Subnet (with CIDR
• Private Subnet (with CIDR
• Two Route Tables
• One Internet Gateway
• One Network ACL
• One Elastic IP
• One Security Group

In addition to this list, you will notice that the wizard has also launched a NAT instance. This is a special type of instance that is used to route traffic for other instances. The VPC wizard has also already configured the route tables to route traffic from the public subnet to the Internet Gateway and from the private subnet to the NAT instance.

Step 2 :  SSH into NAT instance

Before you can SSH into the NAT instance, you’ll need to change the VPC’s Security Group settings to allow inbound traffic over port 22.

Now, let’s go to the EC2 service page to get the Elastic IP of the NAT instance launched by the VPC wizard and try to SSH into this instance using the keypair provided earlier.


I’m using Ubuntu’s terminal to connect to my instance using the following command:

ssh -i training.pem ec2-user@

You’ll need to change the IP address at the end to the Elastic IP assigned to you.


Note the IP address in the last line of the screenshot above ( This is the private IP that was automatically assigned to our NAT instance. Also note that since the NAT instance was launched in the public subnet, this IP falls into the CIDR range for our public subnet (

Step 3 : Launching instances in Private Subnet

We will now launch two instances in the private subnet. Later we’ll SSH into these instances by redirecting TCP packets through the NAT instance. While launching the instances, make sure to launch them in the private subnet of the VPC we created (Subnet in our case). Once the instances are launched, note down their private IP addresses. We will use them to configure iptables on our NAT instance.


The launched instances in our case carry the following private IPs



Step 4 : Configuring iptables on NAT instance

We will now add two DNAT rules to the NAT instance:

sudo iptables -t nat -A PREROUTING -p tcp --dport 10234 -j DNAT --to-destination
sudo iptables -t nat -A PREROUTING -p tcp --dport 10235 -j DNAT --to-destination

Here I have updated the iptables rules of the NAT instance to route incoming traffic on port 10234 to port 22 of the first instance in our private subnet, and similarly traffic on port 10235 to port 22 of the second instance.
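The Step 4 rules as an added example (not part of the original post): a small generator that validates each port-to-host mapping, limits the forward to one source address, and prints idempotent commands instead of running them. `ADMIN_CIDR`, the function names and all addresses are assumptions, constructed for illustration.

```sh
#!/bin/sh
# Added example: prints (does not run) the DNAT rules from Step 4.
# ADMIN_CIDR and all addresses are constructed placeholders, not the tutorial's values.
ADMIN_CIDR="203.0.113.10/32"   # assumed: the only workstation allowed to use the forwards

valid_ipv4() {
  case $1 in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
}

# Unprivileged ports only, so a forward can never shadow the NAT instance's own sshd on 22.
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ ${#1} -le 5 ] && [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# dnat_rule PORT PRIVATE_IP: print one idempotent rule (-C checks, -A appends if absent).
dnat_rule() {
  valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
  valid_ipv4 "$2" || { echo "bad address: $2" >&2; return 1; }
  spec="PREROUTING -s $ADMIN_CIDR -p tcp --dport $1 -j DNAT --to-destination $2:22"
  echo "iptables -t nat -C $spec 2>/dev/null || iptables -t nat -A $spec"
}

# build_rules PORT=IP ...: reject a port used twice (only the first rule would ever match).
build_rules() {
  seen=" "
  for pair in "$@"; do
    port=${pair%%=*}; ip=${pair#*=}
    case $seen in *" $port "*) echo "duplicate port: $port" >&2; return 1 ;; esac
    seen="$seen$port "
    dnat_rule "$port" "$ip" || return 1
  done
}

# Constructed mapping: two forwarded ports to two placeholder private addresses.
build_rules 10234=10.0.1.11 10235=10.0.1.12
```

Review the printed commands, then run them with sudo on the NAT instance. Applying the same source restriction to the security group rules for the forwarded ports keeps them from being reachable from arbitrary addresses.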

Step 5 : Configuring Security Group

Before we can SSH into the instances in the private subnet, we’ll need to update the security group of the NAT instance to accept incoming traffic on ports 10234 and 10235. Port 22 should also be open for the target instances (we have already done this earlier).

Step 6 : SSH into NAT on specified port number

Now we’ll SSH to our NAT instance again from our local system as before, with one difference: this time we’ll specify the port number in our SSH command.

ssh -p 10234 -i /home/himanshu/Downloads/training.pem ec2-user@
ssh -p 10235 -i /home/himanshu/Downloads/training.pem ec2-user@

This allows us to SSH directly into an instance in the private subnet. Check the last line of the screenshot below to see that the IP address belongs to one of the instances in the private subnet.


This completes our tutorial.

Make sure you terminate your instances and delete the VPC to avoid any unnecessary charges.

