Tags: amazon-web-services, amazon-ec2, ssh-tunnel, aws-security-group

How Is Port Forwarding Working on AWS without Security Group Rules?


I am running an AWS EC2 instance with Ubuntu 22.04. I am also running a Jupyter server there for Python development and connecting to it from my local Ubuntu laptop with SSH tunneling.

#!/usr/bin/env bash
# encoding:utf-8
SERVER=98.209.63.973 # My EC2 instance
# Tunnel the jupyter service: local 8081 -> (over the SSH connection, port 22) -> remote localhost:8888
# -N: open no remote shell, only carry the forward; nohup ... & keeps the tunnel running in the background
nohup ssh -N -L localhost:8081:localhost:8888 "$SERVER" & # 8081: local port, 8888: remote port

However, I never opened port 8888 of the EC2 instance with a security group rule. How come the port forwarding works in that case? Shouldn't it be blocked?


Solution

  • When using ssh -L, ssh will listen on local port 8081 and send that traffic across the SSH connection (port 22) to the destination computer. The ssh daemon that receives the traffic will then forward it to localhost:8888.

    There is no need to permit port 8888 in the EC2 instance security group because it is receiving this traffic via port 22.

    An SSH connection does more than just send the keystrokes you type. It is a full protocol that can pass traffic across multiple logical channels.
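As an added example (not part of the question or the answer above), a small Python audit that parses an `ss -ltn` listing taken on the instance and reports, for the `-L` spec used in the question, which inbound port the security group actually has to allow and whether the forward target is bound to loopback only. The `ss` output is constructed, and `SAMPLE_SS_OUTPUT`, `parse_forward_spec`, `listeners` and `check_tunnel` are names chosen here.

```python
"""Check an `ssh -L` forward against the listening sockets on the instance."""

# Constructed `ss -ltn` sample (columns: State Recv-Q Send-Q Local:Port Peer:Port).
# On a real host: subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22           0.0.0.0:*
LISTEN  0       128         127.0.0.1:8888         0.0.0.0:*
LISTEN  0       511           0.0.0.0:8080         0.0.0.0:*
LISTEN  0       128             [::1]:8888            [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_forward_spec(spec):
    """Split `[bind_address:]port:host:hostport` into (bind, port, host, hostport).

    Bracketed IPv6 literals are not handled, to keep the parser short.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unrecognised -L spec: {spec!r}")
    return bind, int(port), host, int(hostport)


def listeners(ss_output):
    """Yield (bind_address, port) for every LISTEN line of `ss -ltn` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields or len(fields) < fields.index("LISTEN") + 4:
            continue  # header line or truncated line
        # Local address sits three columns after State; works with or without a Netid column.
        addr, _, port = fields[fields.index("LISTEN") + 3].rpartition(":")
        yield addr.strip("[]"), int(port)


def check_tunnel(spec, ss_output):
    """Describe what a local forward needs from the instance and its security group."""
    _, local_port, host, hostport = parse_forward_spec(spec)
    binds = {addr for addr, port in listeners(ss_output) if port == hostport}
    return {
        "local_port": local_port,
        "remote_port": hostport,
        # sshd on the instance dials the target itself, so only SSH needs an inbound rule.
        "sg_port_required": 22,
        "target_is_local": host in LOOPBACK,
        "target_listening": bool(binds),
        # Loopback-only binds stay unreachable from outside even if an SG rule is added later.
        "target_loopback_only": bool(binds) and binds <= LOOPBACK,
    }
```

For the question's forward, the report shows the target listening on 127.0.0.1/::1 only, so port 22 is the only inbound rule the tunnel depends on.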