wallix / awless

A Mighty CLI for AWS
http://awless.io/
Apache License 2.0

Public IP fallback for awless ssh --private #131

Closed edubxb closed 6 years ago

edubxb commented 7 years ago

I normally use private IP addresses to connect by ssh to EC2 instances, but in some cases the instances are only reachable using their public IP. To avoid trying first with the private address and, if that fails, with the public one, a useful feature would be to add another flag to delegate this work to awless.

simcap commented 7 years ago

@edubxb I guess the use case presented could be generalized as falling back on the other IP (public or private) when one does not work. And indeed we do not support that yet.

I have a few remarks though:

I might not have understood your DevOps scenario well enough, so do not hesitate to clarify your setup.

edubxb commented 7 years ago

Yes @simcap, the use case could be from private to public, or vice versa, but in my case it is the first. Let me explain my current scenario...

I work with several AWS accounts; some of them are for production and others for development or staging purposes. The VPCs of some accounts are reachable from our local networks through [Direct Connect](https://aws.amazon.com/es/directconnect/). Since I'm a little lazy, when I need to connect to an EC2 instance, I do not want to remember whether the instance belongs to a VPC reachable by our private network or not. This is the reason I suggested this feature.

In some cases, the instances do not have a public IP, so awless could inspect the instance properties to find it, and if it doesn't have one (not sure if awless already does this currently), use the private address instead, regardless of the flag used or the default behavior.

Another situation could be an instance with a public IP that is not reachable through it by SSH, because the admin tasks are done with the private one.

Please, let me know if you need more information about it.

simcap commented 7 years ago

Ok, thanks.

In order to implement that (fall back on public) we will have to better type and identify the errors returned by the code from awless ssh. The idea is to know for sure what the failure was about: wrong username, key issue, host issue. This is not the case right now.

Once we have that we will be able to cleanly implement such scenarios. I do not know when though.

P.S.: in the meantime, there might be a way to get this behavior by combining some bash functions + awless, though I have not had the time to look into it yet.

edubxb commented 7 years ago

Yes, some script magic can help, something like:

```bash
# Try the private IP first; if that attempt exits non-zero, retry via the public IP.
function aws-ssh {
  awless ssh --private "$@" || awless ssh "$@"
}
```

fxaguessy commented 6 years ago

This bash script seems to be sufficient for this problem.
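
An added example, not part of the original thread or of awless itself: a variant of the wrapper above that retries on the public IP only when the first failure was a host issue, and not after a username, key or host-key failure, which is the distinction simcap describes. The function names are hypothetical, the patterns are OpenSSH client messages, and it is an assumption that `awless ssh` prints comparable text on stderr.

```shell
# Added example. Assumption: the failing attempt writes OpenSSH-style
# error text to stderr; awless may word its errors differently.

classify_ssh_failure() {
  # $1: captured stderr text. Prints one of: hostkey | auth | host | unknown
  case "$1" in
    *"REMOTE HOST IDENTIFICATION HAS CHANGED"*|*"Host key verification failed"*)
      echo hostkey ;;
    *"Permission denied"*|*"Too many authentication failures"*)
      echo auth ;;
    *"Connection timed out"*|*"Connection refused"*|*"No route to host"*|*"Network is unreachable"*)
      echo host ;;
    *)
      echo unknown ;;
  esac
}

should_fall_back() {
  # Retry on the other address only when the host itself was unreachable.
  [ "$(classify_ssh_failure "$1")" = host ]
}

aws_ssh() {
  errfile=$(mktemp) || return 1
  # stderr goes to a file so the failure can be classified afterwards.
  awless ssh --private "$@" 2>"$errfile"
  status=$?
  err=$(cat "$errfile")
  rm -f "$errfile"
  [ "$status" -eq 0 ] && return 0
  printf '%s\n' "$err" >&2
  if should_fall_back "$err"; then
    awless ssh "$@"            # public IP attempt
  else
    return "$status"           # auth or host-key failure: do not retry elsewhere
  fi
}
```
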