This post is the side effect of working on my post how to connect from SAP HANA Cloud trial to SAP HANA, express edition, in AWS via the Cloud Connector. I decided to share it as a separate quick how-to in case anyone finds it helpful too.

Normally I use ssh from my laptop to connect to the OS shell of my EC2 instance running SAP HANA, express edition. But I started thinking and investigating how to connect to it from AWS CloudShell. In GCP Shell I would use something like gcloud compute ssh, so what was equivalent in AWS?

The way I found was EC2 Instance Connect. that I described below. Please let me know if/what you would do differently.

Deploy EC2 Instance Connect on SAP HANA's host

I had to deploy EC2 Instance Connect on the instance first using some other ways connecting to it.

sudo zypper install ec2-instance-connect

In the AWS CloudShell

Get required details about the instance:

export AWS_REGION=eu-central-1



#Get Instance ID and its status

aws ec2 describe-instances --filters "Name=tag:Name,Values=HXE02" \

 --query "Reservations[*].Instances[*].{InstanceID:InstanceId,PublicIP:PublicIpAddress,Name:Tags[?Key=='Name']|[0].Value,Status:State.Name,AvailabilityZone:Placement.AvailabilityZone}" \

 --output table



#Start the EC2 instance, if required

aws ec2 start-instances --instance-ids i-033f738d907b0773f

Establish SSH connection to the instance:

#Install user mssh tool

python3 -m pip install ec2instanceconnectcli --user



#Connect to the instance

mssh --region eu-central-1 i-033f738d907b0773f

I got Connection timed out because the SSH port is blocked for ingress from addresses other than my laptop for now. I need to add another rule to allow ingress from the CloudShell instance.

Add the security group to allows SSH access to the EC2 instance from AWS CloudShell:

#Set the AWS region

export AWS_REGION=eu-central-1



#Get Instance's VPC ID

aws ec2 describe-instances --filters "Name=tag:Name,Values=HXE02" \

 --query "Reservations[].Instances[0].NetworkInterfaces[0].VpcId[]"

#Returned vpc-02708f64c1f7ef868



#Create a new security group

aws ec2 create-security-group --vpc-id vpc-02708f64c1f7ef868 \

 --group-name SSHfromAWSCloudShell \

 --description "Allow SSH access from the current CloudShell instance"

# Returned sg-056f379bebfaf0575



#Add and ingress rule to allow SSH (port 22) access from the current IP address

aws ec2 authorize-security-group-ingress --group-id sg-056f379bebfaf0575 \

 --protocol tcp --port 22 --cidr $(curl -s ifconfig.io)/32



#Display security group's ingress rules

aws ec2 describe-security-groups --group-id sg-056f379bebfaf0575 \

 --query "SecurityGroups[].IpPermissions"

Assign the newly created security group to the instance:

## Assign the security group to the instance (without dropping existing assignemnts)

#Get instance Network Interface ID

aws ec2 describe-instances --filters "Name=tag:Name,Values=HXE02" \

 --query "Reservations[].Instances[0].NetworkInterfaces[0].NetworkInterfaceId"

#Returned eni-0071160c754b88c6c



#Get assigned security groups

aws ec2 describe-network-interfaces --filters "Name=network-interface-id,Values=eni-0071160c754b88c6c" \

 --query "NetworkInterfaces[*].Groups[*].{Name:GroupName,ID:GroupId}"

#Returned sg-0e43ac22a862322ef



#Set security groups (to include the SSH access from CloudShell)

aws ec2 modify-instance-attribute --instance-id i-033f738d907b0773f \

 --groups sg-0e43ac22a862322ef sg-056f379bebfaf0575

Now, SSH connection to my EC2 instance should work OK!

mssh --region eu-central-1 i-033f738d907b0773f

I am in my SAP HANA's host shell! The level is unlocked 🏆