Quick tip: How-to connect to an SAP HANA, express edition, EC2 host from the AWS CloudShell

This post is the side effect of working on my post how to connect from SAP HANA Cloud trial to SAP HANA, express edition, in AWS via the Cloud Connector. I decided to share it as a separate quick how-to in case anyone finds it helpful too.

Normally I use ssh from my laptop to connect to the OS shell of my EC2 instance running SAP HANA, express edition. But I started thinking and investigating how to connect to it from AWS CloudShell. In GCP Shell I would use something like gcloud compute ssh, so what was equivalent in AWS?

The way I found was EC2 Instance Connect. that I described below. Please let me know if/what you would do differently.

Deploy EC2 Instance Connect on SAP HANA’s host

I had to deploy EC2 Instance Connect on the instance first using some other ways connecting to it.

sudo zypper install ec2-instance-connect

In the AWS CloudShell

Get required details about the instance:

export AWS_REGION=eu-central-1

#Get Instance ID and its status
aws ec2 describe-instances --filters "Name=tag:Name,Values=HXE02" \
 --query "Reservations[*].Instances[*].{InstanceID:InstanceId,PublicIP:PublicIpAddress,Name:Tags[?Key=='Name']|[0].Value,Status:State.Name,AvailabilityZone:Placement.AvailabilityZone}" \
 --output table

#Start the EC2 instance, if required
aws ec2 start-instances --instance-ids i-033f738d907b0773f

Establish SSH connection to the instance:

#Install user mssh tool
python3 -m pip install ec2instanceconnectcli --user

#Connect to the instance
mssh --region eu-central-1 i-033f738d907b0773f

I got Connection timed out because the SSH port is blocked for ingress from addresses other than my laptop for now. I need to add another rule to allow ingress from the CloudShell instance.

Add the security group to allows SSH access to the EC2 instance from AWS CloudShell:

#Set the AWS region
export AWS_REGION=eu-central-1

#Get Instance's VPC ID
aws ec2 describe-instances --filters "Name=tag:Name,Values=HXE02" \
 --query "Reservations[].Instances[0].NetworkInterfaces[0].VpcId[]"
#Returned vpc-02708f64c1f7ef868

#Create a new security group
aws ec2 create-security-group --vpc-id vpc-02708f64c1f7ef868 \
 --group-name SSHfromAWSCloudShell \
 --description "Allow SSH access from the current CloudShell instance"
# Returned sg-056f379bebfaf0575

#Add and ingress rule to allow SSH (port 22) access from the current IP address
aws ec2 authorize-security-group-ingress --group-id sg-056f379bebfaf0575 \
 --protocol tcp --port 22 --cidr $(curl -s ifconfig.io)/32

#Display security group's ingress rules
aws ec2 describe-security-groups --group-id sg-056f379bebfaf0575 \
 --query "SecurityGroups[].IpPermissions"

Assign the newly created security group to the instance:

## Assign the security group to the instance (without dropping existing assignemnts)
#Get instance Network Interface ID
aws ec2 describe-instances --filters "Name=tag:Name,Values=HXE02" \
 --query "Reservations[].Instances[0].NetworkInterfaces[0].NetworkInterfaceId"
#Returned eni-0071160c754b88c6c

#Get assigned security groups
aws ec2 describe-network-interfaces --filters "Name=network-interface-id,Values=eni-0071160c754b88c6c" \
 --query "NetworkInterfaces[*].Groups[*].{Name:GroupName,ID:GroupId}"
#Returned sg-0e43ac22a862322ef

#Set security groups (to include the SSH access from CloudShell)
aws ec2 modify-instance-attribute --instance-id i-033f738d907b0773f \
 --groups sg-0e43ac22a862322ef sg-056f379bebfaf0575

Now, SSH connection to my EC2 instance should work OK!

mssh --region eu-central-1 i-033f738d907b0773f

I am in my SAP HANA’s host shell! The level is unlocked 🏆