Allow your browser navigate to website on private subnets using SSH

alfchee profile image alfchee ・2 min read

Let's say we have an scenario where you have you Cloud with private and public subnets, your servers are on private subnets and they go public only by Load Balancers and everything goes right. Also, in your public subnet you have an instance that you use as bastion, for any configuration or test/check you want to perform on the instances in the private subnet.

Diagram of VPC with public and private subnets

But let's say that you want to create a new instance of dev or test, but with the same subnet environment, that is the private subnet, and you want to test your web application on that instance, but you cannot reach it from public Internet, then how to do that?

Then, there's still a way to get access to your app, and that is using SOCKS v5 and SSH!!

You may typically connect to your bastion using SSH

ssh -i ~/.ssh/my-key user@bastion-public-ip

Then we are going to use one more parameter of SSH to achieve our goal, and that is -D, which according the documentation

-D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. Currently the SOCKS4 and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. Only root can forward privileged ports. Dynamic port forwardings can also be specified in the configuration file.

Then this option allow us to allocate a local socket, then whenever we create a connection to the port we chose, all the communication will be done through the SSH tunnel, and the bastion instance will be used as a proxy to get the dev/test instance on the private subnet.

Now the first thing we need to do is to create the SSH connection

ssh -i ~/.ssh/my-key -D 1234 user@bastion-public-ip

We are setting the port 1234 to work for us as the port we need to connect on our local. I'm going to configure Firefox, but can be done on Chrome as well.

Going to Options > Network Settings and we are going to chose

  • Manual proxy configurations, checked
  • SOCKS Host: localhost, and Port: 1234
  • SOCKS v5, checked
  • Proxy DNS when using SOCKS v5, checked

In the same way as in the screenshot below

Firefox SOCK v5 configuration

And then, from your browser, you'll be able to reach your dev/test instance using the private DNS or private IP!!

This helped me in one situation, then hoping can help you too. Also, in this way you may funnel any other kind of traffic through that port, so, you may test with other kind of applications.

Thanks for read!!

Posted on Nov 17 '19 by:

alfchee profile



I would like to program Skynet, but I'm not sure if I would deploy it on AWS or Azure, which would be better for humans?


markdown guide