Access OpenClaw on an ECS instance through ali-instance-cli port forwarding or session connection, with no public IP or open ports required.
Background
Accessing the OpenClaw web UI or TUI on an ECS instance typically requires a public IP and an open service port (such as 18789) in a security group. The ali-instance-cli routes all traffic through an encrypted Session Manager channel over the Alibaba Cloud internal network, eliminating the need to expose any ports.
Two connection methods are available:
| Connection method | Description | Scenario |
| --- | --- | --- |
| Port forwarding | Forwards the OpenClaw Dashboard port to your local machine for browser access. | Daily use with a graphical interface. |
| Session connection | Connects to the instance terminal through Session Manager for command-line TUI access. | Command-line operations or direct terminal interaction. |
Prerequisites
- The required preparations are complete, including:
  - Session Manager is enabled.
  - The Cloud Assistant Agent is installed on the instance and running.
- The Session Manager CLI is installed and configured on your local machine.
- OpenClaw is deployed on the ECS instance and the OpenClaw Gateway is running.
If Session Manager is not enabled, ali-instance-cli commands return a "session manager is disabled" error.
Access web UI without a public IP
Map the OpenClaw Dashboard port to your local machine through port forwarding, then access the web UI in a browser.
Step 1: Check the gateway status
On the instance, check the OpenClaw Gateway status:
openclaw gateway status
Sample output:
Gateway: bind=lan (0.0.0.0), port=18789 (env/config)
...
RPC probe: ok
Listening: *:18789
If RPC probe shows ok and Listening shows a port number, the Gateway is running correctly.
Step 2: Get the Dashboard URL
On the instance, get the OpenClaw Dashboard URL:
openclaw dashboard
Sample output:
Dashboard URL: http://127.0.0.1:18789/#token=<TOKEN>
Note the port number (default: 18789) and the token value for the following steps.
Step 3: Run port forwarding
On your local machine, forward the instance's OpenClaw port. The command is the same for Linux, macOS, and Windows.
./ali-instance-cli portforward --instance <INSTANCE_ID> --local-port 18789 --remote-port 18789
Parameters:
- --instance: The ECS instance ID, for example, i-bp1xxxxxxxxxxxxx.
- --local-port: The local listening port. Can differ from the remote port, for example, 18789.
- --remote-port: The OpenClaw service port on the instance. Default: 18789.
Sample output:
Port forwarding for SessionId: s-hz0xxxxx, local port 18789, remote port :18789
Waiting for connections...
Keep the terminal running. Closing it disconnects the session.
Step 4: Access the Dashboard
Open the following URL in a browser:
http://localhost:18789/#token=<TOKEN>
Replace <TOKEN> with the token from Step 2. If --local-port uses a different port, update the URL accordingly.
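The checks in Step 1 and the URL rewrite in Step 4 can be scripted. The following is an added example, not code from the original page or from the OpenClaw project. The function names, the scope labels, and the sample token are assumptions, and the sample input is constructed from the sample output shown above.

```shell
#!/bin/sh
# Added example, not from the original page.

# gateway_check: reads `openclaw gateway status` output on stdin (Step 1).
# Prints "port=<n> scope=<loopback|all-interfaces|specific>".
# Returns 1 if the RPC probe is not ok, 2 if there is no usable Listening line.
gateway_check() {
    status=$(cat)
    printf '%s\n' "$status" |
        grep -Eq '^[[:space:]]*RPC probe:[[:space:]]*ok[[:space:]]*$' || return 1
    listen=$(printf '%s\n' "$status" |
        sed -n 's/^[[:space:]]*Listening:[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        head -n 1)
    case $listen in *:*) ;; *) return 2 ;; esac
    port=${listen##*:}
    addr=${listen%:*}
    case $port in ''|*[!0-9]*) return 2 ;; esac
    case $addr in
        127.*|localhost|'[::1]') scope=loopback ;;
        # Wildcard bind: the security group is what keeps the port private.
        '*'|0.0.0.0|'[::]')      scope=all-interfaces ;;
        *)                       scope=specific ;;
    esac
    printf 'port=%s scope=%s\n' "$port" "$scope"
}

# local_dashboard_url: $1 = line printed by `openclaw dashboard` (Step 2),
# $2 = the --local-port value used in Step 3. Prints the URL for Step 4.
# Returns 1 if the line carries no token or the port is not numeric.
local_dashboard_url() {
    url=${1#'Dashboard URL: '}
    case $url in http://*'#token='?*) ;; *) return 1 ;; esac
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    token=${url#*#token=}
    printf 'http://localhost:%s/#token=%s\n' "$2" "$token"
}

# Constructed sample input, based on the sample output shown above.
SAMPLE_STATUS='Gateway: bind=lan (0.0.0.0), port=18789 (env/config)
RPC probe: ok
Listening: *:18789'
printf '%s\n' "$SAMPLE_STATUS" | gateway_check
local_dashboard_url 'Dashboard URL: http://127.0.0.1:18789/#token=EXAMPLE-TOKEN' 8789
```

A scope of all-interfaces means the Gateway accepts connections on every interface of the instance, so the security group must keep the service port closed.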
Log on to TUI without a public IP
Log on to the ECS instance terminal through Session Manager and launch the OpenClaw TUI.
Step 1: Check the version requirements
Verify that your local ali-instance-cli meets the minimum version requirements:
| Operating system | Minimum version |
| --- | --- |
| Linux | 1.2.0.82 |
| Windows | 1.1.0.82 |
| macOS | 1.3.0.82 |
Check your current version:
./ali-instance-cli version
Step 2: Check the gateway status
On the instance, check the OpenClaw Gateway status:
openclaw gateway status
Step 3: Get the gateway authentication token
Get the OpenClaw Gateway authentication token from the openclaw.json configuration file.
- Linux: ~/.openclaw/openclaw.json
- Windows: C:\Users\<User name>\.openclaw\openclaw.json
The token is in the gateway.auth.token field:
{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": "<YOUR_TOKEN>"
    }
  }
}
<TOKEN> in the next command refers to this value.
Step 4: Start the TUI
If the target instance runs Linux:
Specify the instance ID, system username, and the OpenClaw Gateway authentication token.
./ali-instance-cli session --instance <INSTANCE_ID> --user-name <USER_NAME> --commandLine "openclaw tui --token <TOKEN>"
If the target instance runs Windows:
Specify the instance ID, system username, user password, and the OpenClaw Gateway authentication token.
./ali-instance-cli session --instance <INSTANCE_ID> --user-name <USER_NAME> --password <PASSWD> --commandLine "powershell -command openclaw tui --token <TOKEN>"
These are basic examples. Add other openclaw tui parameters as needed.
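The version requirement in Step 1 can be enforced before a session is opened. The following is an added example, not code from the original page. The function names and the OS labels (linux, windows, macos) are assumptions, and the version string is passed in as an argument because the page does not show the output format of the version command.

```shell
#!/bin/sh
# Added example, not from the original page.

# version_ge A B: succeeds when dotted version A >= B, comparing each field
# numerically (so 1.10 is newer than 1.2). Returns 2 on malformed input.
version_ge() {
    case $1 in ''|*[!0-9.]*) return 2 ;; esac
    case $2 in ''|*[!0-9.]*) return 2 ;; esac
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# min_cli_version OS: minimum ali-instance-cli versions from the table in Step 1.
min_cli_version() {
    case $1 in
        linux)   echo 1.2.0.82 ;;
        windows) echo 1.1.0.82 ;;
        macos)   echo 1.3.0.82 ;;
        *)       return 1 ;;
    esac
}

# cli_ok OS VERSION: 0 = meets the minimum, 1 = too old, 2 = bad input.
cli_ok() {
    min=$(min_cli_version "$1") || return 2
    version_ge "$2" "$min"
}

# Constructed sample values.
cli_ok linux 1.2.0.82 && echo "linux 1.2.0.82: ok"
cli_ok macos 1.2.0.82 || echo "macos 1.2.0.82: upgrade required"
```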
FAQ
OpenClaw is deployed in a Docker container and the web UI is inaccessible after port forwarding
The OpenClaw Gateway is not bound to a network interface that Docker can access. By default, the Gateway binds to the loopback address, which prevents Docker port mapping from forwarding traffic.
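Solution: Change the OpenClaw Gateway bind mode to LAN and restart the container. In LAN mode the Gateway listens on all interfaces (0.0.0.0, as in the sample output of the gateway status check), so keep the service port closed in the security group.
Replace <CONTAINER_NAME> with your container name: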
docker exec <CONTAINER_NAME> openclaw config set gateway.bind lan
docker restart <CONTAINER_NAME>
"Permission denied" for Docker commands
By default, ali-instance-cli sessions run as ecs-assist-user. To run Docker commands, use sudo, for example, sudo docker exec openclaw openclaw dashboard.