Workbench is a browser-based remote connection tool from Alibaba Cloud that lets you connect to ECS instances directly from a browser, with no software installation required.
What is Workbench?
Workbench introduction
Workbench is a browser-based remote connection tool that requires no installation. The following figure shows how to connect to an ECS instance by using Workbench.
Features of Workbench
Multiple connection methods
You can use Workbench to connect to instances using various methods, such as SSH (for Linux), RDP (for Windows) and Security Center.
Public and private network connections
When connecting to an instance by using Workbench over SSH or RDP, you can use either a public or private IP address.
More features of Workbench
Workbench also provides the following features.
File management: Visually manage files on Linux instances, with support for file uploads and downloads. For more information, see Manage files on an ECS instance by using Workbench.
AI Agent mode: In AI Agent mode, you can use natural language to plan and perform Linux O&M operations, simplifying tasks like software installation and issue diagnosis. For more information, see AI Agent mode.
Terminal Assistant: Generates scripts and commands for O&M tasks. For more information, see Terminal Assistant.
Intelligent command completion: Predicts and displays a list of subsequent commands, parameters, or options based on the context as you type in the command line. For more information, see Intelligent command completion.
System management: Centrally manages users, logon logs, and system services on Linux instances, and monitors the system status in real time. You can also visually add O&M tasks such as heap analysis, thread stack analysis, or performance analysis for Java applications. For more information, see System management.
Script library: Allows you to save frequently used commands or script snippets in Workbench and run them with a single click in any instance session connected through Workbench. For more information, see Script library.
Screen recording audit: Records videos of user operations within ECS instances. This lets administrators review user behavior for auditing purposes and provides evidence for security audits. For more information, see Screen recording audit.
Command audit: Reviews the history of commands run in Workbench logon sessions to ensure compliance with security standards. This helps identify abnormal operations and security risks by recording command details, execution times, and other information for further analysis and auditing. For more information, see Command audit.
Multi-terminal: Allows you to connect to multiple ECS instances simultaneously and run the same commands on all of them. For more information, see Multi-terminal.
Software installation: Allows you to use AI Agent or predefined packages from CloudOps Orchestration Service (OOS) to automatically deploy software such as Docker and MySQL. For more information, see Software installation.
Workbench workflow
The workflow for connecting to an instance by using Workbench is shown in the following figure.
Locate the instance to connect to.
Establish a network connection between Workbench and the ECS instance.
In this step, you need to configure the security group of the instance and the firewall on the instance to allow inbound traffic from Workbench.
Connect to the instance by using Workbench.
On the console, choose to connect to the instance by using Workbench and enter credentials such as a username and password or a key pair.
Create the service-linked role.
If you have not created a service-linked role, Workbench prompts you to create one. This role grants Workbench the permission to access the ECS instance.
Connect to the instance and perform O&M operations.
Service-linked role for Workbench
The first time you use Workbench to connect to an instance, you are prompted to create the AliyunServiceRoleForECSWorkbench service-linked role. Workbench requires this role to access your ECS instances. For more information about service-linked roles, see Service-linked roles.
When you connect to an instance for the first time, a dialog box appears. Click OK to automatically create the service-linked role.
If you are a RAM user, ask your Alibaba Cloud account administrator to attach the AliyunECSWorkbenchFullAccess system access policy to your RAM user, which grants the permission required to create the service-linked role for Workbench.
RAM user permissions
After the service-linked role is created, a RAM user requires the following access policy to use Workbench to connect to all ECS instances.
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ecs-workbench:LoginInstance",
          "Resource": "*",
          "Effect": "Allow"
        }
      ]
    }
To restrict the instances that the user can connect to by using Workbench, modify the Resource field as follows:
    {
      "Version": "1",
      "Statement": [
        {
          "Action": "ecs-workbench:LoginInstance",
          "Resource": [
            "acs:ecs-workbench:{#regionId}:{#accountId}:workbench/{#instanceId}",
            "acs:ecs-workbench:{#regionId}:{#accountId}:workbench/{#instanceId}"
          ],
          "Effect": "Allow"
        }
      ]
    }
The parameters in the resource string are as follows:
{#regionId}: The ID of the region where the instance resides. You can use a wildcard character (*).
{#accountId}: The ID of the Alibaba Cloud account. You can use a wildcard character (*).
{#instanceId}: The ID of the target instance. You can use a wildcard character (*).
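The following added example (not code from the Alibaba Cloud documentation) shows why scoping the Resource field matters: it is a simplified evaluator for the ecs-workbench:LoginInstance action that checks a Workbench resource string against the broad and the instance-scoped policies above. The region, account and instance IDs are constructed placeholders, and the evaluation logic (default deny, explicit Deny overrides Allow, segment-wise wildcard matching) is an assumption that approximates RAM rather than a reproduction of it.

```python
import fnmatch

# Constructed sample policies mirroring the two shown above. Region, account and
# instance IDs are placeholders, not values from any real account.
REGION, ACCOUNT = "cn-hangzhou", "123456789012345678"
BROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "ecs-workbench:LoginInstance",
                   "Resource": "*", "Effect": "Allow"}],
}
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [{"Action": "ecs-workbench:LoginInstance",
                   "Resource": [f"acs:ecs-workbench:{REGION}:{ACCOUNT}:workbench/i-example01",
                                f"acs:ecs-workbench:{REGION}:{ACCOUNT}:workbench/i-example02"],
                   "Effect": "Allow"}],
}

def workbench_arn(region, account, instance):
    """Build the resource string that LoginInstance is checked against."""
    return f"acs:ecs-workbench:{region}:{account}:workbench/{instance}"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def arn_matches(pattern, arn):
    """A bare '*' matches everything; otherwise compare colon-separated segments
    one by one, so a wildcard in one segment (e.g. region) cannot spill over
    into the account or instance segment."""
    if pattern == "*":
        return True
    p_parts, a_parts = pattern.split(":"), arn.split(":")
    return len(p_parts) == len(a_parts) and all(
        fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))

def is_login_allowed(policy, arn, action="ecs-workbench:LoginInstance"):
    """Simplified evaluation (assumption): default deny, an explicit Deny wins
    over any Allow, and Allow only when a statement covers both action and resource."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(arn_matches(r, arn) for r in _as_list(stmt["Resource"])):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

if __name__ == "__main__":
    for inst in ("i-example01", "i-example03"):
        arn = workbench_arn(REGION, ACCOUNT, inst)
        print(inst, "broad:", is_login_allowed(BROAD_POLICY, arn),
              "scoped:", is_login_allowed(SCOPED_POLICY, arn))
```

Running it shows the broad policy admitting every instance in every region and account, while the scoped policy admits only the two listed instances in the listed region.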
Security group settings
When you use Workbench to connect to an instance over SSH or RDP, you must allow inbound traffic from the Workbench server in the security group of the instance. You can refer to the following table to add a security group rule based on your network type. For more information, see Add a security group rule.
If a firewall is enabled on the instance, update the firewall rules to match the security group rules.
Authorization policy | Priority | Protocol type | Port range | Authorization object
Allow | 1 | Custom TCP | The port depends on the remote connection service on your instance. | (see the notes below)
Important: If you modified the port of the remote service on your instance, configure the port range accordingly.
Warning: If you set the authorization object to