Ansible, connecting to bastion server in AWS VPC, host unreachable

How can I connect to a bastion server in an AWS VPC using Ansible 2.x to perform a Docker swarm setup? I've seen this question and the official FAQ.

Already tried providing the following via --extra-vars: ansible_ssh_common_args: '-o ProxyCommand="ssh -W %h:%p -q user@my.bastion.server.com"' or even using ansible.cfg with the parameter above, or even something like:

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=600s -J ec2-user@my.bastion.dns.com

I tried a lot of combinations but I’m always getting this error message running a ping command in a playbook:

UNREACHABLE! => {"changed": false, "msg": "Failed to connect to the host via ssh: ssh: connect to host 10.1.xx.xx port 22: Operation timed out\r\n",

Probably worth mentioning that:

  1. I’m able to connect to the private hosts in my VPC normally using the ssh -J option, for example: ssh -J user@my.bastion.server.com user@vpc.host.private.ip.
  2. I’m using Ansible’s ec2.py dynamic inventory with ec2.ini configured to map the private ips for a given tag entry.

1 answer

  • answered 2018-07-11 17:28 Rogério Peixoto

    It was an ssh misconfiguration problem.

    I was able to fix it with the following configuration parameters.

    1) Ansible.cfg file

    [ssh_connection]
    ssh_args = -o ProxyCommand="ssh -W %h:%p -q $BASTION_USER@$BASTION_HOST" -o ControlPersist=600s 
    control_path=%(directory)s/%%h-%%r
    pipelining = True
    

    2) Ec2.ini file

    [ec2]
    regions = us-xxxx-x
    destination_variable = private_ip_address
    vpc_destination_variable = private_ip_address
    

    3) Playbook Execution Command

    export BASTION_USER=xxx-xxxx;
    export BASTION_HOST=ec2-xx-xx-xx-xx.xxxxx.compute.amazonaws.com;
    ansible-playbook -u ec2-xxxx \
     -i ./inventory/ec2.py \
     ./playbook/ping.yml \
     --extra-vars \
     "var_hosts=tag_Name_test_private ansible_ssh_private_key_file=~/.ssh/my-test-key.pem" -vvv
    

    And voilà!

    successful ping
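The accepted answer builds the ProxyCommand from `$BASTION_USER` and `$BASTION_HOST`; if either is unset, ssh is handed `... -q @` and Ansible reports the same UNREACHABLE timeout. The shell helper below is an added example, not part of the original question or answer: it composes the same `ssh_args` string, refuses to run when a variable is empty, keeps bastion host-key checking strict, and passes the result through `ANSIBLE_SSH_ARGS` instead of editing ansible.cfg. The inventory path, playbook path, key file and `ec2-user` login are placeholders taken from the answer.

```shell
#!/bin/sh
# Added example: guard the bastion ProxyCommand used in the accepted answer.
set -eu

# Print the -o options Ansible should hand to ssh. Arguments: bastion user,
# bastion host. Returns 1 (and prints nothing) if either is missing, so an
# unset environment variable cannot silently produce "ssh -W %h:%p -q @".
bastion_ssh_args() {
    user="${1:-}"
    host="${2:-}"
    if [ -z "$user" ] || [ -z "$host" ]; then
        echo "bastion_ssh_args: BASTION_USER and BASTION_HOST must both be set" >&2
        return 1
    fi
    # StrictHostKeyChecking=yes turns a changed or unknown bastion key into a
    # hard error instead of an interactive prompt that hangs inside Ansible;
    # the bastion key must already be in known_hosts (add it out of band).
    # printf's argument is not a format string, so %h and %p stay literal.
    printf '%s' "-o ProxyCommand=\"ssh -W %h:%p -q -o StrictHostKeyChecking=yes $user@$host\" -o ControlPersist=600s"
}

# Same playbook run as step 3 of the answer, driven by the guarded string.
# ANSIBLE_SSH_ARGS is the environment equivalent of [ssh_connection] ssh_args.
run_ping_via_bastion() {
    args="$(bastion_ssh_args "${BASTION_USER:-}" "${BASTION_HOST:-}")" || return 1
    ANSIBLE_SSH_ARGS="$args" ansible-playbook -u ec2-user \
        -i ./inventory/ec2.py \
        ./playbook/ping.yml \
        --extra-vars "var_hosts=tag_Name_test_private ansible_ssh_private_key_file=~/.ssh/my-test-key.pem"
}
```

Run `BASTION_USER=ec2-user BASTION_HOST=<bastion public DNS> ./script.sh` after defining the functions, or source the file and call `run_ping_via_bastion` directly.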