Step 1: Remote Management

Author: Dean Suzuki, Siavash Irani (Last Updated: 4/4/20)

Abstract

Imagine that you have a fleet of Windows web servers and you need to perform some action against them. In this session, you will learn about a couple tools to help you remotely manage your server using:

  • Session Manager: Interactive remote shell environment

  • Run Command: Used to execute commands against a fleet of servers.

In this scenario, you have a fleet of web servers (ok, two, but you can imagine ). They are not working and you need to figure out what’s wrong.

Let’s begin by looking at the resources that make up the application.

  1. Login to the AWS console and select the N.Virginia region at the top right corner.
  2. Navigate to the EC2 console
  3. Choose Load Balancers in the left navigation and pick the load balancer who’s name has “MyLoad-.”
  4. Copy the DNS name and paste it into a new browser tab. NOTE: This will fail. Chrome will show a 503 error. Firefox shows a blank page. Keep this tab open as we will return to it later.
  5. Go back to the EC2 console and choose Instances from the left navigation
  6. Select “WEB01” from the list of instances and note that is has no public IP. How are we going to diagnose this if we cannot RDP to the instance?
  7. Switch to the Tags tab and look at the Tags that have been applied to WEB01. We are going to use these tags to apply policy later in the workshop.

Right click on “WEB01”, choose Instance Settings, and View/Change User Data. Note the PowerShell script that is being used to boot strap the instance. Something must be wrong with it?

Use SSM Session Manager to remotely connect to the instance.

Session Manager is a fully managed AWS Systems Manager capability that lets you manage your Amazon EC2 instances through an interactive one-click browser-based shell or through the AWS CLI. Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. Session Manager also makes it easy to comply with corporate policies that require controlled access to instances, strict security practices, and fully auditable logs with instance access details, while still providing end users with simple one-click cross-platform access to your Amazon EC2 instances.

  1. Navigate to AWS Systems Manager console
  2. Choose Session Manager in the left navigation pane
  3. Click the Start Session button
  4. Under Target Instances select “WEB01” and click on Start Session.
  5. Once connected to the session, run a PowerShell command to read the content of the User Data execution log to identify the cause of execution failure.

    Get-Content -Path C:\\ProgramData\\Amazon\\EC2-Windows\\Launch\\log\\UserdataExecution.log
    
  6. Make a note of the error message: The errors from user scripts: Install-WindowsFeature : ArgumentNotValid: The role, role service, or feature name is not valid:‘WebServer’. The name was not found.

  7. The above error states that the Windows Server Role name “WebServer” defined in the User Data script is invalid. It should have been “Web-Server”. Oops!

    While we could fix this in the instance, we would have to log into each instance to fix them individually. There is a better way. Let’s use Run Command to fix all the instances at once.

Use AWS Systems Manager Run Command to fix the IIS installation

AWS Systems Manager Run Command lets you remotely and securely manage the configuration of your managed instances. A managed instance is any Amazon EC2 instance or on-premises machine in your hybrid environment that has been configured for Systems Manager. Run Command enables you to automate common administrative tasks and perform ad hoc configuration changes at scale. You can use Run Command from the AWS console, the AWS Command Line Interface, AWS Tools for Windows PowerShell, or the AWS SDKs. Run Command is offered at no additional cost.

  1. Return to the Systems Manager Console and choose Run Command from the left navigation.
  2. Click the Run a Command button.
  3. Review the available Command documents that are out of the box and commands that can be run.
  4. Search for AWS-RunPowerShellScript. Note that the search box is case sensitive.
  5. Click the radio button to the left of AWS-RunPowerShellScript
  6. Scroll down to Commands and enter the following. Note that the second line is wrapping and may need to be fixed after you copy and paste it.

    Install-WindowsFeature -Name Web-Server -IncludeAllSubFeature
    
    Add-Content c:\inetpub\wwwroot\default.aspx '<%@ Page Title="" Language="C#" Trace="true"%>'
    
    del c:\inetpub\wwwroot\iisstart.htm
  7. Scroll down to Targets and enter “Role” for the Tag Key and “WebServer” for TagValue. (NOTE – Key/Value pair is cAsEsEnSiTivE)

  8. Press the Add button, then scroll down to the bottom and click the Run button.

  9. Wait for the action to complete on both instances. It will take a 3-5 minutes to complete. You will see the Status change to Success. You may need to hit the Refresh button to update the status more frequently.

  10. When it completes, click on the instance Ids to see the output.

Confirm that the application is working

  1. Return to the bowser tab that has the application open. Remember that you pasted the load balancer URL in this tab earlier but got an error. Note that it may take 60 seconds or so after RunCommand completes for the instances to pass health checks and the page to load.
  2. Reload the page to ensure the application is working. It’s just an ASP trace page that looks like this:
  3. Great everything is working