All Products
Search
Document Center

Elastic Compute Service:Connect to an instance with Session Manager in the ECS console

Last Updated:May 15, 2026

Session Manager provides password-free, public IP-free access to ECS instances, with stronger security than SSH or RDP.

Important

Session Manager also supports CLI connections to Linux and Windows instances.

To connect to a Windows instance through the Session Manager GUI, use port forwarding to map the remote access port to your local computer, then connect with RDP.

Prerequisites

The ECS instance to which you want to connect is in the Running state

View the instance status on the Instance page in the ECS console.

See View instance information.

image

image

Cloud Assistant Agent is installed on the instance

Session Manager relies on Cloud Assistant. Install Cloud Assistant Agent on the instance and check its status on the ECS Cloud Assistant page in the ECS console.

Cloud Assistant Agent is pre-installed on ECS instances created from Alibaba Cloud public images after December 1, 2017. For earlier instances, manually install Cloud Assistant Agent. See Install the Cloud Assistant Agent.

image

image

See Check Cloud Assistant status and troubleshoot exceptions.

Network connectivity is provided by configuring a security group

When you use Session Manager to connect to an ECS instance, make sure that Cloud Assistant Agent running on the ECS instance is connected to the Cloud Assistant server by adding the following rules to an outbound security group:

Compared with connection methods, such as SSH and Remote Desktop Protocol (RDP), Cloud Assistant Agent actively establishes a WebSocket connection to the Session Manager server. You need to only open the outbound WebSocket port of the Cloud Assistant server in a security rule. For information about how Session Manager works, see the How Session Manager works section of this topic.
Important
  • If you use basic security groups including the default security group, all outbound traffic is allowed. No additional configuration is required.

  • If you use an advanced security group, all outbound traffic is denied. You must configure the relevant rules. The following table describes the rules. For information about security groups, see Basic and advanced security groups.

For information about how to add rules to a security group, see Add a security group rule.

Action

Priority

Protocol type

Port range

Authorization object

Description

Allow

1

Custom TCP

443

100.100.0.0/16

This port is used to access the Cloud Assistant server.

Allow

1

Custom TCP

443

100.0.0.0/8

This port is used to access the server on which the Cloud Assistant Agent installation package is stored when you want to install or update Cloud Assistant Agent.

Allow

1

Custom UDP

53

0.0.0.0/0

This port is used to resolve domain names.

If you want to connect to an instance by using only Session Manager, delete the inbound rules that allow the SSH port (default 22) and RDP port (default 3389) from a security group to improve the security of the ECS instance.

Resource Access Management (RAM) users have the required permissions on Session Manager

If a RAM user wants to use Session Manager to connect to an instance in the ECS console, the RAM user must be granted the following permissions based on the principle of least privilege:

  • ecs:StartTerminalSession: The permission to connect to an instance by using Session Manager. You can configure the Resource parameter to specify the ECS instances to which a RAM user can connect by using Session Manager.

  • ecs:DescribeCloudAssistantStatus: The permission to query whether Cloud Assistant Agent needs to be installed on an ECS instance. The system checks this permission before you connect to an instance in the ECS console.

  • ecs:DescribeUserBusinessBehavior: The permission to query whether Session Manager is enabled. The system checks this permission before you connect to an instance in the ECS console.

  • (Optional) ecs:ModifyCloudAssistantSettings: The permission to enable or disable Session Manager. If Session Manager is enabled for the current Alibaba Cloud account, you do not need to grant this permission.

Sample custom policy:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:StartTerminalSession",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeUserBusinessBehavior",
        "ecs:DescribeCloudAssistantStatus",
        "ecs:ModifyCloudAssistantSettings"
      ],
      "Resource": "*"
    }
  ]
}

For information about how to grant permissions to a RAM user, see Grant permissions to a RAM user.

Procedure

  1. Go to ECS console - Instances.

  2. In the top navigation bar, select the region and resource group to manage.

  3. Click the instance ID. On the Instance Details page, click Connect in the upper-right corner.

  4. Click Show Other Logon Methods and check whether Session management turned on (full region) is displayed in the Session Manager section. If Session Management closed is displayed, turn on the switch to enable Session Manager.

    Important

    To enable Session Manager as a RAM user, ensure the RAM user has the DescribeUserBusinessBehavior permission to view Session Manager configurations and the ModifyUserBusinessBehavior permission to enable or disable it. See the Prerequisites section.

    image

    image

  5. Click Secret-free login.

    After connecting, you are logged on as ecs-assist-user (Linux) or the system user (Windows). The following figure shows a Linux instance login.

    image

References

You can also connect to an instance with the Session Manager CLI (ali-instance-cli) from your computer.