Use the port forwarding and session connection features of the Session Manager CLI (ali-instance-cli) to securely access the OpenClaw service on an ECS instance without a public IP or inbound security group rules.
Background
Typically, accessing the OpenClaw web UI or TUI on an ECS instance requires a public IP and opening the service port, such as 18789, in a security group. The ali-instance-cli establishes an encrypted connection through the Session Manager channel. All traffic is transmitted over the Alibaba Cloud internal network, which eliminates the need to expose any ports.
The following two connection methods are supported:
Connection method | Description | Scenario |
Access web UI without a public IP | Forwards the OpenClaw Dashboard port on the instance to your local machine, allowing you to access it through a browser. | Ideal for daily use of OpenClaw when a graphical interface is preferred. |
Log on to TUI without a public IP | Logs on to the instance terminal by using Session Manager to use the OpenClaw TUI from the command line. | Suitable for users who prefer command-line operations or need direct interaction within the terminal. |
Prerequisites
You have completed the required preparations, which include the following:
Session Manager is enabled.
Ensure the Cloud Assistant Agent is installed on the instance and running properly.
The Session Manager CLI is installed and configured on your local machine.
The OpenClaw service is deployed on the ECS instance, and the OpenClaw Gateway is running.
If Session Manager is not enabled, ali-instance-cli commands return the "session manager is disabled" error.
Access web UI without a public IP
Use port forwarding to map the OpenClaw Dashboard port on the instance to your local machine to access the web UI in your browser.
Step 1: Check gateway status
Run the following command on the instance to check the status of the OpenClaw Gateway:
openclaw gateway status
Sample output:
Gateway: bind=lan (0.0.0.0), port=18789 (env/config)
...
RPC probe: ok
Listening: *:18789
If RPC probe is ok and Listening shows a port number, the OpenClaw Gateway is running correctly.
Step 2: Get the Dashboard access URL
Run the following command on the instance to get the URL of the OpenClaw Dashboard:
openclaw dashboard
Sample output:
Dashboard URL: http://127.0.0.1:18789/#token=<TOKEN>
Take note of the port number (18789 by default) and the token value. You will need them in the following steps.
Step 3: Run port forwarding
Run the following command on your local machine to forward the instance's OpenClaw port. The command is the same for Linux, macOS, and Windows.
./ali-instance-cli portforward --instance <INSTANCE_ID> --local-port 18789 --remote-port 18789
Parameters:
--instance: The ID of the ECS instance, for example, i-bp1xxxxxxxxxxxxx.
--local-port: The local listening port. This can be different from the remote port. For example, set the port to 18789.
--remote-port: The listening port of the OpenClaw service on the instance. The default is 18789.
The terminal displays output similar to the following:
Port forwarding for SessionId: s-hz0xxxxx, local port 18789, remote port :18789
Waiting for connections...
Keep the terminal window running. Closing it disconnects the session.
Step 4: Access OpenClaw
Open the following URL in your browser:
http://localhost:18789/#token=<TOKEN>
Replace <TOKEN> with the token value from Step 2. If you set --local-port to a different port, update the port number in the URL accordingly.
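The following shell helpers are an added example, not part of the original documentation or of OpenClaw or ali-instance-cli. They parse the Step 1 and Step 2 outputs to confirm the gateway is healthy, report whether it listens beyond loopback, and build the Step 4 URL for whichever --local-port you chose; the function names are hypothetical and the input formats are assumed to match the sample outputs above.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; input formats are assumed to
# match the sample outputs shown in Steps 1 and 2.

# stdin: `openclaw gateway status` output. Prints the listening port and returns 0
# only when "RPC probe: ok" and a "Listening: <addr>:<port>" line are both present.
gateway_port() {
    awk '
        /^RPC probe:[ \t]*ok[ \t]*$/ { probe = 1 }
        /^Listening:/ { n = split($NF, p, ":"); if (p[n] ~ /^[0-9]+$/) port = p[n] }
        END { if (probe && port != "") { print port } else { exit 1 } }'
}

# stdin: same status output. Prints the bind address and returns 1 when it is not
# loopback: the port is then reachable on the instance's network interfaces, so the
# security group must keep it closed (Session Manager needs no inbound rule).
gateway_bind_is_loopback() {
    addr=$(sed -n 's/^Gateway: bind=[^ ]* (\([^)]*\)).*/\1/p')
    printf '%s\n' "$addr"
    case $addr in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

# stdin: `openclaw dashboard` output; $1: the --local-port value. Prints the URL to
# open locally, swapping host and port but keeping the #token fragment as is.
local_dashboard_url() {
    case "$1" in ''|*[!0-9]*) return 2 ;; esac   # reject a non-numeric port
    sed -n "s|^Dashboard URL: http://127\.0\.0\.1:[0-9][0-9]*/\(#token=.*\)\$|http://localhost:$1/\1|p" | grep .
}

# Constructed sample input, copied from the sample outputs above with a dummy token.
SAMPLE_STATUS='Gateway: bind=lan (0.0.0.0), port=18789 (env/config)
RPC probe: ok
Listening: *:18789'
SAMPLE_DASHBOARD='Dashboard URL: http://127.0.0.1:18789/#token=EXAMPLE_TOKEN'

if port=$(printf '%s\n' "$SAMPLE_STATUS" | gateway_port); then
    echo "gateway healthy, remote port $port"
fi
printf '%s\n' "$SAMPLE_STATUS" | gateway_bind_is_loopback >/dev/null ||
    echo "gateway listens beyond loopback; keep port $port closed in the security group"
printf '%s\n' "$SAMPLE_DASHBOARD" | local_dashboard_url 28789
```

On the instance, pipe the real command output into the functions in place of the constructed samples, for example openclaw gateway status | gateway_port.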
Log on to TUI without a public IP
Use the session connection feature to log on to the ECS instance terminal and directly launch the OpenClaw TUI.
Step 1: Check version requirements
Ensure your local version of ali-instance-cli meets the following minimum requirements:
Operating system | Minimum version |
Linux | 1.2.0.82 |
Windows | 1.1.0.82 |
macOS | 1.3.0.82 |
Run the following command to check your current version:
./ali-instance-cli version
Step 2: Check gateway status
Run the following command on the instance to check the status of the OpenClaw Gateway:
openclaw gateway status
Step 3: Get gateway authentication token
Obtain the OpenClaw Gateway authentication token from the openclaw.json configuration file.
Linux:
~/.openclaw/openclaw.json
Windows:
C:\Users\<User name>\.openclaw\openclaw.json
The authentication token is in the gateway.auth.token field:
{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": "<YOUR_TOKEN>"
    }
  }
}
The <TOKEN> in the next command represents this value.
Step 4: Start the TUI
If the target instance runs Linux:
Run the following command. Specify the instance ID, system username, and the OpenClaw Gateway authentication token.
./ali-instance-cli session --instance <INSTANCE_ID> --user-name <USER_NAME> --commandLine "openclaw tui --token <TOKEN>"
If the target instance runs Windows:
Run the following command. Specify the instance ID, system username, user password, and the OpenClaw Gateway authentication token.
./ali-instance-cli session --instance <INSTANCE_ID> --user-name <USER_NAME> --password <PASSWD> --commandLine "powershell -command openclaw tui --token <TOKEN>"
The commands above are basic examples. You can add other parameters to openclaw tui as needed.
FAQ
OpenClaw is deployed in a Docker container. Web UI inaccessible after port forwarding
The OpenClaw Gateway is not bound to a network interface that Docker can access. By default, the Gateway binds to the loopback address, preventing Docker port mapping from forwarding traffic properly.
Solution: Run the following commands on the instance to change the OpenClaw Gateway bind mode to LAN, and then restart the container:
Replace <CONTAINER_NAME> with your container name.
docker exec <CONTAINER_NAME> openclaw config set gateway.bind lan
docker restart <CONTAINER_NAME>
"Permission denied" for Docker commands
By default, ali-instance-cli sessions run as the ecs-assist-user user. To run Docker commands, you must use sudo, for example, sudo docker exec openclaw openclaw dashboard.