Session management is a feature provided by Cloud Assistant. Compared with SSH and Virtual Network Computing (VNC), session management makes connections to Elastic Compute Service (ECS) instances more convenient and more secure.

Establish connections

The following clients and server are used in session management:
  • Session management client: initiates sessions, receives commands sent by users, and displays command outputs.
  • Cloud Assistant server: controls permissions and manages session status.
  • Cloud Assistant client installed on an instance: runs commands sent by users.
The following section describes the procedure to establish a connection by using session management:
  1. The session management client initiates a session.
  2. The Cloud Assistant server authenticates the session request. After the request is authenticated, the server generates a WebSocket URL for connection and a token that remains valid for 10 minutes and returns the URL and the token to the session management client.
  3. The session management client establishes a WebSocket connection to the Cloud Assistant server by using the URL and the token.
  4. The Cloud Assistant server requests to establish a WebSocket connection to the Cloud Assistant client that is installed on an instance.
  5. A WebSocket connection is established between the Cloud Assistant server and the Cloud Assistant client.
  6. After the WebSocket connection is established, you can enter a command in the session management client. The command is streamed to the instance on which the Cloud Assistant client is installed and is run on the instance. Then, the command output is displayed in the session management client.

Security

The WebSocket Secure (WSS) protocol is used to establish persistent WebSocket connections between the session management client and the Cloud Assistant server, and between the Cloud Assistant server and the Cloud Assistant client. WSS encrypts these persistent WebSocket connections by using the Secure Sockets Layer (SSL) protocol.

When you use session management to connect to instances, you do not need to manage instance passwords. Unlike SSH and VNC, which use username and password authentication, session management uses Resource Access Management (RAM)-based authorization. You can use your Alibaba Cloud account to enable or disable the session management feature for all instances within the account. After the feature is enabled, both Alibaba Cloud accounts and RAM users can connect to instances by using it.

If you want to use the session management feature as a RAM user, the RAM user must be attached policies that allow the user to call the StartTerminalSession operation. RAM policies let you control permissions along several dimensions, such as tags, regions, ECS instances, and connection IP addresses. With RAM policies, you can connect to and manage instances securely without using passwords. For more information, see Connect to an instance by using session management.
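As an added illustration (not from the original page or from Alibaba Cloud's documentation), the following RAM policy grants a RAM user the StartTerminalSession permission only for one instance in one region and only from one source IP range; the instance ID `i-EXAMPLE` and the `203.0.113.0/24` range are placeholders you must replace with your own values.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:StartTerminalSession",
      "Resource": "acs:ecs:cn-hangzhou:*:instance/i-EXAMPLE",
      "Condition": {
        "IpAddress": {
          "acs:SourceIp": ["203.0.113.0/24"]
        }
      }
    }
  ]
}
```

Because no `Deny` statement is needed, any StartTerminalSession call for a different instance, region, or source address falls back to the default deny, which is the least-privilege outcome you want for a passwordless access path.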

After WebSocket connections are established between the Cloud Assistant clients installed on instances and the Cloud Assistant servers, you can use session management instead of SSH and VNC to connect to the instances. In this case, you can close the inbound ports on the instances that SSH and VNC would otherwise require, which reduces the attack surface of the instances.