Elastic Compute Service:Working mechanism, supported regions, and security of Session Manager

Supported regions

Session Manager is supported in the following regions: China (Qingdao), China (Beijing), China (Zhangjiakou), China (Hohhot), China (Ulanqab), China (Hangzhou), China (Shanghai), China (Shenzhen), China (Heyuan), China (Guangzhou), China (Chengdu), China (Hong Kong), Japan (Tokyo), South Korea (Seoul), Singapore, Australia (Sydney), Malaysia (Kuala Lumpur), Indonesia (Jakarta), Philippines (Manila), Thailand (Bangkok), India (Mumbai), Germany (Frankfurt), UK (London), US (Silicon Valley), US (Virginia), UAE (Dubai), and SAU (Riyadh).

Limits

When you use Session Manager to connect to an instance, the speed at which files are uploaded or downloaded is limited to 20 KB/s.

How Session Manager works

The following section describes the procedure to establish a connection by using Session Manager:

1. Session Manager Client initiates a session.

2. The Cloud Assistant server authenticates the session request. After the request is authenticated, the server generates a WebSocket URL and a token that remains valid for 10 minutes and returns the URL and the token to Session Manager Client.

3. Session Manager Client establishes a WebSocket connection to the Cloud Assistant server by using the URL and the token.

4. The Cloud Assistant server requests to establish a WebSocket connection to Cloud Assistant Agent that is installed on an instance.

5. A WebSocket connection is established between the Cloud Assistant server and Cloud Assistant Agent.

6. After the WebSocket connection is established, you can enter a command in Session Manager Client. The command is streamed to and run on the instance on which Cloud Assistant Agent is installed. The command output is displayed in Session Manager Client.

Security

• The Web Socket Secure (WSS) protocol is used to establish persistent WebSocket connections between Session Manager Client and the Cloud Assistant server as well as between the Cloud Assistant server and Cloud Assistant Agent. The WSS protocol encrypts persistent WebSocket connections by using the SSL protocol to ensure security.

• When you use Session Manager to connect to instances, you do not need to manage the instance passwords. Unlike SSH and VNC that use username/password-based authentication, Session Manager uses Resource Access Management (RAM) based authentication. You can use your Alibaba Cloud account to enable or disable Session Manager for all instances within an account. After Session Manager is enabled, both Alibaba Cloud accounts and RAM users can connect to instances by using this feature.

• You can attach policies to RAM users and then manage ECS instances as the RAM users to improve security. If you want to use Session Manager as a RAM user, policies that grant the permissions to call the StartTerminalSession operation must be attached to the RAM user. RAM policies allow you to control permissions from various dimensions, such as tags, regions, ECS instances, and source IP addresses. Thanks to RAM policies, you can connect to instances and manage the instances in a secure manner without using passwords. For more information, see Connect to an instance by using Session Manager.

• After WebSocket connections are established between Cloud Assistant Agents installed on instances and the Cloud Assistant servers, you can use Session Manager instead of SSH or VNC to connect to the instances, without the need to open ports for inbound traffic on the instances. This way, you can improve the security of the instances.

Use Session Manager for remote logons in your applications

The cloud-assistant-starter open source project contains the complete code for using Session Manager to connect to an ECS instance or a managed instance. In the project, AxtSession.tsx contains the complete code for connecting to instances and using the WebSocket URLs that are returned by the StartTerminalSession operation. You can copy the code to your application to implement password-free and public IP address-free remote logons.