AWS Systems Manager Session Manager is a fully managed capability that lets you manage your Amazon Elastic Compute Cloud (Amazon EC2) instances, on-premises instances, and virtual machines (VMs). It is available through an interactive one-click browser-based shell or through the AWS Command Line Interface (AWS CLI). Session Manager provides secure and auditable instance management without the need to open inbound ports, maintain bastion hosts, or manage SSH keys. When Systems Manager Agent (SSM Agent) is installed on your instances and you have IAM permissions to call the Systems Manager API, you can use the AWS Management Console or AWS CLI to securely connect to instances.

Some customers who enabled Session Manager port forwarding to redirect the remote traffic of web applications reported high latency (in the order of minutes). This is followed by timeouts when they accessed remote web applications on a local port in the client browser. As a workaround, those customers set up a classic SSH port forwarding session for web traffic.

On October 20, 2020, Systems Manager released improved versions of SSM Agent and the Session Manager plugin. The Session Manager plugin (version 1.2.7.0 and later) installed on the client now multiplexes connections from the client browser and sends them over a single web socket channel. SSM Agent on the remote instance demultiplexes and sends data over concurrent connections to the web application. Likewise, SSM Agent on the remote instance (version 3.0.222.0 and later) reads parallel connections coming from the web application, multiplexes, and then sends them over the single web socket data channel. The Session Manager plugin in the client then demultiplexes and redirects data over parallel connections to the client browser.

These improvements in the agent and plugin have reduced latency and improved load times for applications that load data using multiple concurrent connections over a port forwarding session. For more information about these improvements, check the October 20th announcement.

In this blog post, I walk you through the results of improved Session Manager port forwarding performance with Systems Manager Agent 3.0.222.0 and Session Manager plugin 1.2.7.0.

Benchmark setup

Let’s discuss the scenarios that I used to benchmark the results.

Step 1

My remote EC2 instances in the following scenarios are managed by Systems Manager. Follow the steps in setting up AWS Systems Manager and then follow the steps to install Systems Manager Agent for your operating system. To use Systems Manager to manage remote on-premises servers, follow steps from 1 through 5 in scenario 4 in the blog post I wrote recently.

Step 2

Install the Apache NiFi 1.12.1 web application appropriate for the operating system of the managed instances. I chose this application because it relies on the availability of concurrent connections to accelerate data loading to the source. I performed steps 3-5 on my macOS laptop client.

Step 3

I installed the Session Manager plugin version 1.2.7.0 and the latest version of the AWS CLI. For installation instructions, check Session Manager plugin for the AWS CLI in the AWS Systems Manager documentation.

Step 4

From the AWS CLI, I opened a secure tunnel between my local port and the remote port on the instance. I created a new session using the AWS-StartPortForwardingSession Session Manager document. For more information, check start-session in the AWS CLI Command Reference.

aws ssm start-session \
--target [Remote_managed_Instance_Id]\
--document-name AWS-StartPortForwardingSession \ 
--parameters '{"portNumber":["8080"],"localPortNumber":["9090"]}'

Step 5

I connected to this local port using my laptop browser so that Session Manager forwards subsequent traffic between the local and remote port.

http://localhost:9090

The following screenshot shows the Apache NiFi web application from the remote instance. Numerous objects are being rendered over a port forwarding session during an iteration.

NiFi UI displays name, path, status, type, initiator, size, and time. It shows that 109 requests have been made

Figure 1: Network activity inspection using Chrome DevTools while Apache NiFi web application renders over port forwarding session

Benchmark results

To benchmark the performance of SSM Agent 3.0.222.0 and the Session Manager plugin 1.2.7.0, I established a secure tunnel between my local and remote port on an instance by creating a session. Then I ran an iteration by connecting to the local port using my laptop browser to see the time it took for DOMContentLoaded of the remote web application on the local port. Because the load time for the web application over a port forwarding session was taking too long to capture with the earlier versions of the SSM Agent and SSM plugin, I captured the DOMContentLoaded time for illustration purposes instead.

Scenario 1: Remote Systems Manager managed EC2 instance ran Amazon Linux 2 (AL2) AMI, SSM Agent 2.3.1319.0, Apache NiFi 1.12.1 application listening on its default port 8080.

Scenario 2: Remote Systems Manager managed EC2 instance ran Amazon Linux 2 AMI, SSM Agent 3.0.222.0, Apache NiFi 1.12.1 application listening on its default port 8080.

Scenario 3: Remote Systems Manager managed EC2 instance ran Windows Server 2019 AMI, SSM Agent 2.3.1319.0, Apache NiFi 1.12.1 application listening on its default port 8080.

Scenario 4: Remote Systems Manager managed EC2 instance ran Windows Server 2019 AMI, SSM Agent 3.0.222.0, Apache NiFi 1.12.1 application listening on its default port 8080.

The benchmarking with SSM Agent 3.0.222.0 and the Session Manager plugin 1.2.7.0 showed an approximate 99.9% decrease in the latency of web application rendering over Session Manager port forwarding. The following chart shows the latency, in seconds, for the DOMContentLoaded event of the remote web application on the local port.

Time, in seconds, for the DOMContentLoaded event of Apache NiFi web application over port forwarding session on remote servers running Windows Server and Amazon Linux 2

Figure 2: DOMContentLoaded event of Apache NiFi web application over port forwarding session

Conclusion

In this blog post, I showed you the benchmark results of improved Session Manager port forwarding performance with SSM Agent 3.0.222.0 and the Session Manager plugin 1.2.7.0. If you have encountered high latency and then timeouts, when you access remote web applications on a local port in the client browser using Session Manager port forwarding, upgrade the SSM Agent to 3.0.222.0 on the remote instance. Upgrade the Session Manager plugin on the local machine to 1.2.7.0 and then retry. If you have questions or feedback, open an AWS Support Case.

Additional references

Port forwarding sessions created using Session Manager now support multiple simultaneous connections

Port forwarding using AWS System Manager Session Manager

About the author

Blog author picture
Shree Chinnasamy is a technical account manager and is focused on driving operational excellence for his customers. An avid reader and a marathon finisher, Shree is based out of Washington in the pacific northwest.