

AWS Blockchain Templates was discontinued on April 30, 2019. No further updates to this service or this supporting documentation will be made. For the best Managed Blockchain experience on AWS, we recommend that you use [Amazon Managed Blockchain (AMB)](https://aws.amazon.com/managed-blockchain/). To learn more about getting started with Amazon Managed Blockchain, see our [workshop on Hyperledger Fabric](https://catalog.us-east-1.prod.workshops.aws/workshops/008da2cb-8454-42d0-877b-bc290bff7fcf/en-US), or our [blog on deploying an Ethereum node](https://aws.amazon.com/blogs/database/deploy-an-ethereum-node-on-amazon-managed-blockchain/). If you have questions about AMB or require further support, [contact Support](https://console.aws.amazon.com/support/home#/case/create?issueType=technical) or your AWS account team.

# Getting Started with AWS Blockchain Templates

This tutorial demonstrates how to use the AWS Blockchain Template for Ethereum to create a private blockchain network on AWS through CloudFormation. The network that you create has two Ethereum clients and one miner running on Amazon EC2 instances in an Amazon ECS cluster. Amazon ECS runs these services in Docker containers pulled from Amazon ECR. Before you start this tutorial, it's helpful to know about blockchain networks and the AWS services involved, but not required.

This tutorial assumes that you have set up the general prerequisites covered in [Setting Up AWS Blockchain Templates](blockchain-templates-setting-up.md). In addition, you must set up some AWS resources, such as an Amazon VPC network and specific permissions for IAM roles, before you use the template.

The tutorial demonstrates how to set up those prerequisites. We made setup choices, but they are not prescriptive. As long as you meet the prerequisites, you can make other configuration choices based on the needs of your application and environment. For information about the features and general prerequisites for each template, and to download templates or launch them directly in CloudFormation, see [AWS Blockchain Templates and Features](blockchain-template-features.md).

Throughout this tutorial, examples use the US West (Oregon) Region (us-west-2), but you can use any region that supports AWS Blockchain Templates: 
+ US West (Oregon) Region (us-west-2)
+ US East (N. Virginia) Region (us-east-1)
+ US East (Ohio) Region (us-east-2)

**Note**  
Running a template in a Region not listed above launches resources in the US East (N. Virginia) Region (us-east-1).

The AWS Blockchain Template for Ethereum that you configure using this tutorial creates the following resources:
+ On-Demand EC2 instances of the type and number that you specify. The tutorial uses the default t2.medium instance type.
+ An internal Application Load Balancer.

Following the tutorial, steps are provided to clean up resources that you create.

**Topics**
+ [Set Up Prerequisites](blockchain-template-getting-started-prerequisites.md)
+ [Create the Ethereum Network](blockchain-templates-create-stack.md)
+ [Connect to EthStats and EthExplorer Using the Bastion Host](blockchain-bastion-host-connect.md)
+ [Clean Up Resources](blockchain-templates-cleanup.md)

# Set Up Prerequisites


The AWS Blockchain Template for Ethereum configuration that you specify in this tutorial requires that you do the following:
+ [Create a VPC and Subnets](#blockchain-templates-create-a-vpc)
+ [Create Security Groups](#blockchain-templates-create-security-group)
+ [Create an IAM Role for Amazon ECS and an EC2 Instance Profile](#blockchain-templates-iam-roles)
+ [Create a Bastion Host](#blockchain-templates-bastion-host)

## Create a VPC and Subnets


The AWS Blockchain Template for Ethereum launches resources into a virtual network that you define using Amazon Virtual Private Cloud (Amazon VPC). The configuration you specify in this tutorial creates an Application Load Balancer, which requires two public subnets in different Availability Zones. In addition, a private subnet is required for the container instances, and the subnet must be in the same Availability Zone as the Application Load Balancer. You first use the VPC Wizard to create one public subnet and a private subnet in the same Availability Zone. You then create a second public subnet within this VPC in a different Availability Zone.

For more information, see [What is Amazon VPC?](https://docs.aws.amazon.com/vpc/latest/userguide/) in the *Amazon VPC User Guide*.

Use the Amazon VPC console ([https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/)) to create the Elastic IP address, the VPC, and the subnet as described below.

**To create an Elastic IP address**

1. Open the Amazon VPC console at [https://console.aws.amazon.com/vpc/](https://console.aws.amazon.com/vpc/).

1. Choose **Elastic IPs**, **Allocate new address**, **Allocate**.

1. Make a note of the Elastic IP address that you create and choose **Close**.

1. In the list of Elastic IP addresses, find the **Allocation ID** for the Elastic IP address created earlier. You use this when you create the VPC.

**To create the VPC**

1. From the navigation bar, select a Region for the VPC. VPCs are specific to a Region, so select the same Region in which you created your key pair and where you are launching the Ethereum stack. For more information, see [Create a Key Pair](blockchain-templates-setting-up.md#blockchain-templates-create-a-key-pair).

1. On the VPC dashboard, choose **Start VPC Wizard**.

1. On the **Step 1: Select a VPC Configuration** page, choose **VPC with Public and Private Subnets**, **Select**.

1. On the **Step 2: VPC with Public and Private Subnets** page, leave **IPv4 CIDR block** and **IPv6 CIDR block** at their default values. For **VPC name**, enter a friendly name.

1. For **Public subnet's IPv4 CIDR**, leave the default value. For **Availability Zone**, choose a zone. For **Public subnet name**, enter a friendly name.

   You specify this subnet as one of the two subnets for the Application Load Balancer when you use the template.

   Note the Availability Zone of this subnet because you select the same Availability Zone for the private subnet, and a different one for the other public subnet.

1. For **Private subnet's IPv4 CIDR**, leave the default value. For **Availability Zone**, select the same Availability Zone as in the previous step. For **Private subnet name**, enter a friendly name.

1. For **Elastic IP Allocation ID**, select the Elastic IP address that you created earlier.

1. Leave the default values for other settings.

1. Choose **Create VPC**.

   The example below shows a VPC **EthereumNetworkVPC** with a public subnet **EthereumPubSub1** and a private subnet **EthereumPvtSub1**. The public subnet uses Availability Zone **us-west-2a**.  
![\[VPC configuration form with public and private subnet details for EthereumVPC.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/VPC.png)

**To create the second public subnet in a different Availability Zone**

1. Choose **Subnets** and then select the public subnet that you created earlier from the list. Select the **Route Table** tab and note the **Route table** ID. You specify this same route table for the second public subnet below.

1. Choose **Create Subnet**.

1. For **Name tag**, enter a name for the subnet. You use this name later when you create the bastion host in this network.

1. For **VPC**, select the VPC that you created earlier.

1. For **Availability Zone**, select a different zone from the zone that you selected for the first public subnet.

1. For **IPv4 CIDR block**, enter **10.0.2.0/24**.

1. Choose **Yes, Create**. The subnet is added to the list of subnets.

1. With the subnet selected from the list, choose **Subnet Actions**, **Modify auto-assign IP settings**. Select **Auto-assign IPs**, **Save**, **Close**. This allows the bastion host to obtain a public IP address when you create it in this subnet.

1. On the **Route Table** tab, choose **Edit**. For **Change to**, select the route table ID that you noted earlier and choose **Save**.

You should now see three subnets for the VPC that you created earlier. Make a note of the subnet names and IDs so that you can specify them using the template.

![\[VPC Dashboard showing three subnets with their IDs, states, and IPv4 CIDR ranges.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/subnets-listing.png)


## Create Security Groups


Security groups act as firewalls, controlling inbound and outbound traffic to resources. When you use the template to create an Ethereum network on an Amazon ECS cluster, you specify two security groups:
+ A security group for EC2 instances that controls traffic to and from EC2 instances in the cluster
+ A security group for the Application Load Balancer that controls traffic between the Application Load Balancer, EC2 instances, and the bastion host. You associate this security group with the bastion host as well.

Each security group has rules that allow communication between the Application Load Balancer and the EC2 instances, as well as other minimum rules. This requires that the security groups reference one another. For this reason, you first create the security groups and then update them with appropriate rules.

**To create two security groups**

1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).

1. In the navigation pane, choose **Security Groups**, **Create Security Group**.

1. For **Security group name**, enter a name for the security group that's easy to identify and will differentiate it from the other, such as *EthereumEC2-SG* or *EthereumALB-SG*. You use these names later. For **Description**, enter a brief summary.

1. For **VPC**, select the VPC that you created earlier.

1. Choose **Create**.

1. Repeat the steps above to create the other security group.

**Add inbound rules to the security group for EC2 instances**

1. Select the security group for EC2 instances that you created earlier.

1. On the **Inbound** tab, choose **Edit**.

1. For **Type**, choose **All traffic**. For **Source**, leave **Custom** selected, and then choose the security group you are currently editing from the list, for example, *EthereumEC2-SG*. This allows the EC2 instances in the security group to communicate with one another.

1. Choose **Add Rule**.

1. For **Type**, choose **All traffic**. For **Source**, leave **Custom** selected, and then choose the security group for the Application Load Balancer from the list, for example, *EthereumALB-SG*. This allows the EC2 instances in the security group to communicate with the Application Load Balancer.

1. Choose **Save**.

**Add inbound and edit outbound rules for the security group for the Application Load Balancer**

1. Select the security group for the Application Load Balancer that you created earlier.

1. On the **Inbound** tab, choose **Edit** and then add the following inbound rules:

   1. For **Type**, choose **All traffic**. For **Source**, leave **Custom** selected, and then choose the security group you are currently editing from the list, for example, *EthereumALB-SG*. This allows the Application Load Balancer to communicate with itself and with the bastion host.

   1. Choose **Add Rule**.

   1. For **Type**, choose **All traffic**. For **Source**, leave **Custom** selected, and then choose the security group for EC2 instances from the list, for example, *EthereumEC2-SG*. This allows the EC2 instances in the security group to communicate with the Application Load Balancer and the bastion host.

   1. Choose **Add Rule**.

   1. For **Type**, choose **SSH**. For **Source**, select **My IP**, which detects your computer's IP CIDR and enters it.
**Important**  
This rule allows the bastion host to accept SSH traffic from your computer, enabling your computer to use the bastion host to view web interfaces and connect to EC2 instances on the Ethereum network. To allow others to connect to the Ethereum network, add them as sources to this rule. Only allow inbound traffic from trusted sources.

   1. Choose **Save**.

1. On the **Outbound** tab, choose **Edit** and delete the rule that was automatically created to allow outbound traffic to all IP addresses.

1. Choose **Add Rule**.

1. For **Type**, choose **All traffic**. For **Destination**, leave **Custom** selected, and then choose the security group for EC2 instances from the list. This allows outbound connections from the Application Load Balancer and the bastion host to EC2 instances in the Ethereum network.

1. Choose **Add Rule**.

1. For **Type**, choose **All traffic**. For **Destination**, leave **Custom** selected, and then choose the security group you are currently editing from the list, for example, *EthereumALB-SG*. This allows the Application Load Balancer to communicate with itself and with the bastion host.

1. Choose **Save**.
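
The rule set built in the procedures above can be checked after the fact. The following is an added example, not part of the AWS documentation: it audits security group descriptions in the JSON shape returned by `aws ec2 describe-security-groups`. The group IDs, the client CIDR, and the drifted variant are constructed sample data.

```python
"""Check security groups against the tutorial's rule design (added example)."""

ANYWHERE = {"0.0.0.0/0", "::/0"}
EC2_SG, ALB_SG = "sg-0ec2example", "sg-0albexample"  # constructed group IDs


def cidrs(perm):
    """Return every IPv4 and IPv6 CIDR named in one permission entry."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def is_ssh_only(perm):
    """True when the entry opens TCP port 22 and nothing else."""
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort") == 22 and perm.get("ToPort") == 22)


def audit_group(group, peer_ids, ssh_from_cidrs, egress_locked):
    """List deviations of one group from the tutorial's design.

    peer_ids:       group IDs that may appear as a source or destination.
    ssh_from_cidrs: True if SSH from specific client CIDRs is expected.
    egress_locked:  True if the default allow-all outbound rule must be gone.
    """
    findings = []
    name = group["GroupName"]
    for perm in group.get("IpPermissions", []):
        for ref in perm.get("UserIdGroupPairs", []):
            if ref["GroupId"] not in peer_ids:
                findings.append(f"{name}: ingress from unexpected group {ref['GroupId']}")
        for cidr in cidrs(perm):
            if cidr in ANYWHERE:
                findings.append(f"{name}: ingress open to {cidr}")
            elif not (ssh_from_cidrs and is_ssh_only(perm)):
                findings.append(f"{name}: non-SSH ingress from {cidr}")
    if egress_locked:
        for perm in group.get("IpPermissionsEgress", []):
            for ref in perm.get("UserIdGroupPairs", []):
                if ref["GroupId"] not in peer_ids:
                    findings.append(f"{name}: egress to unexpected group {ref['GroupId']}")
            for cidr in cidrs(perm):
                findings.append(f"{name}: egress to {cidr}, default rule still present")
    return findings


def all_traffic(*group_ids):
    """An 'All traffic' entry whose source/destination is a list of groups."""
    return {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
            "UserIdGroupPairs": [{"GroupId": g} for g in group_ids]}


def ssh_from(cidr):
    """An SSH entry for one client CIDR (what 'My IP' produces)."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": cidr}], "Ipv6Ranges": [],
            "UserIdGroupPairs": []}


# The outbound rule that every new security group starts with.
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                  "Ipv6Ranges": [], "UserIdGroupPairs": []}

# Constructed samples: the groups as the tutorial builds them ...
ALB_AS_BUILT = {"GroupId": ALB_SG, "GroupName": "EthereumALB-SG",
                "IpPermissions": [all_traffic(ALB_SG, EC2_SG),
                                  ssh_from("203.0.113.10/32")],
                "IpPermissionsEgress": [all_traffic(EC2_SG, ALB_SG)]}
EC2_AS_BUILT = {"GroupId": EC2_SG, "GroupName": "EthereumEC2-SG",
                "IpPermissions": [all_traffic(EC2_SG, ALB_SG)],
                "IpPermissionsEgress": [DEFAULT_EGRESS]}
# ... and a drifted ALB/bastion group: SSH widened, default egress kept.
ALB_DRIFTED = {"GroupId": ALB_SG, "GroupName": "EthereumALB-SG",
               "IpPermissions": [all_traffic(ALB_SG, EC2_SG),
                                 ssh_from("0.0.0.0/0")],
               "IpPermissionsEgress": [DEFAULT_EGRESS]}

if __name__ == "__main__":
    peers = {EC2_SG, ALB_SG}
    for grp, ssh, locked in ((ALB_AS_BUILT, True, True),
                             (EC2_AS_BUILT, False, False),
                             (ALB_DRIFTED, True, True)):
        result = audit_group(grp, peers, ssh, locked)
        print(grp["GroupName"], "->", result or "matches the tutorial design")
```

The tutorial does not edit the outbound rules of the EC2 instance group, so the example checks only the inbound side of that group.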

## Create an IAM Role for Amazon ECS and an EC2 Instance Profile


When you use this template, you specify an IAM role for Amazon ECS and an EC2 instance profile. The permissions policies attached to these roles allow the AWS resources and instances in your cluster to interact with other AWS resources. For more information, see [IAM Roles](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) in the *IAM User Guide*. You set up the IAM role for Amazon ECS and the EC2 instance profile using the IAM console ([https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/)).

**To create the IAM role for Amazon ECS**

1. Open the IAM console at [https://console.aws.amazon.com/iam/](https://console.aws.amazon.com/iam/).

1. In the navigation pane, choose **Roles**, **Create Role**.

1. Under **Select type of trusted entity**, choose **AWS service**.

1. For **Choose the service that will use this role**, choose **Elastic Container Service**.

1. Under **Select your use case**, choose **Elastic Container Service**, **Next:Permissions**.  
![\[AWS console interface for creating a role, with Elastic Container Service selected as the use case.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/ecs-role.png)

1. For **Permissions policy**, leave the default policy (**AmazonEC2ContainerServiceRole**) selected, and choose **Next:Review**.

1. For **Role name**, enter a value that helps you identify the role, such as *ECSRoleForEthereum*. For **Role Description**, enter a brief summary. Note the role name for later.

1. Choose **Create role**.

1. Select the role that you just created from the list. If your account has many roles, you can search for the role name.  
![\[AWSIAM console showing a role named "ECSRoleForEtherum" with its description.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/ecs-role-list.png)

1. Copy the **Role ARN** value and save it so that you can copy it again. You need this ARN when you create the Ethereum network.  
![\[AWSIAM role summary page showing role ARN, description, and attached policies.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/ecs-role-arn.png)

The EC2 instance profile that you specify in the template is assumed by EC2 instances in the Ethereum network to interact with other AWS services. You create a permissions policy for the role, create the role (which automatically creates an instance profile of the same name), and then attach the permissions policy to the role.

**To create an EC2 instance profile**

1. In the navigation pane, choose **Policies**, **Create policy**.

1. Choose **JSON** and replace the default policy statement with the following JSON policy:

   ```
   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "ecs:CreateCluster",
                   "ecs:DeregisterContainerInstance",
                   "ecs:DiscoverPollEndpoint",
                   "ecs:Poll",
                   "ecs:RegisterContainerInstance",
                   "ecs:StartTelemetrySession",
                   "ecs:Submit*",
                   "ecr:GetAuthorizationToken",
                   "ecr:BatchCheckLayerAvailability",
                   "ecr:GetDownloadUrlForLayer",
                   "ecr:BatchGetImage",
                   "logs:CreateLogStream",
                   "logs:PutLogEvents",
                   "dynamodb:BatchGetItem",
                   "dynamodb:BatchWriteItem",
                   "dynamodb:PutItem",
                   "dynamodb:DeleteItem",
                   "dynamodb:GetItem",
                   "dynamodb:Scan",
                   "dynamodb:Query",
                   "dynamodb:UpdateItem"
               ],
               "Resource": "*"
           }
       ]
   }
   ```

1. Choose **Review policy**.

1. For **Name**, enter a value that helps you identify this permissions policy, for example *EthereumPolicyForEC2*. For **Description**, enter a brief summary. Choose **Create policy**.  
![\[AWS console showing Create policy page with name, description, and service permissions.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/ec2-perms-policy.png)

1. Choose **Roles**, **Create role**.

1. Choose **EC2**, **Next: Permissions**.

1. In the **Search** field, enter the name of the permissions policy that you created earlier, for example *EthereumPolicyForEC2*.

1. Select the check mark for the policy that you created earlier, and choose **Next: Review**.  
![\[AWS console showing Create role page with EthereumPolicyForEC2 policy selected.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/ec2-select-policy.png)

1. For **Role name**, enter a value that helps you identify the role, for example *EC2RoleForEthereum*. For **Role description**, enter a brief summary. Choose **Create role**.

1. Select the role that you just created from the list. If your account has many roles, you can enter the role name in the **Search** field.  
![\[AWSIAM interface showing a role named EC2RoleforEther with associated description and trusted entity.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/ec2-select-role.png)

1. Copy the **Instance Profile ARN** value and save it so you can copy it again. You need this ARN when you create the Ethereum network.  
![\[AWSIAM role summary page showing Role ARN and Instance Profile ARNs fields.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/ec2-role-arn.png)
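
The permissions policy above grants every action on `"Resource": "*"`. The following added example (not part of the AWS documentation) reports, per service, what that wildcard covers and which of those actions change state. The list of state-changing verb prefixes is an assumption of this example, and the matcher ignores `Deny`, `NotAction`, and `Condition`, none of which appear in this policy.

```python
"""Report what the tutorial's instance-profile policy allows on Resource '*'."""
import json
import re

# The policy from the tutorial, reproduced as input.
TUTORIAL_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*", "Action": [
    "ecs:CreateCluster", "ecs:DeregisterContainerInstance",
    "ecs:DiscoverPollEndpoint", "ecs:Poll", "ecs:RegisterContainerInstance",
    "ecs:StartTelemetrySession", "ecs:Submit*",
    "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage",
    "logs:CreateLogStream", "logs:PutLogEvents",
    "dynamodb:BatchGetItem", "dynamodb:BatchWriteItem", "dynamodb:PutItem",
    "dynamodb:DeleteItem", "dynamodb:GetItem", "dynamodb:Scan",
    "dynamodb:Query", "dynamodb:UpdateItem"]}]}
""")

# Assumption of this example: verbs that mark an action as state-changing.
MUTATING_PREFIXES = ("Create", "Delete", "Put", "Update", "BatchWrite",
                     "Register", "Deregister")


def as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]


def wildcard_grants(policy):
    """Map service -> sorted action names allowed on Resource '*'."""
    grants = {}
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource", [])):
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            grants.setdefault(service, []).append(name)
    return {svc: sorted(names) for svc, names in grants.items()}


def mutating(names):
    """Filter action names down to those with a state-changing verb prefix."""
    return [n for n in names if n.startswith(MUTATING_PREFIXES)]


def action_matches(pattern, action):
    """IAM action matching: '*' and '?' wildcards, case-insensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def allows(policy, action):
    """True if any Allow statement's Action pattern matches the action."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if any(action_matches(p, action) for p in as_list(stmt.get("Action", []))):
            return True
    return False


if __name__ == "__main__":
    for service, names in sorted(wildcard_grants(TUTORIAL_POLICY).items()):
        print(f"{service}: {len(names)} actions on '*', "
              f"state-changing: {mutating(names) or 'none'}")
```

For this policy the report lists item-level write and delete actions for DynamoDB that apply to every table the account owns, because the statement names no table ARN.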

## Create a Bastion Host


In this tutorial, you create a bastion host. This is an EC2 instance that you use to connect to the web interfaces and instances in your Ethereum network. Its sole purpose is to forward SSH traffic from trusted clients outside the VPC so that they can access Ethereum network resources.

You set up the bastion host because the Application Load Balancer that the template creates is internal, meaning it only routes internal IP addresses. The bastion host:
+ Has an internal IP address that the Application Load Balancer recognizes because you launch it in the second public subnet that you created earlier.
+ Has a public IP address that the subnet assigns, which can be accessed by trusted sources outside the VPC.
+ Is associated with the security group for the Application Load Balancer you created earlier, which has an inbound rule that allows SSH traffic (port 22) from trusted clients.

To be able to access the Ethereum network, trusted clients need to be set up to connect through the bastion host. For more information, see [Connect to EthStats and EthExplorer Using the Bastion Host](blockchain-bastion-host-connect.md). A bastion host is one approach. You can use any approach that provides access from trusted clients to private resources within a VPC.

**To create a bastion host**

1. Follow the first five steps to [Launch an Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance) in the *Amazon EC2 User Guide*.

1. Choose **Edit Instance Details**. For **Network**, choose the VPC you created earlier. For **Subnet**, select the second public subnet that you created earlier. Leave all other settings at their defaults.

1. Confirm the change when prompted, and then choose **Review and Launch**.

1. Choose **Edit Security Groups**. For **Assign a security group**, choose **Select an existing security group**.

1. From the list of security groups, select the security group for the Application Load Balancer that you created earlier, and then choose **Review and Launch**.

1. Choose **Launch**.

1. Note the instance ID. You need it later when you [Connect to EthStats and EthExplorer Using the Bastion Host](blockchain-bastion-host-connect.md).  
![\[Green checkmark indicating successful instance launch with partially obscured instance ID.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/bastion-instance.png)

# Create the Ethereum Network


The Ethereum network that you specify using the template in this topic launches a CloudFormation stack that creates an Amazon ECS cluster of EC2 instances for the Ethereum network. The template relies on the resources that you created earlier in [Set Up Prerequisites](blockchain-template-getting-started-prerequisites.md).

When you launch the CloudFormation stack using the template, it creates nested stacks for some tasks. After they are complete, you can connect to resources served by the network's Application Load Balancer through the bastion host to verify that your Ethereum network is running and accessible.

**To create the Ethereum network using the AWS Blockchain Template for Ethereum**

1. See [Getting Started with AWS Blockchain Templates](https://aws.amazon.com/blockchain/templates/getting-started/), and open the latest AWS Blockchain Template for Ethereum in the CloudFormation console using the quick-links for your AWS Region.

1. Enter values according to the following guidelines:
   + For **Stack name**, enter a name that is easy for you to identify. This name is used within the names of resources that the stack creates.
   + Under **Ethereum Network Parameters** and **Private Ethereum Network Parameters**, leave the default settings.
**Warning**  
Use the default accounts and associated mnemonic phrase for testing purposes only. Do not send real Ether using the default set of accounts because anyone with access to the mnemonic phrase can access or steal Ether from the accounts. Instead, specify custom accounts for production purposes. The mnemonic phrase associated with the default account is `outdoor father modify clever trophy abandon vital feel portion grit evolve twist`.
   + Under **Platform configuration**, leave the default settings, which creates an Amazon ECS cluster of EC2 instances. The alternative, **docker-local**, creates an Ethereum network using a single EC2 instance.
   + Under **EC2 configuration**, select options according to the following guidelines:
     + For **EC2 Key Pair**, select a key pair. For information about creating a key pair, see [Create a Key Pair](blockchain-templates-setting-up.md#blockchain-templates-create-a-key-pair).
     + For **EC2 Security Group**, select the security group you created earlier in [Create Security Groups](blockchain-template-getting-started-prerequisites.md#blockchain-templates-create-security-group).
     + For **EC2 Instance Profile ARN**, enter the ARN of the instance profile that you created earlier in [Create an IAM Role for Amazon ECS and an EC2 Instance Profile](blockchain-template-getting-started-prerequisites.md#blockchain-templates-iam-roles).
   + Under **VPC network configuration**, select options according to the following guidelines:
     + For **VPC ID**, select the VPC that you created earlier in [Create a VPC and Subnets](blockchain-template-getting-started-prerequisites.md#blockchain-templates-create-a-vpc).
     + For **Ethereum Network Subnet IDs**, select the single private subnet that you created earlier in the procedure [To create the VPC](blockchain-template-getting-started-prerequisites.md#create-vpc-procedure).
   + Under **ECS cluster configuration**, leave the defaults. This creates an ECS cluster of three EC2 instances.
   + Under **Application Load Balancer configuration (ECS only)**, select options according to the following guidelines:
     + For **Application Load Balancer Subnet IDs**, select two public subnets from the [list of subnets](blockchain-template-getting-started-prerequisites.md#list-of-subnets) that you noted earlier.
     + For **Application Load Balancer Security Group**, select the security group for the Application Load Balancer that you created earlier in [Create Security Groups](blockchain-template-getting-started-prerequisites.md#blockchain-templates-create-security-group).
     + For **IAM Role**, enter the ARN of the ECS role that you created earlier in [Create an IAM Role for Amazon ECS and an EC2 Instance Profile](blockchain-template-getting-started-prerequisites.md#blockchain-templates-iam-roles).
   + Under **EthStats**, select options according to the following guidelines:
     + For **Deploy EthStats**, leave the default setting, which is *true*.
     + For **EthStats Connection Secret**, type an arbitrary value that is at least six characters.
   + Under **EthExplorer**, leave the default setting for **Deploy EthExplorer**, which is *true*.
   + Under **Other parameters**, leave the default value for **Nested Template S3 URL Prefix** and make a note of it. This is where you can find nested templates.

1. Leave all other settings to their defaults, select the acknowledgement check box, and choose **Create**.

   The **Stack Detail** page for the root stack that CloudFormation launches appears.

1. To monitor the progress of the root stack and nested stacks, choose **Stacks**.  
![\[CloudFormation interface showing Stacks option highlighted in the navigation menu.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/choose-stacks.png)

1. When all stacks show **CREATE_COMPLETE** for **Status**, you can connect to Ethereum user interfaces to verify that the network is running and accessible. When you use the ECS container platform, URLs for connecting to EthStats, EthExplorer, and EthJsonRPC through the Application Load Balancer are available on the **Outputs** tab of the root stack.
**Important**  
You won't be able to connect directly to these URLs or SSH directly until you set up a proxy connection through the bastion host on your client computer. For more information, see [Connect to EthStats and EthExplorer Using the Bastion Host](blockchain-bastion-host-connect.md).  
![\[CloudFormation console showing Ethereum network stack details and output URLs.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/stack-urls.png)

# Connect to EthStats and EthExplorer Using the Bastion Host


To connect to Ethereum resources in this tutorial, you set up SSH port forwarding (SSH tunneling) through the bastion host. The following instructions demonstrate how to do this so that you can connect to EthStats and EthExplorer URLs using a browser. In the instructions below, you first set up a SOCKS proxy on a local port. You then use a browser extension, [FoxyProxy](https://getfoxyproxy.org/), to use this forwarded port for your Ethereum network URLs.

If you use Mac OS or Linux, use an SSH client to set up the SOCKS proxy connection to the bastion host. If you are a Windows user, use PuTTY. Before you connect, confirm that the client computer you are using is specified as an allowed source for inbound SSH traffic in the security group for the Application Load Balancer that you set up earlier.

**To connect to the bastion host with SSH port forwarding using SSH**
+ Follow the procedures in [Connecting to Your Linux Instance Using SSH](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html) in the *Amazon EC2 User Guide*. For step 4 of the [Connecting to Your Linux Instance](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AccessingInstancesLinux.html#AccessingInstancesLinuxSSHClient) procedure, add `-D 9001` to the SSH command, specify the same key pair that you specified in the AWS Blockchain Template for Ethereum configuration, and specify the DNS name of the bastion host.

  ```
  ssh -i /path/my-template-key-pair.pem ec2-user@bastion-host-dns -D 9001
  ```

**To connect to the bastion host with SSH port forwarding using PuTTY (Windows)**

1. Follow the procedures in [Connecting to Your Linux Instance from Windows Using PuTTY](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html) in the *Amazon EC2 User Guide* through step 7 of the [Starting a PuTTY Session](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html#putty-ssh) procedure, using the same key pair that you specified in the AWS Blockchain Template for Ethereum configuration.

1. In PuTTY, under **Category**, choose **Connection**, **SSH**, **Tunnels**.

1. For **Port forwarding**, choose **Local ports accept connections from other hosts**.

1. Under **Add new forwarded port**:

   1. For **Source port**, enter **9001**. This is an arbitrary unused port that we chose, and you can choose a different one if necessary.

   1. Leave **Destination** blank.

   1. Select **Dynamic**.

   1. Choose **Add**.

   For **Forwarded ports**, **D9001** should appear as shown below.  
![\[PuTTY Configuration window showing SSH port forwarding options with D9001 listed.\]](http://docs.aws.amazon.com/blockchain-templates/latest/developerguide/images/putty.png)

1. Choose **Open** and then authenticate to the bastion host as required by your key configuration. Leave the connection open.

With the PuTTY connection open, you now configure your system or a browser extension to use the forwarded port for your Ethereum network URLs. The following instructions are based on using FoxyProxy Standard to forward connections based on the URL pattern of EthStats and EthExplorer and port 9001, which you established earlier as the forwarded port, but you can use any method that you prefer.

**To configure FoxyProxy to use the SSH tunnel for Ethereum network URLs**

This procedure was written based on Chrome. If you use another browser, translate the settings and sequence to the version of FoxyProxy for that browser.

1. Download and install the FoxyProxy Standard browser extension, and then open **Options** according to the instructions for your browser.

1. Choose **Add New Proxy**.

1. On the **General** tab, make sure that the proxy is **Enabled** and enter a **Proxy Name** and **Proxy Notes** that help you identify this proxy configuration.

1. On the **Proxy Details** tab, choose **Manual Proxy Configuration**. For **Host or IP Address** (or **Server or IP Address** in some versions), enter *localhost*. For **Port**, enter *9001*. Select **SOCKS Proxy?**.

1. On the **URL Pattern** tab, choose **Add New Pattern**.

1. For **Pattern name**, enter a name that's easy to identify, and for **URL Pattern**, enter a pattern that matches all Ethereum resource URLs you created with the template, for example **http://internal-MyUser-LoadB-\***. For information on viewing URLs, see [Ethereum URLs](blockchain-templates-create-stack.md#ethereum-urls).

1. Leave the default selections for other settings and choose **Save**.

You are now able to connect to the Ethereum URLs, which are available in the CloudFormation console on the **Outputs** tab of the root stack that you created with the template.
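
`ssh -D 9001` binds the SOCKS listener to the loopback interface by default, while the PuTTY option **Local ports accept connections from other hosts** binds it to all interfaces, so other machines on the client's network can reach the proxy and, through it, the internal load balancer. The following added example (not part of the AWS documentation) classifies the listeners on port 9001 from `netstat -an` or `ss -ltn` output; both captures are constructed samples.

```python
"""Classify who can reach the local SOCKS listener (added example)."""

LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}
TUNNEL_PORT = 9001  # the forwarded port chosen in the tutorial

# Constructed sample: `netstat -an` on Windows with the PuTTY option
# "Local ports accept connections from other hosts" selected.
WINDOWS_SHARED = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9001           0.0.0.0:0              LISTENING
"""

# Constructed sample: `ss -ltn` on Linux after `ssh ... -D 9001`.
LINUX_DEFAULT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128         127.0.0.1:9001       0.0.0.0:*
LISTEN  0       128             [::1]:9001          [::]:*
LISTEN  0       128           0.0.0.0:22         0.0.0.0:*
"""


def listen_addresses(text, port=TUNNEL_PORT):
    """Return the local addresses of all listening sockets on the port.

    Accepts the address:port form (Windows, Linux) and the address.port
    form (macOS netstat). Only lines in a LISTEN/LISTENING state count.
    """
    suffixes = (f":{port}", f".{port}")
    found = []
    for line in text.splitlines():
        fields = line.split()
        if not any(f.upper().startswith("LISTEN") for f in fields):
            continue
        for field in fields:
            if field.endswith(suffixes):
                # Drop the separator and the port, keep the address part.
                found.append(field[:-(len(str(port)) + 1)])
                break
    return found


def exposed_addresses(text, port=TUNNEL_PORT):
    """Listener addresses on the port that are not loopback-only."""
    return [a for a in listen_addresses(text, port) if a not in LOOPBACK]


if __name__ == "__main__":
    for label, capture in (("PuTTY, shared", WINDOWS_SHARED),
                           ("ssh -D default", LINUX_DEFAULT)):
        exposed = exposed_addresses(capture)
        verdict = f"reachable from other hosts via {exposed}" if exposed \
            else "loopback only"
        print(f"{label}: port {TUNNEL_PORT} is {verdict}")
```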

# Clean Up Resources


CloudFormation makes it easy to clean up resources that the stack created. When you delete the stack, all resources that the stack created are deleted.

**To delete resources that the template created**
+ Open the CloudFormation console, select the root stack that you created earlier, choose **Actions**, **Delete**.

  The **Status** of the root stack you created earlier and the associated nested stacks update to **DELETE_IN_PROGRESS**.

You may choose to delete the prerequisites you created for the Ethereum network.

**Delete the VPC**
+ Open the Amazon VPC console, select the VPC you created earlier and then choose **Actions**, **Delete VPC**. This also deletes the subnets, security groups, and the NAT gateway associated with the VPC.

**Delete the IAM role and EC2 instance profile**
+ Open the IAM console and choose **Roles**. Select the role for ECS and the role for EC2 that you created earlier and choose **Delete**.

**Terminate the EC2 instance for the bastion host**
+ Open the Amazon EC2 dashboard, choose **Running instances**, select the EC2 instance that you created for the bastion host, choose **Actions**, **Instance State**, **Terminate**.