The SSH session kept breaking. Then Mosh didn’t.
When you run applications inside a VPC private subnet, direct access isn’t simple. Firewalls, routing tables, NAT gateways—everything is locked down for security. But sometimes you still need an interactive shell that survives bad connections, network jumps, or even IP address changes. That’s where deploying Mosh through a private subnet proxy changes everything.
Mosh (Mobile Shell) is built for resilience. Instead of depending on SSH’s single long-lived TCP connection, it bootstraps the session over SSH and then keeps it alive over UDP, so roaming, packet loss, and IP changes don’t tear it down. In public networks, it’s effortless. But inside a private VPC subnet with no direct internet ingress, you have to take a different path.
The key is to create a bastion-like proxy inside the VPC, expose it to your secure entry point, and let Mosh connect through it. By setting up an EC2 instance or container with a controlled security group and port-range rules for Mosh’s UDP traffic, you can tunnel into private resources without punching unnecessary holes in the network.
Steps for Mosh VPC Private Subnet Proxy Deployment
- Provision a proxy host in the same private subnet as your targets or in a public subnet that can reach private ones.
- Harden the security group to allow Mosh’s UDP port range (default: 60000–61000) only from trusted IPs. Keep SSH open for management if needed.
- Enable IP forwarding if acting as a passthrough to other machines.
- Configure the Mosh server: install it on the target hosts, or on the proxy itself if the proxy relays connections.
- Route connections so your Mosh client commands run over the proxy. This can be done with the native mosh --ssh="ssh -J proxyuser@proxyhost" syntax or by configuring SSH jump hosts.
- Test failover by simulating network drops and observing how Mosh keeps the session alive, even across NAT hops.
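Steps 2 and 5 above are the ones most often gotten wrong, so here is an added example (not from the original post, and not hoop.dev’s code) that audits a security group’s inbound rules for the Mosh UDP range and builds the jump-host client command. The rule list mimics the IpPermissions shape returned by the AWS CLI, but every CIDR, host name and user name is constructed for the demo.

```python
"""Audit inbound rules for Mosh's UDP range and build the jump-host client command."""
import ipaddress

MOSH_PORTS = (60000, 61000)  # Mosh's default UDP port range

# Constructed: the only sources allowed to reach the Mosh range on the proxy.
TRUSTED = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.7/32")]

# Constructed inbound rules in the shape of `aws ec2 describe-security-groups`
# IpPermissions: one correct rule, one over-broad rule, one unrelated SSH rule.
RULES = [
    {"IpProtocol": "udp", "FromPort": 60000, "ToPort": 61000,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "udp", "FromPort": 60000, "ToPort": 61000,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},  # the hole the audit should flag
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
]


def overlaps_mosh(rule):
    """True if the rule opens any UDP port inside the Mosh range ("-1" = all traffic)."""
    if rule["IpProtocol"] not in ("udp", "-1"):
        return False
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return lo <= MOSH_PORTS[1] and hi >= MOSH_PORTS[0]


def is_trusted(cidr):
    """A source is trusted only if a trusted network of the same IP version contains it."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(t) for t in TRUSTED if t.version == net.version)


def audit(rules):
    """Return (cidr, from_port, to_port) for every rule exposing Mosh ports to an untrusted source."""
    findings = []
    for rule in rules:
        if not overlaps_mosh(rule):
            continue
        for key, field in (("IpRanges", "CidrIp"), ("Ipv6Ranges", "CidrIpv6")):
            for entry in rule.get(key, []):
                if not is_trusted(entry[field]):
                    findings.append((entry[field], rule.get("FromPort", 0), rule.get("ToPort", 65535)))
    return findings


def mosh_command(target, proxy, user="ec2-user", proxy_user="proxyuser"):
    """Client command that bootstraps over the SSH jump host; hosts and users are placeholders."""
    return f'mosh --ssh="ssh -J {proxy_user}@{proxy}" {user}@{target}'


if __name__ == "__main__":
    for cidr, lo, hi in audit(RULES):
        print(f"OPEN TO UNTRUSTED: udp {lo}-{hi} from {cidr}")
    print(mosh_command("10.0.2.15", "proxyhost"))
```

Run it against real output by loading the `IpPermissions` array of your proxy’s security group in place of RULES; an empty result from audit() means the Mosh range is reachable only from the trusted CIDRs.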
This approach ensures interactive command sessions stay responsive, packet loss doesn’t kill your workflow, and private VPC environments remain locked to the outside world. It’s faster than standard SSH under unstable conditions and safer than opening broad public ports.
The deployment becomes even cleaner when automated. Infrastructure-as-code templates can create the proxy, configure the network rules, and install Mosh in one run. CI/CD pipelines can spin up isolated debugging environments in seconds, with Mosh ready for private subnet access.
See this pattern in action without the boilerplate and manual wiring. hoop.dev lets you deploy an environment like this in minutes, and you can test a live Mosh VPC private subnet proxy setup without touching your existing infrastructure. It’s the fastest way to go from concept to working resilient shell in a locked-down network.