How to SSH into an EC2 instance using EC2 instance Connect (EIC) Endpoint

Peter
8 min read · Oct 24, 2023


AWS recently released a new feature that lets you SSH into any EC2 instance in any subnet (public or private) of your VPC with a single CLI command. It makes use of the EC2 Instance Connect (EIC) Endpoint service. This feature simplifies the way you SSH into an EC2 instance, especially one in a private subnet. We will go through the setup steps. These steps are as follows:

I. Create a VPC with public and Private Subnets

Our Reference Architecture

We will use the reference architecture above for our VPC.

This VPC will be created in us-east-1 (N. Virginia). From AWS management console,

  • Select VPC -> Create VPC,
  • Enter the VPC name and the IPv4 CIDR block address
  • then click Create VPC.
  • Next, we will enable “DNS hostnames”: go to Actions -> Edit VPC settings
  • Check the box “Enable DNS hostnames” and save.

=> INTERNET GATEWAY

For our VPC to access the internet, we will create an internet gateway. From the left side, select Internet gateways (make sure to filter by our VPC).

  • Enter the name and click Create internet gateway
  • Attach this internet gateway to our VPC, Go to Action -> Attach to VPC
  • We select our VPC from the dropdown list and confirm (you will only see the VPCs that are not attached to any internet gateway).

=> SUBNETS

We will create our public and private subnets across 2 different AZs (us-east-1a, us-east-1b).

  • On your left side, select Subnet -> Create subnet.
  • We select our VPC from the dropdown list
  • Enter the subnet name (in our case “Public Subnet 1”)
  • Select the availability zone
  • Enter the IPv4 subnet CIDR block and click on Create subnet
  • Follow the same steps above to create the other subnets (Public Subnet 2, Private Subnet 1, Private Subnet 2)
  • We will enable the auto-assign IP settings in the public subnets (this will enable any ec2 instance launched in these subnets to be assigned a public IPv4 address.)
  • Select “Public Subnet 1”
  • From Actions, select Edit subnet settings
  • Under Auto-assign IP settings, check the box “Enable auto-assign public IPv4 address” and save.
  • Repeat the steps above for the second public subnet “Public Subnet 2”

=> Public Route Table

We are now going to create a route table and add a public route that will route traffic to the internet.

  • On your left side, select Route tables -> Create route table.
  • Enter the name (in our case “Public Route Table”)
  • Select our VPC from the dropdown list
  • Click on Create route table

To add a public route,

  • Select the “Public Route Table”
  • On Routes tab, go to Edit routes
  • Click on Add route, enter “0.0.0.0/0” for destination, “MPN Internet Gateway” for target and click on Save changes

=> NAT Gateways

We are now going to create 2 NAT gateways in different AZs. Our private subnets will access the internet through these NAT gateways.

  • On your left side, select NAT gateways -> Create NAT gateways.
  • Enter the name (in our case “Nat Gateway A”)
  • Select from the dropdown list the subnet that will hold this NAT gateway (in our case “Public Subnet 1”)
  • Select Public in Connectivity type
  • Click on Allocate Elastic IP and click on Create NAT gateway
  • Repeat the same steps above to create the second NAT gateway “Nat Gateway B” in the subnet “Public Subnet 2”

=> Private Route Table

We are now going to create 2 private route tables and add a route to each that will route traffic to the internet through the NAT gateways.

  • On your left side, select Route tables -> Create route table.
  • Enter the name (in our case “Private Route Table A”)
  • Select your VPC from the dropdown list
  • Click on Create route table
  • Repeat the process to create the second route table “Private Route Table B”

=> We now add a route to the 2 private route tables:

  • Private Route Table A with target as Nat Gateway A and destination 0.0.0.0/0
  • Private Route Table B with target as Nat Gateway B and destination 0.0.0.0/0

Our VPC is now ready.

  • Follow the same steps above to create our second public subnet (Public Subnet B) in AZ “us-east-1b” with IPv4 subnet CIDR block “10.0.1.0/24”

II. Install the latest version of AWS CLI on our computer

  • Search “AWS CLI download” in google or access the webpage here
  • Select your operating system and download the installer
  • Or we can simply run the msiexec command in a CLI:

C:\> msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi

  • Once installation is complete, we can verify it’s installed by running the command C:\> aws --version

III. Create 2 IAM policies, one that allows users to create, describe, and delete EIC Endpoints, and another that allows users to use the EIC Endpoints.

  • From AWS management console, search for IAM and click
  • On the IAM Dashboard, click on Policies > Create policy
  • On Policy editor, click on JSON and delete the content we find there
  • From the AWS documentation site here, copy the JSON script under the topic “Allow users to create, describe, and delete EC2 Instance Connect Endpoints” and paste it in the policy editor
  • On line 13, update the region and account-id with our region and aws account-id respectively
  • Click Next and enter the policy name (create-eic-endpoint)
  • Scroll down and click create.
  • Repeat the process to create a policy named (use-eic-endpoint), this time copying the JSON script under the topic “Allow users to connect only from a specified source IP address range” and pasting it in the policy editor.
  • On line 7, update the region and account-id with our region and AWS account-id respectively
  • On line 13, remove the eice-123456789abcdef id and replace with a “*”
  • Delete the Condition portion (from line 8 to 18). Note that this Condition is what restricts connections to the specified source IP range; once it is removed, the policy allows the user to connect from any source IP.
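To make the effect of the edits in step III concrete, here is an added example (not from the article or from AWS): it applies the “update region/account-id”, “Resource = *” and “delete the Condition” edits to a policy skeleton and evaluates whether an OpenTunnel call from a given source IP would be allowed before and after. The skeleton is constructed to mirror the shape of the AWS example (it is not a copy of it), and the region, account ID, endpoint ID and CIDR are placeholders.

```python
import copy
import ipaddress

REGION, ACCOUNT_ID = "us-east-1", "111122223333"  # placeholders, not a real account

# Constructed template mirroring the shape of the AWS doc example the article
# edits: OpenTunnel on one endpoint ARN, restricted to a source IP range.
USE_EICE_TEMPLATE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EC2InstanceConnect",
        "Effect": "Allow",
        "Action": "ec2-instance-connect:OpenTunnel",
        "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
}

def fill_placeholders(policy, region, account_id):
    """The article's 'update the region and account-id' step, applied to each Resource ARN."""
    policy = copy.deepcopy(policy)
    for stmt in policy["Statement"]:
        arn = stmt["Resource"].replace(":region:", f":{region}:", 1)
        stmt["Resource"] = arn.replace(":account-id:", f":{account_id}:", 1)
    return policy

def widen_as_in_article(policy):
    """The article's remaining edits: Resource becomes '*' and the Condition block is deleted."""
    policy = copy.deepcopy(policy)
    for stmt in policy["Statement"]:
        stmt["Resource"] = "*"
        stmt.pop("Condition", None)
    return policy

def open_tunnel_allowed(policy, source_ip, endpoint_arn):
    """Minimal evaluator for this one action: Allow when a statement names the
    endpoint (or '*') and its optional aws:SourceIp condition matches. Not full IAM logic."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or stmt["Action"] != "ec2-instance-connect:OpenTunnel":
            continue
        if stmt["Resource"] not in ("*", endpoint_arn):
            continue
        cidr = stmt.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp")
        if cidr is None or ipaddress.ip_address(source_ip) in ipaddress.ip_network(cidr):
            return True
    return False
```

With the Condition kept, a call from outside 203.0.113.0/24 is denied; after the article's edits the same call is allowed from anywhere and against any endpoint.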

IV. Create an IAM user that has an access key and secret access key, and attach the policies to the user

  • While in the IAM dashboard, click on Users > Create User
  • Enter user name and click next
  • Under Permissions options, select “Attach policies directly”
  • Select the 2 policies we created previously and AdministratorAccess
  • Click Next then Create user
  • Next we will create access key and secret access key
  • Click on the user we previously created, go to the Security credentials tab and click “Create access key”
  • Select “Command Line Interface (CLI)”, scroll down and check “Confirmation”, then click Next and Create access key
  • Download the .csv file and store in a secure location

V. Configure the IAM user’s credentials on our computer with the command “aws configure”

  • Open the terminal (we will use PowerShell)
  • Type the command “aws configure” and press Enter
  • Next enter the Access Key ID, then the Secret Access Key, then your default region and output format.

VI. Verify OpenSSH is installed on our computer

To verify OpenSSH is present on our computer, run the command “ssh -V”

VII. Create 2 security groups (SG) in our VPC

We will create 2 security groups:

  • EIC-ENDPOINT SG: Open outbound traffic on port 22 (SSH) with the VPC IPv4 CIDR block address as the destination
  • EC2-INSTANCE SG: Open inbound traffic on port 22 with the EIC-ENDPOINT SG as the source

To create a security group, on the AWS management console, access EC2 dashboard

  • On your left side, select Security groups -> Create security group.
  • Enter the name and description (in our case “EIC-ENDPOINT SG”), we can use the same name for the description
  • Delete the default selected VPC and select your VPC from the dropdown list
  • In Outbound rules, click Add rule and input Type = “SSH”, Destination = our VPC IPv4 CIDR block address
  • Click Create security group to save
  • Repeat the same steps to create the second SG “EC2-INSTANCE SG”, this time adding an inbound rule with Type = “SSH” and Source = the “EIC-ENDPOINT SG”
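As an added check for step VII (example code, not from the article), the function below audits the two security groups against the design just described: the endpoint SG may send SSH only to the VPC CIDR, and the instance SG may accept SSH only from the endpoint SG, never from a CIDR. It runs over a constructed sample in the JSON shape that `aws ec2 describe-security-groups` returns; the group IDs and the VPC CIDR are placeholders.

```python
VPC_CIDR = "10.0.0.0/16"  # placeholder for the VPC IPv4 CIDR block

# Constructed sample in the shape of `aws ec2 describe-security-groups` output
# (group IDs are placeholders). It matches the article's two-group design.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa000000000001", "GroupName": "EIC-ENDPOINT SG",
     "IpPermissions": [],
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                              "IpRanges": [{"CidrIp": VPC_CIDR}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbb000000000002", "GroupName": "EC2-INSTANCE SG",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0aaa000000000001"}]}],
     "IpPermissionsEgress": []},
]

def _rules_covering_ssh(perms):
    """Rules whose protocol/port range includes TCP 22 ('-1' means all traffic)."""
    return [p for p in perms
            if p.get("IpProtocol") in ("tcp", "-1")
            and p.get("FromPort", 0) <= 22 <= p.get("ToPort", 65535)]

def check_eice_groups(groups, vpc_cidr):
    """Return findings (an empty list means the groups match the article's design)."""
    by_name = {g["GroupName"]: g for g in groups}
    endpoint_sg = by_name.get("EIC-ENDPOINT SG")
    instance_sg = by_name.get("EC2-INSTANCE SG")
    if endpoint_sg is None or instance_sg is None:
        return ["both EIC-ENDPOINT SG and EC2-INSTANCE SG must exist"]
    findings = []
    # Endpoint SG: outbound SSH only to the VPC CIDR, no wider destination.
    for rule in _rules_covering_ssh(endpoint_sg["IpPermissionsEgress"]):
        for r in rule.get("IpRanges", []):
            if r["CidrIp"] != vpc_cidr:
                findings.append(f"endpoint SG allows SSH out to {r['CidrIp']}, expected {vpc_cidr}")
    # Instance SG: inbound SSH must come from the endpoint SG, never from a CIDR.
    ssh_in = _rules_covering_ssh(instance_sg["IpPermissions"])
    if not any(p["GroupId"] == endpoint_sg["GroupId"]
               for rule in ssh_in for p in rule.get("UserIdGroupPairs", [])):
        findings.append("instance SG has no SSH ingress rule with the endpoint SG as source")
    for rule in ssh_in:
        for r in rule.get("IpRanges", []):
            findings.append(f"instance SG allows SSH from CIDR {r['CidrIp']}; use the endpoint SG as source")
    return findings
```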

VIII. Create an EC2 Instance Connect Endpoint. Make sure we are in the VPC console,

  • On your left, select Endpoints > Create endpoints
  • Give the endpoint a name
  • Under Service category, select “EC2 instance Connect Endpoint”
  • Under VPC, select our VPC from the dropdown list
  • Under Security groups, select the “EIC-ENDPOINT SG” security group we previously created
  • Under subnet, select a subnet from the dropdown list in our VPC architecture
  • Click create endpoint
  • Wait for the status to change to “Available”

IX. Launch an EC2 instance in a private subnet within our VPC

All the previous steps (I to VIII) are done once; now we can launch any EC2 instance and SSH into it without needing a key pair. We will launch an EC2 instance in a private subnet. Make sure to be in the EC2 dashboard console,

  • On the left, click on Instances, then Launch instance
  • Give an instance a name
  • Under Quick Start, select Amazon Linux and AMI = Amazon Linux 2023 AMI
  • Instance type = t2.micro
  • Under Key pair, from the dropdown select “Proceed without a key pair”
  • Under Network settings, click on Edit
  • Select VPC
  • Subnet => Private Subnet 1
  • Under Firewall, choose “Select existing security group” and select the EC2-INSTANCE SG
  • Scroll down and click Launch instance.

X. Connect to the EC2 instance

There are 2 ways to SSH: using the management console and using the CLI.

Using the management console, to SSH to our EC2 instance through the EIC endpoint:

  • From the list of running instances, select the instance we want to SSH to
  • Click on “Connect”
  • On Connection Type, select “Connect using EC2 Instance Connect Endpoint”
  • On EC2 Instance Connect Endpoint, select our endpoint ID
  • Then click on connect

From the CLI, run the following command: aws ec2-instance-connect ssh --instance-id <ec2 instance ID>

(replace the instance id with that of our ec2 instance)

This completes the steps to do. Thank you for following along with me. I hope it helps.

Connect with me on LinkedIn

Have a great day.
