Secure Connectivity from Public to Private: Introducing EC2 Instance Connect Endpoint, which supports SSH and RDP connectivity without a public IP address

Varun P M
Ankercloud Engineering
6 min read · Jul 31, 2023

Amazon EC2 Instance Connect (EIC) Endpoint is a new feature that provides a secure way to connect to our instances and other VPC resources from the internet. It eliminates the need for an Internet Gateway (IGW), a public IP address on the resource, a bastion host, or an agent on the instance to establish connectivity.

With EIC Endpoint, we can establish SSH and RDP connectivity to our EC2 instances without relying on public IP addresses. This means we can have remote connectivity to instances in private subnets without the need for public IPv4 addresses.

In the past, customers had to create bastion hosts to tunnel SSH/RDP connections to instances with private IP addresses. However, this approach required additional operational overhead for patching, managing, and auditing the bastion hosts, as well as incurring extra costs. EIC Endpoint eliminates these costs and operational burdens associated with maintaining bastion hosts.

EIC Endpoint combines AWS Identity and Access Management (IAM) based access controls with network-based controls such as security group rules: IAM decides which principals may open a tunnel, to which port and private address, and for how long, while security groups decide which traffic the endpoint and the instance accept. Every tunnel opening is recorded in AWS CloudTrail, giving an audit trail of all connections. Together these controls let customers restrict access to trusted principals and meet their organization’s security requirements.

Overall, EIC Endpoint simplifies remote connectivity to EC2 instances in private subnets, improves security, and reduces operational overhead for organizations.

How it works

First, we create an EC2 Instance Connect Endpoint in a subnet of our virtual private cloud (VPC). Then, to connect to an instance, we specify the instance ID and, optionally, the ID of the EC2 Instance Connect Endpoint to use. The endpoint acts as a private tunnel to the instance.

Once an EC2 Instance Connect Endpoint exists in a subnet, we can use it to reach any instance in any subnet of the VPC, provided the VPC’s route tables, network ACLs and security groups allow the endpoint’s subnet to communicate with the target subnet.

Step 1: IAM Permissions to use EC2 Instance Connect Endpoint
First, to create an EC2 Instance Connect Endpoint we need these permissions:

  • ec2:CreateInstanceConnectEndpoint
  • ec2:CreateNetworkInterface
  • ec2:CreateTags
  • iam:CreateServiceLinkedRole

Creating the endpoint is separate from using it. To open a tunnel, a principal needs ec2-instance-connect:OpenTunnel on the endpoint (plus ec2:DescribeInstances and ec2:DescribeInstanceConnectEndpoints so the console and CLI can look the endpoint up, and ec2-instance-connect:SendSSHPublicKey when connecting through the console, which pushes a short-lived SSH public key). OpenTunnel supports condition keys that let us restrict the remote port (ec2-instance-connect:remotePort), the private IP address of the target (ec2-instance-connect:privateIpAddress) and the maximum duration of the tunnel between the endpoint and the instance (ec2-instance-connect:maxTunnelDuration). Without these conditions, anyone holding OpenTunnel can reach any port on any instance the endpoint’s security group allows. AWS publishes example policies for these scenarios in the EC2 Instance Connect Endpoint IAM documentation.
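The three restrictions above correspond to IAM condition keys on the OpenTunnel action. The following added example (not code from the article or from AWS) writes such a least-privilege policy and runs sample open-tunnel requests through a small evaluator that implements only the subset of IAM semantics this policy needs: all conditions in a statement must match, and an explicit Deny beats any Allow. The endpoint ARN, account ID and subnet range are placeholders.

```python
import ipaddress

ACTION = "ec2-instance-connect:OpenTunnel"
# Placeholder endpoint ARN; the real one comes from describe-instance-connect-endpoints.
ENDPOINT_ARN = ("arn:aws:ec2:us-east-1:123456789012:"
                "instance-connect-endpoint/eice-0123456789example")

# Hypothetical least-privilege policy, written exactly as IAM would receive it:
# SSH only, only into the 10.0.1.0/24 subnet, tunnels capped at one hour, plus
# an explicit Deny on RDP that wins even if some other statement allows it.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SshIntoAppSubnetOnly",
            "Effect": "Allow",
            "Action": ACTION,
            "Resource": ENDPOINT_ARN,
            "Condition": {
                "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
                "IpAddress": {"ec2-instance-connect:privateIpAddress": ["10.0.1.0/24"]},
                "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "3600"},
            },
        },
        {
            "Sid": "NeverRdp",
            "Effect": "Deny",
            "Action": ACTION,
            "Resource": "*",
            "Condition": {"NumericEquals": {"ec2-instance-connect:remotePort": "3389"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator, expected, actual):
    """Subset of IAM condition operators: several expected values are OR-ed."""
    values = _as_list(expected)
    if operator == "NumericEquals":
        return any(int(actual) == int(v) for v in values)
    if operator == "NumericLessThanEquals":
        return any(int(actual) <= int(v) for v in values)
    if operator == "IpAddress":
        ip = ipaddress.ip_address(actual)
        return any(ip in ipaddress.ip_network(v, strict=False) for v in values)
    raise ValueError(f"unsupported condition operator: {operator}")


def _statement_applies(stmt, action, resource, ctx):
    """A statement applies when action, resource and every condition match."""
    if action not in _as_list(stmt["Action"]) and "*" not in _as_list(stmt["Action"]):
        return False
    if resource not in _as_list(stmt["Resource"]) and "*" not in _as_list(stmt["Resource"]):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, expected in keys.items():
            # A missing context key fails the condition (no ...IfExists here).
            if key not in ctx or not _condition_matches(operator, expected, ctx[key]):
                return False
    return True


def evaluate(policy, action, resource, ctx):
    """Return 'Allow' or 'Deny'; nothing matching is an implicit Deny."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit Deny overrides every Allow
        decision = "Allow"
    return decision


def check_open_tunnel(remote_port, private_ip, max_duration=3600):
    """Decision for one open-tunnel request against POLICY."""
    ctx = {
        "ec2-instance-connect:remotePort": remote_port,
        "ec2-instance-connect:privateIpAddress": private_ip,
        "ec2-instance-connect:maxTunnelDuration": max_duration,
    }
    return evaluate(POLICY, ACTION, ENDPOINT_ARN, ctx)


if __name__ == "__main__":
    for args in [(22, "10.0.1.15"), (3389, "10.0.1.15"),
                 (22, "10.0.2.15"), (22, "10.0.1.15", 7200)]:
        print(args, "->", check_open_tunnel(*args))
```

Only the first request (SSH, into the allowed subnet, default one-hour tunnel) is allowed; RDP is refused by the explicit Deny, a target outside 10.0.1.0/24 and a 7200-second tunnel fall through to the implicit Deny. The same requests, when made for real, show up in CloudTrail as OpenTunnel events with or without an AccessDenied error code.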

Step 2: Security Groups Configurations

  • For the EC2 Instance Connect Endpoint, AWS recommends an outbound rule that allows traffic only to the destination we intend to reach: the security group of our EC2 instances, on the ports we tunnel (22 for SSH, 3389 for RDP), rather than 0.0.0.0/0. The endpoint’s security group needs no inbound rules, because connections reach the endpoint through the EC2 Instance Connect service, not through the VPC.
Outbound rules for EIC (screenshot)

For our instances, the inbound rule depends on the endpoint’s client IP preservation setting. If preservation of client IP is set to false, the instance sees the endpoint’s private IP as the source, so we allow inbound traffic on the tunnel port from the endpoint’s security group (or, more coarsely, from the VPC CIDR). If preservation is true, the instance sees the client’s own IP address, and the inbound rule must allow those client addresses instead. The documentation on client IP preservation lists the instance types and network paths where it is not supported.

Step 3: Create EC2 Instance Connect Endpoint
In the VPC console, open Endpoints, choose “Create endpoint”, and select the EC2 Instance Connect Endpoint service category. The endpoint and the resources it reaches must be in the same VPC.

Select the private subnet and the security group created in Step 2. Placing the endpoint in a different Availability Zone from our resources works, but cross-AZ data transfer charges apply.

Then wait until the status is “Available”. An endpoint lives in a single subnet, and at the time of writing AWS allowed one EC2 Instance Connect Endpoint per VPC; check the current service quotas before relying on that limit.

Step 4: Connect to your EC2 Instance
In the EC2 console, select the instance, choose Connect, open the EC2 Instance Connect tab and choose “Connect using EC2 Instance Connect Endpoint”, then pick the endpoint created in Step 3.

We made a successful connection!

Advantages of using the EC2 Instance Connect Endpoint:

We do not require agent configuration.

We do not need publicly accessible resources.

We can audit all connections via AWS CloudTrail.

There is no additional cost; we only pay for the data transfer.
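The CloudTrail audit trail is only useful if someone reads it. As an added example (not code from the article or from AWS), the following script summarizes tunnel activity from CloudTrail records and flags the cases a reviewer would want to see: tunnels to non-SSH ports, tunnels opened outside business hours, and denied attempts, which with a policy like the one in Step 1 usually means a condition blocked them. The records are constructed for this example; their layout (eventSource ec2-instance-connect.amazonaws.com, eventName OpenTunnel, requestParameters carrying the endpoint ID, remote port, private IP and max tunnel duration, errorCode on refused attempts) is assumed to mirror real OpenTunnel events and should be checked against your own trail before reuse.

```python
import json
from collections import Counter
from datetime import datetime, timezone

EIC_SOURCE = "ec2-instance-connect.amazonaws.com"

# Constructed sample trail for this example; not real CloudTrail output. The
# field layout is assumed to follow real OpenTunnel events (check your trail).
SAMPLE_TRAIL = json.loads(r"""
{"Records": [
 {"eventTime": "2023-07-31T09:12:03Z", "eventSource": "ec2-instance-connect.amazonaws.com",
  "eventName": "OpenTunnel", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/OpsAdmin/alice"},
  "requestParameters": {"instanceConnectEndpointId": "eice-0123456789example",
   "remotePort": 22, "privateIpAddress": "10.0.1.15", "maxTunnelDuration": 3600}},
 {"eventTime": "2023-07-31T23:47:51Z", "eventSource": "ec2-instance-connect.amazonaws.com",
  "eventName": "OpenTunnel", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/OpsAdmin/bob"},
  "requestParameters": {"instanceConnectEndpointId": "eice-0123456789example",
   "remotePort": 3389, "privateIpAddress": "10.0.1.40", "maxTunnelDuration": 3600}},
 {"eventTime": "2023-07-31T10:05:00Z", "eventSource": "ec2-instance-connect.amazonaws.com",
  "eventName": "OpenTunnel", "sourceIPAddress": "198.51.100.77",
  "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/carol"},
  "errorCode": "AccessDenied",
  "requestParameters": {"instanceConnectEndpointId": "eice-0123456789example",
   "remotePort": 22, "privateIpAddress": "10.0.1.15", "maxTunnelDuration": 3600}},
 {"eventTime": "2023-07-31T08:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstanceConnectEndpoints", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/OpsAdmin/alice"},
  "requestParameters": {}}
]}
""")


def open_tunnel_events(trail):
    """Keep only tunnel openings through an EIC Endpoint, successful or denied."""
    return [r for r in trail["Records"]
            if r["eventSource"] == EIC_SOURCE and r["eventName"] == "OpenTunnel"]


def summarize(trail):
    """Who tunnelled to which private IP:port, and how many attempts were denied."""
    by_principal, by_target, denied = Counter(), Counter(), 0
    for ev in open_tunnel_events(trail):
        if "errorCode" in ev:
            denied += 1
            continue
        params = ev["requestParameters"]
        by_principal[ev["userIdentity"]["arn"]] += 1
        by_target[f'{params["privateIpAddress"]}:{params["remotePort"]}'] += 1
    return {"by_principal": dict(by_principal), "by_target": dict(by_target), "denied": denied}


def flag_events(trail, allowed_ports=(22,), business_hours=(8, 19)):
    """Return (eventTime, principal, reason) for tunnels worth a second look:
    ports other than the expected ones (e.g. RDP), openings outside business
    hours (UTC), and denied attempts, which normally mean an IAM condition fired."""
    flags = []
    for ev in open_tunnel_events(trail):
        params = ev["requestParameters"]
        who = ev["userIdentity"]["arn"]
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if "errorCode" in ev:
            flags.append((ev["eventTime"], who, f'denied: {ev["errorCode"]}'))
            continue
        if params["remotePort"] not in allowed_ports:
            flags.append((ev["eventTime"], who, f'unexpected remote port {params["remotePort"]}'))
        if not business_hours[0] <= when.hour < business_hours[1]:
            flags.append((ev["eventTime"], who, f"outside business hours ({when.hour:02d}:00 UTC)"))
    return flags


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TRAIL), indent=2))
    for flag in flag_events(SAMPLE_TRAIL):
        print(*flag, sep="  ")
```

On the sample trail the summary shows two successful tunnels (one SSH, one RDP) and one denied attempt, and the flags single out bob’s late-night RDP tunnel twice (port and hour) and carol’s AccessDenied. In production the same logic runs over the trail’s gzipped JSON objects in S3 or as an Athena query; the point is that the endpoint records every tunnel, including the ones your policy refused.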

To open a single SSH connection to an instance, run open-tunnel as the SSH ProxyCommand; the tunnel lives exactly as long as that SSH session:

  1. Open your terminal and run the following command:
ssh -i my-key-pair.pem ec2-user@i-0123456789example -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-0123456789example'

This establishes one SSH session to the specified instance: ssh hands its traffic to the open-tunnel command, which carries it to the endpoint over a WebSocket and on to port 22 of the instance.

To allow multiple connections to an instance through one tunnel listener:

  1. Open your terminal and run the following command to start listening for new TCP connections on a port of your choice (e.g., 8888) on your local machine:
aws ec2-instance-connect open-tunnel --instance-id i-0123456789example --local-port 8888

You will see the output “Listening for connections on port 8888.”

  2. In a new terminal window, run the following SSH command; each new TCP connection to the local port becomes a separate private tunnel to your instance:
ssh -i my-key-pair.pem ec2-user@localhost -p 8888

You will see the output “[1] Accepted new TCP connection, opening websocket tunnel.”

Note that while the listener runs, any process on your machine that can reach the local port gets a tunnel opened with your IAM credentials, so stop it (Ctrl+C) when you are done. Tunnels are also time-limited: --max-tunnel-duration defaults to 3600 seconds and cannot exceed that, and the maxTunnelDuration IAM condition from Step 1 can cap it further.

To connect to your Windows instance using RDP, you can follow these steps:

  1. Complete Steps 1–5 in the “Connect to your Windows instance using RDP” guide in the Amazon EC2 User Guide for Windows Instances. This guide explains how to download the RDP desktop file and get the password for the instance.
  2. After downloading the RDP desktop file, you may receive an “Unable to connect” message because your instance does not have a public IP address. This is expected.
  3. Run the following command to establish a private tunnel to the VPC in which the instance is located. Replace “i-0123456789example” with the actual instance ID and “local-port” with a local port of your choice:
aws ec2-instance-connect open-tunnel \
    --instance-id i-0123456789example \
    --remote-port 3389 \
    --local-port local-port
  4. In your Downloads folder, locate the RDP desktop file that you downloaded and drag it onto the RDP client window.
  5. Right-click the RDP desktop file and choose “Edit”.
  6. In the “Edit PC” window, enter “localhost:local-port” as the PC name, where “local-port” is the same value you used in step 3. Save the changes.
  7. In the RDP client, right-click the PC you just configured and choose “Connect” to connect to your instance.
  8. Enter the decrypted Administrator password for the instance when prompted.

These steps assume you have the IAM permissions from Step 1 and that the instance’s security group allows port 3389 from the endpoint as described in Step 2.

Billing

There is no additional cost for using EIC Endpoints; standard data transfer charges apply.

Conclusion

EIC Endpoint provides a secure way to connect via SSH or RDP to instances in private subnets without IGWs, public IPs, agents or bastion hosts. With an EIC Endpoint configured in the VPC, we can connect securely using our existing client tools, the Console or the AWS CLI, with IAM deciding who may open a tunnel and CloudTrail recording that they did.
