All you need to know about AWS EC2 Instance Connect Endpoint

Juan Manuel Orellanos Marino, Globant
Feb 21, 2024

In June 2023, AWS announced a new feature called EC2 Instance Connect Endpoint. This feature allows secure connections to EC2 instances in private subnets without the need to jump through hosts or bastion servers. With EC2 Instance Connect, there is no longer a requirement for a public IP address or an Internet Gateway (IGW) in the Virtual Private Cloud (VPC). It eliminates the need for any agent to connect to AWS resources.

In this article, we provide a step-by-step guide to using an EC2 Instance Connect Endpoint (EIC Endpoint) to reach Amazon Elastic Compute Cloud (Amazon EC2) instances in private subnets, connecting securely from the Internet. EIC Endpoint combines identity-based and network-based access controls, providing the isolation, control, and logging needed to meet your organization’s security requirements.

Furthermore, we will review the AWS Instance Connect Endpoint and the different ways to use it.

Prerequisites

  • You must have the required IAM permission to connect to an EC2 Instance Connect Endpoint.
  • The EC2 Instance Connect Endpoint must be in the Available (console) or create-complete (AWS CLI) state.
  • Ensure that the security group of the instance that you want to connect to is configured correctly for inbound traffic.
  • If you’re using the AWS CLI, make sure that you have configured the AWS CLI, including the credentials that it uses, and that you’re using the latest version of the AWS CLI.

For additional details, see the Prerequisites page of the AWS documentation.

Creating an AWS Instance Connect Endpoint

Now we are going to review the process of creating an AWS Instance Connect Endpoint. In the following sections, we will go through all the steps to set it up and test it.

Creating the test environment

To test the EC2 Instance Connect Endpoint, I created a test environment. My AWS environment has one private subnet. I have launched an EC2 instance in the private subnet, as shown in Figure 1:

Figure 1 — Instance view of a private subnet

Create an EC2 Instance Connect Endpoint

In this section, we are going to create an EC2 Instance Connect Endpoint step by step in our test environment. Open the Amazon VPC console. Then, in the left navigation pane, choose Endpoints. Choose “Create endpoint”, as shown in Figure 2:

Figure 2 — View of the endpoint configuration

Select the VPC in which you want to create the endpoint. Then, select the subnet where your EC2 instance is running, and select the security group to associate with the endpoint. If you don’t select a security group, the default security group for your VPC will be associated with the endpoint, as shown in Figure 3:

Figure 3 — View with the security group of the configuration of the endpoint

Note: The initial status of the endpoint creation is Pending. Before you can connect to an instance using this endpoint, wait until the status is Available. This process can take a few minutes to finish. When the endpoint is created, it appears as shown in Figure 4:

Figure 4 — View of the endpoint with available status

Connecting to the EC2 Linux instance in the private subnet using the Amazon EC2 console

In this section, we are going to connect to an EC2 instance in a private subnet in our test environment through the EC2 Instance Connect Endpoint created previously. Open the Amazon EC2 console. In the navigation pane, choose Instances. Select the instance that we created, and in the Actions menu, select Connect, as shown in Figure 5:

Figure 5 — View to establish an EC2 instance connection

Select the “EC2 Instance Connect” tab. For the Connection type, select “Connect using EC2 Instance Connect Endpoint”. For the User name, verify the username (for the EC2 instance, it must be “ec2-user”). For “EC2 Instance Connect Endpoint”, select the EC2 Instance Connect Endpoint created previously in the instance’s VPC, as shown in Figure 6:

Figure 6 — View to connect to an EC2 instance using the EC2 Instance Connect Endpoint

Finally, select Connect to open a terminal window. We are now connected over SSH to the EC2 instance’s private IP through the EC2 Instance Connect Endpoint, as shown in Figure 7:

Figure 7 — View the connection made using the Web Console using EC2 Instance Connect Endpoint

Connecting to the EC2 Linux instance in the private subnet using SSH

We can also use SSH to connect to a Linux instance in a private subnet, using the open-tunnel command as an SSH ProxyCommand to establish a private tunnel through the endpoint. I used the command below to connect to the Linux instance in the private subnet:

    ssh -i my-key-pair.pem ec2-user@i-0123456789example \
        -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-0123456789example'

Let’s review the command parameters in use:

-i – Sets the private key of the key pair that was used to launch the instance.

ec2-user@i-0123456789example – The username of the AMI that was used to launch the instance, followed by the instance ID.

--instance-id – Sets the ID of the instance to connect to. Alternatively, specify %h, which ssh expands to the host part of user@host, i.e. the instance ID.

This is an example of a single connection to an instance using SSH and the open-tunnel command.

I used my Instance ID, as shown in Figure 8:

Figure 8 — View of the connection made using ssh and the open-tunnel command.
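The same workflow as a script, as an added example that is not part of the original article: it creates the endpoint with the AWS CLI, polls until the state is create-complete, and then opens SSH through it. The subnet, security group and key names are placeholders; the instance ID validation and the pinned endpoint ID and remote port are my additions, not something the article prescribes.

```shell
#!/bin/sh
# Added example: create an EC2 Instance Connect Endpoint, wait for it, SSH through it.
# Assumed placeholders (not real resources): subnet-PLACEHOLDER, sg-PLACEHOLDER,
# i-0123456789example (the article's sample ID) and my-key-pair.pem.
set -eu

# Accept only well-formed instance IDs before passing them to ssh/aws.
valid_instance_id() {
    printf '%s\n' "$1" | grep -Eq '^i-[0-9a-z]{8,17}$'
}

# Build the ssh ProxyCommand. %h is expanded by ssh to the host part of
# user@host (the instance ID); pinning the endpoint ID and port 22 keeps the
# tunnel on the endpoint we created and on SSH only.
proxy_command() {
    printf 'aws ec2-instance-connect open-tunnel --instance-id %%h --instance-connect-endpoint-id %s --remote-port 22' "$1"
}

# Create the endpoint in the instance's subnet with an explicit security group
# (otherwise the VPC default group is used) and print its ID.
create_endpoint() {
    aws ec2 create-instance-connect-endpoint --subnet-id "$1" \
        --security-group-ids "$2" \
        --query 'InstanceConnectEndpoint.InstanceConnectEndpointId' --output text
}

# Poll until the endpoint reaches create-complete; stop on create-failed.
wait_for_endpoint() {
    while :; do
        state=$(aws ec2 describe-instance-connect-endpoints \
            --instance-connect-endpoint-ids "$1" \
            --query 'InstanceConnectEndpoints[0].State' --output text)
        case "$state" in
            create-complete) return 0 ;;
            create-failed)   echo "endpoint $1 failed to create" >&2; return 1 ;;
            *)               sleep 10 ;;
        esac
    done
}

# Guarded so the functions can be sourced or tested without calling AWS.
if [ "${EICE_DEMO_RUN:-0}" = "1" ]; then
    INSTANCE_ID="i-0123456789example"
    valid_instance_id "$INSTANCE_ID" || { echo "bad instance id" >&2; exit 1; }
    EICE_ID=$(create_endpoint "subnet-PLACEHOLDER" "sg-PLACEHOLDER")
    wait_for_endpoint "$EICE_ID"
    ssh -i my-key-pair.pem -o ProxyCommand="$(proxy_command "$EICE_ID")" "ec2-user@$INSTANCE_ID"
fi
```

Run it with EICE_DEMO_RUN=1 after replacing the placeholders; the caller needs the ec2:CreateInstanceConnectEndpoint and ec2-instance-connect:OpenTunnel permissions.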

Summary

We have successfully created and used an EC2 Instance Connect Endpoint to securely connect to our EC2 instances using SSH. EC2 Instance Connect Endpoint simplifies, and improves the security of, SSH connections to private EC2 instances.

Using bastion hosts involves the operational overhead of patching, managing, and auditing, as well as additional costs. EC2 Instance Connect Endpoint eliminates the cost and operational overhead of maintaining bastion hosts, offering a comprehensive solution that delivers the isolation, control, and detailed logging necessary to fulfill an organization’s security requirements.
