In the past, connecting to EC2 instances in private subnets without a public IPv4 address required bastion hosts, NAT gateways, or similar components. That approach introduced operational overhead, additional cost, and extra attack surface to manage. AWS has since introduced EC2 Instance Connect Endpoint, which lets you establish SSH and RDP connectivity to instances without public IP addresses or bastion hosts. In this blog post, we will look at how EC2 Instance Connect Endpoint works and how to set it up for your instances.
Prerequisites:
EC2 instance in a private subnet
SSH key (.pem file) provided by AWS
AWS CLI (latest version)
EC2 Instance Connect Endpoint
Creating EC2 Instance Connect Endpoint:
Go to the VPC console, select "Endpoints," and click on "Create endpoint."
Provide a name for the endpoint and select "EC2 Instance Connect Endpoint" under the Service category.
Choose your VPC and security groups.
Select the subnet in which the EC2 Instance Connect Endpoint should be created.
Creating IAM User and Permissions:
Go to the IAM dashboard and create a new user.
Add the permissions needed to use EC2 Instance Connect Endpoint. You can either write an inline policy or start from the sample JSON policy provided by AWS. The sample below restricts the OpenTunnel action to one endpoint, to port 22, to two private IP addresses (10.0.1.0/31) and to tunnels of at most 60 seconds; adjust these values to your own endpoint and instances.
Sample policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2InstanceConnect",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Effect": "Allow",
      "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef",
      "Condition": {
        "NumericEquals": {
          "ec2-instance-connect:remotePort": "22"
        },
        "IpAddress": {
          "ec2-instance-connect:privateIpAddress": "10.0.1.0/31"
        },
        "NumericLessThanEquals": {
          "ec2-instance-connect:maxTunnelDuration": "60"
        }
      }
    },
    {
      "Sid": "Describe",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Install the latest AWS CLI.
Configure the AWS CLI with the credentials of the user you created.
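To see what the three conditions in the sample policy actually constrain, here is an added Python check (example code, not from this post or from AWS) that evaluates a proposed open-tunnel request against that policy the way IAM evaluates NumericEquals, IpAddress and NumericLessThanEquals; the endpoint ARN is the placeholder from the policy, and Deny statements are not modelled.

```python
import ipaddress

# Constructed copy of the OpenTunnel statement from the sample policy above,
# keeping its placeholder endpoint ARN.
EICE_ARN = "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "EC2InstanceConnect",
        "Action": "ec2-instance-connect:OpenTunnel",
        "Effect": "Allow",
        "Resource": EICE_ARN,
        "Condition": {
            "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
            "IpAddress": {"ec2-instance-connect:privateIpAddress": "10.0.1.0/31"},
            "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "60"},
        },
    }],
}


def _condition_true(operator, key, wanted, request):
    """Evaluate one condition entry; a request that lacks the key never matches."""
    if key not in request:
        return False
    value = request[key]
    if operator == "NumericEquals":
        return int(value) == int(wanted)
    if operator == "NumericLessThanEquals":
        return int(value) <= int(wanted)
    if operator == "IpAddress":
        return ipaddress.ip_address(value) in ipaddress.ip_network(wanted, strict=False)
    raise ValueError(f"unsupported condition operator: {operator}")


def tunnel_allowed(policy, endpoint_arn, request):
    """True if an Allow statement grants OpenTunnel on this endpoint with
    every condition satisfied. request maps condition keys to the values
    the caller asks for (remote port, target private IP, tunnel duration)."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "ec2-instance-connect:OpenTunnel" not in actions:
            continue
        if stmt["Resource"] not in ("*", endpoint_arn):
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_true(op, key, wanted, request)
               for op, pairs in conditions.items() for key, wanted in pairs.items()):
            return True
    return False
```

Running it with a port-3389 request, an address outside 10.0.1.0/31, or a 3600-second tunnel returns False, which is exactly the least-privilege boundary the policy draws.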
Connecting to Your Linux Instance Using SSH
To connect to your Linux instance, use SSH with the following command:
ssh -i my-key-pair.pem ec2-user@i-0123456789 -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-0123456789'
Explanation of the command:
-i: Specify the key pair that was used to launch the instance.
ec2-user@i-0123456789: Specify the username of the instance and the instance ID.
--instance-id: Specify the ID of the instance to connect to.
Note: If you see the error message "kex_exchange_identification: Connection closed by remote host / Connection closed by UNKNOWN port 65535", check the security group assigned to the EC2 instance: its inbound rule for port 22 must allow traffic from the security group attached to the EC2 Instance Connect Endpoint.
Limitations of EC2 Instance Connect Endpoint:
- IPv6 addresses are not supported.
- The EC2 instance and the EC2 Instance Connect Endpoint must be in the same VPC when client IP preservation is enabled.
- Client IP preservation is not supported when traffic is routed through an AWS Transit Gateway.
- Some instance types do not support client IP preservation.
Conclusion:
EC2 Instance Connect Endpoint provides a convenient and secure way to connect to EC2 instances in private subnets without the need for public IP addresses or bastion hosts. By following the steps outlined in this blog post, you can set up EC2 Instance Connect Endpoint and establish SSH connectivity to your instances. Remember to review the limitations and ensure your instances and security groups are properly configured.
If you have suggestions, please feel free to comment. Your feedback is valuable and appreciated.