Remotely Connect to Your Instances without a Public IP Address
We’re using bastion hosts to connect our EC2 instances via SSH or RDP for years. Using these hosts causes operational challenges (updates, additional configurations, audits, etc.) and additional costs. In addition to hosts, AWS has two different solutions to connect your instances. The first solution is AWS Instance Connect, but we need a public IP address to use it. The second solution is System Manager, but we need agent-based connectivity.
🌹 From now on, we’re able to use EC2 Instance Connect for all remote connections without public Ips, Internet Gateways, and bastion hosts.
EC2 Instance Connect combines authorization with IAM restrictions and network controls with security group rules. This feature is also auditable with AWS CloudTrail. Today, we will configure and understand the EC2 Instance Connect Endpoint step by step. Let’s start together! ⛅️
Step 1: IAM Permissions to use EC2 Instance Connect Endpoint
First of all, to create an EC2 Instance Connect Endpoint, you need these permissions:
- ec2:CreateInstanceConnectEndpoint
- ec2:CreateNetworkInterface
- ec2:CreateTags
- iam:CreateServiceLinkedRole
You can do some restrictions about EC2 Instance Connect remote port, your EC2 private IP address, or tunnel duration that we’ve built between EC2 Instance Connect and your instance. You can see all example policies and scenarios that are related to IAM from here.
Step 2: Security Groups Configurations
- For the EC2 Instance Connect Endpoint, AWS recommends outbound rule should allow outbound traffic to the specified destination (specific security group of your EC2 instances).
Outbound rules for EIC
- For your resources, if the preservation of client IP is set to false in the EIC configuration, you should allow inbound traffic from the EIC security group and inbound traffic from the VPC CIDR. For other preservation issues, you can check this documentation.
Inbound rules
Step 3: Create EC2 Instance Connect Endpoint
For creation, you should VPC à Endpoints and select “Create Endpoint”. Your endpoint and resources should be in the same VPC.
Create EC2 Instance Connect Endpoint
You should select private subnet and the security group that you’ve created. If you select subnet in different availability zone from your resources, additional data transfer costs can occur.
Security Group of EIC
After that, you need to wait until the status is “Available”. You can create 1 EC2 Instance Connect Endpoint per VPC & per subnet.
EIC Status
Step 4: Connect your EC2 Instance
From AWS Console, you need to select EC2 Instance Connect Endpoint.
We got a successful connection!
From our client, you can use this command:
ssh -i ‘key_file’ ubuntu@instance_id -o ProxyCommand=’aws ec2-instance-connect open-tunnel — instance-id instance_id’
We got successful connection again!
🫠 Advantages of using EC2 Instance Connect Endpoint:
- We do not need agent configuration.
- We do not need publicly accessible resources.
- We can audit all connections via AWS CloudTrail.
- No additional cost, we only pay for the data transfer.
Thanks for reading! Stay safe in the cloud! 👻