Remotely Connect to Your Instances without a Public IP Address (2024)

See Also

Remotely Connect to Your Instances without a Public IP Address (3)

We’re using bastion hosts to connect our EC2 instances via SSH or RDP for years. Using these hosts causes operational challenges (updates, additional configurations, audits, etc.) and additional costs. In addition to hosts, AWS has two different solutions to connect your instances. The first solution is AWS Instance Connect, but we need a public IP address to use it. The second solution is System Manager, but we need agent-based connectivity.

🌹 From now on, we’re able to use EC2 Instance Connect for all remote connections without public Ips, Internet Gateways, and bastion hosts.

Remotely Connect to Your Instances without a Public IP Address (4)

EC2 Instance Connect combines authorization with IAM restrictions and network controls with security group rules. This feature is also auditable with AWS CloudTrail. Today, we will configure and understand the EC2 Instance Connect Endpoint step by step. Let’s start together! ⛅️

Step 1: IAM Permissions to use EC2 Instance Connect Endpoint

First of all, to create an EC2 Instance Connect Endpoint, you need these permissions:

ec2:CreateInstanceConnectEndpoint
ec2:CreateNetworkInterface
ec2:CreateTags
iam:CreateServiceLinkedRole

You can do some restrictions about EC2 Instance Connect remote port, your EC2 private IP address, or tunnel duration that we’ve built between EC2 Instance Connect and your instance. You can see all example policies and scenarios that are related to IAM from here.

Step 2: Security Groups Configurations

For the EC2 Instance Connect Endpoint, AWS recommends outbound rule should allow outbound traffic to the specified destination (specific security group of your EC2 instances).

Remotely Connect to Your Instances without a Public IP Address (5)

For your resources, if the preservation of client IP is set to false in the EIC configuration, you should allow inbound traffic from the EIC security group and inbound traffic from the VPC CIDR. For other preservation issues, you can check this documentation.

Remotely Connect to Your Instances without a Public IP Address (6)

Step 3: Create EC2 Instance Connect Endpoint

For creation, you should VPC à Endpoints and select “Create Endpoint”. Your endpoint and resources should be in the same VPC.

Remotely Connect to Your Instances without a Public IP Address (7)

You should select private subnet and the security group that you’ve created. If you select subnet in different availability zone from your resources, additional data transfer costs can occur.

Remotely Connect to Your Instances without a Public IP Address (8)

After that, you need to wait until the status is “Available”. You can create 1 EC2 Instance Connect Endpoint per VPC & per subnet.

Remotely Connect to Your Instances without a Public IP Address (9)

Step 4: Connect your EC2 Instance

From AWS Console, you need to select EC2 Instance Connect Endpoint.

Remotely Connect to Your Instances without a Public IP Address (10)

We got a successful connection!

Remotely Connect to Your Instances without a Public IP Address (11)

From our client, you can use this command:

ssh -i ‘key_file’ ubuntu@instance_id -o ProxyCommand=’aws ec2-instance-connect open-tunnel — instance-id instance_id’

Remotely Connect to Your Instances without a Public IP Address (12)

We got successful connection again!

🫠 Advantages of using EC2 Instance Connect Endpoint:

We do not need agent configuration.
We do not need publicly accessible resources.
We can audit all connections via AWS CloudTrail.
No additional cost, we only pay for the data transfer.

Thanks for reading! Stay safe in the cloud! 👻

More content at PlainEnglish.io.

Sign up for our free weekly newsletter. Follow us on Twitter, LinkedIn, YouTube, and Discord.