Connecting to Private EC2 Instances Using an Amazon EC2 Instance Connect Endpoint

Amazon EC2 Instance Connect (EIC) Endpoints provide a secure and seamless option for connecting to private EC2 instances. EIC endpoints can be configured using identity-based and network-based access controls, which provides more flexibility and control over the security of your VPC resources. These endpoints can also reduce administrative overhead and improve security by removing the need for a bastion host.

In this lab, you will replace a bastion host with an Amazon EC2 Instance Connect Endpoint to access a private EC2 instance. You will connect to the private instance using the AWS Management Console and the AWS CLI.

Learning objectives

Upon completion of this intermediate-level lab, you will be able to:

  • Configure an Amazon EC2 Instance Connect Endpoint
  • Access a private instance using an EC2 Instance Connect Endpoint

Familiarity with the following will be beneficial but is not required:

  • Amazon Virtual Private Cloud (VPC)
  • Amazon Elastic Compute Cloud (EC2)

Introducing Amazon EC2 Instance Connect Endpoints

Before EC2 Instance Connect Endpoints, you would need to connect to instances using a bastion host with a public IP address that could be accessed from the internet. To accomplish this, the VPC would also require an Internet Gateway (IGW) and the use of port forwarding to reach the private instance.

The diagram below illustrates a typical bastion host configuration and the starting infrastructure of this lab:

A user would connect to the bastion host via the IGW using a terminal or the EC2 Instance Connect service. The bastion host resides in a public subnet and is configured with the SSH keys needed to connect to the private instance. The bastion host would then connect to the private instance using SSH.

Not pictured in the diagram are the security groups that allow these instances to communicate with each other.

A client instance, or separate host machine, would not be able to connect to the private instance without additional configurations and SSH keys.

EC2 Instance Connect Endpoints

EC2 Instance Connect Endpoints offer the following benefits:

  • No requirement for a Bastion host
  • IAM-based authentication and authorization
  • Simplified management and administration
  • Compatible with existing SSH-based tools and workflows

The EIC endpoint will replace the bastion host and allow you to connect to the instance in the private subnet. This lab will demonstrate how to connect to the private instance using the AWS Management Console and the AWS CLI.

The client EC2 instance depicted in the diagrams will simulate a separate host machine with no SSH keys configured. This instance has the latest AWS CLI version installed.

This lab is meant to serve as an introduction to EC2 Instance Connect Endpoints. For additional benefits and configuration options, see the EC2 Instance Connect Endpoint documentation.

Connecting to the Virtual Machine using EC2 Instance Connect

This lab will use the EC2 Instance Connect console to connect to two EC2 instances. Both instances will attempt to connect to a private EC2 instance. Once you have completed this lab step for the bastion instance, repeat the process for the client instance.

In this lab step, you will connect to an EC2 instance named bastion using EC2 Instance Connect and open a shell.

Instructions

In the AWS Management Console search bar, enter EC2, and click the EC2 result under Services:

To see available instances, click Instances in the left-hand menu:

The instances list page will open, and you will see an instance named bastion in the Running state:

If you don't see a running instance, the lab environment is still loading. Wait until the Instance state is Running.

Right-click the bastion instance, and click Connect:

The Connect to your instance form will load.

In the form, ensure the EC2 Instance Connect tab is selected:

You will see the instance's Instance ID and Public IP address displayed.

In the User name textbox, enter ec2-user:

To open a browser-based shell, click Connect:

Accessing Private Instances Using a Bastion Host

In this lab step, you will connect to a private EC2 instance from a bastion host.

Important: Ensure that you have an EC2 Instance Connect session open to both the bastion and client EC2 instances. You will need to switch between these sessions throughout this lab step.

Instructions

In the instance connect window for the bastion EC2 instance, enter the following command to connect to the private instance:

    ssh -A ec2-user@10.0.2.40

Here 10.0.2.40 is the private IP address of the private instance in this lab; substitute the private IP address of your own instance.

Enter yes to the prompt:

The bastion EC2 instance has been configured with the SSH keys needed to connect to the private EC2 instance. The -A flag enables SSH agent forwarding, which allows the bastion EC2 instance to use the SSH keys to connect to the private EC2 instance.

The bastion instance also uses a public IP address, which enables it to be accessed from the internet, and in this case, the EC2 Instance Connect service.

Once a connection is established, you will notice the IP address in the prompt changes to the private IP address of the private EC2 instance:

You can enter exit into the terminal to disconnect from the instance.

You will now attempt to connect to the private EC2 instance from the client EC2 instance.

Switch to the browser tab for the client EC2 instance and enter the following command, then enter yes to the prompt:

    aws ec2-instance-connect ssh --instance-id i-0564c1e98b952434d

The client EC2 instance simulates a separate host machine that does not have the SSH keys needed to connect to the private EC2 instance. The aws ec2-instance-connect ssh command attempts to use the EC2 Instance Connect service to establish a connection to the private EC2 instance.

This command is only available in the latest version of the AWS CLI.

The private instance has no public IP address, and the VPC does not yet contain an EC2 Instance Connect Endpoint, so the connection fails with the error: There are no available instance connect endpoints.

Note: If the error "aws: error: argument operation: Invalid choice, valid choices are: send-ssh-public-key" appears, ensure that you are working in the client instance session. This error appears if you run the ec2-instance-connect ssh command on the bastion instance, whose older AWS CLI only offers the send-ssh-public-key subcommand.

After you create an endpoint in the next lab step, you will return to this window to attempt a connection again.

We verified that the bastion EC2 instance can connect to the private EC2 instance, but the client EC2 instance cannot.

Creating an Amazon EC2 Instance Connect Endpoint

We will create an Amazon EC2 Instance Connect Endpoint in a VPC and replace the existing bastion host.

Instructions

In the AWS Management Console, in the search bar at the top, enter vpc, and under Services, click the VPC result:

From the VPC dashboard, in the left navigation pane, click Endpoints below Virtual private cloud:

Click Create endpoint:

The Create endpoint wizard will display.

Below Endpoint settings, enter lab-endpoint in the Name tag field, and select the EC2 Instance Connect Endpoint option below Service category:

The form will update with additional options to configure your endpoint.

For the endpoint VPC, select lab-vpc from the dropdown menu:

Client IP preservation allows the endpoint to preserve the IP address of the client when connecting to the instance. This is useful for logging and auditing purposes. Security groups and IAM policies can be configured to allow or deny connections based on the client IP address instead of the endpoint IP address.

Under Security groups, select the endpoint-sg security group:

You can use IAM policies to control which users can connect to instances, and security groups to control which traffic can reach the endpoint.

In this example, the endpoint-sg security group allows all outbound traffic to the private-sg security group. The private-sg security group allows inbound traffic from within the VPC CIDR block.

In the Subnet section, select public-subnet from the dropdown menu:

Click Create endpoint:

The endpoint will be created and displayed in the Endpoints list:

It may take up to 5 minutes for the endpoint to become available. The Status will change from Pending to Available when it is ready. After a few minutes, you may need to refresh the page to see the updated status.

We created an Amazon EC2 Instance Connect Endpoint.

Connecting to an Amazon EC2 Instance Connect Endpoint

In this lab step, you will connect to a private instance using an EC2 Instance Connect Endpoint. You will connect to the instance using the EC2 Instance Connect console and the AWS CLI.

Instructions

Return to the EC2 Instances table in the AWS Management Console.

Select the private EC2 instance, then select Connect.

Configure the following connection settings in the EC2 Instance Connect tab:

  • Connection Type: Select Connect using EC2 Instance Connect Endpoint
  • EC2 Instance Connect Endpoint: Select the lab-endpoint endpoint from the dropdown menu
  • Leave the default values of the remaining fields.

The Max tunnel duration field specifies the maximum amount of time that the connection will remain open. The default value is 1 hour. When configuring the IAM policy for the EC2 Instance Connect service, you can apply a condition to only allow connections with a specified maximum duration.

Click Connect:

An instance connect session will open in a new browser tab:

The Last login message at the top of the terminal shows the last connection to the instance, which came from the bastion EC2 instance. Your IP addresses will differ from the ones used in this lab.

You are now connected to the private instance using the instance connect console.

Return to the EC2 Instance Connect tab for the client EC2 instance and enter the following command to connect to the private instance:

    aws ec2-instance-connect ssh --instance-id i-0564c1e98b952434d

The IP address in the prompt changes to the private IP address of the private EC2 instance, indicating that you are connected to the instance.
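The endpoint creation steps, the IAM policy and Max tunnel duration notes, and the CLI connection above, written as one added AWS CLI script (not code from the original lab): it creates the endpoint and polls until it is available, emits an IAM policy scoped to a single endpoint using the maxTunnelDuration, remotePort and privateIpAddress condition keys, and connects the way the client instance does. The subnet, security group, instance and endpoint ids are placeholders supplied by the caller, and the --connection-type and --eice-options flags of the ssh subcommand are assumed from AWS CLI v2.

```shell
#!/usr/bin/env bash
# Added example, not part of the original lab: the console steps as AWS CLI calls plus a
# least-privilege IAM policy for the endpoint. Subnet, security-group, instance and
# endpoint ids are placeholders to be supplied by the caller.
set -eu

# IAM policy pinned to one endpoint ARN ($1), one destination CIDR ($2) and a
# maximum tunnel duration in seconds ($3); ec2:osuser limits which login can be targeted.
eice_policy_json() {
  cat <<EOF
{"Version": "2012-10-17", "Statement": [
 {"Sid": "OpenTunnel", "Effect": "Allow", "Action": "ec2-instance-connect:OpenTunnel",
  "Resource": "$1",
  "Condition": {
   "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
   "IpAddress": {"ec2-instance-connect:privateIpAddress": "$2"},
   "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "$3"}}},
 {"Sid": "PushKey", "Effect": "Allow", "Action": "ec2-instance-connect:SendSSHPublicKey",
  "Resource": "*", "Condition": {"StringEquals": {"ec2:osuser": "ec2-user"}}},
 {"Sid": "Describe", "Effect": "Allow", "Resource": "*",
  "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"]}]}
EOF
}

# Create the endpoint in the public subnet with the endpoint security group and client
# IP preservation, then poll until its State is create-complete (the lab says up to 5 min).
create_eice() {  # $1 subnet-id  $2 security-group-id -> prints the new eice-... id
  local id
  id=$(aws ec2 create-instance-connect-endpoint --subnet-id "$1" --security-group-ids "$2" \
        --preserve-client-ip --query 'InstanceConnectEndpoint.InstanceConnectEndpointId' \
        --output text)
  until [ "$(aws ec2 describe-instance-connect-endpoints --instance-connect-endpoint-ids "$id" \
            --query 'InstanceConnectEndpoints[0].State' --output text)" = "create-complete" ]; do
    sleep 15
  done
  echo "$id"
}

# Connect to the private instance ($1) through the endpoint ($2), forcing the EICE path and
# capping the tunnel at 1 hour so it stays within the policy's maxTunnelDuration condition.
eice_ssh() {
  aws ec2-instance-connect ssh --instance-id "$1" --os-user ec2-user --connection-type eice \
    --eice-options "endpointId=$2,maxTunnelDuration=3600"
}

# Equivalent for an existing OpenSSH client: the endpoint becomes a ProxyCommand tunnel.
# ssh -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id %h' ec2-user@i-0123
```

Attach the emitted policy to the IAM principal that connects; the NumericLessThanEquals condition rejects any OpenTunnel request whose requested maxTunnelDuration is larger than the value you pass in.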

Summary

By completing this lab, you have:

  • Configured an Amazon EC2 Instance Connect Endpoint
  • Accessed a private instance using an EC2 Instance Connect Endpoint
  • Replaced a bastion host with an EC2 Instance Connect Endpoint

Conclusion

EC2 Instance Connect Endpoint revolutionizes the way we access private EC2 instances. By eliminating the need for public IP addresses, bastion hosts, or agents, it significantly enhances security and simplifies management. This service provides a robust, efficient, and cost-effective solution for securely connecting to your instances. By implementing EC2 Instance Connect Endpoint and adhering to best practices, organizations can strengthen their overall security posture and streamline operations.