DEV Community

J.R. de Guzman for AWS Community Builders


All you need to know about EC2 Instance Connect Endpoint - Complete

In this blog, I will show you how to connect to an EC2 instance in a private subnet without requiring the instance to have a public IPv4 address or a key pair.

This new feature is called EC2 Instance Connect Endpoint. Before we go hands-on, let's first define what an EC2 Instance Connect Endpoint is, and I will mention some important setup steps required before we can use it.

An EC2 Instance Connect Endpoint simply allows you to connect to an instance without requiring the instance to have a public IPv4 address. You can connect to any instance that supports TCP.

To connect to an instance, you only need to specify the instance ID. You can optionally provide the EC2 Instance Connect Endpoint.

Here are some limitations and prerequisites that you need to know about EC2 Instance Connect Endpoint.

  1. EC2 Instance Connect Endpoint doesn't support connections to an instance using IPv6 addresses.
  2. When client IP preservation is enabled, the instance you connect to must be in the same VPC as the EC2 Instance Connect Endpoint.
  3. Client IP preservation is not supported when traffic is routed through an AWS Transit Gateway.
  4. The following instance types do not support client IP preservation: C1, CC1, CC2, CG1, CG2, CR1, G1, G2, HI1, HS1, M1, M2, M3, and T1.

Prerequisites:

  1. You must have the required IAM permissions to connect to an EC2 Instance Connect Endpoint.
  2. The EC2 Instance Connect Endpoint must be in the Available (console) or create-complete (AWS CLI) state.
  3. Ensure that the security group of the instance that you want to connect to is configured correctly for inbound traffic.
  4. If you're using the AWS CLI, make sure that the AWS CLI is configured and that you're using the latest version. Note: If you're using an older version of the AWS CLI, the EC2 Instance Connect Endpoint will not work. It only works with newer AWS CLI versions, starting at version 2.

To learn more about AWS CLI version 2, you may visit the link here

You can find all of this in the AWS documentation page "Connect using EC2 Instance Connect Endpoint to an instance".

Hands-on Lab: EC2 Instance Connect Endpoint

In this hands-on lab, I will set up an IAM user with specific IAM permissions to use the EC2 Instance Connect Endpoint service.
The architecture is composed of an Amazon VPC with two private subnets, a security group for each EC2 instance, and an EC2 Instance Connect Endpoint.


Below is the procedure for setting up the environment.

  1. Launch an AWS CloudFormation template: The template launches the following AWS resources:
    • Amazon VPC with two private subnets
    • Security groups for the EC2 Instance Connect Endpoint and for each EC2 Linux instance
    • You may check out my CloudFormation template in my GitHub repository.
  2. Create an EC2 Instance Connect Endpoint:
    Below are the steps to create an EC2 Instance Connect Endpoint.

    • AWS Management Console
      • To create an EC2 Instance Connect Endpoint in the AWS Management Console:
      • Go to the Amazon VPC service > on the left side, click Endpoints
      • On the Create endpoint page, enter any endpoint name; under Service category, select EC2 Instance Connect Endpoint
      • Next, select the security group for the EC2 Instance Connect Endpoint. You may check the recommended inbound and outbound rules in the AWS documentation
      • Select the VPC that was launched through the CloudFormation template > select the subnet where you want to place the EC2 Instance Connect Endpoint ENI (in my setup, I launched it in the private subnet)
      • After you've finished the configuration in the previous steps, click Create endpoint
    • AWS CLI version 2: aws ec2 create-instance-connect-endpoint --region <specify_the_region> --subnet-id <specify_subnet> --security-group-ids <security_group_id>
    • After the EC2 Instance Connect Endpoint is created, wait a couple of minutes for its status to become Available.
  3. Create an IAM user:
    I will create another IAM user that will use the EC2 Instance Connect Endpoint.

    • Username: demo_user
    • Password: Auto-generated
    • After the IAM user is created, we will enable AWS CLI access by creating an access key and secret access key.
    • Don't forget to download/save the credentials (username, password, access key, and secret access key) after the IAM user is created.
  4. Create an IAM Policy for the IAM user:
    Below is the IAM policy that we will be using. After the IAM policy is created, we will attach it to the IAM user that we created in the previous step.

    • Note: In the IAM policy, please take note of the following placeholders:
    • <ARN_of_EC2InstanceConnectEndpoint> - after you create the EC2 Instance Connect Endpoint, copy its ARN and paste it into the IAM policy
    • <VPC_CIDR> - the OpenTunnel statement allows the connection only if all of its conditions are satisfied: the connection is made to port 22 of the instance, and the private IP address of the instance lies within this CIDR range (for example 10.0.0.0/16)
    • <IAM_username> - the IAM user who is allowed to use the EC2 Instance Connect Endpoint
    • <region_code> and <account_id> - the region code and account ID in which the user will test access to the EC2 instances through the EC2 Instance Connect Endpoint
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:Describe*",
                "ec2:StartInstances",
                "ec2:Create*",
                "ec2:RunInstances",
                "ec2:StopInstances"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Resource": "<ARN_of_EC2InstanceConnectEndpoint>",
            "Condition": {
                "StringEquals": {
                    "aws:username": "<IAM_username>"
                },
                "IpAddress": {
                    "ec2-instance-connect:privateIpAddress": "<VPC_CIDR>"
                },
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "22"
                }
            }
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "ec2-instance-connect:SendSSHPublicKey",
            "Resource": "arn:aws:ec2:<region_code>:<account_id>:instance/*",
            "Condition": {
                "StringEquals": {
                    "ec2:osuser": "ec2-user"
                }
            }
        }
    ]
}
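To see exactly what the conditions in the OpenTunnel and SendSSHPublicKey statements allow and refuse, here is a small evaluator, added as an example and not part of the original post. It loads the two endpoint statements with the placeholders filled in (the ARN, account ID and CIDR are constructed values), and decides an OpenTunnel or SendSSHPublicKey request from a request context holding the username, the instance's private IP address, the remote port and the OS user. It implements only the StringEquals, NumericEquals and IpAddress operators the policy uses, with IAM's rule that all operators and keys are ANDed and a missing context key makes a condition false. The first statement of the post's policy (ec2:Create*, ec2:RunInstances and others on Resource "*") is not needed for the endpoint flow and is left out here; when adapting the policy, consider scoping it down.

```python
import fnmatch
import ipaddress
import json

# Constructed sample: the post's OpenTunnel and SendSSHPublicKey statements with
# placeholders filled in. ARN, account ID and CIDR are made-up values.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance-connect-endpoint/eice-0123456789example",
      "Condition": {
        "StringEquals": {"aws:username": "demo_user"},
        "IpAddress": {"ec2-instance-connect:privateIpAddress": "10.0.0.0/16"},
        "NumericEquals": {"ec2-instance-connect:remotePort": "22"}
      }
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {"StringEquals": {"ec2:osuser": "ec2-user"}}
    }
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _operator_matches(op, expected, actual):
    # A condition key that is absent from the request context never matches
    # (the policy does not use any ...IfExists operator).
    if actual is None:
        return False
    if op == "StringEquals":
        return str(actual) == str(expected)
    if op == "NumericEquals":
        return int(actual) == int(expected)
    if op == "IpAddress":
        return ipaddress.ip_address(actual) in ipaddress.ip_network(expected, strict=False)
    raise ValueError(f"unsupported condition operator: {op}")


def conditions_hold(condition, context):
    # Every operator and every key must hold; multiple values for one key are ORed.
    for op, keys in condition.items():
        for key, expected in keys.items():
            if not any(_operator_matches(op, e, context.get(key)) for e in _as_list(expected)):
                return False
    return True


def is_allowed(policy, action, resource, context):
    """Simplified IAM evaluation: explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if not conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    eice = POLICY["Statement"][0]["Resource"]
    ctx = {"aws:username": "demo_user",
           "ec2-instance-connect:privateIpAddress": "10.0.1.25",
           "ec2-instance-connect:remotePort": 22}
    print("ssh to 10.0.1.25:22 ->", is_allowed(POLICY, "ec2-instance-connect:OpenTunnel", eice, ctx))
    print("rdp to 10.0.1.25:3389 ->", is_allowed(POLICY, "ec2-instance-connect:OpenTunnel", eice,
                                                 {**ctx, "ec2-instance-connect:remotePort": 3389}))
```

Running the block shows a tunnel to port 22 of an instance inside 10.0.0.0/16 is allowed, while port 3389, an address outside the CIDR, a different username, or a different endpoint ARN is refused, which is the effect the placeholders above are meant to produce.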

Testing
We will now test the EC2 Instance Connect Endpoint. First, we will create the EC2 instances. Second, we will go to the main test through the AWS CLI.

  1. Create the EC2 instances: We will create two EC2 instances for our testing, each launched in a separate private subnet. Creating an EC2 instance is very simple; the following configuration needs to be highlighted.
    • Name: provide any name for the instance
    • Key pair: select Proceed without a key pair
    • Network settings:
      • VPC: select the VPC that was launched through the CloudFormation template
      • Subnet: Since this is the first EC2 instance, we will select the <region_code-1a> subnet
      • Firewall (security groups): choose Select existing security group > select the security group PrivSGForInstance1 (this security group was included in our CloudFormation template)
      • Click Launch instance
  2. On the AWS Management Console, click AWS CloudShell (you can use any terminal, but ensure that AWS CLI version 2 is installed in your terminal or in Microsoft Windows CMD/PowerShell)
    • Inside the terminal/AWS CloudShell, you must first run aws configure and enter the following:
      • Access Key ID: credentials of the IAM user that was created in the previous steps.
      • Secret Access Key: credentials of the IAM user that was created in the previous steps.
      • Default region name: specify the region_code that we will be working in (in this lab it's us-east-1)
      • Default output format: enter json
    • Next, we will run either of these two commands:
      • One-click command: aws ec2-instance-connect ssh --instance-id <instance_id>
      • Open-tunnel command: ssh ec2-user@<instance_id> -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id <instance_id>' (the ssh client authenticates with a key you have pushed to the instance beforehand with aws ec2-instance-connect send-ssh-public-key, which is what the SendSSHPublicKey permission in the policy is for)
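The open-tunnel variant above needs three steps in order, and getting the ProxyCommand quoting right by hand is error-prone, so here is a helper that assembles and runs them. It is an added example, not the post's or AWS's own code. It assumes the flow the policy's actions correspond to: generate a throwaway SSH key locally with ssh-keygen, push the public key with `aws ec2-instance-connect send-ssh-public-key` (the instance honours it only for a short window, about 60 seconds), then start ssh with a ProxyCommand that runs `aws ec2-instance-connect open-tunnel` through the endpoint. The instance and endpoint IDs are placeholders; the `--instance-connect-endpoint-id` and `--remote-port` options are the open-tunnel options I know from the AWS CLI, so check them against your installed version.

```python
import os
import shlex
import subprocess
import tempfile


def keygen_argv(private_key_path):
    # Ephemeral ed25519 key with no passphrase; it lives only in a temp dir
    # for the duration of the session, so nothing long-lived is stored.
    return ["ssh-keygen", "-t", "ed25519", "-N", "", "-q", "-f", private_key_path]


def send_public_key_argv(instance_id, os_user, public_key_path):
    # ec2-instance-connect:SendSSHPublicKey: the key is accepted by the
    # instance for roughly 60 seconds, so ssh must follow promptly.
    return [
        "aws", "ec2-instance-connect", "send-ssh-public-key",
        "--instance-id", instance_id,
        "--instance-os-user", os_user,
        "--ssh-public-key", f"file://{public_key_path}",
    ]


def open_tunnel_proxy_command(instance_id, endpoint_id=None, remote_port=22):
    # The command string ssh hands to ProxyCommand. Its stdin/stdout become the
    # SSH transport, so the instance needs no public IP and no inbound port
    # reachable from the client; only the endpoint's ENI talks to it.
    argv = [
        "aws", "ec2-instance-connect", "open-tunnel",
        "--instance-id", instance_id,
        "--remote-port", str(remote_port),
    ]
    if endpoint_id:
        argv += ["--instance-connect-endpoint-id", endpoint_id]
    return " ".join(shlex.quote(a) for a in argv)


def ssh_argv(instance_id, os_user, private_key_path, endpoint_id=None, remote_port=22):
    proxy = open_tunnel_proxy_command(instance_id, endpoint_id, remote_port)
    return [
        "ssh", "-i", private_key_path,
        "-o", f"ProxyCommand={proxy}",
        "-o", "IdentitiesOnly=yes",   # offer only the throwaway key
        f"{os_user}@{instance_id}",
    ]


def connect(instance_id, os_user="ec2-user", endpoint_id=None, dry_run=True):
    """Build the three commands; run them in order unless dry_run is set."""
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "eice_key")
        steps = [
            keygen_argv(key),
            send_public_key_argv(instance_id, os_user, key + ".pub"),
            ssh_argv(instance_id, os_user, key, endpoint_id),
        ]
        if not dry_run:
            for argv in steps:
                subprocess.run(argv, check=True)
        return steps


if __name__ == "__main__":
    # Placeholder IDs; replace with your instance and endpoint before running with dry_run=False.
    for argv in connect("i-0123456789example", endpoint_id="eice-0123456789example"):
        print(" ".join(shlex.quote(a) for a in argv))
```

Run it as-is to print the three commands; set `dry_run=False` to execute them. Passing the endpoint ID is optional, but pinning it is useful when more than one endpoint exists in the VPC, since the policy above grants OpenTunnel on one specific endpoint ARN.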

If unsuccessful, go back to the previous steps and check whether you missed some configuration.

If successful, you now have access to the EC2 instance that's in the private subnet (no public IPv4 address) and without a key pair.

Congratulations! You have successfully completed the lab.
