Secure Connectivity from Public to Private Using AWS EC2 Instance Connect Endpoints

Cloud developers often grapple with the fundamental challenge of establishing secure internet access to servers within an AWS Virtual Private Cloud (VPC). One commonly used approaches is configuring an Intermediate bastion in the public subnet to facilitate connections to servers located in private subnets.

However, It's really hard to maintain the ssh keys and the bastion instances for each application or environment is hard and leads to an operational overhead.

AWS recently announced a service EC2 Instance Connect Endpoint to solve these problems.

What is Instance Connect Endpoint?

EC2 Instance Connect Endpoint allows you to connect to an instance without requiring the instance to have a public IPv4 address. You can connect to any instances that support TCP.

To connect to an instance, you need only specify the instance ID. You can optionally provide the EC2 Instance Connect Endpoint.

EIC Endpoint eliminates the cost and operational overhead of maintaining bastions. It combines AWS IAM based access controls to restrict access to trusted principals, with network based controls such as Security Group rules, and provides an audit of all connections via AWS CloudTrail, which improves security posture.

Illustration of a user connecting via an EIC Endpoint

Limitations Of ECI Endpoint

• EC2 Instance Connect Endpoint doesn't support connections to an instance using IPv6 addresses.

• When client IP preservation is enabled, the instance to connect to must be in the same VPC as the EC2 Instance Connect Endpoint.

• Client IP preservation is not supported when traffic is routed through an AWS Transit Gateway.

Prerequisites

• You must have the required IAM permission to connect to an EC2 Instance Connect Endpoint.
• The EC2 Instance Connect Endpoint must be in the Available (console) or create-complete (AWS CLI) state. To monitor the endpoint state
• Ensure that the security group of the instance that you want to connect to is configured correctly for inbound traffic
• If you're using the AWS CLI, Make sure it is configured properly and you are using the latest version of the CLI.

IAM Permissions Required To Create EC2 Instance Connect Endpoint

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "GrantAllActionsInAllSubnets",
            "Action": [
                "ec2:CreateInstanceConnectEndpoint",
                "ec2:DeleteInstanceConnectEndpoint",
                "ec2:CreateNetworkInterface",
                "ec2:CreateTags",
                "iam:CreateServiceLinkedRole"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:region:account-id:subnet/*"
        },
        {
            "Action": [
                "ec2:CreateNetworkInterface"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:::security-group/*"
        },
        {
            "Sid": "DescribeInstanceConnectEndpoints",
            "Action": [
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

IAM Permissions Required To Connect Using EC2 Instance Connect Endpoint

{
    "Version": "2012-10-17",
    "Statement": [{
            "Sid": "EC2InstanceConnect",
            "Action": "ec2-instance-connect:OpenTunnel",
            "Effect": "Allow",
            "Resource": "arn:aws:ec2:region:account-id:instance-connect-endpoint/eice-123456789abcdef",
            "Condition": {
                "NumericEquals": {
                    "ec2-instance-connect:remotePort": "22"
                },
                "IpAddress": {
                    "ec2-instance-connect:privateIpAddress": "10.0.1.0/31"
                },
                "NumericLessThanEquals": {
                    "ec2-instance-connect:maxTunnelDuration": "60"
                }
            }
        },
        {
            "Sid": "Describe",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceConnectEndpoints"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Configuring the Security Group

When you create the EC2 Instance Connect Endpoint, if you don't specify a security group, the default security group for the VPC is assigned. The default outbound rule allows all outbound traffic to all destinations. To limit connectivity to only the instances in the VPC, it is recommended to allow traffic only to the specified destinations.

For The EC2 Instance SG specify one or more of the following rules, depending on your security needs and whether client IP preservation is enabled

• Allow inbound traffic from the EC2 Instance Connect Endpoint security group.

• Allow inbound traffic from the client IP address.

• Allow inbound traffic from the VPC CIDR so that any instances in the VPC can send traffic to the destination instance.

Creating the Instance Connect Endpoint Using AWS CLI

aws ec2 create-instance-connect-endpoint \
    --subnet-id [SUBNET] \
    --security-group-id [SG-ID]

Connecting to your Linux Instance using SSH

aws ec2-instance-connect ssh --instance-id [INSTANCE]

Reference:

• https://aws.amazon.com/blogs/compute/secure-connectivity-from-public-to-private-introducing-ec2-instance-connect-endpoint-june-13-2023/
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html