Sena Yakut for AWS Community Builders

Posted on • Originally published at Medium

Remotely Connect to Your Instances without a Public IP Address

We have been using bastion hosts to connect to our EC2 instances via SSH or RDP for years. Using these hosts causes operational challenges (updates, additional configurations, audits, etc.) and additional costs. In addition to bastion hosts, AWS has two different solutions for connecting to your instances. The first solution is AWS Instance Connect, but we need a public IP address to use it. The second solution is Systems Manager, but it requires agent-based connectivity.

🌹 From now on, we’re able to use EC2 Instance Connect for all remote connections without public IPs, Internet Gateways, and bastion hosts.

EC2 Instance Connect combines authorization with IAM restrictions and network controls with security group rules. This feature is also auditable with AWS CloudTrail. Today, we will configure and understand the EC2 Instance Connect Endpoint step by step. Let’s start together! ⛅️

Step 1: IAM Permissions to use EC2 Instance Connect Endpoint
First of all, to create an EC2 Instance Connect Endpoint, you need these permissions:

  • ec2:CreateInstanceConnectEndpoint
  • ec2:CreateNetworkInterface
  • ec2:CreateTags
  • iam:CreateServiceLinkedRole

You can restrict the remote port, the private IP address of your EC2 instance, or the duration of the tunnel that is built between the EC2 Instance Connect Endpoint and your instance. You can see all example policies and scenarios that are related to IAM from here.
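
One way to express the restrictions described above, as an added example that is not part of the original article: an identity policy that allows opening a tunnel only to port 22, only toward a given private address range, and only for tunnels of at most one hour. The endpoint ARN parts (REGION, ACCOUNT_ID, eice-EXAMPLE) and the CIDR 10.0.1.0/24 are placeholders constructed for illustration; replace them with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenTunnelRestricted",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:instance-connect-endpoint/eice-EXAMPLE",
      "Condition": {
        "NumericEquals": {
          "ec2-instance-connect:remotePort": "22"
        },
        "IpAddress": {
          "ec2-instance-connect:privateIpAddress": "10.0.1.0/24"
        },
        "NumericLessThanEquals": {
          "ec2-instance-connect:maxTunnelDuration": "3600"
        }
      }
    },
    {
      "Sid": "DescribeForCliLookup",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
```

Because the three conditions sit in one statement, a tunnel request must satisfy all of them; a request for another port, another address range, or a longer duration is not allowed by this policy.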

Step 2: Security Groups Configurations

  • For the EC2 Instance Connect Endpoint, AWS recommends that the outbound rule allow traffic only to the specified destination (the specific security group of your EC2 instances).

  • For your resources, if the preservation of client IP is set to false in the EIC configuration, you should allow inbound traffic from the EIC security group and inbound traffic from the VPC CIDR. For other client IP preservation cases, you can check this documentation.

Step 3: Create EC2 Instance Connect Endpoint
To create the endpoint, go to VPC → Endpoints and select “Create Endpoint”. Your endpoint and resources should be in the same VPC.
You should select a private subnet and the security group that you’ve created. If you select a subnet in a different availability zone from your resources, additional data transfer costs can occur.

After that, you need to wait until the status is “Available”. You can create 1 EC2 Instance Connect Endpoint per VPC & per subnet.

Step 4: Connect your EC2 Instance
From the AWS Console, you need to select EC2 Instance Connect Endpoint.

We got a successful connection!

From your client, you can use this command:

ssh -i 'key_file' ubuntu@instance_id -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id instance_id'

We got a successful connection again!

🫠 Advantages of using EC2 Instance Connect Endpoint:

  • We do not need agent configuration.
  • We do not need publicly accessible resources.
  • We can audit all connections via AWS CloudTrail.
  • No additional cost, we only pay for the data transfer.

Thanks for reading! Stay safe in the cloud! 👻

Top comments (4)

Peter Eskandar

Hi Sena,
Thanks for the great article,

So the only differences between EC2 Instance Connect Endpoint and SSM Session Manager:

  • no need to install SSM Agent on your EC2 instances
  • the ability to track connections via CloudTrail

Is it right?

basebandit • Edited

Not only that, for EC2 Instance Connect you will need to make use of an SSH key pair, while for AWS SSM you do not need one, as it uses HTTPS. Also note that most of the recommended Amazon AMIs come with the aws-ssm agent preinstalled. Nice article @senaykt