AWS recently launched a new feature called Amazon EC2 Instance Connect (EIC) Endpoint.
EIC Endpoint provides a secure solution to connect to your instances via SSH or RDP in private subnets without IGWs, public IPs, agents, and bastion hosts. By configuring an EIC Endpoint for your VPC, you can securely connect using your existing client tools or the Console/AWS CLI.
[Figure: Connect to private EC2 instances through an EIC Endpoint. Image copyright AWS]
In this post I am going to show you how to create an EIC Endpoint and connect to an instance in a private subnet, using both the AWS Console and the AWS CLI.
Create the EC2 Instance Connect (EIC) Endpoint
Log in to the AWS Console and click VPC. In the menu on the left, click Endpoints and then Create Endpoint.
On the next screen select the Instance Connect Endpoint option, then your VPC, Security Group and Subnet.
When done, click Create Endpoint.
Wait a few minutes, then hit refresh on the next screen. Your Endpoint should now be shown as Available.
If you prefer to create it using the AWS CLI, run the following command, replacing [SUBNET] and [SG-ID] with the IDs of your subnet and security group (the security group parameter is named --security-group-ids in the CLI):
aws ec2 create-instance-connect-endpoint \
--subnet-id [SUBNET] \
--security-group-ids [SG-ID]
Connect to your instance through AWS Console
For the purpose of this tutorial, I have created an EC2 instance in a private subnet.
Click Connect.
Select Connect using EC2 Instance Connect Endpoint and then pick your Endpoint from the list. Next, click Connect.
You have now successfully connected to your instance.
Connect using the AWS CLI
This option requires some extra steps. First you need to attach a policy to your user. You can use an AWS managed one to start and test the service.
For best practices and security, refer to this link about how to create a custom policy.
Once done you can proceed.
To connect to your instance from the AWS CLI, you can run the following command where [INSTANCE] is the instance ID of your EC2 instance:
aws ec2-instance-connect ssh --instance-id [INSTANCE]
The EC2 Instance Connect Endpoint feature was added in AWS CLI v2.12.0. If you are having issues, update your AWS CLI to the latest version.
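The two CLI steps above (creating the endpoint, then connecting through it) are shown here joined into one script, as an added example that is not part of the original post. It assumes AWS CLI v2.12.0 or newer and credentials already configured; the ID checks, the polling loop on the endpoint state, the dry-run switch EIC_DRY_RUN and the function names are my own additions. Forcing --connection-type eice means the session can only go through the endpoint and never silently falls back to a public address.

```shell
#!/bin/sh
# Added example (not from the original post): create an EIC Endpoint from the
# CLI, wait until it is usable, then open an SSH session through it.
# Assumes AWS CLI v2.12.0 or newer and credentials already configured.
# Setting EIC_DRY_RUN=1 prints each aws command instead of executing it.

# run CMD...: execute, or in dry-run mode print, the given command line.
run() {
  if [ "${EIC_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# valid_id PREFIX VALUE: accept only something shaped like an AWS resource id
# (e.g. subnet-0123456789abcdef0), so a typo or a pasted hostname never
# reaches the CLI.
valid_id() {
  printf '%s' "$2" | grep -Eq "^$1-[0-9a-f]{8,17}$"
}

# create_eic_endpoint SUBNET SG: create the endpoint and print its id.
create_eic_endpoint() {
  valid_id subnet "$1" || { echo "bad subnet id: $1" >&2; return 2; }
  valid_id sg "$2"     || { echo "bad security group id: $2" >&2; return 2; }
  run aws ec2 create-instance-connect-endpoint \
    --subnet-id "$1" \
    --security-group-ids "$2" \
    --query 'InstanceConnectEndpoint.InstanceConnectEndpointId' \
    --output text
}

# wait_for_endpoint EICE_ID: poll until the endpoint reaches create-complete;
# fail fast on create-failed or any delete-* state instead of hanging.
wait_for_endpoint() {
  valid_id eice "$1" || { echo "bad endpoint id: $1" >&2; return 2; }
  while :; do
    state=$(run aws ec2 describe-instance-connect-endpoints \
      --instance-connect-endpoint-ids "$1" \
      --query 'InstanceConnectEndpoints[0].State' \
      --output text)
    if [ "${EIC_DRY_RUN:-0}" = "1" ]; then
      printf '%s\n' "$state"   # dry run: show the polling command once
      return 0
    fi
    case "$state" in
      create-complete) return 0 ;;
      create-failed|delete-*) echo "endpoint $1 is $state" >&2; return 1 ;;
    esac
    sleep 10
  done
}

# eic_ssh INSTANCE [OS_USER]: open SSH through the endpoint only
# (connection type eice), never via a public address.
eic_ssh() {
  valid_id i "$1" || { echo "bad instance id: $1" >&2; return 2; }
  run aws ec2-instance-connect ssh \
    --instance-id "$1" \
    --os-user "${2:-ec2-user}" \
    --connection-type eice
}

# Usage:  ./eic.sh subnet-xxxx sg-xxxx i-xxxx   (placeholder ids)
if [ "$#" -eq 3 ]; then
  eice=$(create_eic_endpoint "$1" "$2") || exit $?
  wait_for_endpoint "$eice" || exit $?
  eic_ssh "$3"
fi
```

Run it once with EIC_DRY_RUN=1 to review the exact commands it will issue before letting it touch the account; the ID checks return exit status 2 so a wrong argument stops the script before any API call.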
Conclusion
EC2 Instance Connect Endpoint offers several significant benefits to remote access management. As we can see, it eliminates the need to manage SSH key pairs manually, reducing the chances of key exposure or unauthorised access. Additionally, it allows you to grant temporary access to users by specifying the duration of their access, adding an extra layer of security. With EC2 Instance Connect Endpoint, you can also audit and track all remote access requests for compliance and governance purposes in CloudTrail.
You can read more about this great feature in this AWS post: Secure Connectivity from Public to Private: Introducing EC2 Instance Connect Endpoint