
Secure Remote Access - EC2 Instance Connect Endpoint

AWS recently launched a new feature called Amazon EC2 Instance Connect (EIC) Endpoint.

EIC Endpoint provides a secure solution to connect to your instances via SSH or RDP in private subnets without IGWs, public IPs, agents, and bastion hosts. By configuring an EIC Endpoint for your VPC, you can securely connect using your existing client tools or the Console/AWS CLI.

[Figure: Connect to private EC2 instances through an EIC Endpoint - Image Copyright AWS]

In this post I am going to show you how to create an EIC Endpoint and connect to an instance in a private subnet, using both the AWS Console and the AWS CLI.

Create the EC2 Instance Connect (EIC) Endpoint

Log in to the AWS Console and click on VPC. Then, in the menu on the left, click Endpoints and then Create Endpoint.

On the next screen, select the Instance Connect Endpoint option, then choose your VPC, Security Group and Subnet.

When done, click on Create Endpoint.

Wait a few minutes, then hit refresh on the next screen. Your Endpoint should now be shown as Available.

If you prefer to create it using the AWS CLI, run the following command, replacing SUBNET and SG-ID with your own subnet ID and security group ID (the CLI parameter for the security group is the plural --security-group-ids):

aws ec2 create-instance-connect-endpoint \
    --subnet-id [_SUBNET_] \
    --security-group-ids [_SG-ID_]

Connect to your instance through AWS Console

For the purpose of this tutorial, I have created an EC2 instance in a private subnet.

Select the instance and click on Connect.

Select Connect using EC2 Instance Connect Endpoint and then pick your Endpoint from the list. Next, click Connect.

You have now successfully connected to your instance.

Connect using the AWS CLI

This option requires some extra steps. First, you need to attach a policy to your user. To start and test the service, you can use an AWS managed policy.

For best practice and tighter security, refer to this link about how to create a custom policy that grants only the permissions your users actually need.

Once done, you can proceed.
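As an added example (not from the original post or copied from AWS's own documentation), here is a least-privilege policy of the kind the linked guidance describes: it lets the user open a tunnel only through one named endpoint, only to SSH port 22, only to a single private address range and only for a bounded duration, and lets the ephemeral SSH key be pushed only to instances carrying a given tag. REGION, ACCOUNT_ID, the eice- endpoint ID, the 10.0.1.0/24 range and the Environment=dev tag are placeholders to replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenTunnelThroughOneEndpointOnly",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:instance-connect-endpoint/eice-PLACEHOLDER",
      "Condition": {
        "NumericEquals": {
          "ec2-instance-connect:remotePort": "22"
        },
        "IpAddress": {
          "ec2-instance-connect:privateIpAddress": "10.0.1.0/24"
        },
        "NumericLessThanEquals": {
          "ec2-instance-connect:maxTunnelDuration": "1800"
        }
      }
    },
    {
      "Sid": "PushEphemeralKeyToTaggedInstancesOnly",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/Environment": "dev"
        }
      }
    },
    {
      "Sid": "DescribeCallsNeededByTheCli",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
```

If a connection attempt fails with an authorization error after attaching this policy, check that the instance's private IP falls inside the allowed range and that it carries the expected tag, since either condition will cause a deny.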

To connect to your instance from the AWS CLI, you can run the following command where [INSTANCE] is the instance ID of your EC2 instance:

aws ec2-instance-connect ssh --instance-id [INSTANCE]

The EC2 Instance Connect Endpoint feature was added to the AWS CLI in v2.12.0. If the command is not recognised, update your AWS CLI to the latest version.


Conclusion

EC2 Instance Connect Endpoint offers several significant benefits for remote access management. As we have seen, it eliminates the need to manage SSH key pairs manually, reducing the chances of key exposure or unauthorised access. Additionally, it allows you to grant temporary access to users by specifying the duration of their access, adding an extra layer of security. With EC2 Instance Connect Endpoint, you can also audit and track all remote access requests in CloudTrail for compliance and governance purposes.

You can read more about this great feature in this AWS post: Secure Connectivity from Public to Private: Introducing EC2 Instance Connect Endpoint
