
Remote connectivity using Amazon EC2 Instance Connect endpoints Hands-on


AWS introduced the EC2 Instance Connect Endpoint (EIC Endpoint), a groundbreaking solution that allows you to securely connect to your instances and other Virtual Private Cloud (VPC) resources directly from the Internet. With the EIC Endpoint, you no longer require an Internet Gateway (IGW) in your VPC, a public IP address on your resource, a bastion host, or any additional agent to establish a secure connection. This innovative feature combines identity-based and network-based access controls, providing the necessary isolation, control, and logging capabilities to meet your organization's strict security requirements.

In this tutorial, you will learn how to connect to a Linux EC2 instance in a private subnet using the AWS Management Console and the AWS Command Line Interface (CLI). Each step is covered in detail so that you end up with a working connection. The tutorial covers the following topics:

Prerequisites

  1. Install the latest version of the AWS CLI on your computer. Link: Install AWS CLI

  2. Create an IAM policy that allows users to create, describe, and delete EC2 Instance Connect Endpoints. Link: permissions-for-ec2-instance-connect-endpoint

  3. Create an IAM policy that allows users to use the EC2 Instance Connect Endpoints. Link: permissions-for-user-ec2-instance-connect-endpoint

  4. Run the "aws configure" command to configure the IAM user's credentials on your computer.

  5. Verify that the OpenSSH client is installed on your computer. Command: ssh -V

  6. Create an IAM user that has an access key and secret access key, and attach the policies to the user.
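As an added example (not part of the original tutorial), the following Python builds the "use the endpoint" policy from prerequisite 3 in a least-privilege form and includes a review check that flags an over-broad OpenTunnel grant. The condition keys are the ones AWS documents for EC2 Instance Connect Endpoint; every ARN, ID and CIDR is a constructed placeholder.

```python
# Condition keys are the ones AWS documents for EC2 Instance Connect Endpoint.
# Every ARN, ID and CIDR passed in is a constructed placeholder, not a real resource.

def eice_user_policy(endpoint_arn, instance_arn, private_ip_cidr,
                     os_user="ec2-user", remote_port=22, max_tunnel_seconds=3600):
    """Least-privilege policy for using an EIC endpoint: one endpoint, one IP range, one port, bounded lifetime, one OS user."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # OpenTunnel is what the endpoint authorizes, so pin it to one endpoint
                # and constrain where the tunnel may go and for how long.
                "Effect": "Allow",
                "Action": "ec2-instance-connect:OpenTunnel",
                "Resource": endpoint_arn,
                "Condition": {
                    "NumericEquals": {"ec2-instance-connect:remotePort": str(remote_port)},
                    "IpAddress": {"ec2-instance-connect:privateIpAddress": private_ip_cidr},
                    "NumericLessThanEquals": {
                        "ec2-instance-connect:maxTunnelDuration": str(max_tunnel_seconds)},
                },
            },
            {   # SendSSHPublicKey pushes the short-lived key; limit the OS user it may target.
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": instance_arn,
                "Condition": {"StringEquals": {"ec2:osuser": os_user}},
            },
            {   # Read-only lookups the CLI needs to resolve the instance and endpoint.
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"],
                "Resource": "*",
            },
        ],
    }

def tunnel_grants_are_scoped(policy):
    """Review check: no OpenTunnel grant may use Resource "*" or omit port, IP and duration."""
    needed = {"NumericEquals": "ec2-instance-connect:remotePort",
              "IpAddress": "ec2-instance-connect:privateIpAddress",
              "NumericLessThanEquals": "ec2-instance-connect:maxTunnelDuration"}
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt.get("Effect") != "Allow" or "ec2-instance-connect:OpenTunnel" not in actions:
            continue
        cond = stmt.get("Condition", {})
        if stmt.get("Resource") == "*" or any(k not in cond.get(op, {}) for op, k in needed.items()):
            return False
    return True
```

Serialize the returned dict with `json.dumps` and attach it to the IAM user from prerequisite 6; the same check can be run over any existing policy document before it is attached.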

Prerequisite Environment Details

  1. Create a VPC with two private subnets in two different Availability Zones (AZs). Launch one or more Amazon EC2 instances with your desired configuration in each private subnet; they should not have a public IP address.

  2. Create a private route table and associate it with the private subnets.

  3. Create a security group for the EC2 instances with an inbound rule that allows SSH on port 22.

  4. Create a security group for the EC2 Instance Connect Endpoint (EICE). The EICE does not require inbound rules, but its outbound rules should be restricted to the specific resource security group to tighten the security of the environment. In this setup, the resource (EC2) security group is used as the destination.

  5. Create an instance, attach the subnet and security groups, and download the key pair.

Once these prerequisites are in place, we can proceed to set up the EC2 Instance Connect Endpoint.

Deploy Amazon EC2 Instance Connect Endpoint

Now, navigate to the VPC service in the AWS Management Console. Go to the “Endpoints” menu and select the “EC2 Instance Connect Endpoint” option. Choose the VPC where your end resources are located, select the security group you created in the previous step, and choose a private subnet.

After clicking Create endpoint, allow it some time to become available.

Connectivity Test

There are two straightforward methods to access an EC2 instance using the EC2 Instance Connect endpoint: using the AWS console and AWS CLI.

From Amazon EC2 Console

We can access the instance directly through the AWS web console. Navigate to the EC2 console, right-click the corresponding EC2 instance, and select Connect. On the EC2 Instance Connect tab, select the "Connect using EC2 Instance Connect Endpoint" option from the Connection type menu. Then verify the correct user name for your instance. In the Max tunnel duration (seconds) field, enter the maximum duration of the SSH connection, allowing enough time for your tasks. Finally, choose the appropriate EC2 Instance Connect Endpoint from the instance's Virtual Private Cloud (VPC). Clicking Connect opens a terminal connected to the EC2 instance.

By following the above steps, we can establish a secure SSH connection to our EC2 instance from the AWS web console.

From SSH

To connect to our private EC2 instances using the AWS CLI, run the following command in your local terminal:

aws ec2-instance-connect ssh --instance-id i-<your instance-id>

Where:

  • --instance-id – Specify the ID of the instance to connect to. Alternatively, specify , which extracts the instance ID from the user.

Conclusion

EC2 Instance Connect Endpoint is a secure way to connect to instances in private subnets via SSH or the AWS web console without IGWs, public IPs, agents, or bastion hosts. By configuring an EIC Endpoint in your VPC, you can connect securely using your existing client tools, the AWS Console, or the AWS CLI. To learn more, visit the EIC Endpoint documentation.