Introduction
An Amazon Elastic Compute Cloud (Amazon EC2) instance is launched in the private subnet of Amazon Virtual Private Cloud (Amazon VPC). A user who wants to connect to a private instance must first connect to the bastion host, an instance with a public IP address provisioned in the public subnet through an internet gateway. This requires the additional overhead of maintaining and patching the bastion host to ensure connectivity. The architecture below shows how to connect to the private instance using a bastion host through an internet gateway.

Figure 1: Connect to the private instance using a bastion host
Amazon EC2 Instance Connect Endpoint (EIC Endpoint) allows a secure connection from the internet to instances in a private subnet. It does not require a bastion host, an internet gateway in the VPC, a public IP address on the resource, or even an agent on the resource. EIC Endpoint provides control, isolation, and logging to meet an organization's security requirements through identity-based (IAM) and network-based (security group) controls. An organization administrator is freed from the overhead of maintaining and patching bastion hosts.
In the following figure, a user can connect to private instances using Amazon EC2 Instance Connect Endpoint without an internet gateway.

Figure 2: Connect to the private instance using EC2 Instance Connect Endpoint
Security groups are attached both to the instance you wish to connect to and to the EC2 Instance Connect Endpoint. For the EIC Endpoint, attach a security group with the required inbound and outbound rules by adding the following rule.
For the private instances, attach a security group that allows traffic from the EIC Endpoint security group by adding the following inbound rule.
Create a VPC with two private subnets in a single Availability Zone.
Launch two Amazon Linux instances, one in each private subnet.
Step 1: Go to the VPC console, select Endpoints, and click "Create Endpoint."
Step 2: Select "EC2 Instance Connect Endpoint" from the service category.
Step 3: Select the VPC and the endpoint security group created earlier.
Step 4: Select one of the private subnets and click "Create endpoint."
Step 5: Select the EC2 instance from the EC2 console and click "Connect."
Step 6: Select "Connect using EC2 Instance Connect Endpoint" and choose the endpoint created in the previous steps. Click "Connect." You will be connected to the private EC2 instance.
Step 7: Repeat Step 6 to connect to the other private EC2 instance.
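The security group rules described above and the endpoint created in Steps 1 to 4, expressed as an added CloudFormation template (example code, not from the original post). It assumes the VPC and one private subnet from the setup already exist and are passed in as parameters; the endpoint security group has no inbound rule and only permits SSH egress to the instance security group, and the instance security group accepts SSH only from the endpoint security group.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: EIC Endpoint with its security groups (added example, not from the original post)
Parameters:
  VpcId:                # assumed: the VPC created earlier
    Type: AWS::EC2::VPC::Id
  PrivateSubnetId:      # assumed: one of the two private subnets
    Type: AWS::EC2::Subnet::Id

Resources:
  # Endpoint security group: no inbound rules are needed, and egress is
  # restricted to SSH towards the instance security group only.
  EiceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EC2 Instance Connect Endpoint
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          DestinationSecurityGroupId: !Ref InstanceSecurityGroup

  # Instance security group: its ingress rule is a separate resource so the
  # two groups can reference each other without a circular dependency.
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Private instances reached through the EIC Endpoint
      VpcId: !Ref VpcId

  # Inbound SSH only from the endpoint security group, never from 0.0.0.0/0.
  InstanceIngressFromEice:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref InstanceSecurityGroup
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      SourceSecurityGroupId: !Ref EiceSecurityGroup

  # The endpoint itself, placed in a private subnet with no internet gateway.
  Endpoint:
    Type: AWS::EC2::InstanceConnectEndpoint
    Properties:
      SubnetId: !Ref PrivateSubnetId
      SecurityGroupIds:
        - !Ref EiceSecurityGroup
      # false: the endpoint ENI is the connection source, so the security
      # group reference in the instance ingress rule above is what matches.
      PreserveClientIp: false
```

After the stack is deployed, the same connection as Step 6 can be made from the AWS CLI with `aws ec2-instance-connect ssh --instance-id <instance-id> --connection-type eice`, which also leaves a CloudTrail record of who opened the tunnel.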
Conclusion
With no need for internet gateways, public IPs, agents, or bastion hosts, EIC Endpoint offers a secure way to establish SSH or RDP connections to your instances in private subnets. You can use the AWS Management Console, the AWS CLI, or your existing client tools to establish a secure connection by setting up an EIC Endpoint for your VPC.

WRITTEN BY Rashmi D
Rashmi Dhumal is working as a Subject Matter Expert in the AWS Team at CloudThat, India. Being a passionate trainer, "technofreak and a quick learner", is what aptly describes her. She has 20+ years of experience as a technical trainer, academician, and mentor, with active involvement in curriculum development. She has trained many professionals and graduate students across India.