
Secure Private Connectivity using EC2 Instance Connect Endpoint

An Amazon Elastic Compute Cloud (Amazon EC2) instance is launched in the private subnet of Amazon Virtual Private Cloud (Amazon VPC). A user who wants to connect to a private instance must first connect to the bastion host, an instance with a public IP address provisioned in the public subnet through an internet gateway. This requires the additional overhead of maintaining and patching the bastion host to ensure connectivity. The architecture below shows how to connect to the private instance using a bastion host through an internet gateway.

Figure 1: Connect to the private instance using a bastion host


Amazon EC2 Instance Connect Endpoint (EIC Endpoint) allows a secure connection from the internet to instances in a private subnet. It does not require a bastion host, an internet gateway in the VPC, a public IP address on the resource, or any agent on the resource. EIC Endpoint provides control, isolation, and logging that meet an organization's security requirements through identity-based (IAM) and network-based (security group) controls. An organization administrator is freed from the overhead of maintaining and patching bastion hosts.

In the following figure, a user can connect to private instances using Amazon EC2 Instance Connect Endpoint without an internet gateway.

Figure 2: Connect to the private instance using EC2 Instance Connect Endpoint

Security groups are attached both to the instance you wish to connect to and to the EC2 Instance Connect Endpoint. First, attach a security group to the EIC Endpoint with inbound and outbound rules, adding the following rule.

For private instances, attach a security group to allow traffic from the EIC Endpoint security group by adding the following inbound rule.

Create a VPC with two private subnets in a single availability zone.

Launch two Amazon Linux instances, one in each private subnet.


Step 1 – Go to the VPC console and select Endpoints. Click on “Create Endpoint”.

Step 2 – Select “EC2 Instance Connect Endpoint” from the service category.

Step 3 – Select the VPC and the endpoint security group created earlier.

Step 4 – Select one of the private subnets and click on “Create endpoint”.

Step 5 – Select the EC2 instance in the EC2 console and click on “Connect”.

Step 6 – Select “Connect using EC2 Instance Connect Endpoint” and choose the endpoint created in step 1. Click on “Connect”. You will be connected to the private EC2 instance.

Step 7 – Repeat step 6 to connect to the other private EC2 instance.
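The whole setup described above (the two security groups with their rules, the VPC with two private subnets, the two Amazon Linux instances, and the endpoint from steps 1–4) expressed as a single Terraform configuration. This is an added example and is not code from the original post or from AWS; the region, CIDR blocks, instance type, AMI name filter, and resource names are assumptions, and the `preserve_client_ip = false` choice is explained inline.

```hcl
# Added example, not from the original post. Region, CIDRs, instance type and
# AMI filter are assumptions; adjust them for your account.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.5" } # adds aws_ec2_instance_connect_endpoint
  }
}

provider "aws" {
  region = "us-east-1"
}

data "aws_availability_zones" "available" {
  state = "available"
}

# VPC with two private subnets in one AZ. No internet gateway, no NAT, no public IPs.
resource "aws_vpc" "lab" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "eice-lab" }
}

resource "aws_subnet" "private" {
  count             = 2
  vpc_id            = aws_vpc.lab.id
  cidr_block        = cidrsubnet(aws_vpc.lab.cidr_block, 8, count.index)
  availability_zone = data.aws_availability_zones.available.names[0]
  tags              = { Name = "eice-private-${count.index}" }
}

# Security group for the endpoint itself. Terraform removes the default allow-all
# egress, so the only thing the endpoint ENI can reach is the instance SG on 22.
# No inbound rule is needed: the endpoint only ever initiates connections.
resource "aws_security_group" "eice" {
  name        = "eice-endpoint-sg"
  description = "EC2 Instance Connect Endpoint"
  vpc_id      = aws_vpc.lab.id
}

resource "aws_vpc_security_group_egress_rule" "eice_to_instances" {
  security_group_id            = aws_security_group.eice.id
  ip_protocol                  = "tcp"
  from_port                    = 22 # SSH; add a second rule for 3389 if RDP is needed
  to_port                      = 22
  referenced_security_group_id = aws_security_group.instance.id
}

# Security group for the private instances: SSH is accepted only from the
# endpoint's security group, never from a CIDR. No egress rule is defined, so the
# instances cannot start outbound connections; SSH return traffic still flows
# because security groups are stateful.
resource "aws_security_group" "instance" {
  name        = "private-instance-sg"
  description = "Private instances reachable only through EICE"
  vpc_id      = aws_vpc.lab.id
}

resource "aws_vpc_security_group_ingress_rule" "ssh_from_eice" {
  security_group_id            = aws_security_group.instance.id
  ip_protocol                  = "tcp"
  from_port                    = 22
  to_port                      = 22
  referenced_security_group_id = aws_security_group.eice.id
}

data "aws_ami" "amazon_linux" {
  most_recent = true
  owners      = ["amazon"]
  filter {
    name   = "name"
    values = ["al2023-ami-*-x86_64"]
  }
}

# One Amazon Linux instance in each private subnet, explicitly without a public IP.
resource "aws_instance" "private" {
  count                       = 2
  ami                         = data.aws_ami.amazon_linux.id
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet.private[count.index].id
  vpc_security_group_ids      = [aws_security_group.instance.id]
  associate_public_ip_address = false
  tags                        = { Name = "private-${count.index}" }
}

# Steps 1-4 of the walkthrough: a single endpoint in one of the private subnets.
# One endpoint per VPC is enough to reach instances in any of its subnets.
resource "aws_ec2_instance_connect_endpoint" "lab" {
  subnet_id          = aws_subnet.private[0].id
  security_group_ids = [aws_security_group.eice.id]
  # false: the instance sees the endpoint ENI's private IP as the source, so the
  # security-group reference above matches. With true, the instance sees the
  # client's own IP and its SG would have to admit that address instead.
  preserve_client_ip = false
  tags               = { Name = "eice-lab" }
}

output "instance_ids" {
  value = aws_instance.private[*].id
}
```

After `terraform apply`, steps 5–7 can be done from the AWS CLI (v2) instead of the console with `aws ec2-instance-connect ssh --instance-id <id from the output> --connection-type eice --os-user ec2-user`. The calling IAM principal needs `ec2-instance-connect:OpenTunnel` on the endpoint and `ec2-instance-connect:SendSSHPublicKey` on the instance, and each tunnel is recorded in CloudTrail as an `OpenTunnel` event, which gives the audit trail that a bastion host would otherwise have to provide on its own.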



With no need for internet gateways, public IPs, agents, or bastion hosts, EIC Endpoint offers a secure way to establish SSH or RDP connections to your instances in private subnets. Once an EIC Endpoint is set up in your VPC, you can connect through the console, the AWS CLI, or your existing client tools.




Rashmi Dhumal is working as a Subject Matter Expert in AWS Team at CloudThat, India. Being a passionate trainer, “technofreak and a quick learner”, is what aptly describes her. She has an immense experience of 20+ years as a technical trainer, an academician, mentor, and active involvement in curriculum development. She trained many professionals and student graduates pan India.


