An Amazon Elastic Compute Cloud (Amazon EC2) instance is launched in the private subnet of Amazon Virtual Private Cloud (Amazon VPC). A user who wants to connect to a private instance must first connect to the bastion host, an instance with a public IP address provisioned in the public subnet through an internet gateway. This requires the additional overhead of maintaining and patching the bastion host to ensure connectivity. The architecture below shows how to connect to the private instance using a bastion host through an internet gateway.
Amazon EC2 Instance Connect Endpoint (EIC Endpoint) allows a secure connection from the internet to instances in a private subnet. It does not require a bastion host, an internet gateway in the VPC, a public IP address on the resource, or any agent on the resource. EIC Endpoint provides control, isolation, and logging to meet organizations' security requirements using identity-based and network-based controls, and it frees administrators from the overhead of maintaining and patching bastion hosts.
In the following figure, a user can connect to private instances using Amazon EC2 Instance Connect Endpoint without an internet gateway.
Security groups are attached both to the instance you wish to connect to and to the EC2 Instance Connect Endpoint. For the EIC Endpoint, attach a security group with inbound and outbound rules by adding the following rule.
For private instances, attach a security group to allow traffic from the EIC Endpoint security group by adding the following inbound rule.
Create a VPC with two private subnets in a single Availability Zone.
Launch two Amazon Linux instances, one in each private subnet.
Step 1– Go to the VPC console and select Endpoints. Click on "Create Endpoint."
Step 2– Select "EC2 Instance Connect Endpoint" from the service category.
Step 3– Select the VPC and the endpoint security group created earlier.
Step 4– Select one of the private subnets and click on "Create endpoint."
Step 5– Select the EC2 instance from the EC2 console and click on "Connect."
Step 6– Select "Connect using EC2 Instance Connect Endpoint" and choose the endpoint created in Step 1. Click on "Connect." You will be connected to the private EC2 instance.
Step 7– Repeat Step 6 to connect to the other private EC2 instance.
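The same setup driven from the AWS CLI, as an added example that is not part of the original post: it creates the two security groups with only the rules the post describes, creates the endpoint in one private subnet, and opens an SSH session through it. All resource IDs are placeholders, and client IP preservation is turned off so that the instance sees the endpoint as the traffic source, which is what the security-group-reference rule matches.

```shell
#!/bin/sh
# Added example, not from the original post. IDs are placeholders.
set -eu

# Instance SG with no rules yet; inbound TCP/22 from the endpoint SG is added later.
create_instance_sg() {
  aws ec2 create-security-group --vpc-id "$1" --group-name eice-target-sg \
    --description "Private instances reached via EIC Endpoint" --query GroupId --output text
}

# Endpoint SG: replace the default allow-all egress with TCP/22 to the instance SG only.
create_eice_sg() {
  vpc_id=$1; instance_sg=$2
  sg=$(aws ec2 create-security-group --vpc-id "$vpc_id" --group-name eice-sg \
    --description "EC2 Instance Connect Endpoint" --query GroupId --output text)
  aws ec2 revoke-security-group-egress --group-id "$sg" \
    --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]'
  aws ec2 authorize-security-group-egress --group-id "$sg" \
    --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,UserIdGroupPairs=[{GroupId=$instance_sg}]"
  echo "$sg"
}

# The inbound rule from the post: SSH into the instances only from the endpoint SG.
allow_ssh_from_endpoint() {
  aws ec2 authorize-security-group-ingress --group-id "$1" \
    --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,UserIdGroupPairs=[{GroupId=$2}]"
}

# Create the endpoint in one private subnet and poll until it is usable.
create_endpoint() {
  eice=$(aws ec2 create-instance-connect-endpoint --subnet-id "$1" --security-group-ids "$2" \
    --no-preserve-client-ip --query InstanceConnectEndpoint.InstanceConnectEndpointId --output text)
  until [ "$(aws ec2 describe-instance-connect-endpoints --instance-connect-endpoint-ids "$eice" \
      --query 'InstanceConnectEndpoints[0].State' --output text)" = "create-complete" ]; do
    sleep 10
  done
  echo "$eice"
}

# ssh ProxyCommand that tunnels through the endpoint; the instance needs no public IP.
eice_proxy_command() {
  printf 'aws ec2-instance-connect open-tunnel --instance-id %s --instance-connect-endpoint-id %s' "$1" "$2"
}

main() {
  vpc=vpc-0123456789abcdef0; subnet=subnet-0123456789abcdef0; instance=i-0123456789abcdef0
  isg=$(create_instance_sg "$vpc"); esg=$(create_eice_sg "$vpc" "$isg")
  allow_ssh_from_endpoint "$isg" "$esg"
  eice=$(create_endpoint "$subnet" "$esg")
  # Uses the key pair chosen at launch; the hostname after @ is only a label here.
  ssh -o ProxyCommand="$(eice_proxy_command "$instance" "$eice")" ec2-user@"$instance"
}
if [ "${EICE_RUN:-0}" = 1 ]; then main; fi   # set EICE_RUN=1 to run against a real account
```

Run with `EICE_RUN=1 sh script.sh` after replacing the placeholder IDs; the ssh session is logged by CloudTrail like any other endpoint use, with no inbound rule on the instance beyond the endpoint SG.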
With no need for internet gateways, public IPs, agents, or bastion hosts, EIC Endpoint offers a secure way to establish SSH or RDP connections to your instances in private subnets. Once an EIC Endpoint is set up in your VPC, you can connect through the AWS Management Console, the AWS CLI, or your existing client tools.
WRITTEN BY Rashmi D