AWS has recently unveiled an exceptional feature that enables direct connections to instances in a Private Subnet without the need to assign them a Public IP address. With the assistance of EC2 Instance Connect Endpoint, you can now conveniently establish SSH/RDS connections to these instances.
Previously, customers had to rely on a bastion host to establish connections with instances in a Private Subnet. However, the reality is that managing a bastion host can be burdensome in itself.
In this blog, i will show you simple steps to SSH your instance in Private Subnet from browser and local machine.
There is no additional cost for using EIC endpoints. Standard data transfer charges apply.
Here are the steps to setup this configuration:
- First of all ensure to grant required IAM permissions to user who want to use EC2 Instance Connect Endpoint
- Setup Security groups for EC2 Instance Connect Endpoint
- To setup security group, consider following sample setup
- The EIC Endpoint Security Group has one outbound rule that allows TCP traffic to the Development Security Group. This configuration means that the EC2 Instance Connect Endpoint can only send traffic to instances that are assigned the Development Security Group
- EIC Endpoint SG send outbound TCP request (SSH and RDP) to Development SG
- Development SG accept inbound TCP traffic (SSH and RDP) from EIC Endpoint SG
- Create new endpoint as shown below
- Name – MyEndPoint
- Service Category – EC2 Instance Connect Endpoint
- VPC of your choice
- Security Group – EIC Endpoing Security Group
- Subnect – Select your Private Subnet in which Instance will be launched
- click ‘create endpoint’ button
- Provision new EC2 Instance in Private Subnet and associate Development SG to it.
- Note there is new EC2 instance created without and Public IP address. There is Private IP assigned -10.0.4.135
- In order to connect EC2 instance, simply select instance -> click Connect button
- Select ‘Connect using EC2 Instance Connect Endpoint’
- Select EC2 Instance Connect Endpoint created in step #3 and click on Connect
- You are successfully connected to EC2 instance from browser.
- Alternatively, if you want to connect EC2 instance from local machine using Powershell then simply run this command aws
ec2-instance-connect ssh –instance-id i-0a9e3ddcddfaedb2c
- ta-da, you are conneted to instance in Private Subnet.