AWS EC2 Instance Connect Endpoint: New feature, Great convenience, Its installation step by step
We will miss you Bastion Host/Jump Box… Thanks to EIC Endpoint, we now have SSH and RDP connectivity to our EC2 instances in the private subnet using private IP addresses, without using a Bastion Host.
At its annual re:Inforce security conference, AWS gave customers a new way to securely and seamlessly connect to their EC2 instances in public and private subnets without the need for a bastion host: the AWS Instance Connect Endpoint (EIC Endpoint). Thanks to EIC Endpoint, we now have SSH and RDP connectivity to our EC2 instances using private IP addresses, without using a Bastion Host.
In this article, we will create, step by step, an AWS Instance Connect Endpoint for Amazon Elastic Compute Cloud (Amazon EC2) instances in private subnets, and we will connect to them without the need for a Bastion Host.
We will also talk about the AWS Instance Connect Endpoint, its features, its limitations, and the ways to use it.
We will do it all step by step.
Topics we will cover:
1. What is the AWS Instance Connect Endpoint?
2. Creating an AWS Instance Connect Endpoint
2. a. Creating the test environment
2. b. Create an EC2 Instance Connect Endpoint
3. Connecting the EC2 Linux instance in the private subnet using the Amazon EC2 console
4. Connecting the EC2 Linux instance in the private subnet using SSH
4. a. Creating the role
4. b. Creating the policy
4. c. Assigning the policy to the role
4. d. Update AWS CLI
4. e. Connecting the EC2 Linux instance in the private subnet using SSH
4. f. EC2 Instance Connect Endpoint Pricing
5. As a result
6. Next post
If you like the article, I will be happy if you click the Medium Follow button to encourage me to write more, and so that you don't miss future articles.
Your claps, follows, or subscriptions help my articles reach a broader audience. Thank you in advance for them.
1. What is the AWS Instance Connect Endpoint?
Before EIC Endpoint, connecting to an Amazon EC2 instance within our Amazon Virtual Private Cloud (Amazon VPC) over the Internet took two hops. First, we had to connect to a bastion host with a public IP address that our administrator set up behind an Internet Gateway (IGW) in the VPC, and then use port forwarding to reach the destination, for example a database instance in a private subnet of the VPC.
The Bastion Host runs on an Amazon EC2 instance that is typically in a public subnet of your Amazon VPC. The Linux instances are in a subnet that is not publicly accessible, and they are set up with a security group that allows SSH access from the security group attached to the EC2 instance running the bastion host. Users connect to the bastion host, and from there to the Linux instances, as shown in Figure 1. (1)
Nowadays, EC2 Instance Connect Endpoint is the new way to securely and seamlessly connect to EC2 instances in public and private subnets without the need for a bastion host. It allows us to connect to an instance without requiring the instance to have a public IPv4 address. We can connect to any instance that supports TCP. (1) There is no need to use a Bastion Host anymore, as shown in Figure 2.
It works by using the new AWS Instance Connect API to push a one-time-use public key to an EC2 instance, accessible through its metadata service. (2)
Thanks to EC2 Instance Connect Endpoint:
* No need for a bastion host: With EC2 Instance Connect Endpoint, you don’t need a separate bastion host to establish a secure connection to your EC2 instances. This simplifies the setup and reduces management overhead.
* Enhanced security and isolation: EC2 Instance Connect Endpoint leverages IAM-based authentication and authorization, along with security groups, to ensure that only authorized users can access your EC2 instances. This provides granular access control and protects your private resources.
* Simplified administration: By eliminating the need for a bastion host, EC2 Instance Connect Endpoint reduces the complexity of managing connectivity to your EC2 instances. You don’t have to worry about maintaining and patching additional infrastructure.
* Compatibility with existing tools: You can continue using PuTTY and OpenSSH to connect to your EC2 instances through EC2 Instance Connect Endpoint. This means you don’t have to learn new tools or workflows.
* Security Controls and Capabilities: EC2 Instance Connect Endpoint incorporates robust security controls to ensure the integrity and confidentiality of the connection process. (3)
Limitations of the EC2 Instance Connect Endpoint:
* EC2 Instance Connect Endpoint doesn’t support connections to an instance using IPv6 addresses.
* When client IP preservation is enabled, the instance to connect to must be in the same VPC as the EC2 Instance Connect Endpoint.
* Client IP preservation is not supported when traffic is routed through an AWS Transit Gateway.
* The following instance types do not support client IP preservation: C1, CC1, CC2, CG1, CG2, CR1, G1, G2, HI1, HS1, M1, M2, M3, and T1. (4)
* The following AMIs come preinstalled with EC2 Instance Connect:(5)
- Amazon Linux 2 2.0.20190618 or later
- Ubuntu 20.04 or later
* Another prerequisite is to update your AWS CLI to version 2.12.0 in order to use it from the command line.
* You must have the required IAM permission to connect to an EC2 Instance Connect Endpoint (check this link). If you have admin rights, this is not needed.
2. Creating an AWS Instance Connect Endpoint.
2. a. Creating the test environment
In order to test the service, I created a test environment. My AWS environment has 2 public and 2 private subnets. I launched an EC2 instance in one of the private subnets, as shown in Figures 2–3.
I entered the commands required to install the web server in User data and clicked the “launch instance” button, as shown in Figure 4.
2. b. Create an EC2 Instance Connect Endpoint
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the left navigation pane, choose Endpoints. Choose “Create endpoint”, as shown in Figure 5.
Then complete the settings below, as shown in Figure 7:
- (Optional) For Name tag, enter a name for the endpoint.
- For Service category, choose EC2 Instance Connect Endpoint.
- For VPC, select the VPC in which to create the endpoint.
- (Optional) For Security groups, select the security group to associate with the endpoint. If you don’t select one, the default security group for your VPC will be associated with the endpoint. This security group controls the inbound traffic to the endpoint and should allow SSH traffic (port 22) from the authorized clients. As an example, in Figure 6 the EC2 Instance Connect Endpoint is assigned the security group EIC Endpoint Security Group, which has one outbound rule that allows TCP traffic to the Development Security Group. This configuration means that the EC2 Instance Connect Endpoint can only send traffic to instances that are assigned the Development Security Group. Since the instance in the figure is assigned the Development Security Group, the EC2 Instance Connect Endpoint can send TCP traffic to it. (6)
- For Subnet, select the subnet in which to create the endpoint.
- (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.
Finally, choose “Create endpoint”, as shown in Figure 7.
Note: The initial status is Pending. Before you can connect to an instance using this endpoint, wait until the status is Available. This can take a few minutes after creation, as shown in Figure 8. (7)
3. Connecting the EC2 Linux instance in the private subnet using the Amazon EC2 console
Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
In the navigation pane, choose Instances. Select the instance that we created, and choose Connect, as shown in Figure 9.
Choose the EC2 Instance Connect tab. For Connection type, choose “Connect using EC2 Instance Connect Endpoint”. For User name, verify the user name (for our EC2 instance it must be “ec2-user”).
For Max tunnel duration (seconds), enter the maximum allowed duration for the SSH connection. The duration must comply with the maxTunnelDuration condition specified in the IAM policy. If you don't have access to the IAM policy, ask your administrator to verify it. If maxTunnelDuration is not specified in the IAM policy, enter the default, which is 3600 seconds (1 hour), as shown in Figure 10.
For EC2 Instance Connect Endpoint, choose the EC2 Instance Connect Endpoint that we created in the instance’s VPC, as shown in Figure 11.
Finally, choose “Connect” to open a terminal window, as shown in Figures 12–13.
Now we are connected to the EC2 instance on its private IP via SSH using the AWS Instance Connect Endpoint, as shown in Figure 13.
With the Linux “cat” command, I can see my index.html file on the EC2 instance in the private subnet, as shown in Figure 14.
4. Connecting the EC2 Linux instance in the private subnet using SSH
4. a. Creating the role
To connect to the EC2 Linux instance in the private subnet using EC2 Instance Connect, we must create a role and assign to it the IAM policy we will create next.
Go to IAM in the AWS console and click on the “Create role” button, as shown in Figure 15.
Select AWS Account and next, as shown in Figure 16.
Click on the “next” button in the window below and continue, as shown in Figure 17.
Write the role name and description, then click on “Create role” in the window below, as shown in Figure 18.
The role was created, as shown in Figure 19.
4. b. Creating the policy
Go to IAM in the AWS console and click on the “Create policy” button, as shown in Figure 20.
Select JSON, as shown in Figure 22, and paste the policy into it (you can copy it from my GitHub repo).
As the warning notes, change the relevant places in the policy to match your own resources. For example, for “arn:aws:ec2:<AWS_REGION>:<AWS_ACCOUNT_ID>”, go to the VPC console, as shown in Figure 21, copy the endpoint ARN and paste it into the policy. Then click on the “next” button. The three values you must change are:
    "Resource": "arn:aws:ec2:<AWS_REGION>:<AWS_ACCOUNT_ID>:instance-connect-endpoint/<eice-01d696f4d67ed9bdd>"   (replace with your endpoint ARN)
    "ec2-instance-connect:privateIpAddress": "22.214.171.124"   (replace with your Linux instance’s private IP)
    "ec2-instance-connect:maxTunnelDuration": "3600"   (set to your maximum tunnel duration)
Note: Don’t forget the description in this policy; otherwise you may get an error when you click on the next button.
Write the policy name and click on create policy, as shown in Figure 23.
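The three values above are what scope the OpenTunnel grant down to one endpoint, one instance and a bounded session. As an added illustration (my own code, not the author's policy nor anything from the author's GitHub repo), the Python below renders such a least-privilege policy from those values and then audits a policy document for the usual ways it gets widened: a wildcard endpoint resource, or a missing privateIpAddress or maxTunnelDuration condition. It assumes the condition operators used in the AWS policy template (IpAddress, NumericEquals, NumericLessThanEquals), a hypothetical format check for endpoint ids (eice- followed by hex), and the 1–3600 second tunnel range; the region, account id and IP values are constructed placeholders.

```python
import ipaddress
import json
import re
from typing import Dict, List

# Constructed placeholders, not real resources: substitute your own values.
REGION = "<AWS_REGION>"
ACCOUNT_ID = "<AWS_ACCOUNT_ID>"

# Assumed id format for EC2 Instance Connect Endpoints (eice- plus hex digits).
_ENDPOINT_ID_RE = re.compile(r"^eice-[0-9a-f]{8,17}$")
_OPEN_TUNNEL_ACTIONS = {"*", "ec2-instance-connect:*", "ec2-instance-connect:OpenTunnel"}


def build_open_tunnel_policy(region: str, account_id: str, endpoint_id: str,
                             private_ip: str, max_tunnel_duration: int = 3600,
                             os_user: str = "ec2-user", remote_port: int = 22) -> Dict:
    """Return a policy document scoped to one endpoint ARN, one instance address
    (host or CIDR), one remote port and a bounded tunnel lifetime.
    Raises ValueError on malformed input so a typo cannot silently widen the grant."""
    if not _ENDPOINT_ID_RE.match(endpoint_id):
        raise ValueError(f"not an EC2 Instance Connect Endpoint id: {endpoint_id}")
    ipaddress.ip_network(private_ip, strict=False)  # accepts 10.0.1.25 or 10.0.1.0/24
    if not 1 <= max_tunnel_duration <= 3600:  # documented range, verify against current docs
        raise ValueError("maxTunnelDuration must be between 1 and 3600 seconds")
    endpoint_arn = f"arn:aws:ec2:{region}:{account_id}:instance-connect-endpoint/{endpoint_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "OpenTunnelToOneInstance",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:OpenTunnel",
                "Resource": endpoint_arn,
                "Condition": {
                    "IpAddress": {"ec2-instance-connect:privateIpAddress": private_ip},
                    "NumericEquals": {"ec2-instance-connect:remotePort": str(remote_port)},
                    "NumericLessThanEquals": {
                        "ec2-instance-connect:maxTunnelDuration": str(max_tunnel_duration)},
                },
            },
            {
                "Sid": "PushOneTimeSSHKey",
                "Effect": "Allow",
                "Action": "ec2-instance-connect:SendSSHPublicKey",
                "Resource": "*",
                "Condition": {"StringEquals": {"ec2:osuser": os_user}},
            },
            {
                "Sid": "DescribeForConsoleAndCli",
                "Effect": "Allow",
                "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"],
                "Resource": "*",
            },
        ],
    }


def audit_open_tunnel_policy(policy: Dict) -> List[str]:
    """List the Allow statements granting OpenTunnel that are broader than the
    template above: wildcard endpoint resource, or no privateIpAddress /
    maxTunnelDuration condition. An empty list means nothing was flagged."""
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not _OPEN_TUNNEL_ACTIONS.intersection(actions):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Resource") == "*":
            findings.append(f"{sid}: OpenTunnel allowed through any endpoint (Resource '*')")
        condition_keys = {key for block in stmt.get("Condition", {}).values() for key in block}
        if "ec2-instance-connect:privateIpAddress" not in condition_keys:
            findings.append(f"{sid}: no privateIpAddress condition, any instance reachable")
        if "ec2-instance-connect:maxTunnelDuration" not in condition_keys:
            findings.append(f"{sid}: no maxTunnelDuration condition, tunnel length unbounded")
    return findings


if __name__ == "__main__":
    scoped = build_open_tunnel_policy(REGION, ACCOUNT_ID, "eice-01d696f4d67ed9bdd", "10.0.1.25")
    print(json.dumps(scoped, indent=2))
    print("scoped policy findings:", audit_open_tunnel_policy(scoped))
    # Constructed over-broad policy for comparison: every endpoint, no conditions.
    weak = {"Version": "2012-10-17", "Statement": [{"Sid": "TooBroad", "Effect": "Allow",
            "Action": "ec2-instance-connect:OpenTunnel", "Resource": "*"}]}
    print("weak policy findings:", audit_open_tunnel_policy(weak))
```

Paste the output of build_open_tunnel_policy into the JSON editor in place of the template, or run audit_open_tunnel_policy over a policy document exported from IAM to confirm that the three conditions survived editing.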
4. c. Assigning the policy to the role
We have created the role and the policy; now we will assign the policy to the role.
Go back to Roles and click on the role we created, as shown in Figure 24.
Click on “Attach policy”, as shown in Figure 25.
Select the policy we created and add permission, as shown in Figure 26.
The role is ready, as shown in Figure 27.
4. d. Update AWS CLI
Check the AWS CLI version with aws --version, and if it is older than 2.12.0 update it with the commands below.
curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
unzip -q awscliv2.zip && sudo ./aws/install --update
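Checking the version by eye is easy to get wrong when a script does it with a string comparison ("2.9.10" sorts after "2.12.0"). The following Python is an added example, not the author's code: it parses the banner that aws --version prints and compares it numerically against 2.12.0, the minimum the article gives for the open-tunnel subcommand. The sample banners are constructed, and the live check is skipped when the CLI is not on PATH.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Minimum AWS CLI version named in the article for "aws ec2-instance-connect open-tunnel".
MIN_VERSION = (2, 12, 0)


def parse_aws_cli_version(version_output: str) -> Optional[Tuple[int, ...]]:
    """Extract (major, minor, patch) from the banner printed by `aws --version`,
    e.g. "aws-cli/2.13.5 Python/3.11.4 Linux/6.2.0 exe/x86_64".
    Returns None when the text does not look like AWS CLI output."""
    match = re.match(r"aws-cli/(\d+)\.(\d+)\.(\d+)", version_output.strip())
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def needs_update(version_output: str) -> bool:
    """True when the installed CLI is older than MIN_VERSION or cannot be parsed.
    Tuples compare element by element, so 2.9.10 < 2.12.0 is handled correctly,
    where a plain string comparison would rank "2.9.10" above "2.12.0"."""
    parsed = parse_aws_cli_version(version_output)
    return parsed is None or parsed < MIN_VERSION


def installed_version_output() -> str:
    """Run `aws --version` if the CLI is on PATH; return an empty string otherwise."""
    if shutil.which("aws") is None:
        return ""
    result = subprocess.run(["aws", "--version"], capture_output=True, text=True)
    # Some CLI builds print the version banner to stderr rather than stdout.
    return result.stdout or result.stderr


if __name__ == "__main__":
    # Constructed sample banners so the check can be exercised offline.
    for sample in ("aws-cli/2.9.10 Python/3.9.11 Linux/5.15.0 exe/x86_64",
                   "aws-cli/2.13.5 Python/3.11.4 Linux/6.2.0 exe/x86_64"):
        print(sample.split()[0], "-> update needed:", needs_update(sample))
    live = installed_version_output()
    if live:
        print("installed:", live.strip(), "-> update needed:", needs_update(live))
```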
4. e. Connecting the EC2 Linux instance in the private subnet using SSH
Now we can use SSH to connect to our Linux instance in the private subnet, using the open-tunnel command as a ProxyCommand to establish a private tunnel. I used the command below, with my own Instance ID, as shown in Figure 28.
ssh -i my-key-pair.pem ec2-user@i-0123456789example \
-o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-0123456789example'
We are connected to the EC2 Linux instance in the private subnet using SSH, as shown in Figure 29.
4. f. EC2 Instance Connect Endpoint Pricing
There is no additional cost for using EIC endpoints; the service is simple to configure and costs nothing by itself. (8) If you use an EC2 Instance Connect Endpoint in one subnet to connect to an instance in another subnet that is in a different Availability Zone, there is an additional charge for data transfer across Availability Zones; (9) otherwise you only pay for standard data transfer.
5. As a result
We have successfully created and used an EC2 Instance Connect Endpoint to connect to our EC2 instances securely using SSH. EC2 Instance Connect Endpoint simplifies and enhances the security of connecting to private EC2 instances via SSH.
Using Bastion Hosts involves the operational overhead of patching, managing, and auditing, as well as additional costs. EIC Endpoint eliminates the cost and operational overhead of maintaining Bastion Hosts.
Even though we didn’t mention it in this article, EIC Endpoint combines AWS Identity and Access Management (IAM) based access controls to restrict access to trusted principals, with network-based controls such as Security Group rules, and provides an audit of all connections via AWS CloudTrail, helping customers improve their security posture. (10)
You can find the policies and the necessary commands in my GitHub repo.
If you liked the article, I would be happy if you click the Medium Follow button to encourage me to write more, and so that you don't miss future articles.
Your claps, follows, or subscriptions help my articles reach a broader audience. Thank you in advance for them.
6. Next post
In the next post, “AWS Instance Connect End-Point-2: RDP connectivity to Windows EC2 instance without using public IP addresses, without using Bastion Host”, we will see how to connect to a Windows EC2 instance over RDP without using public IP addresses and without using a Bastion Host. We will do it all step by step.