How to connect to EC2 Windows and Linux Instances using EC2 Instance Connect Endpoint?

2024.03.13

Overview

EC2 Instance Connect (EIC) Endpoint lets you open SSH or RDP connections to EC2 instances in a private subnet without giving the instance a public IP address or operating a bastion host. The endpoint has a network interface inside your VPC, and each connection is a TCP tunnel from your client through that interface to the instance, authorized by IAM (the caller needs ec2-instance-connect:OpenTunnel on the endpoint) and recorded in CloudTrail as an OpenTunnel event. In effect the bastion's own host keys, patching and login logs are replaced by IAM policy and CloudTrail.

You can SSH into a Linux instance through the endpoint directly from the AWS Management Console. An RDP connection to a Windows instance needs the AWS CLI instead: aws ec2-instance-connect open-tunnel forwards a local port through the endpoint to the instance's port 3389, and the RDP client connects to that local port.

EC2 Instance Connect Endpoint

  • Create a security group to attach to the EC2 Instance Connect Endpoint. It needs no inbound rules: the endpoint only originates connections toward instances, so only its outbound rules matter for connectivity.
  • Sign in to the AWS Management Console and navigate to the Amazon VPC console.
  • Choose Endpoints from the left navigation pane and click Create endpoint.
  • Enter a name for your endpoint, select EC2 Instance Connect Endpoint as the Service Category, and select the VPC in which you wish to create the EIC endpoint.


  • Select the security group you previously created, choose the subnet, and then create the endpoint. Once the endpoint status becomes Available, you can use it to connect to instances in the VPC.


Connect to EC2 Linux Server using EC2 Instance Connect Endpoint

  • Create an EC2 Linux Instance in a private subnet.
  • Add the following inbound rule to the Instance security group.
    • Type: SSH
    • Protocol: TCP
    • Port: 22
    • Source: EC2 Instance Connect Endpoint security group.
  • Add the following outbound rule to the EC2 Instance Connect Endpoint security group. (AWS recommends restricting the endpoint's outbound rules to the specific instances or security groups it must reach rather than keeping a security group's default allow-all egress: subject to each instance's own inbound rules, anyone allowed to call OpenTunnel can reach whatever the endpoint's egress permits.)
    • Type: SSH
    • Protocol: TCP
    • Port: 22
    • Destination: EC2 Instance security group.
  • Select the Linux Instance from the EC2 console and then choose Connect.
  • Choose Connect using EC2 Instance Connect Endpoint as the Connection Type and click Connect.


  • Connection to the EC2 Linux Server was successfully made using the EC2 Instance Connect Endpoint.


Connect to EC2 Windows Server using EC2 Instance Connect Endpoint

Prerequisite: Install and configure a current version of the AWS CLI on your PC (Reference: AWS CLI); the ec2-instance-connect open-tunnel subcommand is missing from older releases.

  • Create an EC2 Windows Instance in a private subnet.
  • Add the following inbound rule to the Instance security group.
    • Type: RDP
    • Protocol: TCP
    • Port: 3389
    • Source: EC2 Instance Connect Endpoint security group.
  • Add the following outbound rule to the EC2 Instance Connect Endpoint security group.
    • Type: RDP
    • Protocol: TCP
    • Port: 3389
    • Destination: EC2 Instance security group.
  • Open a terminal on your local machine and run the following command to start a local listener that forwards through the endpoint to the instance's port 3389. Substitute your Windows instance ID and any free local port; this article uses 13389. The tunnel is time-limited (at most 3600 seconds; --max-tunnel-duration, in seconds, lowers the limit for a session), and stopping the command closes it.
% aws ec2-instance-connect open-tunnel --instance-id i-00000000000 --remote-port 3389 --local-port 13389 --region us-east-1
Listening for connections on port 13389.
  • Open Remote Desktop and connect to the EC2 Windows server with the following details.
    • PC name: localhost:local-port (localhost:13389)
    • Username: Administrator
    • Password: the instance's Administrator password, retrieved from the EC2 console (Connect > RDP client > Get password) by decrypting it with the instance's key pair.


  • Connection to the EC2 Windows Server was successfully made using the EC2 Instance Connect Endpoint.
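The security-group pairing configured by hand in the Linux (port 22) and Windows (port 3389) sections above is easy to get subtly wrong, for instance by leaving an older 0.0.0.0/0 rule on the instance group or the default allow-all egress on the endpoint group. The following script is an added example, not part of the original article and not AWS code: it reads the JSON that aws ec2 describe-security-groups prints and reports every rule that widens the pairing beyond endpoint-group-to-instance-group on the target port. The group IDs and the sample output embedded in it are constructed for the example.

```python
"""Audit the security-group pairing between an EC2 Instance Connect Endpoint
and the instance it is allowed to reach.

Added example, not part of the original article and not AWS code. It checks
the rules the article configures by hand: the instance security group should
admit the target port (22 for SSH, 3389 for RDP) only from the endpoint's
security group, and the endpoint security group should need no inbound rules
and send traffic only to the instance security group. Input is the JSON that
`aws ec2 describe-security-groups` prints; the sample below is constructed for
the example and the group IDs in it are hypothetical.

Usage against a real account:
    aws ec2 describe-security-groups --group-ids sg-... sg-... \
        | python audit_eice_sg.py sg-<endpoint> sg-<instance> 3389
"""
import json
import sys

# Hypothetical group IDs used by the constructed sample below.
ENDPOINT_SG = "sg-0a1b2c3d4e5f60718"
INSTANCE_SG = "sg-0f9e8d7c6b5a43210"

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The instance group deliberately also admits RDP from 0.0.0.0/0, the kind of
# leftover rule that defeats the point of a private subnet.
SAMPLE = {
    "SecurityGroups": [
        {
            "GroupId": ENDPOINT_SG,
            "GroupName": "eice-sg",
            "IpPermissions": [],
            "IpPermissionsEgress": [
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                 "IpRanges": [], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": INSTANCE_SG}]},
            ],
        },
        {
            "GroupId": INSTANCE_SG,
            "GroupName": "windows-sg",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
                 "UserIdGroupPairs": [{"GroupId": ENDPOINT_SG}]},
            ],
            "IpPermissionsEgress": [
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                 "Ipv6Ranges": [], "UserIdGroupPairs": []},
            ],
        },
    ]
}


def rule_covers(rule, port):
    """True if a permission entry matches TCP `port` ("-1" means all traffic)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return rule.get("FromPort", -1) <= port <= rule.get("ToPort", -1)


def cidr_sources(rule):
    """All IPv4 and IPv6 CIDRs named by a permission entry."""
    return ([r["CidrIp"] for r in rule.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])])


def audit(describe_output, endpoint_sg, instance_sg, port):
    """Return a list of findings; an empty list means the pairing is as tight
    as the article describes."""
    groups = {g["GroupId"]: g for g in describe_output["SecurityGroups"]}
    if endpoint_sg not in groups or instance_sg not in groups:
        return ["endpoint or instance security group missing from input"]
    eice, inst = groups[endpoint_sg], groups[instance_sg]
    findings = []

    # Instance inbound: the port must be reachable only from the endpoint group.
    from_endpoint = False
    for rule in inst.get("IpPermissions", []):
        if not rule_covers(rule, port):
            continue
        for cidr in cidr_sources(rule):
            findings.append(f"{instance_sg} admits tcp/{port} from CIDR {cidr}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] == endpoint_sg:
                from_endpoint = True
            else:
                findings.append(f"{instance_sg} admits tcp/{port} from group {pair['GroupId']}")
    if not from_endpoint:
        findings.append(f"{instance_sg} has no inbound tcp/{port} rule from {endpoint_sg}")

    # Endpoint inbound: nothing is needed, so anything present is unexplained.
    if eice.get("IpPermissions"):
        findings.append(f"{endpoint_sg} has inbound rules that the endpoint does not need")

    # Endpoint outbound: only to the instance group, never to a CIDR.
    to_instance = False
    for rule in eice.get("IpPermissionsEgress", []):
        for cidr in cidr_sources(rule):
            findings.append(f"{endpoint_sg} egress allowed to CIDR {cidr}")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair["GroupId"] == instance_sg and rule_covers(rule, port):
                to_instance = True
    if not to_instance:
        findings.append(f"{endpoint_sg} has no egress tcp/{port} rule to {instance_sg}")
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 4 and not sys.stdin.isatty():
        data, ep, inst, port = json.load(sys.stdin), sys.argv[1], sys.argv[2], int(sys.argv[3])
    else:  # no piped input: run against the constructed sample
        data, ep, inst, port = SAMPLE, ENDPOINT_SG, INSTANCE_SG, 3389
    for finding in audit(data, ep, inst, port):
        print("FINDING:", finding)
```

Without piped input the script audits the embedded sample and reports the stray 0.0.0.0/0 rule; with the real describe-security-groups output piped in, an empty result means the instance port is reachable only through the endpoint and the endpoint can reach only that group. Run it with 22 for the Linux pairing and 3389 for the Windows one.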


Reference

Please refer to the articles below for more information about EC2 Instance Connect Endpoint.

Connect to your instances without requiring a public IPv4 address using EC2 Instance Connect Endpoint

Install or update to the latest version of the AWS CLI