I tried accessing the console without internet connection using AWS Management Console Private Access
Introduction
On June 15, 2026, AWS Management Console Private Access added support for operation without an internet connection.
Previously, Console Private Access let you restrict which accounts and networks could reach the console, but rendering the console itself still required an internet connection. With this update, for the supported services, both the console display and sign-in can be served through VPC endpoints.
In this article, I placed a Windows EC2 instance in a VPC with no internet access, operated a browser on it via Fleet Manager Remote Desktop, and verified sign-in to the console, the display of selected service screens, and the API communication behind them.
Verification Environment and Configuration
- Region: ap-northeast-1 (Tokyo)
- VPC: 10.0.0.0/16, DNS support / DNS hostnames enabled
- Subnet: Private only (10.0.1.0/24), no IGW / NAT
- EC2: Windows Server 2022, t3.medium, no public IP
- Connection method: SSM Fleet Manager (Remote Desktop)
- Sign-in method: IAM user
The scope of "no internet connection" refers to the communication path from the EC2 instance within the VPC to the console / AWS API. The path from the management terminal that opens Fleet Manager is out of scope.
VPC Endpoints
For Management Console (Interface type, PrivateDNS enabled)
| Service Name | Purpose |
|---|---|
| com.amazonaws.ap-northeast-1.console | Management Console |
| com.amazonaws.ap-northeast-1.signin | Sign-in |
| com.amazonaws.ap-northeast-1.console-static | Static content delivery |
For SSM connection (Interface type, PrivateDNS enabled)
| Service Name | Purpose |
|---|---|
| com.amazonaws.ap-northeast-1.ssm | SSM service |
| com.amazonaws.ap-northeast-1.ssmmessages | SSM session communication |
| com.amazonaws.ap-northeast-1.ec2messages | EC2 messages |
For service API (Gateway type)
| Service Name | Purpose |
|---|---|
| com.amazonaws.ap-northeast-1.s3 | S3 API (for verifying bucket list screen display) |
| com.amazonaws.ap-northeast-1.dynamodb | DynamoDB API (for verifying console screen display) |
The security group allows inbound 443/TCP from the VPC CIDR for the endpoints.
CloudFormation Template
CloudFormation template (console-private-access.yaml)

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Console Private Access - Internet-free VPC with Management Console access via PrivateLink

Parameters:
  LatestWindowsAmi:
    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
    Default: /aws/service/ami-windows-latest/Windows_Server-2022-English-Full-Base

Resources:
  # VPC
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: console-private-access-vpc

  # Private Subnet
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: !Select [0, !GetAZs ""]
      MapPublicIpOnLaunch: false
      Tags:
        - Key: Name
          Value: console-private-access-private-subnet

  # Route Table (no routes to internet)
  PrivateRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: console-private-access-rt

  PrivateSubnetRouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref PrivateSubnet
      RouteTableId: !Ref PrivateRouteTable

  # Security Group for VPC Endpoints (443/TCP from the VPC CIDR only)
  EndpointSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTPS from VPC
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.0.0/16
      Tags:
        - Key: Name
          Value: console-private-access-endpoint-sg

  # Security Group for EC2 (no inbound rules; RDP goes through Fleet Manager)
  EC2SG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EC2 instance SG
      VpcId: !Ref VPC
      Tags:
        - Key: Name
          Value: console-private-access-ec2-sg

  # VPC Endpoints - Console (Interface type, Private DNS enabled)
  ConsoleEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.console
      VpcEndpointType: Interface
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref EndpointSG
      PrivateDnsEnabled: true

  SigninEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.signin
      VpcEndpointType: Interface
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref EndpointSG
      PrivateDnsEnabled: true

  ConsoleStaticEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.console-static
      VpcEndpointType: Interface
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref EndpointSG
      PrivateDnsEnabled: true

  # VPC Endpoints - SSM (Interface type, Private DNS enabled)
  SsmEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssm
      VpcEndpointType: Interface
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref EndpointSG
      PrivateDnsEnabled: true

  SsmMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ssmmessages
      VpcEndpointType: Interface
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref EndpointSG
      PrivateDnsEnabled: true

  Ec2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.ec2messages
      VpcEndpointType: Interface
      SubnetIds:
        - !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref EndpointSG
      PrivateDnsEnabled: true

  # VPC Endpoints - Gateway (attached to the private route table)
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref PrivateRouteTable

  DynamoDBEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.dynamodb
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref PrivateRouteTable

  # IAM Role for EC2 (SSM)
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      RoleName: console-private-access-ec2-role
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Roles:
        - !Ref EC2Role

  # EC2 Instance (private subnet, no public IP)
  WindowsInstance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !Ref LatestWindowsAmi
      InstanceType: t3.medium
      SubnetId: !Ref PrivateSubnet
      SecurityGroupIds:
        - !Ref EC2SG
      IamInstanceProfile: !Ref EC2InstanceProfile
      Tags:
        - Key: Name
          Value: console-private-access-windows

Outputs:
  InstanceId:
    Value: !Ref WindowsInstance
    Description: EC2 Instance ID (use SSM Fleet Manager to RDP)
  VpcId:
    Value: !Ref VPC
```
Trying It Out
Sign-in
After deploying the CloudFormation stack, I confirmed that the EC2 instance was registered as an SSM managed instance, then connected via RDP using Fleet Manager's Remote Desktop. I accessed https://console.aws.amazon.com in the Edge browser inside the EC2 instance.

After entering the IAM user credentials and signing in, the Console Home was displayed. A Private Access banner is shown at the top of the screen.

Console Verification for Supported Services
I checked the console screens for S3 and DynamoDB. Since this configuration creates Gateway Endpoints for S3 and DynamoDB, I was able to display the S3 bucket list screen and the DynamoDB console screen.
S3

DynamoDB

Behavior When Service API Endpoint Is Not Added
When I opened the EC2 console screen, the page itself rendered, but because no EC2 service API endpoint had been added, the console could not retrieve resource information and showed numerous API errors.

The console UI (served through the console / signin / console-static endpoints) and the service APIs that each screen calls are separate layers. A screen can render while its data requests fail: if the service API endpoint required by that screen or by the operations performed on it is absent, retrieval ends in API errors.
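A check worth running from the instance before opening the browser, added here as an example that is not part of the original article: it resolves the interface-endpoint hostnames and verifies that every answer falls inside the VPC CIDR, which is what PrivateDnsEnabled on the console / signin / SSM endpoints should produce. The hostnames, the region and the 10.0.0.0/16 CIDR are assumptions taken from this configuration; Gateway endpoints for S3 / DynamoDB do not change DNS answers (they work through the route table), so this check does not cover them.

```python
"""Verify that Console Private Access hostnames resolve to addresses inside
the VPC, i.e. to the interface endpoint ENIs, not to public AWS addresses."""
import ipaddress
import socket

# Assumption: the VPC CIDR from the verification environment.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Assumption: hostnames covered by the interface endpoints in this setup.
# The console and signin names are what the browser uses; the SSM names
# are what the agent on the instance uses (region ap-northeast-1 assumed).
INTERFACE_HOSTS = [
    "console.aws.amazon.com",
    "signin.aws.amazon.com",
    "ssm.ap-northeast-1.amazonaws.com",
    "ssmmessages.ap-northeast-1.amazonaws.com",
    "ec2messages.ap-northeast-1.amazonaws.com",
]


def resolve(host):
    """Return the IPv4 addresses the instance's resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify(addrs, vpc_cidr=VPC_CIDR):
    """'unresolved', 'private' if every address is in vpc_cidr, else 'public'."""
    if not addrs:
        return "unresolved"
    if all(ipaddress.ip_address(a) in vpc_cidr for a in addrs):
        return "private"
    return "public"


def audit(resolutions, vpc_cidr=VPC_CIDR):
    """resolutions maps host -> set of addresses. A 'public' verdict means the
    name bypasses the endpoint (missing endpoint or PrivateDnsEnabled false);
    in a VPC without IGW / NAT that request ends in a timeout."""
    return {host: classify(addrs, vpc_cidr) for host, addrs in resolutions.items()}


if __name__ == "__main__":
    for host, verdict in audit({h: resolve(h) for h in INTERFACE_HOSTS}).items():
        print(f"{verdict:>10}  {host}")
```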
Notes
- The list of supported services is published in the official documentation (approximately 45 services as of June 16, 2026). Service consoles not on that list are not available via Private Access; a separate route, such as an internet path, is required to use them.
- AWS CloudShell and the Default Region setting cannot be used via Private Access.
- Depending on the console operations performed, additional service API endpoints may be required.
- This verification uses a minimal configuration that prioritizes reproducibility. For production use, restrict the access scope with IAM policies, endpoint policies on the corresponding VPC Endpoints, and similar controls.
- Gateway Endpoints serve resources within the VPC only. A separate design is required when accessing these services from on-premises via Direct Connect.
Summary
With the update to AWS Management Console Private Access, supported console screens can now be accessed via VPC endpoints without an internet connection.
In this verification, by combining Interface Endpoints for console display (console / signin / console-static) with VPC Endpoints for the required service APIs from a Windows EC2 instance placed in a VPC without IGW / NAT, I confirmed sign-in to the AWS Management Console, display of the S3 bucket list screen, and display of the DynamoDB console screen.
Within the supported scope, console access can now be configured via VPC Endpoints, expanding the options for network control. On the other hand, configurations that eliminate the internet path introduce additional considerations such as availability design for closed-network connectivity and costs, so we recommend evaluating these factors when adopting this approach.