Amazon EC2 Instance Connect provides a simple and secure way to connect to your Linux instances using Secure Shell (SSH). With EC2 Instance Connect, you use AWS Identity and Access Management (IAM) policies to control SSH access to your instances, removing the need to share and manage SSH keys. All connection requests using EC2 Instance Connect are logged to AWS CloudTrail so that you can audit connection requests.
You can use EC2 Instance Connect to connect to your instances using the Amazon EC2 console or an SSH client of your choice.
When you connect to an instance using EC2 Instance Connect, the Instance Connect API pushes an SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your user authorizes your user to push the public key to the instance metadata. The SSH daemon uses AuthorizedKeysCommand and AuthorizedKeysCommandUser, which are configured when Instance Connect is installed, to look up the public key from the instance metadata for authentication, and connects you to the instance.
How it works
First, you create an EC2 Instance Connect Endpoint in a subnet in your virtual private cloud (VPC). Then, when you want to connect to an instance, you specify the ID of the instance. You can optionally provide the EC2 Instance Connect Endpoint. The endpoint acts as a private tunnel to the instance.
Once you create an EC2 Instance Connect Endpoint in a subnet, you can use the endpoint to connect to any instance in any subnet in your VPC provided your VPC is configured to allow subnets to communicate.
Architecture to follow
Prerequisite
- A VPC with subnets
- EC2 Instance Connect installed on the instance
- An EC2 instance with port 22 open
Steps to follow
- Security group with port 22 open
- IAM instance profile
- EC2 Instance connect endpoint
- EC2 instance
- Testing
Security Group
Security group for EC2 instance
- Navigate to the EC2 console; under Network & Security, click Security Groups
- Click Create security group, fill in the name, and choose the VPC
- Under Inbound rules, click Add rule
- Create both an inbound and an outbound rule for SSH
- The security group has now been created
EC2 Instance Connect Endpoint
Let's create the Instance Connect Endpoint: navigate to the VPC section
- Click Endpoints, then Create endpoint
- Fill in the name and choose EC2 Instance Connect Endpoint as the service category
- Choose the VPC, security group and subnets
- The endpoint has been created and is available
EC2 Instance
Navigate to the EC2 console and click Launch instance
- Fill in the name and choose an Amazon Linux AMI
- Choose t2.micro as the instance type and choose a key pair
- Choose the dev VPC, subnet and security group
- Click Launch instance. The EC2 instance has now been provisioned
Testing
Select the EC2 instance and click Connect
- Click EC2 Instance Connect, then choose Connect using EC2 Instance Connect Endpoint
- Choose the EC2 Instance Connect Endpoint created earlier
- After clicking Connect, a new SSH window opens where you can interact with the EC2 instance directly
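The steps above rely on whatever permissions the console session already has. As an added example that is not part of the original post, the following IAM identity policy limits the connecting user to the endpoint and instances created above: tunnels only through one endpoint, only to port 22, only to one subnet range, with a capped tunnel lifetime, and the ephemeral public key may only be pushed for the ec2-user account. The region, account ID, endpoint ID and private IP range are placeholders to replace with your own.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenTunnelThroughOneEndpointToSshOnly",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance-connect-endpoint/eice-0123456789abcdef0",
      "Condition": {
        "NumericEquals": {
          "ec2-instance-connect:remotePort": "22"
        },
        "IpAddress": {
          "ec2-instance-connect:privateIpAddress": "10.0.1.0/24"
        },
        "NumericLessThanEquals": {
          "ec2-instance-connect:maxTunnelDuration": "3600"
        }
      }
    },
    {
      "Sid": "PushEphemeralKeyAsEc2UserOnly",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:SendSSHPublicKey",
      "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/*",
      "Condition": {
        "StringEquals": {
          "ec2:osuser": "ec2-user"
        }
      }
    },
    {
      "Sid": "DescribeForConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceConnectEndpoints"
      ],
      "Resource": "*"
    }
  ]
}
```

Every OpenTunnel and SendSSHPublicKey call made under this policy is recorded in CloudTrail, so a denied request from an unexpected port or address range shows up there as well.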
Conclusion
EC2 Instance Connect Endpoint is a feature that lets you connect to your EC2 instance without it needing a public IP. You can connect to the EC2 instance over OpenSSH or the CLI using the SSH key we chose earlier, without a public IP or a private network connection.