For many years, connecting to an EC2 Linux instance using SSH keys has been common practice. Generally, we create an SSH key pair and use it to connect to EC2 instances.
If we were asked to connect to an EC2 instance without a public IP over the internet, the general route we take is to create a jump server and then use it to reach our instance.
But now with the introduction of the EC2 Instance Connect Endpoint, we can easily connect to an EC2 instance without the need to provision any SSH key or a Public IP.
Existing options to connect to EC2
Currently, if we were to connect to an EC2 Linux instance in AWS we have 3 options:
- Use an existing EC2 key pair to SSH into an instance using an SSH client. This involves storing the private key in a secure vault and retrieving it to gain access.
- Using Session Manager we can connect to an EC2 instance without using a key pair. Here the additional requirement is that an SSM agent has to be installed on the EC2 instance.
- EC2 Instance Connect is another option where we can connect to an EC2 instance without provisioning an SSH key or an installed agent, as the EC2 Instance Connect API pushes temporary keys valid for 60 seconds to establish a connection to the EC2 instance (shown in figure 1.1). But the drawback here is that the instance needs a public IP, as the connection is established to that address.
Figure 1.1 – EC2 Instance Connect workflow
Introducing EC2 Instance connect Endpoint
This is a newly available feature from AWS, released in 2023, which enables users to connect to EC2 instances without a public IP or SSH key. It uses IAM credentials to establish a secure private tunnel between your Instance Connect endpoint and an instance. The following are the benefits of using this feature:
- It does not require the VPC where it is provisioned to have an Internet Gateway or NAT Gateway, as it directly establishes a secure tunnel.
- No external agent needs to be provisioned to establish connectivity between an EIC endpoint and an instance.
- It allows you to use the existing client software on your local workstation to connect to and manage your resources.
- As with other AWS services, EIC endpoint access can be controlled using IAM and security groups.
The following figure shows an example implementation of the EIC endpoint in the US-East-1 region.
Figure 1.2 – Users connecting to EIC endpoint service
Scalability, Performance, and Availability of EIC Endpoint
As you can see from the diagram above, 1 EIC endpoint can be used to connect to multiple EC2 instances across subnets. As it is a fully managed AWS service, scalability, availability, and performance are managed by AWS itself. By default, AWS provides only 1 EIC endpoint per VPC; from an availability perspective, if you plan to provision more EIC endpoints, you need to request a quota increase from AWS.
Security lens
While provisioning the EIC endpoint service, we also need to attach a Security Group along with it. Since EIC endpoints cater to private connectivity the principle of least privilege must be applied to this Security Group and ingress should be allowed only from known sources.
EIC also separates privileges between service management and consumption. For instance, an AWS admin may have permission to create an EIC endpoint but need not necessarily have permission to use it. Similarly, developers can use the EIC endpoint but need not have permission to create or delete it. All of this can be controlled using IAM.
Apart from this, the EIC endpoint supports Source IP Preservation, which is essential for some organizations.
Let’s get our hands dirty
To create EIC endpoints we can use any of the traditional methods, viz. CLI, SDK, or Console. I will be creating an EIC endpoint using the AWS CLI.
Create EIC endpoint using AWS CLI
Kindly note that the AWS EIC endpoint feature is available only in the latest AWS CLI as it was released in June 2023. I am using the 2.12.1 version and if you are using an older one, kindly update it.
As per AWS Documentation, to create, describe and delete an EC2 Instance Connect Endpoint, users require permissions for the following actions:
- ec2:CreateInstanceConnectEndpoint
- ec2:CreateNetworkInterface
- ec2:CreateTags
- iam:CreateServiceLinkedRole
- ec2:DescribeInstanceConnectEndpoints
- ec2:DeleteInstanceConnectEndpoint
The ec2-instance-connect:OpenTunnel action in the IAM policy can be used to grant permission to establish a TCP connection to an instance to connect over the EC2 Instance Connect Endpoint.
Ensure that the above permissions are attached to the user/role you are using to create the EIC endpoint.
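To make the separation of duties from the Security lens section and the permission list above concrete, here is an added example (not from the original post) with two IAM policy documents built in shell: one for whoever manages endpoints, one for whoever connects through them. The condition keys (`ec2-instance-connect:remotePort`, `ec2-instance-connect:maxTunnelDuration`, `ec2:osuser`, `iam:AWSServiceName`), the `SendSSHPublicKey` action and the policy names are AWS IAM features not shown on the page; the endpoint ARN is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the post): two IAM policy documents that separate endpoint
# management from endpoint use, as the Security lens section describes.
set -eu

# Management side: create, describe and delete endpoints, but no OpenTunnel.
eice_admin_policy() {
  cat <<'EOF'
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:CreateInstanceConnectEndpoint", "ec2:CreateNetworkInterface",
              "ec2:CreateTags", "ec2:DescribeInstanceConnectEndpoints",
              "ec2:DeleteInstanceConnectEndpoint"]},
  {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "*",
   "Condition": {"StringEquals": {"iam:AWSServiceName": "ec2-instance-connect.amazonaws.com"}}}
]}
EOF
}

# Consumption side: OpenTunnel on one named endpoint only, limited to port 22 and a
# one-hour tunnel. SendSSHPublicKey is what `aws ec2-instance-connect ssh` uses to push
# its temporary key. Describe* actions do not support resource-level permissions.
eice_user_policy() {
  endpoint_arn="$1"   # placeholder, e.g. arn:aws:ec2:REGION:ACCOUNT:instance-connect-endpoint/eice-...
  cat <<EOF
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": "ec2-instance-connect:OpenTunnel",
   "Resource": "$endpoint_arn",
   "Condition": {"NumericEquals": {"ec2-instance-connect:remotePort": "22"},
                 "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "3600"}}},
  {"Effect": "Allow", "Action": "ec2-instance-connect:SendSSHPublicKey",
   "Resource": "arn:aws:ec2:*:*:instance/*",
   "Condition": {"StringEquals": {"ec2:osuser": "ec2-user"}}},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"]}
]}
EOF
}

# Create both as customer managed policies: ./eice-policies.sh create <endpoint-arn>
if [ "${1:-}" = "create" ]; then
  aws iam create-policy --policy-name EICEndpointAdmin --policy-document "$(eice_admin_policy)"
  aws iam create-policy --policy-name EICEndpointUser --policy-document "$(eice_user_policy "$2")"
fi
```

Attach EICEndpointAdmin to the platform role and EICEndpointUser to the developer role; neither side can do the other's job.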
CLI Command to create EIC endpoint:
aws ec2 create-instance-connect-endpoint --subnet-id [your SUBNET] --security-group-ids [your SG-ID]
You will get the below output once you execute it
It takes a few minutes for the EIC endpoint to be created. You can view the progress in the console as well as shown below:
Figure 1.3 – EIC endpoint details
Connecting to an instance using EIC endpoint
Once the EIC endpoint is created, we can use it to connect to EC2 instances in the same subnet or in a different subnet within the same VPC. We can use the console, CLI, or SDK to do this. The figure below shows the Console option.
Figure 1.4 – Connecting to EC2 instance using EIC endpoint
To connect to an EC2 instance using EIC endpoint, we can use the below command:
aws ec2-instance-connect ssh --instance-id [your-instance-id]
Once this command is executed, we get the output shown in figure 1.5.
Figure 1.5 – Connection to EC2 instance using EIC endpoint
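The create-and-connect procedure above, carried through end to end as an added example (not from the original post): it creates the endpoint, polls until its state is create-complete, restricts SSH ingress on the instance to the endpoint's security group, and then connects. The `--no-preserve-client-ip`, `--connection-type` and `--eice-options` flags are AWS CLI options not shown on the page; SUBNET_ID, EICE_SG_ID, INSTANCE_ID and INSTANCE_SG_ID are assumed environment variables you set.

```bash
#!/usr/bin/env bash
# Added example (not from the post). Export SUBNET_ID, EICE_SG_ID (security group for the
# endpoint), INSTANCE_ID and INSTANCE_SG_ID (the instance's security group) before running.
set -eu

# Pull the State field out of describe-instance-connect-endpoints JSON. Pure text
# processing, so it can be exercised on captured output without calling AWS.
eice_state() {
  printf '%s\n' "$1" | sed -n '/"State"/{s/.*"State": *"\([^"]*\)".*/\1/p;q;}'
}

# Least privilege on the instance: TCP/22 only from the endpoint's security group, never
# from 0.0.0.0/0. Returns the --ip-permissions JSON for authorize-security-group-ingress.
ssh_from_eice_rule() {
  printf '[{"IpProtocol":"tcp","FromPort":22,"ToPort":22,"UserIdGroupPairs":[{"GroupId":"%s"}]}]' "$1"
}

main() {
  # 1. Create the endpoint. Client IP preservation is turned off here so the instance
  #    sees the endpoint as the SSH source and the SG-to-SG rule in step 3 is sufficient.
  eice_id=$(aws ec2 create-instance-connect-endpoint \
    --subnet-id "$SUBNET_ID" --security-group-ids "$EICE_SG_ID" --no-preserve-client-ip \
    --query 'InstanceConnectEndpoint.InstanceConnectEndpointId' --output text)
  echo "created $eice_id, waiting for create-complete"

  # 2. Poll until the endpoint is usable; creation takes a few minutes.
  until state=$(eice_state "$(aws ec2 describe-instance-connect-endpoints \
        --instance-connect-endpoint-ids "$eice_id" --output json)")
        [ "$state" = "create-complete" ]; do
    [ "$state" = "create-failed" ] && { echo "endpoint creation failed" >&2; exit 1; }
    sleep 15
  done

  # 3. Allow SSH into the instance only from the endpoint's security group.
  aws ec2 authorize-security-group-ingress --group-id "$INSTANCE_SG_ID" \
    --ip-permissions "$(ssh_from_eice_rule "$EICE_SG_ID")"

  # 4. Connect through the endpoint. --connection-type eice refuses to fall back to a
  #    public IP, and --eice-options pins the endpoint that was just created.
  aws ec2-instance-connect ssh --instance-id "$INSTANCE_ID" \
    --connection-type eice --eice-options "endpointId=$eice_id"
}

# Only touch AWS when the caller has exported the variables above.
if [ -n "${INSTANCE_ID:-}" ]; then main; fi
```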
Conclusion
EC2 Instance Connect endpoint is an effective and secure way to connect to private EC2 instances without having to save and rotate SSH keys and create additional Bastion Hosts.