Amazon EC2 Instance Connect
First Thoughts
I've been a long-time fan and user of AWS' Session Manager. It gives your users an easy way to access both Linux and Windows servers from the AWS Console. For those users that are comfortable with the command line, there are a plethora of advanced options available. It does take some work to get configured, though.
Last week, AWS announced Amazon EC2 Instance Connect Endpoint (EIC Endpoint). This promised to deliver SSH and RDP connectivity to EC2 instances without using public IP addresses. Moreover, "there is no additional cost for using EIC endpoints."
Today, I finally had a chance to check out EIC endpoints. Does it work as advertised? Yes. Would I use it over Session Manager? Probably not. It does have its uses, though. It will likely be better than Session Manager in a predominantly Linux environment. If you generally don't access servers from the console, then it is also a good option. Where Systems Manager has a LOT of possibilities, EIC is a one-trick pony. If all you need is access, it's simple to configure and doesn't cost anything.
The Tech Stuff
So, where to start? For me, I'd start with the Security Groups. The EIC Endpoint requires a Security Group but only needs outbound entries. The entries should cover SSH and RDP to the CIDR range of your EC2 instances. After that, the Security Group(s) attached to your EC2 instances must allow SSH or RDP. When you configure the EIC Endpoint, you can choose PreserveClientIP or not. If you do PreserveClientIP, then your inbound rules need to allow access from external IPs.
After configuring the Security Groups, you can now configure the EIC Endpoint. Configuration can be via AWS Console, CLI, or CloudFormation. The latter was a pleasant surprise as CloudFormation often comes well after the Console option. Like other interface endpoints, it takes several minutes for the EIC Endpoint to become available.
While the Endpoint is creating, the next step is to look at IAM permissions. At a minimum, users will need ec2-instance-connect:OpenTunnel. Along with CloudFormation, the IAM Policy Simulator has been updated. This service can check if your users, groups, and roles are ready.
Oh, and remember... update your CLI! Updating the CLI is often overlooked when trying new features.
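Pulling the steps above together as one CloudFormation template: the endpoint's Security Group with outbound-only SSH/RDP rules, the endpoint with PreserveClientIP off, an instance Security Group that admits SSH/RDP only from the endpoint's group, and an IAM policy that grants ec2-instance-connect:OpenTunnel on that one endpoint, limited to ports 22 and 3389 via the ec2-instance-connect:remotePort condition key. This is an added example, not from the original post; the VpcId, SubnetId and VpcCidr parameters are assumptions to replace with your own.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Added example - EIC Endpoint with least-privilege security groups and OpenTunnel policy
Parameters:
  VpcId: { Type: AWS::EC2::VPC::Id }                 # assumption: your VPC
  SubnetId: { Type: AWS::EC2::Subnet::Id }           # assumption: a private subnet in it
  VpcCidr: { Type: String, Default: 10.0.0.0/16 }    # assumption: CIDR your instances live in
Resources:
  # 1. Endpoint SG: no inbound rules at all, outbound only to SSH/RDP in the instance CIDR
  EicEndpointSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EIC Endpoint - egress only
      VpcId: !Ref VpcId
      SecurityGroupEgress:
        - { IpProtocol: tcp, FromPort: 22, ToPort: 22, CidrIp: !Ref VpcCidr }
        - { IpProtocol: tcp, FromPort: 3389, ToPort: 3389, CidrIp: !Ref VpcCidr }
  # 2. The endpoint itself. PreserveClientIp false means instances see the endpoint's
  #    private IP, so the instance SG can reference the endpoint SG instead of public IPs.
  EicEndpoint:
    Type: AWS::EC2::InstanceConnectEndpoint
    Properties:
      SubnetId: !Ref SubnetId
      SecurityGroupIds: [ !Ref EicEndpointSg ]
      PreserveClientIp: false
  # 3. Instance SG: inbound SSH/RDP only from the endpoint SG (attach to your instances)
  InstanceSg:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: EC2 instances - SSH/RDP from the EIC Endpoint only
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - { IpProtocol: tcp, FromPort: 22, ToPort: 22, SourceSecurityGroupId: !Ref EicEndpointSg }
        - { IpProtocol: tcp, FromPort: 3389, ToPort: 3389, SourceSecurityGroupId: !Ref EicEndpointSg }
  # 4. IAM: OpenTunnel on this endpoint only, and only to remote ports 22/3389
  EicUserPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 'ec2-instance-connect:OpenTunnel'
            Resource: !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance-connect-endpoint/${EicEndpoint}'
            Condition:
              NumericEquals: { 'ec2-instance-connect:remotePort': [22, 3389] }
          - Effect: Allow   # the CLI looks up the instance and the endpoint before tunnelling
            Action: [ 'ec2:DescribeInstances', 'ec2:DescribeInstanceConnectEndpoints' ]
            Resource: '*'
```

If your users rely on the `aws ec2-instance-connect ssh` convenience command, which also pushes a one-time key with ec2-instance-connect:SendSSHPublicKey, add that action (scoped with the ec2:osuser condition) to the policy as well.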
So, we've created our EIC Endpoint, we have the proper permissions, and our CLI is updated. How do we test this?
The commands
aws ec2-instance-connect ssh --instance-id i-12343567
The EIC Endpoint was configured without PreserveClientIP. As such, you can see that the "incoming" IP is the same as the instance's own IP.
ssh -i my-key-pair.pem ec2-user@i-1234567 \
-o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-1234567'
aws ec2-instance-connect open-tunnel \
--instance-id i-1234567 \
--remote-port 3389 \
--local-port 1234
It is worth adding that EC2 Instance Connect Endpoint allows you to connect not only to an EC2 instance, but also to any resource within the VPC. In order to do this, you should use the --private-ip-address and --remote-port parameters 🔗 https://www.garudax.id/posts/roman-siewko_aws-awscommunity-awscommunitybuilders-activity-7075536906003845120-VDkv
Hey Jason, congratulations on becoming an AWS Ambassador! 🎉👏 It's awesome to see your passion for AWS and cloud technology being recognized. Keep up the great work, and I'm excited to see the amazing things you'll accomplish in this role! 🌟
That was such a good read. And RDP is what I'm really looking forward to trying on this sometime!