Introduction
We have all been there: needing to connect over the Internet to an EC2 instance inside a VPC. In the past, this meant connecting to a bastion host with a public IP address, reached through an Internet gateway (IGW) in the VPC, and then using that connection to reach the private EC2 hosts. To enhance access management from public address space into a VPC, AWS previously provided two key services.
The first service, EC2 Instance Connect, used IAM credentials to deliver temporary SSH keys to an instance, eliminating the need for long-lived keys. However, until now, EC2 Instance Connect required a public IP address for instances connected over the Internet. This new launch combines EC2 Instance Connect with EIC Endpoints, enabling ephemeral-key-based SSH to your instances without exposing them to the public Internet.
The second service, Systems Manager Session Manager (SSM), offers agent-based connectivity to instances. SSM employs IAM for authentication and authorization, making it well-suited for environments where an agent can be configured to run.
Recently, AWS introduced the Amazon EC2 Instance Connect (EIC) Endpoint, a remarkable feature that provides secure connectivity to your instances and other VPC resources directly from the Internet. With EIC Endpoint, there is no longer a need for an IGW in your VPC, a public IP address on your resource, a bastion host, or any agent to establish connections to your resources. By combining identity-based and network-based access controls, EIC Endpoint offers the necessary isolation, control, and logging to meet your organization’s security requirements. Additionally, this feature relieves the administrative burden of maintaining and patching bastion hosts for connectivity. EIC Endpoint seamlessly integrates with the AWS Management Console and AWS CLI, while allowing the continued use of favorite tools like PuTTY and OpenSSH.
The EIC Endpoint functions as an identity-aware TCP proxy and offers two modes of operation. In the first mode, an AWS CLI client establishes a secure WebSocket tunnel from your workstation to the endpoint using your AWS Identity and Access Management (IAM) credentials. Once the tunnel is established, you connect with your preferred client by pointing it at the loopback address (127.0.0.1 or localhost) as usual. In the second mode, when the AWS CLI is not used, the Console provides secure and seamless access to resources within your VPC, similar to the SSM option but without agent installation. Authentication and authorization occur before traffic reaches the VPC, ensuring a robust security posture.
Logical
Prerequisites
- Admin with permission to create the EIC Endpoint
  - ec2:CreateInstanceConnectEndpoint
  - ec2:CreateNetworkInterface
  - ec2:CreateTags
  - iam:CreateServiceLinkedRole
  - ec2:DescribeInstanceConnectEndpoints
  - ec2:DeleteInstanceConnectEndpoint
- Admin with permission to create/modify security groups
  - ec2:CreateSecurityGroup
  - ec2:DeleteSecurityGroup
  - ec2:AuthorizeSecurityGroupIngress
  - ec2:AuthorizeSecurityGroupEgress
  - ec2:RevokeSecurityGroupIngress
  - ec2:RevokeSecurityGroupEgress
  - ec2:UpdateSecurityGroupRuleDescriptionsIngress
  - ec2:UpdateSecurityGroupRuleDescriptionsEgress
- End user with Access Key, Secret Access Key, Token (optional) and a policy to connect to EIC
  - ec2:DescribeInstanceConnectEndpoints
  - ec2:DescribeInstances
  - ec2-instance-connect:OpenTunnel
- End user computer with the latest AWS CLI
  - Read here on how to install the latest CLI
- End user computer with SSH client
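The end-user permissions listed above can be narrowed with the condition keys AWS documents for ec2-instance-connect:OpenTunnel. The following is an added example, not part of the original post: a small policy check that flags OpenTunnel grants lacking an endpoint ARN or those conditions. Both sample policies are constructed, and REGION, ACCOUNT_ID and EICE_ID are placeholders.

```python
import fnmatch

ACTION = "ec2-instance-connect:opentunnel"
# Condition keys documented for OpenTunnel (compared case-insensitively).
REQUIRED_KEYS = ("ec2-instance-connect:remoteport",
                 "ec2-instance-connect:privateipaddress",
                 "ec2-instance-connect:maxtunnelduration")

# Constructed sample policies; REGION, ACCOUNT_ID and EICE_ID are placeholders.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2-instance-connect:*", "ec2:Describe*"],
    "Resource": "*"}]}

SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": "ec2-instance-connect:OpenTunnel",
     "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:instance-connect-endpoint/EICE_ID",
     "Condition": {
         "NumericEquals": {"ec2-instance-connect:remotePort": "22"},
         "IpAddress": {"ec2-instance-connect:privateIpAddress": "10.0.0.0/16"},
         "NumericLessThanEquals": {"ec2-instance-connect:maxTunnelDuration": "3600"}}},
    {"Effect": "Allow",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceConnectEndpoints"],
     "Resource": "*"}]}


def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def open_tunnel_findings(policy):
    """Return problems found in every Allow statement that grants OpenTunnel."""
    findings = []
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        patterns = [a.lower() for a in as_list(stmt.get("Action", []))]
        grants = any(fnmatch.fnmatchcase(ACTION, pat) for pat in patterns)
        if stmt.get("Effect") != "Allow" or not grants:
            continue
        if "*" in as_list(stmt.get("Resource", "*")):
            findings.append(f"statement {idx}: Resource is '*', not one endpoint ARN")
        present = {key.lower() for block in stmt.get("Condition", {}).values()
                   for key in block}
        for key in REQUIRED_KEYS:
            if key not in present:
                findings.append(f"statement {idx}: no condition on {key}")
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, open_tunnel_findings(pol) or "ok")
```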
Example
The following steps will use these attributes to create and connect to the EIC:
- VPC: 10.0.0.0/16
- Private Subnet in AZ A: 10.0.1.0/24 with subnet id: subnet-070a596e12f0e1d91
- Private Subnet in AZ B: 10.0.2.0/24 with subnet id: subnet-06a9f9a4dbdd6c5b6
- EC2 in AZ A: 10.0.1.175 and instance ID of i-03430245617ca561b
- EC2 in AZ B: 10.0.2.173 and instance ID of i-0ae7e8cc0e005486f
- Security Group (sg-0f650fa12ac8c21ec) for EC2 to allow inbound traffic from VPC CIDR and outbound to all
- Security Group (sg-02122cb4355185c29) for EIC Endpoint to not have any inbound traffic and outbound SSH to only the EC2 Security Group
- A user/computer with programmatic access and with the policies to connect to the EIC
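The endpoint security group design in the list above (no inbound rules, outbound SSH only to the EC2 security group) can be verified from describe-security-groups output. This is an added example, not part of the original post; the sample document is constructed, and the second group ID is a made-up placeholder showing a group left with the default allow-all egress rule.

```python
# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# The first group uses the IDs from this page; the second is hypothetical.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-02122cb4355185c29", "IpPermissions": [],
     "IpPermissionsEgress": [{
         "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0f650fa12ac8c21ec"}]}]},
    {"GroupId": "sg-EXAMPLE-default-egress", "IpPermissions": [],
     "IpPermissionsEgress": [{
         "IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}]},
]}


def audit_endpoint_sg(group, instance_sg_id, port=22):
    """Check one endpoint security group against the design described above."""
    findings = []
    if group.get("IpPermissions"):
        findings.append("inbound rules present; the endpoint needs none")
    egress = group.get("IpPermissionsEgress", [])
    if not egress:
        findings.append("no egress rule; the endpoint cannot reach any instance")
    for rule in egress:
        if (rule.get("IpProtocol") != "tcp"
                or rule.get("FromPort") != port or rule.get("ToPort") != port):
            findings.append(f"egress is not limited to tcp/{port}: "
                            f"protocol {rule.get('IpProtocol')}")
        for kind in ("IpRanges", "Ipv6Ranges", "PrefixListIds"):
            if rule.get(kind):
                findings.append(f"egress targets {kind} instead of a security group")
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") != instance_sg_id:
                findings.append(f"egress to unexpected group {pair.get('GroupId')}")
    return findings


def audit_all(doc, instance_sg_id):
    """Map each group ID in the document to its list of findings."""
    return {g["GroupId"]: audit_endpoint_sg(g, instance_sg_id)
            for g in doc["SecurityGroups"]}


if __name__ == "__main__":
    for gid, problems in audit_all(SAMPLE, "sg-0f650fa12ac8c21ec").items():
        print(gid, problems or "ok")
```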
Create EIC Endpoint
- Using AWS CLI, to create the EIC Endpoint we run:
aws ec2 create-instance-connect-endpoint --subnet-id subnet-070a596e12f0e1d91 --security-group-id sg-02122cb4355185c29
- This outputs a result with a State of 'create-in-progress'; creation takes some time to complete.
- Using AWS CLI, to find the status of the EIC Endpoint we run:
aws ec2 describe-instance-connect-endpoints
- When the State reaches 'create-complete', we are ready to proceed to the next step of connecting from the end user's computer
End User Computer
Open up two PowerShell or Command Line windows
In the first window we will open the tunnel to the instance in private subnet 1 (you can connect to either instance):
aws ec2-instance-connect open-tunnel --instance-id i-03430245617ca561b --local-port 8888
Here you can see that the command ran successfully and there is a port listening for connections on 8888
In the second window we will SSH directly to the instance (for testing purposes I am connecting directly as root):
ssh root@localhost -p 8888
Here you can see that Window 2 connects to the listening port, which is really connecting to the EC2 instance in private subnet A. We can also see in Window 1 that the connection is established.
Once you put in the password to the EC2 instance, you are connected and can either work on this machine (seen below with the IP address of 10.0.1.175) or jump to other instances. Here you can see that I can ping the second instance (IP address of 10.0.2.173) from this EC2:
Upon completion, you can close out of both windows.
How About Windows?
What was shown above is great for a private EC2 Linux instance; but what about Windows instances? EIC will work for Windows as well. The steps are nearly the same:
- Open the tunnel to the instance ID for the Windows instance
- Use Remote Desktop Protocol to connect to localhost on port 8888 (or whatever port you choose)
mstsc /v:localhost:8888
This gives you the usual certificate warning, which you can bypass; you are then prompted for the user ID and password to log in to the Windows instance.
Conclusion
The EIC Endpoint offers a secure and streamlined solution for connecting to instances in private subnets without the need for IGWs, public IPs, agents, or bastion hosts. By setting up an EIC Endpoint in your VPC, you can establish secure connections using your preferred client tools or through the Console/AWS CLI, ensuring a seamless experience.