EIC Endpoint - Secure & Cost effective Solution

EIC endpoint connection architecture

AWS provided several methods for connecting to your running EC2 instances. They are EC2 instance connect (only for public IP instances), Systems Manager Session Manager, and bastion hosts. AWS recently announced a new service called EC2 Instance Connect Endpoint in June 2023, which essentially delivers better security and lower costs than previous options. In this tutorial, we will look at the benefits of using it as well as how to build EIC endpoints and use them to initiate connections.

Many AWS customers still use public IP addresses on the necessary resources when remotely administering resources inside their VPCs from the Internet, or at best a bastion host strategy combined with long-lived SSH keys. Using public IPs can be partially restricted by using IGW routes and/or security groups. These controls, however, can be difficult to handle in a dynamic environment. As a result, careful management of long-lived SSH keys remains the single layer of defence, which isn't ideal because we all know that these safeguards occasionally fail, thus defense-in-depth is essential. Although bastion hosts might be useful, they considerably raise the operational overhead of administering, patching, and sustaining infrastructure.

EIC Endpoint overview

With EIC Endpoints, customers can have remote connectivity to their instances in private subnets, eliminating the need to use public IPv4 addresses for connectivity. EIC Endpoint eliminates the cost and operational overhead of maintaining bastions. EIC Endpoint combines AWS Identity and Access Management (IAM) based access controls to restrict access to trusted principals, with network based controls such as Security Group rules, and provides an audit of all connections via AWS CloudTrail, helping customers improve their security posture.

How to create EIC endpoint

Only one endpoint is required per VPC. To create or modify an endpoint and connect to a resource, a user must have the required IAM permissions, and any security groups associated with your VPC resources must have a rule to allow connectivity. Refer to the following resources for more details on configuring security groups . You can create AWS EIC endpoint through AWS console or CLI. For Console, you can refer the official documentation here.

Creating an EIC Endpoint with the AWS CLI

To create an EIC Endpoint with the AWS CLI, run the following command, replacing [SUBNET] with your subnet ID and [SG-ID] with your security group ID:

aws ec2 create-instance-connect-endpoint \
    --subnet-id [SUBNET] \
    --security-group-id [SG-ID]

It will take around 4/5 minutes to create this endpoint and make it available.

How to connect to the instance using EIC endpoint

Assume that I have created an instance into my private subnet. That instance's security group has been considered to allow SSH access from EIC endpoint security group and VPC CIDR range. Now, you get two options for connecting to the private instance using your EIC endpoint.

  • AWS Console: AWS has provided a GUI to make the connection:

    AWS Console based connection window
    AWS Console based connection made
    AWS Console view upon successful SSH connection to your instance

  • AWS CLI Client
    You can use aws ec2-instance-connect ssh command. By default, it picks your EIC endpoint available into your VPC subnet in which your instance is running.

AWS CLI based connection
AWS CLI view upon successful SSH connection to your instance

Conclusion

EIC Endpoint offers a safe way to access to your instances through SSH or RDP on private subnets without the use of IGWs, public IPs, agents, or bastion hosts. You can securely connect to your VPC by configuring an EIC Endpoint with your existing client tools or the Console/AWS CLI. Visit the EIC Endpoint documentation to learn more.