The Best Secure Way to Access Private EC2 Instances – No Bastion Host Needed!

Introduction
EC2 Instance Connect Endpoint (EIC Endpoint) is a VPC endpoint that lets you open SSH (and RDP) sessions to EC2 instances in private subnets without a bastion host, a public IP address, or any inbound path from the internet. Each session starts as an IAM-authorized API call that AWS turns into a TCP tunnel inside your VPC, so the instance stays private and its security group only has to trust the endpoint.
In this step-by-step guide, we will:
Set up an EC2 Instance Connect Endpoint
Configure security groups properly
Connect to a private EC2 instance securely
Let's dive in! 🚀
Problem Without EC2 Instance Connect Endpoint
Traditionally, reaching a private EC2 instance meant running a bastion (jump) host or a VPN. Both add attack surface and operational overhead:
Increased Costs – A bastion runs 24/7 and is billed as an EC2 instance plus an Elastic IP, with data transfer on top.
Security Risks – A bastion is an internet-exposed host with port 22 open. It must be hardened, patched and monitored, and a leaked key or an unpatched sshd on it exposes every instance it can reach.
Complex Setup – VPNs and bastions need extra subnets, routes, key distribution and user onboarding.
With EC2 Instance Connect Endpoint you remove the bastion host entirely, along with its instance and Elastic IP charges, and the access decision moves into IAM, where your other AWS permissions already live.
Why Use EC2 Instance Connect Endpoint?
✅ No need for bastion hosts – Nothing to patch, rotate keys on, or keep alive.
✅ Enhanced security – The instance keeps no public IP and no inbound internet path; only the endpoint's security group needs access to port 22.
✅ IAM-controlled access – Every session is an ec2-instance-connect:OpenTunnel call, so IAM policies decide who can connect, to which instances and on which port.
✅ Simple setup – No VPN, bastion or Elastic IP to manage.
✅ Cost Savings – The endpoint is not an EC2 instance, so there is no bastion instance or Elastic IP to pay for.
Step 1: Create an EC2 Instance (Private)
Go to the AWS EC2 Console.
Click Launch Instance and choose Amazon Linux 2023 or Amazon Linux 2 (both ship with the EC2 Instance Connect agent that accepts the one-time SSH key the console pushes at connect time).
Place the instance in a private subnet and set Auto-assign public IP to Disable.
Attach a security group (we will configure this later).
Launch the instance.
Step 2: Create an EC2 Instance Connect Endpoint
Navigate to VPC Console → Endpoints.
Click Create endpoint.
Under Type, select EC2 Instance Connect Endpoint (it is its own option, not an AWS service you search for).
Select the VPC, then the security group for the endpoint (create or select one; we will configure it below) and the private subnet in which the endpoint's network interface will be placed. One endpoint can reach instances in any subnet of its VPC, so it does not have to share a subnet with the instance.
Leave Preserve client IP addresses unchecked unless you intend to allow your clients' source IPs in the instance security group; with it unchecked, the instance sees the endpoint as the SSH source, which is what the rules in Step 3 rely on.
Click Create endpoint. The endpoint takes a few minutes to reach the create-complete state.
Step 3: Configure Security Groups Properly
1️⃣ Security Group for EC2 Instance

| Rule Type | Protocol | Source / Destination | Port | Description |
|---|---|---|---|---|
| Inbound | TCP | EC2 Instance Connect Endpoint SG | 22 | Allows SSH only from the endpoint |
| Outbound | All traffic | 0.0.0.0/0 | All | Allows all outbound traffic (narrow this if the workload permits) |

2️⃣ Security Group for EC2 Instance Connect Endpoint

| Rule Type | Protocol | Source / Destination | Port | Description |
|---|---|---|---|---|
| Inbound | – | – | – | No rules needed: the session reaches the endpoint through the EC2 Instance Connect service, not through the VPC, so inbound rules are never consulted |
| Outbound | TCP | EC2 Instance SG | 22 | Allows SSH from the endpoint to the instance |

✅ With the two groups referencing each other by ID, the only path to port 22 on the instance is through the endpoint, and the only thing the endpoint can reach is port 22 on instances in that group. Two caveats: this relies on Preserve client IP addresses being disabled on the endpoint (otherwise the instance sees your client's IP as the source and the SG reference does not match), and the security group is only a network control; who may open a tunnel at all is decided by IAM.
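The same endpoint and security-group pair as Steps 2 and 3, written as Terraform. This is an added example, not code from the original post; it assumes an existing VPC and private subnet passed in as `var.vpc_id` and `var.private_subnet_id`, and the resource names (`eice`, `instance`, `this`) are arbitrary.

```hcl
# Added example: EIC Endpoint plus the two mutually referencing security
# groups from Step 3. Assumes var.vpc_id and var.private_subnet_id exist.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.20" }
  }
}

variable "vpc_id"            { type = string }
variable "private_subnet_id" { type = string }

# Security group carried by the endpoint's network interface (table 2).
resource "aws_security_group" "eice" {
  name        = "eice-endpoint-sg"
  description = "EC2 Instance Connect Endpoint: outbound SSH to instances only"
  vpc_id      = var.vpc_id
}

# The only rule the endpoint SG needs: SSH out to members of the instance SG.
# No inbound rule: the session is handed to the endpoint by the EC2 Instance
# Connect service, not delivered through the VPC.
resource "aws_vpc_security_group_egress_rule" "eice_ssh_to_instances" {
  security_group_id            = aws_security_group.eice.id
  ip_protocol                  = "tcp"
  from_port                    = 22
  to_port                      = 22
  referenced_security_group_id = aws_security_group.instance.id
}

# Security group for the private instance (table 1).
resource "aws_security_group" "instance" {
  name        = "private-instance-sg"
  description = "Private instance: SSH only from the EIC Endpoint"
  vpc_id      = var.vpc_id
}

# Port 22 is reachable only from the endpoint's security group, by ID.
resource "aws_vpc_security_group_ingress_rule" "ssh_from_eice" {
  security_group_id            = aws_security_group.instance.id
  ip_protocol                  = "tcp"
  from_port                    = 22
  to_port                      = 22
  referenced_security_group_id = aws_security_group.eice.id
}

# The post allows all outbound; Terraform drops AWS's implicit allow-all
# egress, so it has to be declared. Narrow it if the workload permits.
resource "aws_vpc_security_group_egress_rule" "instance_all_out" {
  security_group_id = aws_security_group.instance.id
  ip_protocol       = "-1"
  cidr_ipv4         = "0.0.0.0/0"
}

# The endpoint itself (Step 2). preserve_client_ip = false makes the
# endpoint's interface the SSH source the instance sees, which is what the
# SG-to-SG ingress rule above matches on. With true, the instance SG would
# instead have to allow port 22 from your clients' own source ranges.
resource "aws_ec2_instance_connect_endpoint" "this" {
  subnet_id          = var.private_subnet_id
  security_group_ids = [aws_security_group.eice.id]
  preserve_client_ip = false
  tags               = { Name = "private-ssh-eice" }
}

output "eice_endpoint_id" {
  value = aws_ec2_instance_connect_endpoint.this.id
}
```

The two security groups reference each other only through the separate rule resources, so there is no dependency cycle; `terraform apply` creates both groups first and then the cross-referencing rules and the endpoint.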
Step 4: Connect to the Private EC2 Instance
Open the AWS EC2 Console.
Select the private EC2 instance.
Click Connect, open the EC2 Instance Connect tab and choose Connect using EC2 Instance Connect Endpoint.
Select the endpoint created in Step 2 and the OS user (ec2-user on Amazon Linux), then click Connect. The console pushes a one-time SSH public key to the instance, opens a tunnel through the endpoint, and you are securely connected with no public IP involved! 🎉
Best Practices 🔒
Limit access with IAM policies – Grant ec2-instance-connect:OpenTunnel only on the endpoints a team needs, and use the ec2-instance-connect:remotePort, ec2-instance-connect:privateIpAddress and ec2-instance-connect:maxTunnelDuration condition keys to pin the port, the target address range and the session length.
Restrict security groups – Let the instance accept port 22 only from the endpoint's security group, and give the endpoint's group nothing but the outbound rule to those instances.
Enable logging and monitoring – CloudTrail records endpoint creation and the OpenTunnel and SendSSHPublicKey calls, so you can see who opened a session to which instance and when; pair it with sshd logs on the instance to confirm what happened inside the session.
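A least-privilege IAM policy for operators that applies the first best practice above, as Terraform. This is an added example, not code from the original post; it assumes the endpoint ARN from Step 2 is passed in as `var.eice_endpoint_arn`, that the instance subnet's CIDR is `var.private_subnet_cidr`, and that instances meant to be reachable carry a tag `eice-access=true` (tag name chosen for this example).

```hcl
# Added example: operator policy for SSH through the EIC Endpoint.
# Assumes var.eice_endpoint_arn (from Step 2) and var.private_subnet_cidr,
# and a tag eice-access=true on the instances that may be reached.
variable "eice_endpoint_arn"   { type = string }
variable "private_subnet_cidr" { type = string } # e.g. "10.0.10.0/24" (assumed)

resource "aws_iam_policy" "eice_ssh_operator" {
  name        = "eice-ssh-operator"
  description = "SSH tunnels via one EIC Endpoint into one subnet, max 1h"

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        # Tunnel only through this endpoint, only to port 22, only to
        # addresses in the private subnet, and never for longer than an hour.
        Sid      = "OpenSshTunnelToPrivateSubnet"
        Effect   = "Allow"
        Action   = "ec2-instance-connect:OpenTunnel"
        Resource = var.eice_endpoint_arn
        Condition = {
          NumericEquals = {
            "ec2-instance-connect:remotePort" = "22"
          }
          IpAddress = {
            "ec2-instance-connect:privateIpAddress" = var.private_subnet_cidr
          }
          NumericLessThanEquals = {
            "ec2-instance-connect:maxTunnelDuration" = "3600"
          }
        }
      },
      {
        # The console and CLI push a one-time public key with this action;
        # allow it only as ec2-user and only on instances tagged for access.
        Sid      = "PushOneTimeKeyAsEc2User"
        Effect   = "Allow"
        Action   = "ec2-instance-connect:SendSSHPublicKey"
        Resource = "arn:aws:ec2:*:*:instance/*"
        Condition = {
          StringEquals = {
            "ec2:osuser"                  = "ec2-user"
            "ec2:ResourceTag/eice-access" = "true"
          }
        }
      },
      {
        # Read-only calls used to locate the instance and the endpoint.
        Sid      = "DescribeInstancesAndEndpoints"
        Effect   = "Allow"
        Action   = [
          "ec2:DescribeInstances",
          "ec2:DescribeInstanceConnectEndpoints"
        ]
        Resource = "*"
      }
    ]
  })
}

output "eice_ssh_operator_policy_arn" {
  value = aws_iam_policy.eice_ssh_operator.arn
}
```

Attach the policy to the operators' role or group. Because the first statement names a single endpoint ARN and a single subnet range, an operator granted this policy cannot tunnel to port 3389, to another subnet, or through an endpoint in another VPC even if the security groups would allow it; tightening port 22 in the network layer and in IAM keeps the two controls independent.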
Conclusion
EC2 Instance Connect Endpoint provides a secure, efficient way to access private EC2 instances without the complexity of a bastion host. By following this step-by-step guide, you can set up and configure everything correctly while maintaining a strong security posture.
By eliminating bastion hosts, you save infrastructure costs while improving security and ease of access.
If you found this helpful, share it with your network! 🚀
Written by

Navya A
👋 Welcome to my Hashnode profile! I'm a passionate technologist with expertise in AWS, DevOps, Kubernetes, Terraform, Datree, and various cloud technologies. Here's a glimpse into what I bring to the table: 🌟 Cloud Aficionado: I thrive in the world of cloud technologies, particularly AWS. From architecting scalable infrastructure to optimizing cost efficiency, I love diving deep into the AWS ecosystem and crafting robust solutions. 🚀 DevOps Champion: As a DevOps enthusiast, I embrace the culture of collaboration and continuous improvement. I specialize in streamlining development workflows, implementing CI/CD pipelines, and automating infrastructure deployment using modern tools like Kubernetes. ⛵ Kubernetes Navigator: Navigating the seas of containerization is my forte. With a solid grasp on Kubernetes, I orchestrate containerized applications, manage deployments, and ensure seamless scalability while maximizing resource utilization. 🏗️ Terraform Magician: Building infrastructure as code is where I excel. With Terraform, I conjure up infrastructure blueprints, define infrastructure-as-code, and provision resources across multiple cloud platforms, ensuring consistent and reproducible deployments. 🌳 Datree Guardian: In my quest for secure and compliant code, I leverage Datree to enforce best practices and prevent misconfigurations. I'm passionate about maintaining code quality, security, and reliability in every project I undertake. 🌐 Cloud Explorer: The ever-evolving cloud landscape fascinates me, and I'm constantly exploring new technologies and trends. From serverless architectures to big data analytics, I'm eager to stay ahead of the curve and help you harness the full potential of the cloud. Whether you need assistance in designing scalable architectures, optimizing your infrastructure, or enhancing your DevOps practices, I'm here to collaborate and share my knowledge. 
Let's embark on a journey together, where we leverage cutting-edge technologies to build robust and efficient solutions in the cloud! 🚀💻