Why I Stopped Using Bastion Hosts for EC2 Access & You Should Too

Table of contents
- First, a quick “to know” fact
- How to connect to EC2 in a private subnet?
- Why do we need VPC Endpoints?
- Disadvantages of using a NAT Gateway
- How do VPC Endpoints work?
- How to access EC2 in a private subnet?
- Connecting to EC2 via Session Manager
- Infrastructure of Session Manager
- Flow of a request from user to EC2 via SSM and a VPC Endpoint
- Follow for More
How VPC Endpoints internally resolve DNS to allow private access to AWS services
We’ve all been there: trying to connect to an EC2 instance in a private subnet, only to end up tangled in a web of NAT Gateways, route tables, and Bastion Hosts. You assign Elastic IPs, configure security groups, triple-check the routing… and still something breaks.
I used to do all that too, until I found a two-step setup using VPC Endpoints and SSM that changed everything.
No more Bastion hosts. No more SSH keys. No more over-complicated networking.
Give me 4 minutes, and I’ll show you exactly how to set it up.
First, a quick “to know” fact
Before we jump in, let’s understand one key AWS concept:
Each AWS service has an endpoint allocated to it. When we make a request, we hit this URL and the request is handled by that service’s endpoint.
Examples of such endpoints are:
com.amazonaws.us-east-2.ssm
com.amazonaws.us-east-2.ec2
com.amazonaws.us-east-2.s3
These are not public websites you browse. Instead, they are service endpoints that your EC2, Lambda, or SDK uses behind the scenes to talk to AWS.
How to connect to EC2 in a private subnet?
An EC2 instance in a private subnet cannot reach the internet. To connect to it, we need it to be reachable from the internet.
The most common approach is to route the private instance’s traffic through a NAT Gateway, thus providing internet access to it. The instance can now be reached through the NAT Gateway.
This is one way of doing it. It is easy and reliable. The only catch is that a public IP is involved, which can become a security risk if something goes wrong.
The other way, which is secure, fast, reliable, and easy to use, is to connect to EC2 using VPC Endpoints.
Connect to EC2 in a private subnet via Session Manager
Why do we need VPC Endpoints?
There might be a scenario where you are in a private subnet and want to connect to an EC2 instance. By default, we still cannot access it. But why? Because the instance:
- doesn’t have a public IP
- is not exposed to the internet
- has no inbound access from the internet
To remove the internet from the picture (as for an EC2 instance in a private subnet), we can use VPC Endpoints to let a user connect to this private EC2 instance without needing any NAT Gateway.
- Allow private access to AWS services (e.g., S3, DynamoDB) without the internet
- Use Interface Endpoints for services like SSM and STS
- Use Gateway Endpoints for S3 and DynamoDB
Disadvantages of using a NAT Gateway
When I use the AWS CLI, my traffic goes over the internet to AWS service endpoints, authenticated via IAM credentials. It’s secure (TLS), but it’s still public network access.
I would say that this is not a disadvantage as such, but it is still something to worry about if your IP is listed somewhere (when you were planning to keep it top-secret from the world).
How do VPC Endpoints work?
Imagine you’re in a VPC (private subnet) and you want to talk to the AWS EC2 APIs (ec2.us-east-1.amazonaws.com). Normally, this is a public API endpoint resolved via public DNS. But that requires internet access (and a NAT Gateway if you’re in a private subnet).
So, how to handle this?
Enter Interface VPC Endpoints:
AWS creates a network interface (ENI) in your subnet. Yes, an actual interface with a private IP address inside your VPC.
This ENI connects to the AWS service’s backend privately, via AWS’s backbone, not the internet.
Now, when your EC2 instance tries to hit the EC2 public API, DNS is hijacked (proxied) so that the name resolves to this internal ENI (which lives in your VPC).
This is why enabling DNS hostnames and DNS support in your VPC is critical: they allow internal DNS mapping like:
ec2.us-east-1.amazonaws.com → vpce-012345.vpce-svc-abcde.amazonaws.com (private IP)
This means:
- Traffic never leaves the VPC
- No public IP or NAT Gateway is needed
- The connection happens via AWS’s internal network
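The mapping above is something you can verify from inside the instance rather than take on faith: with DNS support, DNS hostnames and the endpoint’s Private DNS enabled, the service hostname must resolve to addresses inside the VPC CIDR; if it still resolves to public addresses, the traffic will try to leave through a NAT Gateway (or fail). The script below is an added example, not code from the article. It assumes a VPC CIDR of 10.0.0.0/16, and the two resolver answer sets are constructed samples standing in for what you would see with Private DNS on and off.

```shell
#!/usr/bin/env bash
# Added example: check whether an AWS service hostname resolves to addresses
# inside the VPC, i.e. whether the Interface Endpoint's Private DNS is in effect.
# Assumptions (not from the article): VPC CIDR 10.0.0.0/16; the sample resolver
# answers below are constructed, not captured from a real VPC.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  # shellcheck disable=SC2086
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 when IPv4 address $1 lies inside CIDR block $2 (e.g. 10.0.0.0/16).
ip_in_cidr() {
  local ip=$1 net=${2%/*} bits=${2#*/}
  local mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Classify resolver answers (one IPv4 per line) against the VPC CIDR.
# Prints "private" when every answer is inside the VPC (Private DNS works),
# "public" when none is (the name still points at the public API), and
# "mixed" otherwise (a split-horizon misconfiguration worth investigating).
classify_answers() {
  local answers=$1 cidr=$2 ip inside=0 outside=0
  while IFS= read -r ip; do
    [ -z "$ip" ] && continue
    if ip_in_cidr "$ip" "$cidr"; then inside=$((inside + 1)); else outside=$((outside + 1)); fi
  done <<EOF
$answers
EOF
  if [ "$outside" -eq 0 ] && [ "$inside" -gt 0 ]; then echo private
  elif [ "$inside" -eq 0 ]; then echo public
  else echo mixed; fi
}

# Live check from inside an instance: resolve the hostname through the VPC
# resolver (getent uses the system resolver) and classify the A records.
check_service_dns() {
  local host=$1 cidr=$2
  classify_answers "$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u)" "$cidr"
}

# Constructed sample answers standing in for two resolver runs.
PRIVATE_DNS_ANSWERS="10.0.1.23
10.0.2.40"          # ssm.us-east-2.amazonaws.com with Private DNS on: endpoint ENI addresses
PUBLIC_DNS_ANSWERS="52.95.110.1
52.95.110.2"        # the same name with DNS support / Private DNS off: public API addresses

if [ -n "${CHECK_HOST:-}" ]; then
  # e.g. CHECK_HOST=ssm.us-east-2.amazonaws.com VPC_CIDR=10.0.0.0/16 ./check.sh
  check_service_dns "$CHECK_HOST" "${VPC_CIDR:-10.0.0.0/16}"
fi
```

Run it on the instance with `CHECK_HOST` set to the service hostname you expect to be proxied (ssm, ssmmessages, ec2 and so on). A `public` result means the request will go out via the internet path even though an endpoint exists, usually because Private DNS was not enabled on the endpoint or DNS support is off on the VPC.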
How to access EC2 in a private subnet?
- SSH via a Bastion Host (in a public subnet)
- Use SSM (AWS Systems Manager): no SSH keys needed, just the SSM Agent + an IAM Role + Session Manager
For now, let’s just go through how to set up a connection to EC2 using Session Manager over a VPC Endpoint.
Connecting to EC2 via Session Manager
Session Manager is a managed service that provides you with one-click secure access to your instances without the need to open inbound ports and manage bastion hosts.
You have centralized access control over who can access your instances and full auditing capabilities to ensure compliance with corporate policies.
To have any EC2 instance managed by Session Manager, follow these steps:
- Attach the AmazonSSMManagedInstanceCore policy to the EC2 instance’s role in the IAM section. Once that is enabled, go to Session Manager.
- If the role attachment is successful, your EC2 instance will be listed under the Target instances section of Session Manager.
- Click Start Session, and you are good to go: the internal VPC network is enabled for the EC2 instance, and all communication to the public endpoints of AWS services is proxied through the endpoint (within the AWS internal network).
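The same setup, done with the AWS CLI instead of the console, as an added example that is not the article’s own code. It provisions the three interface endpoints Session Manager needs (ssm for the agent’s API calls, ssmmessages for the session channel, ec2messages for Run Command) with Private DNS enabled, a security group that only allows TCP/443 from inside the VPC, and an instance role carrying AmazonSSMManagedInstanceCore; it then checks that the instance registered and opens a session. VPC_ID, SUBNET_IDS, INSTANCE_ID and the 10.0.0.0/16 CIDR are placeholders to replace with your own values.

```shell
#!/usr/bin/env bash
# Added example: provision what Session Manager needs for an instance with no
# internet path, then verify and connect. The resource IDs below are placeholders.
set -eu

REGION=${REGION:-us-east-2}
VPC_ID=${VPC_ID:-vpc-EXAMPLE}              # placeholder
SUBNET_IDS=${SUBNET_IDS:-subnet-EXAMPLE}   # placeholder, space-separated list
VPC_CIDR=${VPC_CIDR:-10.0.0.0/16}          # assumed VPC CIDR
INSTANCE_ID=${INSTANCE_ID:-i-EXAMPLE}      # placeholder
ROLE_NAME=${ROLE_NAME:-ec2-ssm-core}

# Interface endpoints Session Manager traffic needs (ssm for the agent's API
# calls, ssmmessages for the session data channel, ec2messages for Run Command).
required_endpoint_services() {
  local region=$1 svc
  for svc in ssm ssmmessages ec2messages; do
    echo "com.amazonaws.${region}.${svc}"
  done
}

# Security group for the endpoint ENIs: only TCP/443 from inside the VPC.
create_endpoint_sg() {
  local sg_id
  sg_id=$(aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
    --group-name ssm-endpoints --description "HTTPS to SSM interface endpoints" \
    --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg_id" \
    --protocol tcp --port 443 --cidr "$VPC_CIDR" >/dev/null
  echo "$sg_id"
}

# One interface endpoint per service, with Private DNS so the public hostname
# (e.g. ssm.us-east-2.amazonaws.com) resolves to the endpoint ENIs in the VPC.
create_ssm_endpoints() {
  local sg_id=$1 svc
  for svc in $(required_endpoint_services "$REGION"); do
    # shellcheck disable=SC2086
    aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
      --vpc-endpoint-type Interface --service-name "$svc" \
      --subnet-ids $SUBNET_IDS --security-group-ids "$sg_id" \
      --private-dns-enabled --query VpcEndpoint.VpcEndpointId --output text
  done
}

# Instance role with the managed policy the article attaches, wrapped in an
# instance profile and associated with the instance. No key pair is involved.
attach_ssm_role() {
  aws iam create-role --role-name "$ROLE_NAME" --assume-role-policy-document \
    '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Principal":{"Service":"ec2.amazonaws.com"},"Action":"sts:AssumeRole"}]}' >/dev/null
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
    --policy-arn arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
  aws iam create-instance-profile --instance-profile-name "$ROLE_NAME" >/dev/null
  aws iam add-role-to-instance-profile --instance-profile-name "$ROLE_NAME" --role-name "$ROLE_NAME"
  aws ec2 associate-iam-instance-profile --region "$REGION" --instance-id "$INSTANCE_ID" \
    --iam-instance-profile Name="$ROLE_NAME" >/dev/null
}

# PingStatus "Online" means the agent reached the ssm endpoint privately, the
# CLI equivalent of the instance appearing under Target instances. Then open the
# session: no inbound port, no SSH key, no public IP.
verify_and_connect() {
  aws ssm describe-instance-information --region "$REGION" \
    --filters "Key=InstanceIds,Values=$INSTANCE_ID" \
    --query 'InstanceInformationList[0].PingStatus' --output text
  aws ssm start-session --region "$REGION" --target "$INSTANCE_ID"
}

main() {
  local sg_id
  sg_id=$(create_endpoint_sg)
  create_ssm_endpoints "$sg_id"
  attach_ssm_role
  verify_and_connect
}

# Run only when explicitly requested, so the file can be sourced for its helpers.
if [ "${RUN_SSM_SETUP:-0}" = "1" ]; then main; fi
```

`aws ssm start-session` needs the Session Manager plugin installed on the workstation, and the agent on the instance can take a few minutes to pick up the new role and register, so the PingStatus check may need a retry before the session opens.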
Infrastructure of Session Manager
How SSM Works?
Flow of a request from user to EC2 via SSM and a VPC Endpoint
- User initiates access: the user connects to the EC2 instance in the private subnet via SSM Session Manager. No need for SSH or a public IP.
- Private EC2 wants to talk to S3: the EC2 instance wants to upload, fetch, or list data in an S3 bucket. Normally, this would require internet access, since s3.us-east-2.amazonaws.com is a public endpoint.
- VPC Endpoint resolves DNS: the EC2 instance still targets the standard public hostname (s3.us-east-2.amazonaws.com), but AWS’s internal VPC DNS resolver intercepts the DNS query. It returns the private endpoint, something like vpce-xx.s3.us-east-2.vpce.amazonaws.com.
- Traffic routing: the network traffic is now routed internally through the VPC, directly to the S3 service over the private AWS network. No need for an Internet Gateway, NAT Gateway, or even a public IP.
That’s it on VPC Endpoints and how SSM uses them. Shortly, I will be sharing the internal working of SSM.
Follow for More
If this helped or sparked an idea, drop a comment, a clap, or reach out!