
Remotely Connect to Your Instances without a Public IP Address

Posted on Jun 28 • Originally published at Medium

We have been using bastion hosts to connect to our EC2 instances via SSH or RDP for years. Using these hosts causes operational challenges (updates, additional configurations, audits, etc.) and additional costs. Besides bastion hosts, AWS has two other solutions for connecting to your instances. The first solution is EC2 Instance Connect, but we need a public IP address to use it. The second solution is Systems Manager, but it requires an agent on the instance. 🌹

From now on, we are able to use EC2 Instance Connect Endpoint for all remote connections without public IPs, Internet Gateways, and bastion hosts. EC2 Instance Connect Endpoint combines authorization through IAM restrictions with network controls through security group rules. This feature is also auditable with AWS CloudTrail. Today, we will configure and understand the EC2 Instance Connect Endpoint step by step. Let's start together! ⛅️

Step 1: IAM Permissions to use EC2 Instance Connect Endpoint

First of all, to create an EC2 Instance Connect Endpoint, you need these permissions:

You can restrict the EC2 Instance Connect remote port, the private IP address of your EC2 instance, or the duration of the tunnel built between EC2 Instance Connect Endpoint and your instance. You can see all example policies and IAM scenarios here.

Step 2: Security Group Configurations

For the EC2 Instance Connect Endpoint, AWS recommends that the outbound rule allow outbound traffic only to the specified destination (the specific security group of your EC2 instances).

For your resources, if client IP preservation is set to false in the EIC Endpoint configuration, you should allow inbound traffic from the EIC Endpoint security group and inbound traffic from the VPC CIDR. For other client IP preservation cases, you can check this documentation.

Step 3: Create EC2 Instance Connect Endpoint

To create it, go to VPC → Endpoints and select "Create Endpoint". Your endpoint and resources should be in the same VPC. Select a private subnet and the security group that you have created. If you select a subnet in a different Availability Zone from your resources, additional data transfer costs can occur. After that, wait until the status is "Available". You can create one EC2 Instance Connect Endpoint per VPC and per subnet.

Step 4: Connect to your EC2 Instance

From the AWS Console, select EC2 Instance Connect Endpoint. We got a successful connection!

From your client, you can use this command (the proxy flag is --instance-id, which the original rendering had broken into an em-dash):

ssh -i 'key_file' ubuntu@instance_id -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id instance_id'

We got a successful connection again! 🫠

Advantages of using EC2 Instance Connect Endpoint:

Thanks for reading! Stay safe in the cloud! 👻
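The Step 1 restrictions (remote port, instance private IP, tunnel duration) written out as an IAM policy for the principal that connects in Step 4; this is an added example, not from the original post. The region, account ID, endpoint ID and CIDR are placeholders to replace with your own, and the ec2:Describe* statement is assumed to be needed so the console and CLI can list the endpoint and instances. A principal holding only this policy can open tunnels through the named endpoint to port 22 of instances in 10.0.1.0/24, each tunnel for at most one hour, and nothing else.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenTunnelOnlyToSshInPrivateSubnet",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "arn:aws:ec2:REGION:ACCOUNT_ID:instance-connect-endpoint/eice-EXAMPLE",
      "Condition": {
        "NumericEquals": {
          "ec2-instance-connect:remotePort": "22"
        },
        "IpAddress": {
          "ec2-instance-connect:privateIpAddress": "10.0.1.0/24"
        },
        "NumericLessThanEquals": {
          "ec2-instance-connect:maxTunnelDuration": "3600"
        }
      }
    },
    {
      "Sid": "ListEndpointsAndInstancesForConsoleAndCli",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstanceConnectEndpoints",
        "ec2:DescribeInstances"
      ],
      "Resource": "*"
    }
  ]
}
```

Because every OpenTunnel call is recorded by CloudTrail, a denied attempt to reach RDP (port 3389) or a host outside the CIDR shows up as an AccessDenied event, which is a useful detection signal for misuse of the endpoint.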


