AWS Step-by-Step

Connecting to an EC2 Instance Using EC2 Instance Connect, Part 2

In my previous article in this series, I explained how EC2 Instance Connect could be used to simplify connectivity to Linux virtual machine instances. At the beginning of that article, I also hinted that in some situations using EC2 Instance Connect might also improve security and lower your costs. With that being said, I want to take a step back and talk about an optional EC2 Instance Connect component called EC2 Instance Connect Endpoint.

In my previous article, I explained that one of the major requirements for using EC2 Instance Connect is that you must have some type of IP connectivity to the instance. Historically, there have been three main options for providing this connectivity.

The first option is to assign a public IP address to the virtual machine instance. The problem with this, of course, is that doing so exposes both the instance and its VPC to the Internet (because of the required Internet gateway).

Of course, there are also costs associated with using this approach, since Amazon charges for any public IP addresses that you use. Some organizations seek to minimize these costs by powering down instances when they are not in use. However, unless the instance has been provisioned with an elastic IP, the instance's IP address will change the next time that it is powered up, which can sometimes be undesirable.

The second option for connecting to an EC2 instance is to connect through the instance's private IPv4 address. Of course, since you can't connect directly from the Internet to a private address, you will need a VPN, a direct connection, or a similar mechanism to provide the necessary connectivity. This VPN or other means of connectivity increases both your complexity and the infrastructure cost.

The third option is to set up a bastion host. There are a few different ways to accomplish this, but it generally means creating a hardened instance that is publicly accessible and then using that instance to establish connectivity to whatever instance you need to manage. In doing so, the bastion host essentially acts as a management proxy. This tends to be the most secure of the three methods, but again, there is cost and complexity that must be considered.

The EC2 Instance Connect Endpoint exists as an alternative to the techniques that I have discussed so far. The EC2 Instance Connect Endpoint is a special type of proxy that is specifically intended for use in managing EC2 instances. In other words, your instances do not have to be provisioned with public IP addresses, nor do you have to create a route from the Internet to a private IP address. The EC2 Instance Connect Endpoint can provide the connectivity for you. It is worth noting, however, that even though your instances do not have to be publicly accessible, they must be configured with an IPv4 address (either public or private).

Note that even though the EC2 Instance Connect Endpoint does allow you to access your EC2 instances from the outside world, it is intended for use only as a management portal. In fact, Amazon has even gone so far as to suggest that it will throttle any high volume data transfers that an admin might attempt through an EC2 Instance Connect Endpoint.

Even if you are not thinking of trying to perform high volume data transfers through an EC2 Instance Connect Endpoint, there are some additional limitations that you need to be aware of. For starters, you can only have a single EC2 Instance Connect Endpoint in each VPC. Initially, this limitation might not seem all that significant. Keep in mind, however, that a single VPC can include multiple subnets and might even span multiple availability zones. On a side note, an EC2 Instance Connect Endpoint is a VPC structure, as opposed to being a part of EC2. You can create an Instance Connect Endpoint by opening the VPC console and clicking Endpoints, followed by Create Endpoint. You can see the EC2 Instance Connect Endpoint option in Figure 1.

Figure 1: You Can Create an EC2 Instance Connect Endpoint within the VPC Console.

With this being the case, it can be helpful to think of an EC2 Instance Connect Endpoint as a temporary infrastructure component that you can tear down and rebuild on an as-needed basis. In fact, Amazon's documentation even goes so far as to say that, "If you need to create another EC2 Instance Connect Endpoint in a different Availability Zone within the same VPC, you must first delete the existing EC2 Instance Connect Endpoint. Otherwise, you'll receive a quota error".

Additionally, an EC2 Instance Connect Endpoint has a limit of 20 concurrent management sessions that it can support. Likewise, each of these sessions is limited to one hour in duration. As such, if you need to perform a long duration management task on an EC2 instance, then you may be better off connecting to the instance through a conventional SSH session as opposed to using EC2 Instance Connect.
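The same workflow from the command line rather than the VPC console, as an added example that is not code from this article or from AWS: it checks the one-endpoint-per-VPC quota before creating an endpoint (deleting the old one first when asked to, as the documentation quoted above requires), and then builds the AWS CLI v2 command that tunnels SSH through it, capped at the one-hour session limit. It assumes boto3 is installed and credentials are configured for a real run; the client is passed in as a parameter so the logic can also be exercised with a stub, and all resource IDs are placeholders.

```python
import shlex
import time


def existing_endpoints(ec2, vpc_id):
    """Endpoints in vpc_id that still count against the one-per-VPC quota."""
    resp = ec2.describe_instance_connect_endpoints(
        Filters=[{"Name": "vpc-id", "Values": [vpc_id]}])
    return [e for e in resp["InstanceConnectEndpoints"]
            if e["State"] != "delete-complete"]


def ensure_endpoint(ec2, vpc_id, subnet_id, sg_ids, replace=False, wait=time.sleep):
    """Return an endpoint ID for vpc_id, creating one if none exists.

    Only one endpoint is allowed per VPC. If one already exists in a different
    subnet, creating another fails with a quota error: with replace=True the old
    endpoint is deleted first (the documented procedure); otherwise it is reused.
    """
    current = existing_endpoints(ec2, vpc_id)
    if current:
        old = current[0]
        if old["SubnetId"] == subnet_id or not replace:
            return old["InstanceConnectEndpointId"]
        ec2.delete_instance_connect_endpoint(
            InstanceConnectEndpointId=old["InstanceConnectEndpointId"])
        while existing_endpoints(ec2, vpc_id):  # deletion is asynchronous
            wait(5)
    created = ec2.create_instance_connect_endpoint(
        SubnetId=subnet_id,
        SecurityGroupIds=sg_ids,   # restrict inbound to admin source ranges
        PreserveClientIp=True,     # instance logs then show the real admin IP
    )
    return created["InstanceConnectEndpoint"]["InstanceConnectEndpointId"]


def ssh_command(instance_id, endpoint_id, max_tunnel_seconds=3600):
    """AWS CLI v2 argv that tunnels SSH through the endpoint (no public IP, bastion or VPN)."""
    secs = min(max_tunnel_seconds, 3600)  # sessions are capped at one hour
    return ["aws", "ec2-instance-connect", "ssh",
            "--instance-id", instance_id,
            "--connection-type", "eice",
            "--eice-options", f"endpointId={endpoint_id},maxTunnelDuration={secs}"]


if __name__ == "__main__":
    import boto3  # assumed installed; a real run also needs AWS credentials
    ec2 = boto3.client("ec2")
    eid = ensure_endpoint(ec2, "vpc-PLACEHOLDER", "subnet-PLACEHOLDER", ["sg-PLACEHOLDER"])
    print(shlex.join(ssh_command("i-PLACEHOLDER", eid)))
```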

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
