Connect to your instances without requiring a public IPv4 address using EC2 Instance Connect Endpoint
EC2 Instance Connect Endpoint allows you to connect to an instance via SSH or RDP without requiring the instance to have a public IPv4 address.
How it works
First, you create an EC2 Instance Connect Endpoint in a subnet in your virtual private cloud (VPC). Then, when you want to connect to an instance, you specify the ID of the instance. You can optionally specify which EC2 Instance Connect Endpoint to use. The endpoint acts as a private tunnel to the instance.
Once you create an EC2 Instance Connect Endpoint in a subnet, you can use the endpoint to connect to any instance in any subnet in your VPC provided your VPC is configured to allow subnets to communicate.
Note
If you use an EC2 Instance Connect Endpoint in one subnet to connect to an instance in another subnet that is in a different Availability Zone, there is an additional charge for data transfer.
The following diagram shows a user from the internet connecting to their instances, which are located in private subnets in a VPC. The diagram illustrates the following key components:
- The EC2 Instance Connect Endpoint Service is an AWS service that allows the user to use the EC2 Instance Connect Endpoint to connect from the internet to their instances that are in private subnets.
- The EC2 Instance Connect Endpoint in Private subnet A acts as a private tunnel so that the user can connect to their instances that are in the private subnets.
  Access to create and connect to EC2 Instance Connect Endpoints is controlled by IAM permissions. You can configure additional security group rules on your instances to restrict inbound traffic. For example, you can use inbound rules on your instances to only allow traffic on management ports from the EC2 Instance Connect Endpoint.
- Private subnet A has an EC2 Instance Connect Endpoint, but Private subnet B does not. Based on your VPC configuration, if Private subnet A and Private subnet B are allowed to communicate, then you can use the EC2 Instance Connect Endpoint in Private subnet A to connect to an instance in Private subnet B.
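The security group guidance above (allow management ports only from the endpoint) is easy to check from the output of `aws ec2 describe-security-groups`. The following audit is an added example, not AWS code: it walks the `IpPermissions` structure of each instance security group and reports any rule that exposes SSH (22) or RDP (3389) to a CIDR range or to a security group other than the endpoint's. All group IDs are constructed placeholders.

```python
# Added example (not from the AWS documentation): audit instance security groups
# so that management ports are reachable only from the EC2 Instance Connect
# Endpoint's security group. Input mimics the shape of
# `aws ec2 describe-security-groups` output; all IDs below are constructed.
MGMT_PORTS = {22: "ssh", 3389: "rdp"}

def rule_covers_port(perm, port):
    """True if a single IpPermissions entry covers TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":              # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def audit_instance_sg(sg, endpoint_sg_id):
    """Return findings for inbound rules that expose SSH/RDP to anything other
    than the EC2 Instance Connect Endpoint's security group."""
    findings = []
    for perm in sg.get("IpPermissions", []):
        for port, name in MGMT_PORTS.items():
            if not rule_covers_port(perm, port):
                continue
            for r in perm.get("IpRanges", []):
                findings.append(f"{sg['GroupId']}: {name}/{port} open to {r['CidrIp']}")
            for r in perm.get("Ipv6Ranges", []):
                findings.append(f"{sg['GroupId']}: {name}/{port} open to {r['CidrIpv6']}")
            for pair in perm.get("UserIdGroupPairs", []):
                if pair.get("GroupId") != endpoint_sg_id:
                    findings.append(f"{sg['GroupId']}: {name}/{port} open to group {pair['GroupId']}")
    return findings

# Constructed sample data: ENDPOINT_SG is the group attached to the endpoint.
ENDPOINT_SG = "sg-0eice000000000000"
GOOD_SG = {"GroupId": "sg-0good000000000000", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": ENDPOINT_SG}]}]}
BAD_SG = {"GroupId": "sg-0bad0000000000000", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0other00000000000"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}

if __name__ == "__main__":
    for sg in (GOOD_SG, BAD_SG):
        for line in audit_instance_sg(sg, ENDPOINT_SG) or [f"{sg['GroupId']}: ok"]:
            print(line)
```

The 443 rule in the sample is deliberately left alone: the check is scoped to management ports, so ordinary application traffic is not flagged.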

Benefits
EC2 Instance Connect Endpoint provides the following benefits:
- You can connect to your instances without requiring the instances to have a public IPv4 address.
- You can connect to your instances from the internet without requiring your VPC to have an internet gateway.
- You can control access to the creation and use of the EC2 Instance Connect Endpoints to connect to instances with IAM policies and permissions.
- All attempts to connect to instances, both successful and unsuccessful, are logged to CloudTrail.
Contents
- Prerequisites
- Grant IAM permissions to use EC2 Instance Connect Endpoint
- Security groups for EC2 Instance Connect Endpoint
- Create an EC2 Instance Connect Endpoint
- Connect using EC2 Instance Connect Endpoint to a Linux instance
- Log connections established over EC2 Instance Connect Endpoint
- Remove EC2 Instance Connect Endpoint
- Service-linked role for EC2 Instance Connect Endpoint
- Quotas