Connect using EC2 Instance Connect
The following instructions explain how to connect to your Linux instance using EC2 Instance Connect.
Decide which connection option to use. The connection option to use depends on whether your instance has a public IPv4 address:
- Amazon EC2 console – To connect using the Amazon EC2 console, the instance must have a public IPv4 address.
- SSH client – If the instance does not have a public IP address, you can connect to the instance over a private network using an SSH client. For example, you can connect from within the same VPC or through a VPN connection, transit gateway, or AWS Direct Connect.
EC2 Instance Connect does not support connecting using an IPv6 address.
Tip
EC2 Instance Connect is one of the options to connect to your Linux instance. For other options, see Connect to your Linux instance. To connect to a Windows instance, see Connect to your Windows instance.
Connection options for EC2 Instance Connect
Connect using the Amazon EC2 console
You can connect to an instance using the Amazon EC2 console by selecting the instance from the console and choosing to connect using EC2 Instance Connect. Instance Connect handles the permissions and provides a successful connection.
To connect using the Amazon EC2 console, the instance must have a public IPv4 address. Before connecting, be sure to review all the prerequisites.
To connect to your instance using the browser-based client from the Amazon EC2 console
- Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
- In the navigation pane, choose Instances.
- Select the instance and choose Connect.
- Choose EC2 Instance Connect.
- Verify the user name and choose Connect to open a terminal window.
Connect using your own key and SSH client
You can use your own SSH key and connect to your instance from the SSH client of your choice while using the EC2 Instance Connect API. This enables you to benefit from the Instance Connect capability to push a public key to the instance. This connection method works for instances with public and private IP addresses.
Requirements
- Requirements for key pairs
  - Supported types: RSA (OpenSSH and SSH2) and ED25519
  - Supported lengths: 2048 and 4096
  - For more information, see Create a key pair using a third-party tool and import the public key to Amazon EC2.
- When connecting to an instance that only has private IP addresses, the local computer from which you are initiating the SSH session must have connectivity to the EC2 Instance Connect service endpoint (to push your SSH public key to the instance) as well as network connectivity to the instance's private IP address to establish the SSH session. The EC2 Instance Connect service endpoint is reachable over the internet or over an AWS Direct Connect public virtual interface. To connect to the instance's private IP address, you can leverage services such as AWS Direct Connect, AWS Site-to-Site VPN, or VPC peering.
Before connecting, be sure to review all the prerequisites.
To connect to your instance using your own key and any SSH client
- (Optional) Generate new SSH private and public keys
  You can generate new SSH private and public keys, my_key and my_key.pub, using the following command:
  $ ssh-keygen -t rsa -f my_key
- Push your SSH public key to the instance
  Use the send-ssh-public-key command to push your SSH public key to the instance. If you launched your instance using AL2023 or Amazon Linux 2, the default user name for the AMI is ec2-user. If you launched your instance using Ubuntu, the default user name for the AMI is ubuntu. The following example pushes the public key to the specified instance in the specified Availability Zone, to authenticate ec2-user.
  $ aws ec2-instance-connect send-ssh-public-key \
      --region us-west-2 \
      --availability-zone us-west-2b \
      --instance-id i-001234a4bf70dec41EXAMPLE \
      --instance-os-user ec2-user \
      --ssh-public-key file://my_key.pub
- Connect to the instance using your private key
  Use the ssh command to connect to the instance using the private key before the public key is removed from the instance metadata (you have 60 seconds before it is removed). Specify the private key that corresponds to the public key, the default user name for the AMI that you used to launch your instance, and the instance's public DNS name (if connecting over a private network, specify the private DNS name or IP address). Add the IdentitiesOnly=yes option to ensure that only the files in the ssh config and the specified key are used for the connection.
  $ ssh -o "IdentitiesOnly=yes" -i my_key ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
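As an added example that is not part of the AWS documentation, the following script automates the three steps above with a throwaway ED25519 key pair: it checks the key against the supported types and lengths listed under Requirements, pushes it, confirms that the push was acknowledged, and opens the session with IdentitiesOnly=yes inside the 60-second window. The function names (eic_connect, key_is_supported, push_succeeded, ssh_opts) and all arguments are assumptions; supply your own Region, Availability Zone, instance ID, OS user and host.

```shell
#!/usr/bin/env bash
# Added example, not from the AWS documentation: wraps the three steps above
# (generate key, push it, connect within 60 s) around a throwaway key pair.
# Region, AZ, instance ID, OS user and host are caller-supplied placeholders.

die() { printf 'eic: %s\n' "$*" >&2; exit 1; }

# Takes one "ssh-keygen -lf" line, "<bits> SHA256:<hash> <comment> (<TYPE>)",
# and succeeds only for the key types/lengths the page lists as supported
# (RSA 2048 or 4096, ED25519). Recent ssh-keygen defaults RSA to 3072 bits,
# so a plain "ssh-keygen -t rsa" can yield a key that this check rejects.
key_is_supported() {
  local bits type
  bits=${1%% *}
  type=${1##* }; type=${type#\(}; type=${type%\)}
  case "$type:$bits" in
    ED25519:256|RSA:2048|RSA:4096) return 0 ;;
    *) return 1 ;;
  esac
}

# send-ssh-public-key prints JSON like {"RequestId": "...", "Success": true};
# anything but an explicit true counts as a failed push.
push_succeeded() {
  printf '%s' "$1" | grep -Eq '"Success"[[:space:]]*:[[:space:]]*true'
}

# Offer only the pushed key (IdentitiesOnly=yes) so keys held by ssh-agent
# cannot use up the server's authentication attempts inside the 60 s window,
# and never fall back to a password prompt.
ssh_opts() { printf '%s' '-o IdentitiesOnly=yes -o PasswordAuthentication=no'; }

eic_connect() {
  [ "$#" -eq 5 ] || die 'usage: eic_connect REGION AZ INSTANCE_ID OS_USER HOST'
  local region="$1" az="$2" instance_id="$3" os_user="$4" host="$5" dir key out
  dir=$(mktemp -d) || die 'mktemp failed'
  trap "rm -rf '$dir'" EXIT                   # the key never outlives the session
  key=$dir/eic_key
  ssh-keygen -q -t ed25519 -N '' -f "$key" || die 'ssh-keygen failed'
  key_is_supported "$(ssh-keygen -lf "$key.pub")" || die 'unsupported key type or length'
  out=$(aws ec2-instance-connect send-ssh-public-key --region "$region" \
          --availability-zone "$az" --instance-id "$instance_id" \
          --instance-os-user "$os_user" --ssh-public-key "file://$key.pub") \
    || die 'send-ssh-public-key failed'
  push_succeeded "$out" || die "key push not acknowledged: $out"
  # shellcheck disable=SC2046  # ssh_opts is meant to be word-split
  ssh $(ssh_opts) -i "$key" "$os_user@$host"  # must begin within 60 s of the push
}

[ "$#" -eq 0 ] || eic_connect "$@"
```

Run it as `./eic.sh us-west-2 us-west-2b i-EXAMPLE ec2-user <dns-or-ip>`; the temporary directory holding the key is removed when the session ends.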
Use EC2 Instance Connect to connect to your Linux instance with the AWS CLI
If you know your instance ID, you can use Amazon EC2 Instance Connect to connect to your instance using an SSH client. If you don't specify a connection type, EC2 Instance Connect automatically tries to connect to your instance's public IPv4 address. If your instance doesn't have a public IPv4 address, EC2 Instance Connect then tries to connect to your instance's private IPv4 address through an EC2 Instance Connect Endpoint. If your instance doesn't have a private IPv4 address or your VPC doesn't have an EC2 Instance Connect Endpoint, then EC2 Instance Connect tries to connect to your instance's IPv6 address.
Before you connect with this method, ensure that you have configured the AWS CLI, including the credentials that it uses, and that you're using the latest version of the AWS CLI. For more information, see Installing or updating the latest version of the AWS CLI and Configuring the AWS CLI in the AWS Command Line Interface User Guide.
Connection types
- auto (default) – The CLI tries to connect using the instance's IP addresses in the following order and with the corresponding connection type:
  - Public IPv4: direct
  - Private IPv4: eice
  - IPv6: direct
- direct – The CLI tries to connect using the instance's IP addresses in the following order (it does not connect over an EC2 Instance Connect Endpoint):
  - Public IPv4
  - IPv6
  - Private IPv4
- eice – The CLI always uses the instance's private IPv4 address.
Note
In the future, we might change the behavior of the auto connection type. To ensure that your desired connection type is used, we recommend that you explicitly set the --connection-type to either direct or eice.
When you connect to an instance using EC2 Instance Connect, the EC2 Instance Connect API pushes an SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your user authorizes your user to push the public key to the instance metadata. For more information about EC2 Instance Connect, see Connect to your Linux instance with EC2 Instance Connect.
To connect to an instance using the instance ID
If you only know the instance ID, and want to let EC2 Instance Connect determine the connection type to use when connecting to your instance, use the ec2-instance-connect CLI and specify the ssh command and the instance ID.
$ aws ec2-instance-connect ssh --instance-id i-1234567890example
To connect to an instance using the instance ID and an EC2 Instance Connect Endpoint
If you want to connect to your instance over an EC2 Instance Connect Endpoint, use the preceding command and also specify the --connection-type parameter with the eice value.
$ aws ec2-instance-connect ssh --instance-id i-1234567890example --connection-type eice
To connect to an instance using the instance ID and your own private key file
If you want to connect to your instance over an EC2 Instance Connect Endpoint using your own private key, specify the instance ID and the path to the private key file. Do not include file:// in the path; the following example will fail: file:///path/to/key.
$ aws ec2-instance-connect ssh --instance-id i-1234567890example --private-key-file /path/to/key.pem
Troubleshoot
If you receive an error while attempting to connect to your instance, see the following: