Prerequisites - Amazon Elastic Compute Cloud

Prerequisites

The following are the prerequisites for installing EC2 Instance Connect and for using EC2 Instance Connect to connect to an instance:

AWS Regions

Supported in all AWS Regions.

Local Zones

Not supported.

AMIs

EC2 Instance Connect comes pre-installed on the following AMIs:

  • AL2023

  • Amazon Linux 2 2.0.20190618 or later

  • macOS Sonoma 14.2.1 or later

  • macOS Ventura 13.6.3 or later

  • macOS Monterey 12.7.2 or later

  • Ubuntu 20.04 or later

EC2 Instance Connect is not pre-installed on the following AMIs, but you can install it on instances that are launched using the following AMIs:

  • Amazon Linux 2 prior to version 2.0.20190618

  • CentOS Stream 8 and 9

  • macOS Sonoma prior to 14.2.1, Ventura prior to 13.6.3, and Monterey prior to 12.7.2

  • Red Hat Enterprise Linux (RHEL) 8 and 9

  • Ubuntu 16.04 or 18.04

Install EC2 Instance Connect

To use EC2 Instance Connect to connect to an instance, the instance must have EC2 Instance Connect installed. You can either launch the instance using an AMI that comes pre-installed with EC2 Instance Connect, or you can install EC2 Instance Connect on instances that are launched with supported AMIs. For the supported AMIs, see the preceding section. For the installation instructions, see Install EC2 Instance Connect on your EC2 instances.

IPv4 address

Your instance must have an IPv4 address (either private or public). EC2 Instance Connect does not support connecting using an IPv6 address.

Network access

Instances can be configured to allow users to connect to your instance over the internet or through the instance's private IP address. Depending on how your users will connect to your instance using EC2 Instance Connect, you must configure the following network access:

  • If your users will connect to your instance over the internet, then your instance must have a public IP address and be in a public subnet. For more information, see Enable internet access in the Amazon VPC User Guide.

  • If your users will connect to your instance through the instance's private IP address, then you must establish private network connectivity to your VPC, such as by using AWS Direct Connect, AWS Site-to-Site VPN, or VPC peering, so that your users can reach the instance's private IP address.

If your instance does not have a public IPv4 address and you prefer not to configure the network access as described above, you can consider EC2 Instance Connect Endpoint as an alternative to EC2 Instance Connect. EC2 Instance Connect Endpoint allows you to connect to an instance via SSH or RDP without requiring the instance to have a public IPv4 address. For more information, see Connect to your Linux instance using the Amazon EC2 console.

Security group rule

Ensure that the security group associated with your instance allows inbound SSH traffic on port 22 from your IP address or from your network. The default security group for the VPC does not allow incoming SSH traffic by default. The security group created by the launch instance wizard allows incoming SSH traffic by default. For more information, see Rules to connect to instances from your computer.

EC2 Instance Connect uses specific IP address ranges for browser-based SSH connections to your instance (when users use the Amazon EC2 console to connect to an instance). If your users will use the Amazon EC2 console to connect to an instance, ensure that the security group associated with your instance allows inbound SSH traffic from the IP address range for EC2_INSTANCE_CONNECT. To identify the address range, download the JSON file provided by AWS and filter for the subset for EC2 Instance Connect, using EC2_INSTANCE_CONNECT as the service value. These IP address ranges differ between AWS Regions. For more information about downloading the JSON file and filtering by service, see AWS IP address ranges in the Amazon VPC User Guide.

Grant permissions

You must grant the required permissions to every IAM user who will use EC2 Instance Connect to connect to an instance. For more information, see Grant IAM permissions for EC2 Instance Connect.

Local computer setup

If your users will connect using SSH, they must ensure that their local computer has an SSH client.

A user's local computer most likely has an SSH client installed by default. They can check for an SSH client by typing ssh at the command line. If their local computer doesn't recognize the command, they can install an SSH client. For information about installing an SSH client on Linux or macOS X, see http://www.openssh.com. For information about installing an SSH client on Windows 10, see OpenSSH in Windows.

There is no need to install an SSH client on a local computer if your users only use the Amazon EC2 console to connect to an instance.

Username

When using EC2 Instance Connect to connect to an instance, the username must meet the following prerequisites:

  • First character: Must be a letter (A-Z, a-z), a digit (0-9), or an underscore (_)

  • Subsequent characters: Can be letters (A-Z, a-z), digits (0-9), or the following characters: @ . _ -

  • Minimum length: 1 character

  • Maximum length: 31 characters