Security groups for EC2 Instance Connect Endpoint

A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. For example, we deny traffic to and from an Amazon EC2 instance unless it is specifically allowed by the security groups associated with the instance.

The following examples show you how to configure the security group rules for the EC2 Instance Connect Endpoint and the target instances.

EC2 Instance Connect Endpoint security group rules

The security group rules for an EC2 Instance Connect Endpoint must allow outbound traffic destined for the target instances to leave the endpoint. You can specify either the instance security group or the IPv4 address range of the VPC as the destination.

Traffic to the endpoint originates from the EC2 Instance Connect Endpoint Service, and it is allowed regardless of the inbound rules for the endpoint security group. To control who can use EC2 Instance Connect Endpoint to connect to an instance, use an IAM policy. For more information, see Permissions to use EC2 Instance Connect Endpoint to connect to instances.

Example outbound rule: Security group referencing

The following example uses security group referencing, which means that the destination is a security group associated with the target instances. This rule allows outbound traffic from the endpoint to all instances that use this security group.

Protocol	Destination	Port range	Comment
TCP	ID of instance security group	22	Allows outbound SSH traffic to all instances associated with the instance security group

Example outbound rule: IPv4 address range

The following example allows outbound traffic to the specified IPv4 address range. The IPv4 addresses of an instance is assigned from its subnet, so you can use the IPv4 address range of the VPC.

Protocol	Destination	Port range	Comment
TCP	VPC IPv4 CIDR	22	Allows outbound SSH traffic to the VPC

Target instance security group rules

The security group rules for target instances must allow inbound traffic from the EC2 Instance Connect Endpoint. You can specify either the endpoint security group or an IPv4 address range as the source. If you specify an IPv4 address range, the source depends on whether client IP preservation is off or on. For more information, see Considerations.

Because security groups are stateful, the response traffic is allowed to leave the VPC regardless of the outbound rules for the instance security group.

Example inbound rule: Security group referencing

The following example uses security group referencing, which means that the source is the security group associated with the endpoint. This rule allows inbound SSH traffic from the endpoint to all instances that use this security group, whether client IP preservation is on or off. If there are no other inbound security group rules for SSH, then the instances accept SSH traffic only from the endpoint.

Protocol	Source	Port range	Comment
TCP	ID of endpoint security group	22	Allows inbound SSH traffic from the resources associated with the endpoint security group

Example inbound rule: Client IP preservation off

The following example allows inbound SSH traffic from the specified IPv4 address range. Because client IP preservation is off, the source IPv4 address is the address of the endpoint network interface. The address of the endpoint network interface is assigned from its subnet, so you can use the IPv4 address range of the VPC to allow connections to all instances in the VPC.

Protocol	Source	Port range	Comment
TCP	VPC IPv4 CIDR	22	Allows inbound SSH traffic from the VPC

Example inbound rule: Client IP preservation on

The following example allows inbound SSH traffic from the specified IPv4 address range. Because client IP preservation is on, the source IPv4 address is the address of the client.

Protocol	Source	Port range	Comment
TCP	Public IPv4 address range	22	Allows inbound traffic from the specified client IPv4 address range