

Secure EC2 Private Subnet Access Without Bastion Hosts - Save Costs


Introduction

Using an EC2 Instance Connect Endpoint instead of a bastion host streamlines the connection process and removes the cost of running, patching and monitoring a bastion host. The endpoint is an AWS-managed, identity-aware TCP proxy: the instance needs no public IP, nothing in the VPC listens for SSH from the internet, and every tunnel is authorized by IAM and recorded in CloudTrail.

The Traditional Method

[Image: EC2 endpoint]

Typically, to connect to an EC2 instance in a private subnet, you would use a bastion host. The process involves:

  1. Setting up a bastion host in a public subnet.
  2. Connecting to the bastion host from your local machine.
  3. Using the bastion host to access the EC2 instance in the private subnet.

While this method works, it is cumbersome and costly: the bastion is a public-facing host that has to be sized, patched, hardened and monitored, its SSH keys have to be managed, and every session takes two hops.

The New Approach: EC2 Instance Connect Endpoint

AWS introduced EC2 Instance Connect Endpoint (EIC Endpoint) in June 2023. It lets you open an SSH (port 22) or RDP (port 3389) tunnel directly to an instance in a private subnet without a bastion host, without a public IP on the instance and without an internet gateway in the instance's subnet.

[Image: EC2 Traditional Method]

Here's how to set it up:

Step-by-Step Guide

Set Up Your VPC and Subnets

[Image: EC2 setup VPC]

First, create a Virtual Private Cloud (VPC) with a public subnet and a private subnet:

  1. Public Subnet: This is where this guide places the EC2 Instance Connect Endpoint. The endpoint does not actually require a public subnet or an internet gateway (it is reached over the AWS network, not from the internet), so it can equally be created in a private subnet.
  2. Private Subnet: This is where your EC2 instance will reside.
  3. Delete Default VPC (optional): The guide deletes the default VPC in the region to avoid confusion. This is not required, and you should not do it in an account where other resources still depend on the default VPC.
  4. Create a New VPC:
    1. Navigate to the VPC console.
    2. Choose “VPC and more” and give it a suitable name (e.g., "YouTubeDemoVPC").
    3. Create one public subnet and one private subnet.
    4. No S3 gateway endpoint is needed for this setup.

Step 2: Launching the EC2 Instance

[Image: EC2 launch instance]

  1. Launch an EC2 Instance in the Private Subnet:

    1. Go to the EC2 console and launch a new instance.
    2. Choose the private subnet for your instance and leave "Auto-assign public IP" disabled; the instance never needs a public address.
    3. Select a small instance type (e.g., t2.nano or t3.nano).
    4. Create a key pair or use an existing one for SSH access.
  2. Set Up Security Groups:

    1. Create a new security group for the instance. The guide allows all traffic within the VPC; the least-privilege version allows inbound TCP 22 only (3389 for Windows) and uses the endpoint's security group as the source instead of the VPC CIDR.
    2. Ensure the security group is attached to your EC2 instance.

Step 3: Creating the EC2 Instance Endpoint

  1. Navigate to the VPC console and select “Endpoints.”

  2. Create a new endpoint, choose the type "EC2 Instance Connect Endpoint", and select the VPC and the subnet it should live in (the instance must be in the same VPC).

  3. Assign a security group to the endpoint. The guide allows all traffic; only the outbound rules of this group are used, so the least-privilege version allows outbound TCP 22 (and 3389 if you need RDP) to the instance's security group and nothing else.

  4. Configure Security Groups:

    1. The guide says the endpoint's security group should allow inbound traffic from your local IP. Your local IP never reaches the endpoint directly (the tunnel is opened through the EC2 Instance Connect service), so inbound rules on the endpoint's security group are not used. What matters is the inbound rule on the instance's security group: its source should be the endpoint's security group when client IP preservation is turned off on the endpoint (the instance then sees the endpoint's ENI address), or your client's public IP when client IP preservation is turned on.

Step 4: Connecting via AWS CLI

[Image: EC2 connecting]

  1. Install and Configure AWS CLI:

    1. Ensure AWS CLI v2 is installed on your local machine.
    2. Configure AWS CLI with credentials for an IAM identity that is allowed to call ec2-instance-connect:OpenTunnel on the endpoint (plus ec2:DescribeInstances and ec2:DescribeInstanceConnectEndpoints, which the CLI uses to find the endpoint for the instance's VPC).
  2. Connect to the EC2 Instance:

    1. Use the following command with the correct private key and instance ID. Note that --profile is an AWS CLI option, not an ssh option, so it belongs inside the ProxyCommand string:
    ssh -i <keyName>.pem <username>@<instance-id> -o ProxyCommand="aws ec2-instance-connect open-tunnel --instance-id <instance-id> --profile <profile-name>"
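The steps above are console clicks. The script below is an added example, not code from the original post, that does the same provisioning with the AWS CLI but with least-privilege security groups: the endpoint group keeps no inbound rules and may only reach the instance group on TCP 22, and the instance group accepts TCP 22 only from the endpoint group. That pairing is valid because the endpoint is created with client IP preservation turned off, so the instance sees the endpoint's ENI address as the source. It assumes the VPC, the endpoint subnet and the private instance already exist, that AWS CLI v2 and credentials are configured, and that the resource IDs are supplied by the caller; the group names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): provision least-privilege
# security groups and an EC2 Instance Connect Endpoint with the AWS CLI, wait
# for it, and print the ssh command that tunnels through it.
# Assumptions: VPC, endpoint subnet and private instance already exist; AWS CLI
# v2 and credentials are configured; IDs are placeholders passed by the caller.
set -eu

# Create an empty security group in the VPC and print its ID.
create_sg() {           # $1 = vpc id, $2 = group name, $3 = description
  aws ec2 create-security-group --vpc-id "$1" --group-name "$2" \
      --description "$3" --query GroupId --output text
}

# Wire the two groups together by reference, not by CIDR:
#  - the endpoint group loses its default allow-all egress and may only reach
#    the instance group on TCP 22 (inbound rules on it are never consulted);
#  - the instance group accepts TCP 22 only from the endpoint group, which
#    works because the endpoint below is created with client IP preservation
#    off, so the instance sees the endpoint's ENI address as the source.
wire_rules() {          # $1 = endpoint sg, $2 = instance sg
  aws ec2 revoke-security-group-egress --group-id "$1" \
      --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}]' >/dev/null
  aws ec2 authorize-security-group-egress --group-id "$1" \
      --ip-permissions "IpProtocol=tcp,FromPort=22,ToPort=22,UserIdGroupPairs=[{GroupId=$2}]" >/dev/null
  aws ec2 authorize-security-group-ingress --group-id "$2" \
      --protocol tcp --port 22 --source-group "$1" >/dev/null
}

# Create the endpoint in the given subnet (a private subnet is fine; no
# internet gateway is needed) and print its ID.
create_endpoint() {     # $1 = subnet id, $2 = endpoint sg
  aws ec2 create-instance-connect-endpoint --subnet-id "$1" \
      --security-group-ids "$2" --no-preserve-client-ip \
      --query InstanceConnectEndpoint.InstanceConnectEndpointId --output text
}

# Poll until the endpoint leaves create-in-progress; fail on create-failed.
wait_endpoint() {       # $1 = endpoint id
  while :; do
    state=$(aws ec2 describe-instance-connect-endpoints \
        --instance-connect-endpoint-ids "$1" \
        --query 'InstanceConnectEndpoints[0].State' --output text)
    case "$state" in
      create-complete) return 0 ;;
      create-failed)   echo "endpoint $1 failed to create" >&2; return 1 ;;
      *)               sleep 10 ;;
    esac
  done
}

# Print the ssh invocation. The ProxyCommand receives the host field via %h,
# so the instance ID is typed once; open-tunnel selects the endpoint in the
# instance's VPC automatically.
ssh_command() {         # $1 = key file, $2 = os user, $3 = instance id
  printf 'ssh -i %s -o "ProxyCommand=aws ec2-instance-connect open-tunnel --instance-id %%h" %s@%s\n' \
      "$1" "$2" "$3"
}

# End-to-end: $1 vpc, $2 endpoint subnet, $3 instance id, $4 key file, $5 os user.
provision() {
  instance_sg=$(create_sg "$1" eice-instance-sg "SSH from EIC endpoint only")
  endpoint_sg=$(create_sg "$1" eice-endpoint-sg "EIC endpoint egress to instance only")
  wire_rules "$endpoint_sg" "$instance_sg"
  endpoint_id=$(create_endpoint "$2" "$endpoint_sg")
  wait_endpoint "$endpoint_id"
  echo "instance_sg=$instance_sg endpoint_sg=$endpoint_sg endpoint=$endpoint_id"
  echo "attach $instance_sg to $3, then connect with:"
  ssh_command "$4" "$5" "$3"
}

# Runs only when explicitly asked, e.g.
#   EICE_PROVISION=1 sh eice.sh vpc-0abc subnet-0abc i-0abc my-key.pem ec2-user
if [ "${EICE_PROVISION:-0}" = 1 ]; then provision "$@"; fi
```

Attach the printed instance security group to the instance and run the printed ssh line. If you would rather not write a ProxyCommand at all, AWS CLI v2 can drive ssh itself with `aws ec2-instance-connect ssh --instance-id <instance-id> --connection-type eice --os-user <username> --private-key-file <keyName>.pem`, and `open-tunnel` accepts `--instance-connect-endpoint-id` when a VPC has more than one endpoint to choose from.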

Step 5: Connecting via WinSCP

[Image: EC2 WinSCP]

  1. Download and Install WinSCP:

    1. Install WinSCP for a graphical interface to manage files on your EC2 instance. The AWS CLI must be installed and configured for the Windows user running WinSCP, because WinSCP will launch it for the proxy command.
  2. Set Up WinSCP:

    1. Open WinSCP and configure a new session.
    2. Enter the private IP of the EC2 instance as the host name. With the proxy command below it only labels the session and the stored host key; the tunnel is opened by instance ID.
    3. Use the private key for authentication. WinSCP uses PuTTY-format (.ppk) keys and offers to convert an OpenSSH .pem key when you select it.
    4. Set up a proxy command to use the EC2 endpoint:
      1. Click Advanced --> Connection --> Proxy --> Local and enter the following command:
      aws ec2-instance-connect open-tunnel --instance-id <instance-id>
  3. Connect and Manage Files:

    1. Save the session settings and connect.
    2. You should now be able to manage files on your EC2 instance via WinSCP.

Troubleshooting Common Issues

  1. Permission Denied Errors:

    1. Ensure your private key file has the correct permissions (chmod 400 your-key.pem) and that you are logging in as the OS user for your AMI (for example ec2-user on Amazon Linux, ubuntu on Ubuntu).

    2. Verify the instance's security group allows inbound port 22 from the endpoint's security group (or from your public IP, if client IP preservation is enabled on the endpoint).

    3. If the tunnel itself is refused before any SSH prompt, check that your IAM identity is allowed to call ec2-instance-connect:OpenTunnel on that endpoint; the denied call is visible in CloudTrail.

  2. Endpoint Initialization Issues:

    1. Check the VPC and subnet configurations; the endpoint must be in the same VPC as the instance, and a VPC holds only one endpoint.

    2. Ensure the endpoint is associated with the correct security group and that the group's outbound rules reach the instance on port 22.

Benefits of Using EC2 Instance Connect Endpoints

  1. Cost Savings: There is no hourly charge for the endpoint itself, so you avoid the instance hours, storage and public IPv4 address of a bastion host.
  2. Simplicity: No intermediary host, no second SSH hop, and no jump-host keys to distribute or rotate.
  3. Security: The instance keeps no public IP and nothing in the VPC listens for SSH from the internet; each tunnel is authorized by IAM (ec2-instance-connect:OpenTunnel) and logged in CloudTrail, and the bastion that would otherwise need patching and hardening no longer exists.

Conclusion

Using EC2 Instance Connect Endpoints is a powerful and cost-effective way to manage instances in private subnets. This guide has walked through setting up and connecting to an EC2 instance without a bastion host, using both the AWS CLI and WinSCP. Implementing this approach streamlines your workflow, removes a public-facing host from your attack surface and reduces costs, making your cloud infrastructure more efficient and manageable.

