In step 4.2 test connection, to access EC2 Private you need to:
-> As you can see, now EC2 Public acts as Bastion Host and we need to pay for this instance. So is there a way to save costs, reduce configuration steps while still accessing EC2 Private and ensuring security?
On June 13, 2023, AWS launched the EC2 Instance Connect Endpoint (EIC Endpoint) function to help customers access EC2 instances without needing public IP addresses, through the protocol SSH and RDP.
EIC Endpoint replaces Bastion Host, which means eliminating the workload: patching, managing, auditing and the cost of the previous Bastion Host instance. There are no additional costs for EIC Endpoint, however data transfer costs will apply
Create Security Group for EIC Endpoint
EIC Endpoint
Allow SSH for MyIP
Create EC2 Instance Connect Endpoint
In the search box, enter: endpoint services
, in the Features section select endpoint services
Select Create endpoint
In the Name tag section, enter: EC2 private endpoint
In the Service category section, select: EC2 Instance Connect Endpoint
In VPC section, select ASG-VPC
In the Security groups section, select: EIC Endpoint created in step 1
In the Subnet section, select: subnet-0da7e5096deb895e1 (Private subnet 2) is the subnet of EC2 Private
Select Create endpoint
Wait for Status to change to Available and go to the next step
Access EC2 Private via EC2 Instance Connect Endpoint
At the EC2 interface, check the box of EC2 Private
In the Public IPv4 address section, check and see: there is no Public IP value - meaning we cannot access this EC2 via Public IP
Select Connect
In the Connection Type section, select Connect using EC2 Instance Connect Endpoint
In the EC2 Instance Connect Endpoint section, select the EIC just created in step 2
Select Connect
Normally, you will do the lab using a user with AdministratorAccess permission . In the opposite case, you need to refer to the documentation to grant the User permission to operate the above steps. IAM permissions to use EC2 Instance Connect Endpoint