Create an EC2 Instance Connect Endpoint

You can create an EC2 Instance Connect Endpoint to allow secure connection to your instances.

You can't modify an EC2 Instance Connect Endpoint after you've created it. Instead, you must delete the EC2 Instance Connect Endpoint and create a new one with the settings that you need.

Prerequisites

You must have the required IAM permissions to create an EC2 Instance Connect Endpoint. For more information, see Permissions to create, describe, and delete EC2 Instance Connect Endpoints.

Shared subnets

You can create an EC2 Instance Connect Endpoint in a subnet that is shared with you. You can't use a EC2 Instance Connect Endpoint that the VPC owner created in a subnet that is shared with you.

Console

To create an EC2 Instance Connect Endpoint

Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.
In the left navigation pane, choose Endpoints.
Choose Create endpoint, and then specify the endpoint settings as follows:
1. (Optional) For Name tag, enter a name for the endpoint.
2. For Type, choose EC2 Instance Connect Endpoint.
3. Under Network settings, for VPC, select the VPC that has the target instances.
4. (Optional) To preserve client IP addresses, expand Additional settings and select the Preserve Client IP check box. Otherwise, the default is to use the endpoint network interface as the client IP address.
5. (Optional) For Security groups, select the security group to associate with the endpoint. Otherwise, the default is to use the default security group for the VPC. For more information, see Security groups for EC2 Instance Connect Endpoint.
6. For Subnet, select the subnet in which to create the endpoint.
7. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.
Review your settings and then choose Create endpoint.

The initial status of the endpoint is Pending. Before you can connect to an instance using this endpoint, you must wait until the endpoint status is Available. This can take a few minutes.
To connect to an instance using your endpoint, see Connect to an instance.

Amazon CLI

To create an EC2 Instance Connect Endpoint

Use the create-instance-connect-endpoint command.


aws ec2 create-instance-connect-endpoint --subnet-id subnet-0123456789example

The following is example output.


{
        "OwnerId": "111111111111",
        "InstanceConnectEndpointId": "eice-0123456789example",
        "InstanceConnectEndpointArn": "arn:aws:ec2:us-east-1:111111111111:instance-connect-endpoint/eice-0123456789example",
        "State": "create-complete",
        "StateMessage": "",
        "DnsName": "eice-0123456789example.0123abcd.ec2-instance-connect-endpoint.us-east-1.amazonaws.com",
        "FipsDnsName": "eice-0123456789example.0123abcd.fips.ec2-instance-connect-endpoint.us-east-1.amazonaws.com",
        "NetworkInterfaceIds": [
            "eni-0123abcd"
        ],
        "VpcId": "vpc-0123abcd",
        "AvailabilityZone": "us-east-1a",
        "CreatedAt": "2023-04-07T15:43:53.000Z",
        "SubnetId": "subnet-0123abcd",
        "PreserveClientIp": false,
        "SecurityGroupIds": [
            "sg-0123abcd"
        ],
        "Tags": []
}

To monitor the creation status

The initial value for the State field is create-in-progress. Before you can connect to an instance using this endpoint, wait until the state is create-complete. Use the describe-instance-connect-endpoints command to monitor the status of the EC2 Instance Connect Endpoint. The --query parameter filters the results to the State field.


aws ec2 describe-instance-connect-endpoints --instance-connect-endpoint-ids eice-0123456789example --query InstanceConnectEndpoints[*].State --output text

The following is example output.


create-complete

PowerShell

To create the EC2 Instance Connect Endpoint

Use the New-EC2InstanceConnectEndpoint cmdlet.


New-EC2InstanceConnectEndpoint -SubnetId subnet-0123456789example

The following is example output.


OwnerId                     : 111111111111
InstanceConnectEndpointId   : eice-0123456789example
InstanceConnectEndpointArn  : arn:aws:ec2:us-east-1:111111111111:instance-connect-endpoint/eice-0123456789example
State                       : create-complete
StateMessage                : 
DnsName                     : eice-0123456789example.0123abcd.ec2-instance-connect-endpoint.us-east-1.amazonaws.com
FipsDnsName                 : eice-0123456789example.0123abcd.fips.ec2-instance-connect-endpoint.us-east-1.amazonaws.com
NetworkInterfaceIds         : {eni-0123abcd}
VpcId                       : vpc-0123abcd
AvailabilityZone            : us-east-1a
CreatedAt                   : 4/7/2023 3:43:53 PM
SubnetId                    : subnet-0123abcd
PreserveClientIp            : False
SecurityGroupIds            : {sg-0123abcd}
Tags                        : {}

To monitor the creation status

The initial value for the State field is create-in-progress. Before you can connect to an instance using this endpoint, wait until the state is create-complete. Use the Get-EC2InstanceConnectEndpoint cmdlet to monitor the status of the EC2 Instance Connect Endpoint. .State.Value filters the results to the State field.


(Get-EC2InstanceConnectEndpoint -InstanceConnectEndpointId "eice-0123456789example").State.Value

The following is example output.


create-complete

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Security groups

Connect to an instance