Create an EC2 Instance Connect Endpoint
You can create an EC2 Instance Connect Endpoint to allow secure connection to your instances.
You can't modify an EC2 Instance Connect Endpoint after you've created it. Instead, you must delete the EC2 Instance Connect Endpoint and create a new one with the settings that you need.
Prerequisites
You must have the required IAM permissions to create an EC2 Instance Connect Endpoint. For more information, see Permissions to create, describe, and delete EC2 Instance Connect Endpoints.
Shared subnets
You can create an EC2 Instance Connect Endpoint in a subnet that is shared with you. You can't use a EC2 Instance Connect Endpoint that the VPC owner created in a subnet that is shared with you.
Create the endpoint using the console
Use the following procedure to create an EC2 Instance Connect Endpoint.
To create an EC2 Instance Connect Endpoint
Open the Amazon VPC console at https://console.amazonaws.cn/vpc/
. -
In the left navigation pane, choose Endpoints.
-
Choose Create endpoint, and then specify the endpoint settings as follows:
-
(Optional) For Name tag, enter a name for the endpoint.
-
For Service category, choose EC2 Instance Connect Endpoint.
-
For VPC, select the VPC that has the target instances.
-
(Optional) To preserve client IP addresses, expand Additional settings and select the check box. Otherwise, the default is to use the endpoint network interface as the client IP address.
-
(Optional) For Security groups, select the security group to associate with the endpoint. Otherwise, the default is to use the default security group for the VPC. For more information, see Security groups for EC2 Instance Connect Endpoint.
-
For Subnet, select the subnet in which to create the endpoint.
-
(Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.
-
-
Review your settings and then choose Create endpoint.
The initial status of the endpoint is Pending. Before you can connect to an instance using this endpoint, you must wait until the endpoint status is Available. This can take a few minutes.
-
To connect to an instance using your endpoint, see Connect to an instance.
Create the endpoint using the Amazon CLI
Use the create-instance-connect-endpoint
Prerequisites
Install Amazon CLI version 2 and configure it using your credentials. For more information, see Install or update to the latest version of the Amazon CLI and Configure the Amazon CLI in the Amazon Command Line Interface User Guide. Alternatively, open Amazon CloudShell and run Amazon CLI commands in its pre-authenticated shell.
To create the endpoint
Use the following command to create an endpoint network interface for your EC2 Instance Connect Endpoint in the specified subnet.
aws ec2 create-instance-connect-endpoint --subnet-id
subnet-0123456789example
The following is example output.
{
"OwnerId": "111111111111
",
"InstanceConnectEndpointId": "eice-0123456789example
",
"InstanceConnectEndpointArn": "arn:aws:ec2:us-east-1
:111111111111
:instance-connect-endpoint/eice-0123456789example
",
"State": "create-complete",
"StateMessage": "",
"DnsName": "eice-0123456789example
.0123abcd
.ec2-instance-connect-endpoint.us-east-1
.amazonaws.com",
"FipsDnsName": "eice-0123456789example
.0123abcd
.fips.ec2-instance-connect-endpoint.us-east-1
.amazonaws.com",
"NetworkInterfaceIds": [
"eni-0123abcd
"
],
"VpcId": "vpc-0123abcd
",
"AvailabilityZone": "us-east-1a
",
"CreatedAt": "2023-04-07T15:43:53.000Z
",
"SubnetId": "subnet-0123abcd
",
"PreserveClientIp": false,
"SecurityGroupIds": [
"sg-0123abcd
"
],
"Tags": []
}
To monitor the creation status
The initial value for the State
field is
create-in-progress
. Before you can connect to an instance using
this endpoint, wait until the state is create-complete
. Use the
describe-instance-connect-endpointsState
field.
aws ec2 describe-instance-connect-endpoints --instance-connect-endpoint-ids
eice-0123456789example
--query InstanceConnectEndpoints[*].State --output text
The following is example output.
create-complete