Create an EC2 Instance Connect Endpoint - Amazon Elastic Compute Cloud
PrerequisitesShared subnetsCreate using the consoleCreate using the Amazon CLI
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Create an EC2 Instance Connect Endpoint

You can create an EC2 Instance Connect Endpoint to allow secure connection to your instances.

You can't modify an EC2 Instance Connect Endpoint after you've created it. Instead, you must delete the EC2 Instance Connect Endpoint and create a new one with the settings that you need.

Prerequisites

You must have the required IAM permissions to create an EC2 Instance Connect Endpoint. For more information, see Permissions to create, describe, and delete EC2 Instance Connect Endpoints.

Shared subnets

You can create an EC2 Instance Connect Endpoint in a subnet that is shared with you. You can't use a EC2 Instance Connect Endpoint that the VPC owner created in a subnet that is shared with you.

Create the endpoint using the console

Use the following procedure to create an EC2 Instance Connect Endpoint.

To create an EC2 Instance Connect Endpoint

  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. In the left navigation pane, choose Endpoints.

  3. Choose Create endpoint, and then specify the endpoint settings as follows:

    1. (Optional) For Name tag, enter a name for the endpoint.

    2. For Service category, choose EC2 Instance Connect Endpoint.

    3. For VPC, select the VPC that has the target instances.

    4. (Optional) To preserve client IP addresses, expand Additional settings and select the check box. Otherwise, the default is to use the endpoint network interface as the client IP address.

    5. (Optional) For Security groups, select the security group to associate with the endpoint. Otherwise, the default is to use the default security group for the VPC. For more information, see Security groups for EC2 Instance Connect Endpoint.

    6. For Subnet, select the subnet in which to create the endpoint.

    7. (Optional) To add a tag, choose Add new tag and enter the tag key and the tag value.

  4. Review your settings and then choose Create endpoint.

    The initial status of the endpoint is Pending. Before you can connect to an instance using this endpoint, you must wait until the endpoint status is Available. This can take a few minutes.

  5. To connect to an instance using your endpoint, see Connect to an instance.

Create the endpoint using the Amazon CLI

Use the create-instance-connect-endpoint Amazon CLI command.

Prerequisites

Install Amazon CLI version 2 and configure it using your credentials. For more information, see Install or update to the latest version of the Amazon CLI and Configure the Amazon CLI in the Amazon Command Line Interface User Guide. Alternatively, open Amazon CloudShell and run Amazon CLI commands in its pre-authenticated shell.

To create the endpoint

Use the following command to create an endpoint network interface for your EC2 Instance Connect Endpoint in the specified subnet.

aws ec2 create-instance-connect-endpoint --subnet-id subnet-0123456789example

The following is example output.

 {
        "OwnerId": "111111111111",
        "InstanceConnectEndpointId": "eice-0123456789example",
        "InstanceConnectEndpointArn": "arn:aws:ec2:us-east-1:111111111111:instance-connect-endpoint/eice-0123456789example",
        "State": "create-complete",
        "StateMessage": "",
        "DnsName": "eice-0123456789example.0123abcd.ec2-instance-connect-endpoint.us-east-1.amazonaws.com",
        "FipsDnsName": "eice-0123456789example.0123abcd.fips.ec2-instance-connect-endpoint.us-east-1.amazonaws.com",
        "NetworkInterfaceIds": [
            "eni-0123abcd"
        ],
        "VpcId": "vpc-0123abcd",
        "AvailabilityZone": "us-east-1a",
        "CreatedAt": "2023-04-07T15:43:53.000Z"
        "SubnetId": "subnet-0123abcd",
        "PreserveClientIp": false,
        "SecurityGroupIds": [
            "sg-0123abcd"
        ],
        "Tags": []
}
To monitor the creation status

The initial value for the State field is create-in-progress. Before you can connect to an instance using this endpoint, wait until the state is create-complete. Use the describe-instance-connect-endpoints Amazon CLI command to monitor the status of the EC2 Instance Connect Endpoint. The --query parameter filters the results to the State field.

aws ec2 describe-instance-connect-endpoints --instance-connect-endpoint-ids eice-0123456789example --query InstanceConnectEndpoints[*].State --output text

The following is example output.

create-complete