Connect using EC2 Instance Connect - Amazon Elastic Compute Cloud

Connect using EC2 Instance Connect

The following instructions explain how to connect to your Linux instance using EC2 Instance Connect through the Amazon EC2 console, the Amazon CLI, or an SSH client.

Requirements

Before you begin, be sure to review the prerequisites.

Connect using the Amazon EC2 console

You can connect to an instance using EC2 Instance Connect through the Amazon EC2 console. Instance Connect handles the permissions.

Requirement

To connect using the Amazon EC2 console, the instance must have a public IPv4 address. If the instance has only an IPv6 address, you can connect using the ec2-instance-connect Amazon CLI commands.

To connect to your instance using the Amazon EC2 console
  1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

  2. In the navigation pane, choose Instances.

  3. Select the instance and choose Connect.

  4. Choose the EC2 Instance Connect tab.

  5. For Connection type, choose Connect using EC2 Instance Connect.

  6. For Username, verify the username.

  7. Choose Connect to open a terminal window.

Connect using the Amazon CLI

You can use the ec2-instance-connect Amazon CLI commands to connect to your instance using an SSH client.

If you don't specify a connection type, EC2 Instance Connect tries to connect to the instance as follows:

  • Connect using the public IPv4 address.

  • If there is no public IPv4 address, connect using the private IPv4 address and an EC2 Instance Connect Endpoint.

  • If there is no private IPv4 address or no EC2 Instance Connect Endpoint, connect using the IPv6 address.

Requirements

You must use Amazon CLI version 2. For more information, see Install or update to the latest version of the Amazon CLI.

Connection types
auto (default)

The CLI tries to connect using the instance's IP addresses in the following order and with the corresponding connection type:

  • Public IPv4: direct

  • Private IPv4: eice

  • IPv6: direct

direct

The CLI tries to connect using the instance's IP addresses in the following order (it does not connect over an EC2 Instance Connect Endpoint):

  • Public IPv4

  • IPv6

  • Private IPv4

eice

The CLI always uses the instance's private IPv4 address.

Note

In the future, we might change the behavior of the auto connection type. To ensure that your desired connection type is used, we recommend that you explicitly set the --connection-type to either direct or eice.

When you connect to an instance using EC2 Instance Connect, the EC2 Instance Connect API pushes an SSH public key to the instance metadata where it remains for 60 seconds. An IAM policy attached to your user authorizes your user to push the public key to the instance metadata.

To connect to an instance using the instance ID

If you only know the instance ID, and want to let EC2 Instance Connect determine the connection type to use when connecting to your instance, use the ec2-instance-connect CLI command and specify the ssh parameter and the instance ID.

aws ec2-instance-connect ssh --instance-id i-1234567890example

Tip

If you get an error when using this command, make sure that you're using Amazon CLI version 2. The ssh parameter is only available in Amazon CLI version 2. For more information, see About Amazon CLI version 2 in the Amazon Command Line Interface User Guide.

To connect to an instance using the instance ID and an EC2 Instance Connect Endpoint

If you want to connect to your instance over an EC2 Instance Connect Endpoint, use the preceding command and also specify the --connection-type parameter with the eice value.

aws ec2-instance-connect ssh --instance-id i-1234567890example --connection-type eice

To connect to an instance using the instance ID and your own private key file

If you want to connect to your instance over an EC2 Instance Connect Endpoint using your own private key, specify the instance ID and the path to the private key file. Do not include file:// in the path; the following example will fail: file:///path/to/key.

aws ec2-instance-connect ssh --instance-id i-1234567890example --private-key-file /path/to/key.pem

Connect using your own key and SSH client

You can use your own SSH key and connect to your instance from the SSH client of your choice while using the EC2 Instance Connect API. This enables you to benefit from the Instance Connect capability to push a public key to the instance. This connection method works for instances with public and private IP addresses.

Requirements
  • Requirements for key pairs

  • When connecting to an instance that has only private IP addresses, the local computer from which you initiate the SSH session must have connectivity to the EC2 Instance Connect service endpoint (to push your SSH public key to the instance) as well as network connectivity to the instance's private IP address to establish the SSH session. The EC2 Instance Connect service endpoint is reachable over the internet or over an Amazon Direct Connect public virtual interface. To reach the instance's private IP address, you can use services such as Amazon Direct Connect, Amazon Site-to-Site VPN, or VPC peering.

To connect to your instance using your own key and any SSH client
  1. (Optional) Generate new SSH private and public keys

    You can generate new SSH private and public keys, my_key and my_key.pub, using the following command:

    ssh-keygen -t rsa -f my_key
  2. Push your SSH public key to the instance

    Use the send-ssh-public-key command to push your SSH public key to the instance. If you launched your instance using AL2023 or Amazon Linux 2, the default username for the AMI is ec2-user. If you launched your instance using Ubuntu, the default username for the AMI is ubuntu.

    The following example pushes the public key to the specified instance in the specified Availability Zone, to authenticate ec2-user.

    aws ec2-instance-connect send-ssh-public-key \
        --region us-west-2 \
        --availability-zone us-west-2b \
        --instance-id i-001234a4bf70dec41EXAMPLE \
        --instance-os-user ec2-user \
        --ssh-public-key file://my_key.pub
  3. Connect to the instance using your private key

    Use the ssh command to connect to the instance using the private key before the public key is removed from the instance metadata (you have 60 seconds before it is removed). Specify the private key that corresponds to the public key, the default username for the AMI that you used to launch your instance, and the instance's public DNS name (if connecting over a private network, specify the private DNS name or IP address). Add the IdentitiesOnly=yes option to ensure that only the files in the ssh config and the specified key are used for the connection.

    ssh -o "IdentitiesOnly=yes" -i my_key ec2-user@ec2-198-51-100-1.compute-1.amazonaws.com
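The three steps above, combined into one script as an added example (not AWS's own code): a throwaway key is generated in a temporary directory, its public half is pushed with send-ssh-public-key, and the SSH session is opened with IdentitiesOnly=yes inside the 60-second window. It assumes Amazon CLI version 2 and OpenSSH are installed and that the caller's IAM identity is allowed to push keys to the instance; the function names and the hypothetical region, Availability Zone and instance ID are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not AWS's own code: push a single-use key with
# send-ssh-public-key and open the SSH session inside the 60-second window.
# Assumes Amazon CLI v2 and OpenSSH are installed and the caller is authorised
# to push keys (ec2-instance-connect:SendSSHPublicKey) to the target instance.
set -euo pipefail

# The CLI does not accept the file:// form for --private-key-file; catch it early.
eic_check_key_path() {
  case "$1" in
    file://*) return 1 ;;
    *)        return 0 ;;
  esac
}

# True when the pushed public key has already been dropped from instance metadata.
eic_window_expired() {   # <push-epoch-seconds> <now-epoch-seconds>
  [ $(( $2 - $1 )) -ge 60 ]
}

# Arguments for send-ssh-public-key, one per line, so they can be logged
# and reused without re-quoting.
eic_send_args() {        # <region> <az> <instance-id> <os-user> <pubkey-path>
  printf '%s\n' ec2-instance-connect send-ssh-public-key \
    --region "$1" --availability-zone "$2" --instance-id "$3" \
    --instance-os-user "$4" --ssh-public-key "file://$5"
}

# Generate a throwaway key in a temp dir that is removed on exit, push the
# public half, then connect with IdentitiesOnly=yes so no other local key is offered.
eic_connect() {          # <region> <az> <instance-id> <os-user> <host>
  local dir; dir=$(mktemp -d)
  trap "rm -rf '$dir'" EXIT
  ssh-keygen -q -t ed25519 -N '' -f "$dir/key"
  local args; mapfile -t args < <(eic_send_args "$1" "$2" "$3" "$4" "$dir/key.pub")
  local pushed; pushed=$(date +%s)
  aws "${args[@]}" >/dev/null
  if ! ssh -o IdentitiesOnly=yes -o ConnectTimeout=20 -i "$dir/key" "$4@$5"; then
    if eic_window_expired "$pushed" "$(date +%s)"; then
      echo "ssh failed after the 60 s key window passed; push a fresh key and retry" >&2
    fi
    return 1
  fi
}
```

Invoke as `eic_connect us-west-2 us-west-2b i-001234a4bf70dec41EXAMPLE ec2-user ec2-198-51-100-1.compute-1.amazonaws.com` (hypothetical values); because the private key is deleted when the script exits, a compromised workstation later holds nothing that still grants access.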

Troubleshoot

If you receive an error while attempting to connect to your instance, see the following: