AWS recently announced Amazon EC2 Instance Connect (EIC) Endpoint, a new feature that allows users to connect securely to their instances and other Amazon Virtual Private Cloud (Amazon VPC) resources from the Internet.
Earlier, users had to connect to a bastion host with a public IP address that their administrator set up over an Internet Gateway (IGW) in their VPC and then use port forwarding to reach their destination. With EIC Endpoint, users no longer need an IGW in their VPC, a public IP address on their resource, a bastion host, or any agent to connect to their resources.
The EIC Endpoint merges identity-based and network-based access controls to fulfill the organization's security needs, ensuring isolation, control, and comprehensive logging. Moreover, it alleviates the burden on the organization's administrator by eliminating the operational tasks associated with maintaining and patching bastion hosts for connectivity. It works with the AWS Management Console and AWS Command Line Interface (AWS CLI) and provides the flexibility to continue using tools such as PuTTY and OpenSSH.
The EIC Endpoint serves as an identity-aware TCP proxy, offering two modes of operation. The first mode enables secure WebSocket tunneling from the workstation to the endpoint using AWS Identity and Access Management (IAM) credentials, allowing users to connect to resources as usual. In the second mode, when not using the AWS CLI, the Console provides secure access to VPC resources by evaluating authentication and authorization before traffic enters the VPC.
Source: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Connect-using-EC2-Instance-Connect-Endpoint.html
Ariana Rahgozar, solutions architect, and Kenneth Kitts, Sr. technical account manager at AWS, explain in an AWS Compute blog post:
EIC Endpoints provide a high degree of flexibility. First, they don’t require your VPC to have direct Internet connectivity using an IGW or NAT Gateway. Second, no agent is needed on the resource you wish to connect to, allowing for easy remote administration of resources which may not support agents, like third-party appliances. Third, they preserve existing workflows, enabling you to continue using your preferred client software on your local workstation to connect and manage your resources. And finally, IAM and Security Groups can be used to control access.
Other Public Cloud providers offer a capability like EIC Endpoints. Microsoft, for instance, offers Azure Bastion, which provides secure and seamless RDP and SSH connectivity to virtual machines (VMs) in Azure without public IP addresses or VPN connections. In addition, another example is Google Cloud, offering Cloud Identity-Aware Proxy (Cloud IAP), which provides secure access to VMs and applications hosted on Google Cloud Platform (GCP) without exposing them to the public internet.
A respondent in a Reddit thread commented:
This feels like competing against one of the best things in GCP, which is their private IAP offering.
In addition, Abdulsamad Kazeem, a data Center network capacity planner at Liberty, commented in a LinkedIn post:
EIC is highly available, and operational maintenance is the responsibility of AWS... This is more like "Bastion host as a service" - BHaaS!
EIC Endpoint is available in all AWS commercial regions and the AWS GovCloud (US) regions. Pricing-wise, customers do not incur costs for using EIC endpoints and only pay for standard data transfer.
Lastly, more details of EIC are available on the documentation pages.