Connecting to an AWS private EC2 instance using OpenSSH without a Bastion Host



Connecting to an AWS private EC2 instance using OpenSSH requires a few prerequisites and steps.


  1. Ensure you have OpenSSH installed.

  2. Make sure you have AWS CLI version 2.12.6 or later installed.

  3. Set up an EC2 Instance Connect Endpoint (EICE) in your VPC for the subnet where your EC2 instance resides.

Steps to connect to your private instance using SSH:

  1. Create a private EC2 instance and an EC2 Instance Connect Endpoint in your VPC for the relevant subnet.

  2. Ensure that the proper security group is associated, one that allows SSH (port 22) from your IP addresses.

  3. On your local machine (or whichever device you will use to connect via SSH), verify that the correct version of the AWS CLI is installed. You can check this by running aws ec2-instance-connect help and ensuring that the open-tunnel and ssh options are available. If they are not, update your AWS CLI.

    For a single connection to your EC2 instance, use the following command:

    ssh -i my-key-pair.pem ec2-user@i-0123456789example \
        -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id i-0123456789example'

  • Ensure that you have properly configured your AWS CLI (credentials and region).

  • -i – Specify the key pair that was used to launch the instance.

  • ec2-user@i-0123456789example – Specify the username of the AMI that was used to launch the instance, followed by the instance ID.

  • --instance-id – Specify the ID of the instance to connect to. Alternatively, specify %h, which makes ssh substitute the host part of the target (here the instance ID) so you do not have to repeat it in the ProxyCommand.

    To enable multiple connections to your EC2 instance, follow these steps:

  • Start listening for new TCP connections by running the open-tunnel command with the AWS CLI. This command sets up a secure tunnelling service on a local port:

    aws ec2-instance-connect open-tunnel \
        --instance-id i-0123456789example \
        --local-port 8888

  • Once the tunnel is established, you can create new TCP connections and private tunnels to your EC2 instance with the ssh command, allowing multiple users to connect simultaneously.

  • In a new terminal window, run the following SSH command to create a new TCP connection and a private tunnel to your instance:

    ssh -i my-key-pair.pem ec2-user@localhost -p 8888

  • By running the open-tunnel command and using SSH to create private tunnels through it, you can enable multiple connections to your EC2 instance, facilitating collaboration and remote access for multiple users.
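As an added example (not code from the original post), the following POSIX shell script automates the checks from the steps above: it parses the aws --version banner against the 2.12.6 minimum, confirms the open-tunnel subcommand is present, and then opens the single-connection SSH session using %h in the ProxyCommand. The script name eice-ssh.sh and the argument order are my assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check the AWS CLI prerequisite
# stated in the post and open the EICE-based ssh session for an instance ID.
# Assumptions: instance ID, key file and optional username are passed as arguments.
set -eu

MIN_AWS_CLI="2.12.6"   # minimum version the post requires

# Convert "major.minor.patch" into a single comparable integer.
version_num() {
  IFS=. read -r major minor patch <<EOF
$1
EOF
  echo $(( major * 1000000 + minor * 1000 + ${patch:-0} ))
}

# Succeed (exit 0) when the "aws --version" banner in $1,
# e.g. "aws-cli/2.13.0 Python/3.11.4 ...", is at least MIN_AWS_CLI.
aws_cli_version_ok() {
  ver=${1#aws-cli/}
  ver=${ver%% *}
  [ "$(version_num "$ver")" -ge "$(version_num "$MIN_AWS_CLI")" ]
}

# Print the single-connection ssh command from the post. %h in ProxyCommand
# makes ssh substitute the host part of the target (the instance ID), so the
# ID does not have to be typed twice.
eice_ssh_command() {
  instance=$1; key=$2; user=${3:-ec2-user}
  printf "ssh -i %s %s@%s -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id %%h'\n" \
    "$key" "$user" "$instance"
}

# Live checks and the real connection, run only when arguments are supplied:
#   sh eice-ssh.sh i-0123456789example my-key-pair.pem [ec2-user]
if [ $# -gt 0 ]; then
  user=${3:-ec2-user}
  banner=$(aws --version 2>&1)
  if ! aws_cli_version_ok "$banner"; then
    echo "AWS CLI $MIN_AWS_CLI or newer is required, found: $banner" >&2
    exit 1
  fi
  # The open-tunnel subcommand only exists in CLI builds that support EICE.
  aws ec2-instance-connect open-tunnel help >/dev/null 2>&1 ||
    { echo "open-tunnel subcommand not available; update the AWS CLI" >&2; exit 1; }
  echo "Connecting with: $(eice_ssh_command "$1" "${2:?key file}" "$user")"
  exec ssh -i "$2" "$user@$1" -o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id %h'
fi
```

The instance's security group must still permit port 22 from the endpoint, exactly as in step 2; the script only checks the client side.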

Author: Sathiya Narayanan S

BootLabs Technologies