Lesson 3-AWS SysOps Administrator Associate

EC2 SSH Connectivity & Troubleshooting

Master SSH connections to EC2 instances, including traditional SSH, EC2 Instance Connect, and EIC Endpoints for private instances.


What You'll Learn

Connecting to Your EC2 Instances

Secure Shell (SSH) is the primary method for connecting to Linux EC2 instances. As a CloudOps engineer, you'll frequently need to troubleshoot connection issues and understand the various methods AWS provides for accessing instances. This lesson covers traditional SSH, EC2 Instance Connect, and the newer EIC Endpoints for private instances.

Key Point

AWS provides multiple methods for SSH access: traditional SSH, EC2 Instance Connect, and EIC Endpoints for private instances.

Vocabulary

Key Terms

  • SSH (Secure Shell): A cryptographic network protocol for secure remote login and command execution over unsecured networks
  • Security Group: A virtual firewall that controls inbound and outbound traffic for EC2 instances
  • EC2 Instance Connect: An AWS service that allows browser-based SSH access without managing SSH keys on your local machine

SSH Troubleshooting

When SSH connections fail, the error messages provide clues about what went wrong. Understanding these common errors and their solutions is essential for any CloudOps engineer. Let's examine the most frequent SSH issues and how to resolve them.

Key Point

SSH errors can be diagnosed by understanding the specific error messages and their causes.

Comparison

Common SSH Errors and Solutions

Error Message                | Cause                         | Solution
Unprotected Private Key File | Key file permissions too open | chmod 400 on the .pem file
Host Key Not Found           | Wrong username for the AMI    | Use correct OS username (ec2-user, ubuntu, etc.)
Permission Denied            | Wrong username or key         | Verify username and key pair match
Connection Closed by Port 22 | Wrong username or SSH config  | Check username and SSH service status
Connection Timed Out         | Network/firewall issue        | Check SG, NACL, routes, public IP

Private Key Permissions

Your private key (.pem file) must have permissions set to 400 on Linux/macOS. Run: chmod 400 your-key.pem. If the permissions are more open than that, SSH refuses to use the key, because a key that other users on the machine can read is no longer private.

Connection Timed Out Checklist

  1. Security Group: Verify inbound rule allows SSH (TCP 22) from your IP address
  2. Network ACL: Check that the subnet's NACL allows inbound port 22 and outbound ephemeral ports
  3. Route Table: Confirm the subnet has a route to an Internet Gateway for public instances
  4. Public IP: Ensure the instance has a public IPv4 address (or Elastic IP)
  5. CPU Load: High CPU utilization can prevent the SSH daemon from responding
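To make the first item of this checklist mechanical, here is an added example (not course material) that evaluates a security group's inbound rules, in the IpPermissions shape that `aws ec2 describe-security-groups` returns, against a client address and also flags rules that open the port to the whole Internet; the rules it inspects are constructed sample data.

```python
"""Check a security group's inbound rules for SSH reachability from a client IP.

Added example for the 'Connection Timed Out' checklist; not part of the course.
It works on the IpPermissions shape returned by `aws ec2 describe-security-groups`;
the rules below are constructed sample data, not a real account's configuration.
"""
import ipaddress

# Constructed sample: one security group's inbound rules (IpPermissions).
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]


def _source_ranges(rule, port):
    """Yield (cidr, network) for each source range of a rule that covers TCP/port."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):  # "-1" means all protocols and carries no ports
        return
    if proto == "tcp" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return
    for entry in rule.get("IpRanges", []):
        yield entry["CidrIp"], ipaddress.ip_network(entry["CidrIp"], strict=False)
    for entry in rule.get("Ipv6Ranges", []):
        yield entry["CidrIpv6"], ipaddress.ip_network(entry["CidrIpv6"], strict=False)


def ssh_allowed_from(ingress, client_ip, port=22):
    """Return the CIDR of the first rule admitting TCP/port from client_ip, or
    None when no rule matches (the security-group cause of 'Connection timed out')."""
    addr = ipaddress.ip_address(client_ip)
    for rule in ingress:
        for cidr, net in _source_ranges(rule, port):
            if net.version == addr.version and addr in net:
                return cidr
    return None


def world_open_rules(ingress, port=22):
    """Return source CIDRs (0.0.0.0/0 or ::/0) that expose TCP/port to the whole
    Internet; the lesson's guidance is to allow only your IP or AWS's ranges."""
    return [cidr for rule in ingress for cidr, net in _source_ranges(rule, port)
            if net.prefixlen == 0]
```

A None result from ssh_allowed_from means the security group is the reason for the timeout; a non-empty world_open_rules result means the group is wider than the lesson's "your IP only" recommendation.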

AMI-Specific Usernames

Different AMIs use different default usernames:

  • Amazon Linux: ec2-user
  • Ubuntu: ubuntu
  • RHEL: ec2-user or root
  • CentOS: centos
  • Debian: admin
  • SUSE: ec2-user

Traditional SSH vs EC2 Instance Connect

Traditional SSH requires you to manage private keys locally and configure security groups to allow your specific IP address. EC2 Instance Connect simplifies this by pushing a temporary SSH public key to the instance that's valid for only 60 seconds. Instead of allowing your personal IP, you allow AWS's EC2 Instance Connect IP ranges.

Key Point

EC2 Instance Connect uses temporary keys valid for 60 seconds, simplifying key management.

SSH Connection Methods

[Figure: Comparison of traditional SSH and EC2 Instance Connect, two ways to connect to EC2]

  • Traditional SSH: direct connection with your key. Security group: allow your specific IP (e.g., 1.2.3.4/32).
  • EC2 Instance Connect: browser-based with temporary keys. Security group: allow the EC2_INSTANCE_CONNECT IP ranges.

How EC2 Instance Connect Works

  1. User Initiates Connection: the user clicks 'Connect' in the EC2 console or uses the EC2 Instance Connect CLI.
  2. API Pushes Temporary Key: the EC2 Instance Connect API pushes a one-time SSH public key to the instance's metadata.
  3. 60-Second Window: the temporary key is valid for only 60 seconds, providing secure short-lived access.
  4. SSH Connection Established: the user connects via SSH using the temporary credentials from AWS's IP range.

EC2 Instance Connect IP Ranges

To use EC2 Instance Connect, your security group must allow SSH from AWS's EC2_INSTANCE_CONNECT service IP ranges. You can find these ranges at: https://ip-ranges.amazonaws.com/ip-ranges.json (filter for service: EC2_INSTANCE_CONNECT)
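An added example (not AWS's or the course's own code) that pulls the EC2_INSTANCE_CONNECT prefixes for one region out of an ip-ranges.json document and builds the matching inbound rule; the document it parses is a constructed sample with documentation CIDRs, and comparing syncToken is a suggested way to notice when the published ranges change.

```python
"""List the EC2_INSTANCE_CONNECT prefixes for a region from ip-ranges.json and
turn them into a security group ingress rule.

Added example, not AWS's or the course's own code. SAMPLE_IP_RANGES is a
constructed document mirroring the real file's structure; its CIDRs are
documentation ranges, not AWS prefixes. Pass the parsed live file as `doc`.
"""
SERVICE = "EC2_INSTANCE_CONNECT"

# Constructed sample in the shape of ip-ranges.json (prefixes / ipv6_prefixes).
SAMPLE_IP_RANGES = {
    "syncToken": "0000000000",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/29", "region": "us-east-1",
         "service": SERVICE, "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/29", "region": "eu-west-1",
         "service": SERVICE, "network_border_group": "eu-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1",
         "service": SERVICE, "network_border_group": "us-east-1"},
    ],
}


def instance_connect_prefixes(doc, region):
    """Return (ipv4_cidrs, ipv6_cidrs) tagged EC2_INSTANCE_CONNECT in `region`,
    sorted so the result is stable for diffing against a stored copy."""
    v4 = sorted(p["ip_prefix"] for p in doc["prefixes"]
                if p["service"] == SERVICE and p["region"] == region)
    v6 = sorted(p["ipv6_prefix"] for p in doc["ipv6_prefixes"]
                if p["service"] == SERVICE and p["region"] == region)
    return v4, v6


def ingress_rule(v4, v6, port=22):
    """Build the IpPermissions entry for `aws ec2 authorize-security-group-ingress`
    that admits SSH only from the given service prefixes."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c, "Description": SERVICE} for c in v4],
            "Ipv6Ranges": [{"CidrIpv6": c, "Description": SERVICE} for c in v6]}


def ranges_changed(doc, last_sync_token):
    """syncToken changes whenever AWS republishes the file; compare it with the
    token saved when the rule was last applied to see if a refresh is due."""
    return doc["syncToken"] != last_sync_token
```

Restricting the rule to the region your instances live in keeps the allow list as small as possible; the live file carries one EC2_INSTANCE_CONNECT entry per region.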

EC2 Instance Connect Endpoint (EIC Endpoint)

What about private instances with no public IP and no Internet access? The EC2 Instance Connect Endpoint solves this problem. It allows you to connect securely to private EC2 instances without requiring an Internet Gateway, NAT Gateway, or any Internet connectivity. The EIC Endpoint acts as a secure tunnel from your network to your private instances.

Key Point

EIC Endpoints enable SSH access to private instances without any Internet connectivity requirements.

EIC Endpoint Architecture

[Figure: How EIC Endpoint enables private instance access]

  Administrator (user needing access) -> EIC Endpoint (in private subnet) -> Private EC2 (no public IP, no IGW needed)

Comparison

EIC Endpoint Security Group Requirements

Component       | Rule Type | Configuration
EIC Endpoint SG | Outbound  | SSH (TCP 22) to target EC2 instances
EC2 Instance SG | Inbound   | SSH (TCP 22) from EIC Endpoint SG

Security groups must be configured on both the EIC Endpoint and the target EC2 instances.

EIC Endpoint Benefits

  • No Internet Gateway required in your VPC
  • No NAT Gateway costs for SSH access
  • No public IP addresses on instances
  • No bastion hosts to manage
  • Secure access to fully private instances

Reflection

Pause & Ponder

When would you choose each SSH access method for your EC2 instances?

  • Consider a development environment with frequently changing developer IPs
  • Think about a production environment with strict security requirements
  • What about compliance requirements that prohibit public IP addresses?
