EC2 Instance Connect Endpoint blocks ports other than 22 and 3389


On June 14th, 2023 AWS launched new connectivity options for EC2 Instance Connect -

This was a great improvement as it allowed direct secure access to RDS databases in private subnets without having to go through an existing EC2 instance (either via SSH or AWS SSM). In our particular case we have no need to run any EC2 instances at all as we're "serverless".

Around June 28th this stopped working.

Running the following:

aws ec2-instance-connect open-tunnel \
  --private-ip-address <IP-ADDRESS-WAS-HERE> \
  --instance-connect-endpoint-id "<ENDPOINT-ID-WAS-HERE>" \
  --remote-port 5432 \
  --local-port 5432 \
  --region us-west-2

now returns

Listening for connections on port 5432.
[1] Accepted new tcp connection, opening websocket tunnel.

awscli.customizations.ec2instanceconnect.websocket - ERROR - {"ErrorCode":"InvalidParameter","Message":"The specified RemotePort is not valid. Specify either 22 or 3389 as the RemotePort and retry your request."}

AWS_ERROR_HTTP_WEBSOCKET_UPGRADE_FAILURE: Failed to upgrade HTTP connection to Websocket.

Now of course we can spin up an EC2 instance and use SSH or AWS SSM to port forward access to our database, but the original approach worked fantastically and reduced our security and audit burden. Can anyone from AWS comment on why the pre-existing solution was disabled and if we can expect it to be fixed in the future?

asked 9 months ago, 1125 views
3 Answers

EC2 Instance Endpoint Connect is developed for the purpose of connecting to EC2 instances in a private subnet securely, without the need for a bastion host/VPN. It supports only SSH and RDP as of now. It doesn't support any database connectivity, as the tools used to connect to databases use different protocols and handshakes. EC2 Instance Endpoint Connect is designed only to serve the purpose of connecting to EC2.

For your use case, to eliminate the need for EC2 to connect to the database, you may optionally set up the AWS Client Endpoint VPN.

If someone visiting this post wanted to take a look at how to set up EC2 Endpoint Connect - here is a blog -

answered 9 months ago

Looks like with EC2 Instance Connect Endpoint (EIC Endpoint), customers have SSH and RDP connectivity to their EC2 instances without using public IP addresses currently.

AWS
answered 9 months ago

Here, a tunnel connection is not necessary. The primary objective of this feature is to disable the public IP and private key. You can achieve this by simply creating an IAM policy and configuring the security group. For additional details, please refer to this GitHub repository:

answered 7 months ago
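The answer above mentions an IAM policy but the repository link did not survive. The following is an added example, not taken from that repository or from AWS, of a least-privilege policy for `ec2-instance-connect:OpenTunnel` that reflects the service constraint discussed in this thread (tunnels only to port 22 or 3389): it allows SSH tunnels only, only through one named endpoint, only to one private subnet, and caps tunnel duration. The account ID, region, endpoint ID and CIDR are placeholders; the condition key names `ec2-instance-connect:remotePort`, `ec2-instance-connect:privateIpAddress` and `ec2-instance-connect:maxTunnelDuration` are assumed from the AWS documentation for EIC Endpoint and should be checked against the current docs before use.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "OpenTunnelSshOnlyViaOneEndpointToOneSubnet",
      "Effect": "Allow",
      "Action": "ec2-instance-connect:OpenTunnel",
      "Resource": "arn:aws:ec2:us-west-2:111111111111:instance-connect-endpoint/eice-PLACEHOLDER",
      "Condition": {
        "NumericEquals": {
          "ec2-instance-connect:remotePort": "22"
        },
        "IpAddress": {
          "ec2-instance-connect:privateIpAddress": "10.0.1.0/24"
        },
        "NumericLessThanEquals": {
          "ec2-instance-connect:maxTunnelDuration": "3600"
        }
      }
    },
    {
      "Sid": "LetTheCliResolveTheEndpoint",
      "Effect": "Allow",
      "Action": "ec2:DescribeInstanceConnectEndpoints",
      "Resource": "*"
    }
  ]
}
```

With this policy a request for `--remote-port 5432` is denied by IAM before it ever reaches the service-side port check shown in the question, so the denial appears in CloudTrail as an `OpenTunnel` AccessDenied event that can be alerted on.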
