Amazon EC2 Instance Connect - CLI error

0

I have followed all the instructions to connect to my EC2 instance Private IP (No Public IP) as described here - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-methods.html#connect-linux-inst-eic-cli-ssh

It always ends with the following error -

Websocket Closure Reason: Unable to connect to target kex_exchange_identification: Connection closed by remote host Connection closed by UNKNOWN port 65535

Any help will be highly appreciated.

KrisL
asked a month ago · 214 views
5 Answers
0
Accepted Answer

Steve - I think you hit the nail on the head. I had to set the preserveClientIp to true and after that everything works as expected.

Thank you!

KrisL
answered a month ago
0

Hello.

As mentioned in the prerequisites, are you using an OS supported by EC2 Instance Connect?
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-prerequisites.html

  • AL2023
  • Amazon Linux 2 2.0.20190618 or later
  • macOS Sonoma 14.2.1 or later
  • macOS Ventura 13.6.3 or later
  • macOS Monterey 12.7.2 or later
  • Ubuntu 20.04 or later

By the way, you need to install EC2 Instance Connect yourself for the following operating systems.

EC2 Instance Connect is not preinstalled on the following AMIs, but you can install it on instances that are launched using the following AMIs:

  • Amazon Linux 2 prior to version 2.0.20190618
  • CentOS Stream 8 and 9
  • macOS Sonoma prior to 14.2.1, Ventura prior to 13.6.3, and Monterey prior to 12.7.2
  • Red Hat Enterprise Linux (RHEL) 8 and 9
  • Ubuntu 16.04 or 18.04
answered a month ago
0

I created a new Ubuntu instance from amazon/ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-20240301, so I am guessing that "EC2 Instance Connect" is already available.

Also, when I run the aws command with --debug, I see that it eventually figures out the InstanceConnectEndpointId and adds the appropriate options to the ssh command. Here are some of the details from the debug output:

debug1: Executing proxy command: exec aws ec2-instance-connect open-tunnel --instance-id REDACTED --private-ip-address 10.0.1.246 --remote-port 22 --instance-connect-endpoint-id eice-REDACTED --instance-connect-endpoint-dns-name eice-REDACTED-instance-connect-endpoint.us-east-1.amazonaws.com

debug1: identity file ....

Finally, the same error that I posted in the original post:

Websocket Closure Reason: Unable to connect to target kex_exchange_identification: Connection closed by remote host Connection closed by UNKNOWN port 65535

KrisL
answered a month ago
0

Thanks for helping here. My inbound rules for the security group attached to this eice endpoint allow SSH traffic on port 22 from my specific IP. From the documentation link that you posted, I guess I am using "Allow inbound traffic from the client IP address." I don't have any restrictions on the outbound rules for this security group.

(image: SG Inbound rules)

KrisL
answered a month ago
0

There are two separate security groups that have to be considered here.

The security group associated with the instance endpoint (not the instance itself) should allow inbound from the client IP address, and outbound to all (actually you can tighten up the outbound rule to just the CIDR range of the VPC).
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eice-security-groups.html#eice-security-group-rules

The security group associated with the instance itself (not the endpoint) needs at least two inbound rules. The first has the EC2 Instance Connect Endpoint security group as its source.

The second rule's setting depends on the value of Preserve Client IP (this is a value you would have set when you created the endpoint; by default the box is unchecked and so the parameter is set to false).


https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eice-security-groups.html#resource-security-group-rules

  • If preserveClientIp is false (the default), then the security group associated with the instance must allow inbound traffic from the VPC CIDR.
  • If preserveClientIp is true, then it must allow inbound traffic from the client IP address.

Also worth noting here is that, depending on the EC2 instance type, you may not have a choice:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-using-eice.html#ec2-instance-connect-endpoint-limitations

The following instance types do not support client IP preservation: C1, CG1, CG2, G1, HI1, M1, M2, M3, and T1. If you are using one of these instance types, set the preserveClientIp parameter to false.

Steve_M
answered a month ago
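The rules Steve_M lays out above can be checked mechanically before you start tunnelling. The following is an added example written for this thread, not AWS code or code from anyone in the discussion: a small Python checker that encodes the endpoint-SG and instance-SG requirements, including the preserveClientIp branch and the instance families that cannot preserve the client IP, and runs them over dictionaries shaped like `aws ec2 describe-security-groups` output (`IpPermissions` / `IpPermissionsEgress`). The security-group IDs, VPC CIDR, client IP and instance type are constructed for the example; in practice you would feed it the real `describe-security-groups` JSON for the two groups.

```python
"""Offline checker for the two security groups behind an EC2 Instance Connect Endpoint.

Added example for this thread; not AWS code or the asker's code. The dictionaries
mirror the shape of `aws ec2 describe-security-groups` output, and all IDs, CIDRs
and IPs below are constructed.
"""
import ipaddress

# Instance families the documentation lists as not supporting client IP preservation.
NO_CLIENT_IP_PRESERVATION = {"c1", "cg1", "cg2", "g1", "hi1", "m1", "m2", "m3", "t1"}


def rule_covers_ssh(rule):
    """True if one IpPermissions entry admits TCP/22 (or all protocols and ports)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # "-1" is the "all traffic" protocol in SG rules
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= 22 <= rule.get("ToPort", 65535)


def cidr_covers(cidr, target):
    """True if `cidr` contains `target`, where target is a bare IP or a CIDR string."""
    outer = ipaddress.ip_network(cidr, strict=False)
    inner = ipaddress.ip_network(target, strict=False)   # a bare IP becomes a /32 or /128
    return inner.version == outer.version and inner.subnet_of(outer)


def ssh_sources(rules):
    """Split the SSH-capable rules into their CIDR sources and security-group sources."""
    ssh = [r for r in rules if rule_covers_ssh(r)]
    cidrs = [ir["CidrIp"] for r in ssh for ir in r.get("IpRanges", [])]
    cidrs += [ir["CidrIpv6"] for r in ssh for ir in r.get("Ipv6Ranges", [])]
    groups = {p["GroupId"] for r in ssh for p in r.get("UserIdGroupPairs", [])}
    return cidrs, groups


def check_endpoint_sg(sg, *, client_ip, vpc_cidr):
    """Endpoint SG: inbound TCP/22 from the client, outbound able to reach the VPC."""
    findings = []
    in_cidrs, _ = ssh_sources(sg.get("IpPermissions", []))
    if not any(cidr_covers(c, client_ip) for c in in_cidrs):
        findings.append(f"endpoint SG: no inbound TCP/22 rule covering client {client_ip}")
    out_cidrs, _ = ssh_sources(sg.get("IpPermissionsEgress", []))
    if not any(cidr_covers(c, vpc_cidr) for c in out_cidrs):
        findings.append(f"endpoint SG: no outbound rule reaching VPC {vpc_cidr} on TCP/22")
    return findings


def check_instance_sg(sg, *, endpoint_sg_id, preserve_client_ip, vpc_cidr, client_ip, instance_type):
    """Instance SG: source = endpoint SG, plus VPC CIDR or client IP depending on preserveClientIp."""
    findings = []
    cidrs, groups = ssh_sources(sg.get("IpPermissions", []))
    if endpoint_sg_id not in groups:
        findings.append(f"instance SG: no inbound TCP/22 rule with source {endpoint_sg_id}")
    family = instance_type.split(".")[0].lower()
    if preserve_client_ip and family in NO_CLIENT_IP_PRESERVATION:
        findings.append(f"instance SG: {instance_type} cannot preserve client IP; set preserveClientIp=false")
    required = client_ip if preserve_client_ip else vpc_cidr
    if not any(cidr_covers(c, required) for c in cidrs):
        findings.append(f"instance SG: no inbound TCP/22 rule covering {required} "
                        f"(preserveClientIp={str(preserve_client_ip).lower()})")
    return findings


# Constructed sample mirroring the thread: the endpoint SG admits the client, and the
# instance SG trusts the endpoint SG and the client IP but not the VPC CIDR.
CLIENT_IP = "203.0.113.10"
VPC_CIDR = "10.0.0.0/16"
ENDPOINT_SG_ID = "sg-0eice00example"

ENDPOINT_SG = {
    "GroupId": ENDPOINT_SG_ID,
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": CLIENT_IP + "/32"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}
INSTANCE_SG = {
    "GroupId": "sg-0inst00example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "UserIdGroupPairs": [{"GroupId": ENDPOINT_SG_ID}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": CLIENT_IP + "/32"}]},
    ],
}


def diagnose(preserve_client_ip, instance_type="t3.micro"):
    """Run both checks against the constructed sample for a given endpoint setting."""
    return (check_endpoint_sg(ENDPOINT_SG, client_ip=CLIENT_IP, vpc_cidr=VPC_CIDR)
            + check_instance_sg(INSTANCE_SG, endpoint_sg_id=ENDPOINT_SG_ID,
                                preserve_client_ip=preserve_client_ip, vpc_cidr=VPC_CIDR,
                                client_ip=CLIENT_IP, instance_type=instance_type))


if __name__ == "__main__":
    for flag in (False, True):
        print(f"preserveClientIp={str(flag).lower()}:", diagnose(flag) or ["OK"])
```

With the default `preserveClientIp=false`, the sample instance group fails because the tunnel's traffic arrives from inside the VPC and nothing admits the VPC CIDR; flipping the flag to true makes the same group pass, which is the change that resolved the thread. Running the check with an `m1.small` instance type shows the third finding: that family cannot preserve the client IP, so the only workable configuration is the VPC-CIDR rule.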
