I have instance connect working fine from the CLI on my local machine as I have my ip added to the security group for the ec2 instance for inbound ssh access.
However, the browser-based version in the EC2 Console seems to need me to add all internet for inbound access to make it work! I am sure it just needs to be certain AWS IP ranges, but there is no documentation anywhere that I can find to tell me what they are. Also, I have no idea how much of a pain this might be to maintain if those ranges are dynamic or something.
Can anyone help?
Thanks
From Set Up EC2 Instance Connect - Amazon Elastic Compute Cloud:
(Browser-based client) We recommend that your instance allows inbound SSH traffic from the recommended IP block published for the service. Use the
EC2_INSTANCE_CONNECTfilter for theserviceparameter to get the IP address ranges in the EC2 Instance Connect subset.
This is because the web browser client connects via HTTPS to the EC2 Instance Connect "service" in AWS. This service then makes the actual SSH connection to the instance.
A sample of the IP address file is:
{
"ip_prefix": "18.252.4.0/30",
"region": "us-gov-east-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "us-gov-east-1"
}
{
"ip_prefix": "15.200.28.80/30",
"region": "us-gov-west-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "us-gov-west-1"
}
{
"ip_prefix": "13.244.121.196/30",
"region": "af-south-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "af-south-1"
}
{
"ip_prefix": "3.112.23.0/29",
"region": "ap-northeast-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "ap-northeast-1"
}
{
"ip_prefix": "13.209.1.56/29",
"region": "ap-northeast-2",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "ap-northeast-2"
}
{
"ip_prefix": "13.233.177.0/29",
"region": "ap-south-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "ap-south-1"
}
{
"ip_prefix": "3.0.5.32/29",
"region": "ap-southeast-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "ap-southeast-1"
}
{
"ip_prefix": "13.239.158.0/29",
"region": "ap-southeast-2",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "ap-southeast-2"
}
{
"ip_prefix": "35.183.92.176/29",
"region": "ca-central-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "ca-central-1"
}
{
"ip_prefix": "3.120.181.40/29",
"region": "eu-central-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "eu-central-1"
}
{
"ip_prefix": "13.48.4.200/30",
"region": "eu-north-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "eu-north-1"
}
{
"ip_prefix": "15.161.135.164/30",
"region": "eu-south-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "eu-south-1"
}
{
"ip_prefix": "18.202.216.48/29",
"region": "eu-west-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "eu-west-1"
}
{
"ip_prefix": "3.8.37.24/29",
"region": "eu-west-2",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "eu-west-2"
}
{
"ip_prefix": "35.180.112.80/29",
"region": "eu-west-3",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "eu-west-3"
}
{
"ip_prefix": "18.228.70.32/29",
"region": "sa-east-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "sa-east-1"
}
{
"ip_prefix": "18.206.107.24/29",
"region": "us-east-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "us-east-1"
}
{
"ip_prefix": "3.16.146.0/29",
"region": "us-east-2",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "us-east-2"
}
{
"ip_prefix": "13.52.6.112/29",
"region": "us-west-1",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "us-west-1"
}
{
"ip_prefix": "18.237.140.160/29",
"region": "us-west-2",
"service": "EC2_INSTANCE_CONNECT",
"network_border_group": "us-west-2"
}
Thus, these are the ranges you should add to the Security Group. Just use the range(s) for the region where you are invoking EC2 Instance Connect.
NOTE: This IPs get updated, you can fetch an updated version by running (required: curl and jq):
curl -f -s -# https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service == "EC2_INSTANCE_CONNECT")'
or
curl -f -s -# https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.service == "EC2_INSTANCE_CONNECT") | .ip_prefix'
to only have the IP range list