By default, AWS Linux EC2 instances use an SSH key file instead of a user ID and password for authentication. This reduces the chance of somebody trying to guess the user ID and password.
In this article, we discuss how to securely connect to an EC2 instance hosted in a private VPC subnet.
Connect EC2 in private subnet with Bastion host
AWS lets you log in to an EC2 instance in a private subnet using key pairs with a bastion host. However, this is not secure and AWS does not recommend this approach, because to connect to the EC2 instance you need to store its private key on the bastion host, which is a public server hosted in a public subnet.
The following demonstration requires a non-default VPC with public and private subnets. If you already have this set up, jump directly to the steps below. Otherwise, refer to Configure your own VPC in AWS.
Launch EC2 in VPC Subnets
Sign in to the AWS Console and open the EC2 service.
Here, we launch one EC2 instance in each of the public and private subnets. Refer to How to launch an Amazon EC2 to create an EC2 instance in AWS.
Launch an Amazon RHEL EC2 in public subnet


Please note that the EC2 instance launched in the public subnet is considered the bastion host.
Launch an Amazon RHEL EC2 in private subnet


Connect to EC2 (Bastion) in Public Subnet
Let's connect to the instance using the EC2 public IP.

Now we have successfully connected to the EC2 instance (bastion host) in the public subnet. Next, we need to connect to the EC2 instance in the private subnet.
For this, we need to store the private key of the private-subnet EC2 instance on the bastion host.
Connect to EC2 in Private Subnet
- First, copy the .pem file of the private EC2 instance to the bastion host. To do that, open the .pem key file in Notepad or another supported app and copy the key file content. Make sure no additional whitespace is copied.
- Create a file on the bastion and paste the copied content into it.
- Execute chmod 400 on the key file.
- Now log in to the EC2 instance from the bastion using the private key, with the command below:
ssh -i <yourkeyfile.pem> ec2-user@EC2IP_PrivateSubnet

We are able to successfully connect to the EC2 instance in the private subnet. However, this is not secure, because we are storing the key file on the bastion host to access the EC2 instance. In the next section, we discuss how to access the private instance securely.
Client SSH Agent Forwarding (ssh-agent)
This option allows you to connect to the EC2 instance in the private subnet without storing the key file on the bastion host: the key stays in the agent on your workstation, and the bastion forwards authentication requests to it. Let's follow the steps below.
1. Download Pageant
Pageant provides the SSH agent functionality needed for agent forwarding. Once Pageant is installed, you can use PuTTY on Windows for agent forwarding.
2. Convert the .pem to .ppk key file
On Windows, you can use PuTTY to connect to an Amazon Linux EC2 instance. To connect through PuTTY from Windows, you need this key file conversion.
Refer to the EC2 launch article to learn how to convert a .pem file to a .ppk file.
3. Configure ssh-agent on Windows
Once the .ppk key file of the EC2 instance (private subnet) is ready, launch Pageant, which runs as a Windows service. Now click Add Key.

After you click Add Key, Pageant prompts you for the .ppk key file of your private EC2 instance.

Close Pageant after adding the .ppk file.
Now open PuTTY and check the Allow agent forwarding option under Auth.

With the Allow agent forwarding option enabled, log in to your bastion host using SSH on port 22.
Note: a. If you created the EC2 instances in the public and private subnets with different private keys, then during SSH to the bastion you need to provide the .ppk file of the public EC2 instance.
b. If you launched both EC2 instances with the same key file, leave the private key file for authentication empty during SSH. Only the Allow agent forwarding option needs to be enabled.

Now connect to the private EC2 instance from the bastion without the .pem file of the private EC2 instance.

We are able to securely connect to the EC2 instance in the private subnet using agent forwarding.
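To confirm that the bastion no longer holds any private key once you switch to agent forwarding, the following script (an added example, not part of the original article) scans a directory tree for PEM, OpenSSH and PuTTY .ppk private key files. The function names and the constructed sample tree are assumptions for illustration; on a real bastion you would point bastion_is_clean at /home.

```shell
#!/bin/sh
# Added example: audit a bastion for private keys left behind by the
# copy-the-.pem approach. Function names and the sample tree are assumptions.

# Print "<permissions> <path>" for every regular file under $1 whose first line
# is a PEM/OpenSSH private-key header or a PuTTY .ppk header.
find_private_keys() {
    # Key files are small, so anything 64 KiB or larger is skipped.
    find "$1" -xdev -type f -size -64k 2>/dev/null |
    while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -Eq \
            '^(-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----|PuTTY-User-Key-File-[0-9]+:)'
        then
            printf '%s %s\n' "$(ls -ld "$f" | cut -d' ' -f1)" "$f"
        fi
    done
}

# Return 0 when no private key is found under $1, 1 otherwise (report on stderr).
bastion_is_clean() {
    hits=$(find_private_keys "$1")
    [ -z "$hits" ] && return 0
    printf 'Private key material found on bastion:\n%s\n' "$hits" >&2
    return 1
}

# Constructed sample tree standing in for /home on a bastion (no real key data).
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/ec2-user/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/ec2-user/private-ec2.pem"
    chmod 400 "$d/ec2-user/private-ec2.pem"
    printf '%s\n' 'ssh-rsa CONSTRUCTED-PUBLIC-KEY ec2-user' \
        > "$d/ec2-user/.ssh/authorized_keys"
    printf '%s\n' "$d"
}

sample=$(make_sample_home)
bastion_is_clean "$sample" || echo "key found: remove it and use agent forwarding"
rm -f "$sample/ec2-user/private-ec2.pem"
bastion_is_clean "$sample" && echo "bastion holds no private keys"
rm -rf "$sample"
```

The authorized_keys file is not reported because it holds only public keys; the check matches private key headers alone.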
I hope this article helps. Please comment below if you have any questions related to this article. Also like or share your suggestions on any topic that you want me to post.