Recently I set up a NAT gateway using fck-nat and deployed an ECS service to the private subnet with an EC2 Auto Scaling Group.
Initially I had some issues with the ECS service deployment, and the AWS Console wasn’t giving me enough information to resolve the problem, so I needed to SSH into the deployment to get more information.
So I created an EC2 Instance Connect Endpoint in the private subnet and added security groups to the ECS’s Auto Scaling Group to allow SSH traffic from the EC2 Instance Connect Endpoint’s security group.
Sadly, the Amazon Linux 2 ECS Optimized AMI does NOT come with the ec2-instance-connect service pre-installed. You must carefully read the EC2 Instance Connect installation instructions to figure out that the normal Amazon Linux 2 AMI includes the ec2-instance-connect daemon, but the Amazon Linux 2 ECS Optimized AMI image does NOT include it.
To fix this, I had to add this command to the AutoScaling Group EC2 user data:
sudo yum install -y ec2-instance-connect
Notice the -y option there. If you leave that out, then yum will ignore the installation request because the user data is run in non-interactive mode.
I originally omitted the -y flag because the AWS documentation (as of October 2024) leaves it out! It took me a while to figure this out, but once I added the -y flag, everything worked great.
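A pre-deployment check for the missing -y problem described above, as an added example that is not part of the original post: it scans a user data script for yum transactions that lack -y or --assumeyes. The function name lint_userdata_yum and the sample script are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag yum transactions in EC2 user data that lack -y.
# lint_userdata_yum and the sample script below are constructed names/data.

# Prints "N: line" for each yum install/update/remove-style command without
# -y or --assumeyes; returns 1 if any were found, 0 otherwise.
# Works line by line, so backslash-continued commands are not followed.
lint_userdata_yum() {
  _txn='(^|[;&|[:space:]])yum[[:space:]]+([^;&|]*[[:space:]])?(install|reinstall|update|upgrade|remove|erase|downgrade|localinstall|groupinstall)([[:space:]]|$)'
  _yes='[[:space:]](--assumeyes|-[A-Za-z]*y[A-Za-z]*)([[:space:]]|$)'
  # Drop comments first (this also blanks the shebang), keeping line numbers.
  _hits=$(sed 's/#.*$//' "$1" | grep -nE "$_txn" | grep -vE "$_yes" |
          sed 's/^\([0-9]*\):/\1: /')
  if [ -n "$_hits" ]; then
    printf '%s\n' "$_hits"
    return 1
  fi
  return 0
}

# Constructed sample user data: line 2 has no -y, line 3 does.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/bash
sudo yum install ec2-instance-connect
yum -qy update
EOF
lint_userdata_yum "$sample" || echo "user data contains yum commands without -y"
rm -f "$sample"
```

Run it against the user data file before attaching it to the launch template; a non-zero exit status means at least one yum command would reach a confirmation prompt.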
Regardless of the missing -y flag, the rest of the EC2 Instance Connect setup instructions are great. Just make sure that the EC2 instances you want to connect to have security group ingress rules that allow for traffic from the EC2 Instance Connect Endpoint.