Amazon EC2 Instance Connect enables secure SSH access to EC2 instances without requiring a traditional SSH key pair. However, although authentication is handled through IAM and the Instance Connect endpoint, the underlying network requirements for SSH still apply.

For EC2 Instance Connect to function, the EC2 instance’s security group must allow inbound traffic on TCP port 22 from the network where the Instance Connect endpoint resides. In this case, both the endpoint and the EC2 instance are in the private subnet, so the security group must explicitly allow SSH traffic from that subnet or from the security group associated with the endpoint.

Allowing HTTPS traffic on port 443 does not enable SSH access. Systems Manager Session Manager is a separate access mechanism and does not resolve an EC2 Instance Connect failure. Recreating the instance with an SSH key pair is unnecessary because EC2 Instance Connect does not rely on key pairs.

Therefore, enabling inbound SSH traffic on port 22 from the private subnet resolves the connection issue.