We can't connect directly to a private EC2 instance from outside the VPC. We need a public EC2 instance to reach the private EC2 instance.
This public EC2 instance is called a bastion or jump server.
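
One way to check that SSH really flows only through the bastion, as an added example that is not part of the original page: the script audits two security groups given in the shape of `aws ec2 describe-security-groups` output. The group IDs, the CIDRs and the policy itself (bastion not open to the internet, private instance reachable on port 22 only from the bastion's security group) are assumptions constructed for illustration.

```python
SSH_PORT = 22
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}

def covers_ssh(perm):
    """True if the rule's protocol and port range include TCP 22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    return proto == "tcp" and perm.get("FromPort", 0) <= SSH_PORT <= perm.get("ToPort", 65535)

def ssh_sources(group):
    """Return (cidrs, source_group_ids) allowed to reach port 22."""
    cidrs, groups = set(), set()
    for perm in group.get("IpPermissions", []):
        if not covers_ssh(perm):
            continue
        cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
        cidrs.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
        groups.update(p["GroupId"] for p in perm.get("UserIdGroupPairs", []))
    return cidrs, groups

def audit(bastion_sg, private_sg):
    """Assumed policy: bastion not world-open; private host SSH only from bastion SG."""
    findings = []
    b_cidrs, _ = ssh_sources(bastion_sg)
    if b_cidrs & OPEN_CIDRS:
        findings.append("bastion: SSH open to the whole internet")
    p_cidrs, p_groups = ssh_sources(private_sg)
    if p_cidrs:
        findings.append("private: SSH allowed from CIDRs " + ", ".join(sorted(p_cidrs)))
    if bastion_sg["GroupId"] not in p_groups:
        findings.append("private: SSH not allowed from the bastion security group")
    return findings

def ssh_rule(**source):
    """Build one constructed TCP/22 ingress rule."""
    return {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, **source}

# Constructed sample data (hypothetical IDs, documentation-range addresses).
OPEN_BASTION = {"GroupId": "sg-bastion-example",
                "IpPermissions": [ssh_rule(IpRanges=[{"CidrIp": "0.0.0.0/0"}])]}
LOCKED_BASTION = {"GroupId": "sg-bastion-example",
                  "IpPermissions": [ssh_rule(IpRanges=[{"CidrIp": "203.0.113.10/32"}])]}
PRIVATE_OK = {"GroupId": "sg-private-example",
              "IpPermissions": [ssh_rule(UserIdGroupPairs=[{"GroupId": "sg-bastion-example"}])]}
PRIVATE_BAD = {"GroupId": "sg-private-example",
               "IpPermissions": [ssh_rule(IpRanges=[{"CidrIp": "10.0.0.0/16"}])]}

if __name__ == "__main__":
    for name, pair in [("open bastion", (OPEN_BASTION, PRIVATE_OK)),
                       ("locked bastion", (LOCKED_BASTION, PRIVATE_OK)),
                       ("bypassable private", (LOCKED_BASTION, PRIVATE_BAD))]:
        print(name, "->", audit(*pair) or "ok")
```

Referencing the bastion's security group as the source, rather than a subnet CIDR, keeps other hosts in the VPC from reaching the private instance's SSH port.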