diff --git a/devops/cloudformation.json b/devops/cloudformation.json
index e64ec4e..fa69496 100644
--- a/devops/cloudformation.json
+++ b/devops/cloudformation.json
@@ -147,16 +147,5 @@
 ]
 }
 }
- },
- "Outputs": {
- "InstanceHostname": {
- "Description": "RRE's public hostname",
- "Value": {
- "Fn::GetAtt": [
- "RREInstance",
- "PublicDnsName"
- ]
- }
- }
 }
 }
\ No newline at end of file
diff --git a/devops/deploy.sh b/devops/deploy.sh
index 23e146f..3a89aa7 100755
--- a/devops/deploy.sh
+++ b/devops/deploy.sh
@@ -41,11 +41,12 @@ aws cloudformation deploy --stack-name $STACK_NAME \
 RREDomain=$DOMAIN \
 RRECertArn=$CERT_ARN
-INSTANCE_HOSTNAME=$(aws cloudformation describe-stacks --stack-name $STACK_NAME --query "Stacks[0].Outputs[?OutputKey=='InstanceHostname'].OutputValue" --output text)
+INSTANCE_PHYSICAL_ID=$(aws cloudformation list-stack-resources --stack-name $STACK_NAME --query "StackResourceSummaries[?LogicalResourceId=='RREInstance'].PhysicalResourceId" --output text)
 # Run the playbook! :-)
 export ANSIBLE_HOST_KEY_CHECKING=False # If it's a new host, ssh known_hosts not having the key fingerprint will cause an error. Silence it
-ansible-playbook -v -i $INSTANCE_HOSTNAME, -u ubuntu --private-key ~/.ssh/transitmatters-rre.pem playbook.yml
+SSH_PROXY_ARGS="-o ProxyCommand='aws ec2-instance-connect open-tunnel --instance-id $INSTANCE_PHYSICAL_ID'"
+ansible-playbook -v --ssh-extra-args $SSH_PROXY_ARGS -i $INSTANCE_PHYSICAL_ID, -u ubuntu --private-key ~/.ssh/transitmatters-rre.pem playbook.yml
 # Grab the cloudfront ID and invalidate its cache
 CLOUDFRONT_ID=$(aws cloudfront list-distributions --query "DistributionList.Items[?Aliases.Items!=null] | [?contains(Aliases.Items, '$HOSTNAME')].Id | [0]" --output text)
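Review bot: `$SSH_PROXY_ARGS` is expanded unquoted on the new `ansible-playbook` line in devops/deploy.sh, so the shell splits it at every space: `--ssh-extra-args` is followed by a bare `-o`, and the pieces of the ProxyCommand, with their single quotes as literal characters, become separate arguments to `ansible-playbook`. Quoting the expansion, `--ssh-extra-args "$SSH_PROXY_ARGS"`, passes the whole option as one argument. The instance id is also used without a check, and if the `list-stack-resources` query matches nothing it is presumably empty, so I would add `[ -n "$INSTANCE_PHYSICAL_ID" ] || { echo "RREInstance not found in stack $STACK_NAME" >&2; exit 1; }` before the playbook run. The unchanged `export ANSIBLE_HOST_KEY_CHECKING=False` line still applies, so the SSH host key of the instance behind the tunnel is not verified; its comment should say that this is a deliberate trade-off. The script continues outside the hunk, so whether `set -e` or similar is active is not visible here.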