diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1eaa2734d..d10d2485b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,8 @@ IMPROVEMENTS:
 
   * builder/amazon/all: `AWS_SECURITY_TOKEN` is read and can also be
       set with the `token` configuration. [GH-1236]
+  * builder/amazon/all: Can force SSH on the private IP address with
+      `ssh_private_ip`. [GH-1229]
   * builder/amazon-instance: EBS AMIs can be used as a source. [GH-1453]
   * builder/digitalocean: Can set API URL endpoint. [GH-1448]
   * builder/digitalocean: Region supports variables. [GH-1452]
diff --git a/builder/amazon/common/run_config.go b/builder/amazon/common/run_config.go
index d7dd6ec99..6a8fc29a9 100644
--- a/builder/amazon/common/run_config.go
+++ b/builder/amazon/common/run_config.go
@@ -20,6 +20,7 @@ type RunConfig struct {
 	RawSSHTimeout            string            `mapstructure:"ssh_timeout"`
 	SSHUsername              string            `mapstructure:"ssh_username"`
 	SSHPrivateKeyFile        string            `mapstructure:"ssh_private_key_file"`
+	SSHPrivateIp             bool              `mapstructure:"ssh_private_ip"`
 	SSHPort                  int               `mapstructure:"ssh_port"`
 	SecurityGroupId          string            `mapstructure:"security_group_id"`
 	SecurityGroupIds         []string          `mapstructure:"security_group_ids"`
diff --git a/builder/amazon/common/ssh.go b/builder/amazon/common/ssh.go
index 88a3dafbd..34fd746cb 100644
--- a/builder/amazon/common/ssh.go
+++ b/builder/amazon/common/ssh.go
@@ -11,7 +11,7 @@ import (
 
 // SSHAddress returns a function that can be given to the SSH communicator
 // for determining the SSH address based on the instance DNS name.
-func SSHAddress(e *ec2.EC2, port int) func(multistep.StateBag) (string, error) {
+func SSHAddress(e *ec2.EC2, port int, private bool) func(multistep.StateBag) (string, error) {
 	return func(state multistep.StateBag) (string, error) {
 		for j := 0; j < 2; j++ {
 			var host string
@@ -19,7 +19,7 @@ func SSHAddress(e *ec2.EC2, port int) func(multistep.StateBag) (string, error) {
 			if i.DNSName != "" {
 				host = i.DNSName
 			} else if i.VpcId != "" {
-				if i.PublicIpAddress != "" {
+				if i.PublicIpAddress != "" && !private {
 					host = i.PublicIpAddress
 				} else {
 					host = i.PrivateIpAddress
diff --git a/builder/amazon/ebs/builder.go b/builder/amazon/ebs/builder.go
index b5d2ce750..feabc1d4c 100644
--- a/builder/amazon/ebs/builder.go
+++ b/builder/amazon/ebs/builder.go
@@ -113,7 +113,8 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			Tags:                     b.config.RunTags,
 		},
 		&common.StepConnectSSH{
-			SSHAddress:     awscommon.SSHAddress(ec2conn, b.config.SSHPort),
+			SSHAddress: awscommon.SSHAddress(
+				ec2conn, b.config.SSHPort, b.config.SSHPrivateIp),
 			SSHConfig:      awscommon.SSHConfig(b.config.SSHUsername),
 			SSHWaitTimeout: b.config.SSHTimeout(),
 		},
diff --git a/builder/amazon/instance/builder.go b/builder/amazon/instance/builder.go
index 6df94bf62..8fea80f6e 100644
--- a/builder/amazon/instance/builder.go
+++ b/builder/amazon/instance/builder.go
@@ -216,7 +216,8 @@ func (b *Builder) Run(ui packer.Ui, hook packer.Hook, cache packer.Cache) (packe
 			Tags:                     b.config.RunTags,
 		},
 		&common.StepConnectSSH{
-			SSHAddress:     awscommon.SSHAddress(ec2conn, b.config.SSHPort),
+			SSHAddress: awscommon.SSHAddress(
+				ec2conn, b.config.SSHPort, b.config.SSHPrivateIp),
 			SSHConfig:      awscommon.SSHConfig(b.config.SSHUsername),
 			SSHWaitTimeout: b.config.SSHTimeout(),
 		},
diff --git a/website/source/docs/builders/amazon-ebs.html.markdown b/website/source/docs/builders/amazon-ebs.html.markdown
index 8c06ac482..602592a2f 100644
--- a/website/source/docs/builders/amazon-ebs.html.markdown
+++ b/website/source/docs/builders/amazon-ebs.html.markdown
@@ -126,6 +126,9 @@ each category, the available configuration keys are alphabetized.
 * `ssh_private_key_file` (string) - Use this ssh private key file instead of
   a generated ssh key pair for connecting to the instance.
 
+* `ssh_private_ip` (bool) - If true, then SSH will always use the private
+  IP if available.
+
 * `ssh_timeout` (string) - The time to wait for SSH to become available
   before timing out. The format of this value is a duration such as "5s"
   or "5m". The default SSH timeout is "5m", or five minutes.
diff --git a/website/source/docs/builders/amazon-instance.html.markdown b/website/source/docs/builders/amazon-instance.html.markdown
index 811d69e80..fc6b48c5b 100644
--- a/website/source/docs/builders/amazon-instance.html.markdown
+++ b/website/source/docs/builders/amazon-instance.html.markdown
@@ -164,6 +164,9 @@ each category, the available configuration keys are alphabetized.
 * `ssh_private_key_file` (string) - Use this ssh private key file instead of
   a generated ssh key pair for connecting to the instance.
 
+* `ssh_private_ip` (bool) - If true, then SSH will always use the private
+  IP if available.
+
 * `ssh_timeout` (string) - The time to wait for SSH to become available
   before timing out. The format of this value is a duration such as "5s"
   or "5m". The default SSH timeout is "5m", or five minutes.