Certified Security - Specialty


Session Manager Networking Requirements?

I am testing Session manager and I can only get it to work on EC2 instances with public IPs. Those with just private IPs never show in the console. It was my understanding this service doesn’t need internet access? Am I mistaken? Was there additional setup to support private IP only?

2 Answers

Took me a bit to figure out, but you need THREE VPC endpoints. Here is the doc. Probably should be in the Security specialization section on Session Manager too: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/

Please note: though the service itself doesn’t require opening RDP or SSH ports to your instance, the SSM agent will still need outbound access to the following endpoints, as stated here:

The managed instances must also allow HTTPS (port 443) outbound traffic to the following endpoints:

ssm.region.amazonaws.com

ssmmessages.region.amazonaws.com

ec2messages.region.amazonaws.com

SSM Agent initiates all connections to the Systems Manager service in the cloud. For this reason, you don’t need to configure your firewall to allow inbound traffic to your instances for Systems Manager.

Please note that if you don’t have a NAT gateway in the private RT, you will need to create VPC interface endpoints for ssm, ssmmessages, and ec2messages.
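As an added illustration of the setup the answer above describes (not code from the original post or from AWS), here is a Terraform fragment that creates the three interface endpoints with private DNS and a security group that admits only HTTPS from inside the VPC. The region, VPC ID, VPC CIDR and private subnet IDs are assumed inputs.

```hcl
# Assumed inputs (not from the original post): adjust to your environment.
variable "region"     { default = "us-east-1" }
variable "vpc_id"     {}
variable "vpc_cidr"   {}
variable "subnet_ids" { type = list(string) }   # private subnets hosting the ENIs

# The agent only ever opens outbound HTTPS to the service, so the endpoint
# security group needs a single ingress rule: TCP 443 from inside the VPC.
# No inbound rule on the instance's own security group is required.
resource "aws_security_group" "ssm_endpoints" {
  name        = "ssm-interface-endpoints"
  description = "Allow HTTPS from the VPC to the SSM interface endpoints"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }
}

# One interface endpoint per service the answer lists. private_dns_enabled
# makes ssm.<region>.amazonaws.com, ssmmessages.<region>.amazonaws.com and
# ec2messages.<region>.amazonaws.com resolve to the endpoint's private IPs,
# so the agent on a private-IP-only instance never needs a route to the
# internet. The VPC must have DNS support and DNS hostnames enabled for
# private DNS to work.
resource "aws_vpc_endpoint" "ssm" {
  for_each = toset(["ssm", "ssmmessages", "ec2messages"])

  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.subnet_ids
  security_group_ids  = [aws_security_group.ssm_endpoints.id]
  private_dns_enabled = true

  tags = { Name = "${each.key}-endpoint" }
}
```

The endpoints only cover the network path: the instance also needs an instance profile that grants the SSM agent its permissions (the AWS managed policy AmazonSSMManagedInstanceCore) before it appears as a managed instance.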

Dwilson

Good stuff, this for sure should have been covered in the video, as well as how to troubleshoot it.

Srinivasan Dandapani

Same issue for me too. Have a private instance with its own security group; haven’t opened any SSH ports; looked at your comment, created a NAT GW, added a route in the VPC route table, but still couldn’t see the private instance inside Systems Manager / Start session. Please let me know what else is needed to get this working.
