I am testing Session manager and I can only get it to work on EC2 instances with public IPs. Those with just private IPs never show in the console. It was my understanding this service doesn’t need internet access? Am I mistaken? Was there additional setup to support private IP only?
Took me a bit to figure out, but you need THREE VPC endpoints. Here is the doc. Probably should be in the Security specialization section on Session Manager too: https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/
Please note: though the service itself doesn’t require opening RDP or SSH ports to your instance, the SSM agent will still need outbound access to the following endpoints, as stated here:
The managed instances must also allow HTTPS (port 443) outbound traffic to the following endpoints:
SSM Agent initiates all connections to the Systems Manager service in the cloud. For this reason, you don’t need to configure your firewall to allow inbound traffic to your instances for Systems Manager.
Please note: if you don’t have a NAT gateway in the private route table, you will need to create VPC interface endpoints for ssm, ssmmessages, and ec2messages.
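As an added example (not from anyone in this thread, and not AWS code), the check below takes the records an EC2 DescribeVpcEndpoints call returns and reports which of the three interface endpoints the thread names (ssm, ssmmessages, ec2messages) are missing for a VPC without a NAT gateway. It goes one step beyond the thread by also flagging an endpoint whose private DNS is disabled, since the agent then resolves the public hostname instead of the endpoint; the endpoint records, VPC id and region are constructed sample data.

```python
"""Check a VPC for the interface endpoints SSM Session Manager needs."""

REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")

# Constructed sample shaped like the VpcEndpoints list of a boto3
# ec2.describe_vpc_endpoints() response; no real account data.
SAMPLE_VPC_ENDPOINTS = [
    {"VpcId": "vpc-0a1b2c3d", "ServiceName": "com.amazonaws.us-east-1.ssm",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": True, "State": "available"},
    {"VpcId": "vpc-0a1b2c3d", "ServiceName": "com.amazonaws.us-east-1.ec2messages",
     "VpcEndpointType": "Interface", "PrivateDnsEnabled": False, "State": "available"},
    {"VpcId": "vpc-0a1b2c3d", "ServiceName": "com.amazonaws.us-east-1.s3",
     "VpcEndpointType": "Gateway", "State": "available"},
]


def ssm_endpoint_gaps(vpc_id, region, endpoints, has_nat_gateway=False):
    """Return a list of problems; an empty list means the agent can reach SSM.

    With a NAT gateway the agent reaches the public endpoints over 443, so
    interface endpoints are optional and nothing is reported.
    """
    if has_nat_gateway:
        return []
    prefix = f"com.amazonaws.{region}."
    present = {}
    for ep in endpoints:
        # Only interface endpoints in this VPC and region count.
        if ep.get("VpcId") != vpc_id or ep.get("VpcEndpointType") != "Interface":
            continue
        if ep["ServiceName"].startswith(prefix):
            present[ep["ServiceName"][len(prefix):]] = ep
    problems = []
    for svc in REQUIRED_SERVICES:
        ep = present.get(svc)
        if ep is None:
            problems.append(f"missing interface endpoint for {svc}")
        elif ep.get("State") != "available":
            problems.append(f"{svc} endpoint is in state {ep.get('State')}")
        elif not ep.get("PrivateDnsEnabled"):
            problems.append(f"{svc} endpoint has private DNS disabled")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_VPC_ENDPOINTS with
    # boto3.client("ec2").describe_vpc_endpoints()["VpcEndpoints"] for a live check.
    for line in ssm_endpoint_gaps("vpc-0a1b2c3d", "us-east-1", SAMPLE_VPC_ENDPOINTS):
        print(line)
```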