Hi Team, I am trying to access ec2 instance (Private Subnet) through Session Man . . .

Pardeep Singh:
Hi Team, I am trying to access an EC2 instance (private subnet) through Session Manager but am unable to connect… Even the IAM role has SSM admin permissions.

Deepak Kumar:
Does your private instance have a public IP?

Pardeep Singh:
@Deepak Kumar Nope, I created the instance in a private subnet and assigned a NAT gateway to it.

Deepak Kumar:
Then you have to create interface endpoints for SSM in your VPC.

Pardeep Singh:
I would appreciate it if you could share any reference doc which I can follow.

Deepak Kumar:
I can’t find such documents. If you are aware of AWS VPC endpoints then you would be able to create them:

  1. Go in VPC >> Endpoints >> Create Endpoints.
  2. Search for SSM, then select the ssm interface as per your region, something like com.amazon.us-east###.ssm.
  3. Select the VPC and your public subnet and a security group to allow the HTTP, HTTPS and SSH ports.
  4. Repeat the same and create one more for ssm messages.
  5. And then repeat one more time and create one for the s3 gateway.

Pardeep Singh:
I used a NAT gateway and after that it works fine.

Pardeep Singh:
It means SSM needs public access.

Deepak Kumar:
No, it doesn’t need public access, it just requires agent connectivity to AWS.

Farman Ali:
AFAIK, there is no network connectivity required to log in via SSM. Your attached IAM role should have SSM permissions and an SSM agent should be installed in your EC2. Choose an appropriate AMI (one that has ssm-agent installed in it).

Deepak Kumar:
@Farman Ali It’s not true.

Farman Ali:
It’s true. I mean (network connectivity = no public IP / different connectivity required). If your basic networking is fine, you can log in via SSM. There are only two conditions:

  1. The SSM agent should be installed.
  2. SSM permission should be given to the role assigned to the EC2.

Deepak Kumar:
These two conditions are not enough. Do one thing: create a private instance in a private subnet and do not assign any public IP, choose an AMI that has the SSM agent installed, give the instance the required SSM roles and then try to connect using SSM; you will find your answers.

Deepak Kumar:
One more logic that I can give you is that SSM also works on VMs and on-premises servers; how will they connect if they don’t require any network connectivity?

Farman Ali:
Assigning a public IP to a private instance doesn’t make sense. In fact, I am using private instances with SSM, and private means private. They don’t have public IPs.

Alistair Mackay:
The connectivity requirements for SSM are stated as:

> The managed nodes you connect to must also allow HTTPS (port 443) outbound traffic to the following endpoints:
> • ec2messages.region.amazonaws.com
> • ssm.region.amazonaws.com
> • ssmmessages.region.amazonaws.com
> Alternatively, you can connect to the required endpoints by using interface endpoints.
These three services must be accessible from the instance you want to control, therefore there are the following options:
• The instance has a public IP
• The instance can reach the internet via a NAT gateway
• You deploy interface endpoints for the above services into the VPC.
In addition to these connectivity requirements, ensure that an instance profile is attached that includes a role with this policy: arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore

Deepak Kumar:
Exactly, this is what I was talking about.