How can I connect to my EC2 instance using Session Manager without a public IP?

Asked By TechNinja42 On

I'm really struggling with this setup for connecting to my EC2 instance through Session Manager. The instance is running Amazon Linux, has the SSM agent pre-installed, and I've applied a custom role that includes AmazonS3FullAccess and AmazonSSMManagedInstanceCore policies. Both the Network ACL and Security Group are configured to allow outbound HTTPS requests to 0.0.0.0/0.

To use Session Manager, I understand that my EC2 instance needs to have either a public IP or connect to the internet through a NAT gateway. I'm trying to clarify whether I'm correct in saying that the EC2 instance must be able to make HTTPS requests to some AWS public IPs. Is it true that, unlike SSH, the main advantage of using Session Manager is that I can apply custom Security Groups without needing to set up any inbound rules or SSH keys? And is there really no way to use Session Manager if my instance doesn't have a public IP and isn't behind a NAT Gateway?

5 Answers

Answered By TechWhiz12 On

It's important to note that connecting isn’t just about the public internet; there are a few specific endpoints for the SSM service that your EC2 needs to access. The best practice is to use VPC interface endpoints instead of making your instances publicly accessible.

CloudFan88 -

I completely agree! Securing your instances is crucial.

Answered By CyberDefender44 On

To clarify, if you want to use Session Manager without EC2 Instance Connect, you absolutely need to establish either a direct connection to the internet or set up those VPC endpoints for the services required by Session Manager. The documentation can be confusing, but you're correct in thinking these are the main options available.

TechNinja42 -

Thank you, that really helps clear things up!

Answered By ServerSage456 On

If you're using SSH, you'd still need a way for network traffic to get in and out of your EC2 instance. In a private subnet, a VPN might be your best bet. But with SSM, your traffic has to reach AWS’s SSM service, so you’ll need either outbound internet access or VPC endpoints.

Answered By CloudGuru88 On

You should definitely consider setting up VPC Endpoints for SSM. This allows your EC2 instances to connect to the SSM service without needing internet access. Just check out the AWS documentation on creating VPC endpoints for more details.

DataWarrior99 -

Exactly, that’s the way to go!

Answered By NetMaster123 On

You're kind of mixing two issues here. Using SSM Session Manager does require some way to reach the SSM APIs, which are outside of your VPC by default. If your instance must use private addressing, just add a VPC endpoint for SSM. Remember, with SSM you really only need outbound connectivity, unlike SSH which requires inbound rules too.
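To make the "add a VPC endpoint for SSM" advice concrete, here is an added, offline example that is not code from anyone in this thread. It audits a VPC for what Session Manager actually needs when an instance has neither a public IP nor a NAT route: three interface endpoints (com.amazonaws.<region>.ssm, .ssmmessages and .ec2messages), each in the available state, with private DNS enabled so the agent's lookups of the public hostnames resolve to the endpoint, and with an endpoint security group that admits TCP/443 from the instances. The service names are AWS facts; everything else (the VPC id, CIDR, security group ids and the endpoint records) is constructed sample data shaped like `aws ec2 describe-vpc-endpoints` and `describe-security-groups` output, and the function names are hypothetical.

```python
"""Offline readiness check for SSM Session Manager over VPC interface endpoints.

Hypothetical helper written for this thread, not AWS code. The three service
suffixes are the endpoints Session Manager requires; the sample VPC state below
is constructed and mirrors the JSON shape of describe-vpc-endpoints and
describe-security-groups.
"""
import ipaddress

# Interface endpoints the SSM agent talks to (no NAT or public IP needed).
REQUIRED_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def required_service_names(region):
    """Fully qualified endpoint service names for a region."""
    return {"com.amazonaws.%s.%s" % (region, svc) for svc in REQUIRED_SERVICES}


def sg_allows_https_from(sg, source_cidr):
    """True if the security group has an inbound rule covering TCP/443 from source_cidr."""
    src = ipaddress.ip_network(source_cidr)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        if proto not in ("tcp", "-1"):          # -1 is "all protocols"
            continue
        if proto == "tcp" and not (perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)):
            continue
        for rng in perm.get("IpRanges", []):
            if src.subnet_of(ipaddress.ip_network(rng["CidrIp"])):
                return True
    return False


def audit_ssm_endpoints(region, vpc_id, vpc_cidr, endpoints, security_groups):
    """Return a list of findings; an empty list means the VPC is ready for Session Manager."""
    findings = []
    sgs = {sg["GroupId"]: sg for sg in security_groups}
    present = {ep["ServiceName"]: ep for ep in endpoints
               if ep["VpcId"] == vpc_id and ep["VpcEndpointType"] == "Interface"}
    for name in sorted(required_service_names(region)):
        ep = present.get(name)
        if ep is None:
            findings.append("missing interface endpoint %s" % name)
            continue
        if ep["State"] != "available":
            findings.append("%s: state is %s, not available" % (name, ep["State"]))
        if not ep.get("PrivateDnsEnabled", False):
            # Without private DNS the agent resolves the public AWS hostname, which is
            # unreachable from a subnet with no NAT or internet gateway.
            findings.append("%s: private DNS disabled, agent will resolve public IPs" % name)
        if not any(sg_allows_https_from(sgs.get(g["GroupId"], {}), vpc_cidr) for g in ep["Groups"]):
            findings.append("%s: no endpoint SG rule allows TCP/443 from %s" % (name, vpc_cidr))
    return findings


# Constructed sample data (hypothetical ids): ssm is correct, ssmmessages has
# private DNS switched off, ec2messages was never created.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0endpoints", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
]
SAMPLE_ENDPOINTS = [
    {"VpcId": "vpc-0123", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.eu-west-1.ssm", "PrivateDnsEnabled": True,
     "Groups": [{"GroupId": "sg-0endpoints"}]},
    {"VpcId": "vpc-0123", "VpcEndpointType": "Interface", "State": "available",
     "ServiceName": "com.amazonaws.eu-west-1.ssmmessages", "PrivateDnsEnabled": False,
     "Groups": [{"GroupId": "sg-0endpoints"}]},
]

if __name__ == "__main__":
    for finding in audit_ssm_endpoints("eu-west-1", "vpc-0123", "10.0.0.0/16",
                                       SAMPLE_ENDPOINTS, SAMPLE_SECURITY_GROUPS):
        print(finding)
```

Against real accounts, feed the function the parsed output of `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups` for the VPC. Note that the instance side still needs only the outbound HTTPS rule the question already has; the inbound 443 rule belongs on the endpoint's security group, not on the instance's.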
