I'm facing a persistent challenge with AWS EC2 and Palo Alto GlobalProtect VPN, and I'm hoping to find a solid solution. Here's my situation:
I have users logging into the AWS Management Console and then using AWS Systems Manager (SSM Agent / Session Manager) to access EC2 instances—no RDP or SSH involved. Everything functions well until they connect to GlobalProtect VPN.
Once users connect, all outbound traffic from the EC2 instance goes through the VPN tunnel, and I immediately lose SSM connectivity. The instance vanishes from SSM, and the 'Connect' button in the AWS Console is greyed out.
I suspected that routing was the issue, so I checked the split-tunnel configuration in Prisma Access. I added exclusions for the necessary endpoints and my VPC subnet, but the connection remains unstable. Even testing with a new EC2 Windows instance yielded the same connectivity loss upon connecting to GlobalProtect.
Has anyone successfully maintained AWS SSM connectivity while connected to GlobalProtect VPN? If so, what were your split tunneling or routing configurations on the Prisma Access side? Did you whitelist specific AWS endpoints or IPs for your region?
2 Answers
How is your EC2 accessing the SSM endpoint? That could be a factor in the connectivity issue.
You might want to try using VPC endpoints for the SSM services. That could potentially solve the connectivity issue. Just a thought!
I actually gave that a shot by creating the three VPC Interface Endpoints for the SSM services—`com.amazonaws.

The EC2 instances already have the SSM Agent installed and the required IAM role attached, which includes the `AmazonSSMManagedInstanceCore` permissions.
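An added example, not from the post or either answer: a small route-table check of the kind one would run on the instance after GlobalProtect connects, to see whether each address the SSM Agent must reach (public endpoint, VPC interface endpoint ENI, IMDS) would leave via the tunnel or stay on the instance's ENI. Interface names, route entries and addresses are constructed samples, not values from the original thread.

```python
"""Does SSM Agent traffic leave via the GlobalProtect tunnel or the ENI?

Longest-prefix-match over a routing table as captured from the instance after
the VPN connects. All values below are constructed samples (hypothetical).
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (destination CIDR, interface, metric), as read from `route print` / `ip route`
Route = Tuple[str, str, int]

# Constructed sample route table on a Windows EC2 instance with GlobalProtect up:
# the default route now points at the tunnel; the VPC CIDR and IMDS stay on the
# ENI only because they were added as split-tunnel exclusions.
SAMPLE_ROUTES: List[Route] = [
    ("0.0.0.0/0", "GlobalProtect", 1),
    ("0.0.0.0/0", "Ethernet", 25),
    ("10.0.0.0/16", "Ethernet", 25),
    ("169.254.169.254/32", "Ethernet", 25),
]

# Constructed sample destinations the SSM Agent must reach (hypothetical addresses;
# 198.51.100.10 is a documentation placeholder, not a real AWS endpoint address).
SSM_DESTINATIONS: Dict[str, str] = {
    "ssm (public regional endpoint)": "198.51.100.10",
    "ssm (VPC interface endpoint ENI)": "10.0.1.25",
    "ssmmessages (VPC interface endpoint ENI)": "10.0.1.26",
    "IMDS (instance role credentials)": "169.254.169.254",
}


def lookup(ip: str, routes: List[Route]) -> Optional[str]:
    """Return the interface chosen for ip: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(ip)
    best = None  # ((prefixlen, -metric), iface)
    for cidr, iface, metric in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def audit(destinations: Dict[str, str], routes: List[Route],
          tunnel_iface: str = "GlobalProtect") -> Dict[str, bool]:
    """Map each destination name to True if its traffic would enter the tunnel."""
    return {name: lookup(ip, routes) == tunnel_iface for name, ip in destinations.items()}


if __name__ == "__main__":
    for name, via_tunnel in audit(SSM_DESTINATIONS, SAMPLE_ROUTES).items():
        print(f"{name:42s} {'TUNNEL  <- SSM session will drop' if via_tunnel else 'ENI     ok'}")
```

Any destination reported as TUNNEL is one the split-tunnel exclusion list in Prisma Access does not yet cover; the VPC interface endpoints only help if the VPC CIDR (or the endpoint ENI addresses) is among those exclusions.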