I'm facing a recurring issue with AWS EC2 instances and Palo Alto's GlobalProtect VPN. The setup involves users logging into the AWS Management Console and connecting to EC2 instances via AWS Systems Manager (SSM) without using RDP or SSH. This method works flawlessly until a user establishes a connection to the GlobalProtect VPN. Once connected, all outbound traffic from the EC2 instance gets routed through the VPN, which leads to losing SSM connectivity altogether. The instances are completely disconnected from SSM, and the 'Connect' button in the AWS Console becomes unresponsive.
I went through the split-tunnel settings in Prisma Access and added specific exclusions, including addresses like 169.254.169.254/32 and various AWS endpoints, but the connection instability remains. I even tested it on a fresh EC2 Windows instance, and the issue repeated. Has anyone managed to keep AWS SSM working while connected to GlobalProtect VPN? If so, what configuration have you used for split tunneling or routing? Did you need to whitelist particular AWS endpoints or IPs?
3 Answers
What method does your EC2 instance use to access the SSM endpoint? Ensure that the SSM Agent is installed on your Windows instances and that the IAM role attached includes 'AmazonSSMManagedInstanceCore' permission.
I tried creating VPC Interface Endpoints for the SSM services like com.amazonaws..ssm and others, attached them to the relevant subnets, and allowed TCP 443 in the security groups. However, the problem persists even after DNS propagation—GlobalProtect still disconnects the SSM connection. Any additional configuration advice would be appreciated!
Have you considered setting up VPC endpoints for the SSM services? That could potentially fix the connectivity issues you're experiencing when using the VPN.
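Both suggestions above come down to one question: when GlobalProtect is up, which interface does the instance actually use to reach the SSM endpoints, and do the split-tunnel exclusions cover the addresses those names resolve to? The following diagnostic is an added example, not code from any poster in this thread. It assumes the region in `$Region`, that `$Excludes` mirrors the Prisma Access exclude list (with the VPC CIDR added, because with interface endpoints and private DNS the SSM names resolve to private addresses inside the VPC), that the GlobalProtect adapter's description begins with `PANGP`, and the standard SSM Agent install paths on Windows.

```powershell
# Added diagnostic, not code from the original thread. Run in an elevated
# PowerShell on the Windows EC2 instance while GlobalProtect is connected.
# Assumptions (adjust for your environment):
#   - $Region is the instance's region. The SSM Agent needs the ssm, ssmmessages
#     and ec2messages endpoints in that region, plus IMDS at 169.254.169.254 for
#     the instance-role credentials it authenticates with.
#   - $Excludes is the split-tunnel exclude list configured in Prisma Access.
#     With VPC interface endpoints and private DNS enabled, the endpoint names
#     resolve inside the VPC CIDR, so that CIDR (10.0.0.0/16 here) must be
#     excluded as well, not only the public AWS ranges.
#   - The GlobalProtect virtual adapter's InterfaceDescription starts with "PANGP".
param(
    [string]$Region = 'us-east-1',
    [string[]]$Excludes = @('169.254.169.254/32', '10.0.0.0/16')
)

function ConvertTo-UInt32 ([string]$Ip) {
    # Address bytes are big-endian; reverse so ToUInt32 yields the numeric value
    $b = [ipaddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    return [BitConverter]::ToUInt32($b, 0)
}

function Test-InCidr ([string]$Ip, [string]$Cidr) {
    # IPv4 only; Resolve-DnsName below is restricted to A records for that reason
    $net, $bits = $Cidr -split '/'
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}

# Interface index of the GlobalProtect tunnel adapter, if one is present
$gpIndex = Get-NetAdapter -IncludeHidden |
    Where-Object InterfaceDescription -like 'PANGP*' |
    Select-Object -ExpandProperty ifIndex -First 1

$targets = @("ssm.$Region.amazonaws.com",
             "ssmmessages.$Region.amazonaws.com",
             "ec2messages.$Region.amazonaws.com")

$report = @(foreach ($h in $targets) {
    $ips = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress
    foreach ($ip in $ips) {
        # Longest-prefix match the OS will actually use for this destination
        $route = Find-NetRoute -RemoteIPAddress $ip |
            Where-Object DestinationPrefix | Select-Object -First 1
        [pscustomobject]@{
            Host     = $h
            IP       = $ip
            Excluded = [bool]($Excludes | Where-Object { Test-InCidr $ip $_ })
            Via      = $route.InterfaceAlias
            ViaVPN   = ($null -ne $gpIndex -and $route.InterfaceIndex -eq $gpIndex)
            Tcp443   = (Test-NetConnection -ComputerName $ip -Port 443 `
                            -WarningAction SilentlyContinue).TcpTestSucceeded
        }
    }
})

# IMDS supplies the agent's credentials, so it must never ride the tunnel either
$imdsRoute = Find-NetRoute -RemoteIPAddress '169.254.169.254' |
    Where-Object DestinationPrefix | Select-Object -First 1
$report += [pscustomobject]@{
    Host = 'IMDS'; IP = '169.254.169.254'
    Excluded = [bool]($Excludes | Where-Object { Test-InCidr '169.254.169.254' $_ })
    Via = $imdsRoute.InterfaceAlias
    ViaVPN = ($null -ne $gpIndex -and $imdsRoute.InterfaceIndex -eq $gpIndex)
    Tcp443 = $null
}

$report | Format-Table -AutoSize

# Any row routed through the tunnel, or not excluded, explains the lost session
$bad = $report | Where-Object { $_.ViaVPN -or -not $_.Excluded -or $_.Tcp443 -eq $false }
if ($bad) { Write-Warning "SSM endpoints not reachable outside the tunnel:`n$($bad | Out-String)" }

# Agent-side view: service state and the agent's own connectivity diagnostics
Get-Service AmazonSSMAgent | Select-Object Name, Status
$ssmCli = 'C:\Program Files\Amazon\SSM\ssm-cli.exe'   # default install path (assumed)
if (Test-Path $ssmCli) { & $ssmCli get-diagnostics }
```

Read the `Via`/`ViaVPN` columns first: if any SSM endpoint or IMDS shows the GlobalProtect adapter, the exclude list does not cover the address the name resolves to, which is the usual outcome when interface endpoints with private DNS are added but only public AWS ranges and `169.254.169.254/32` are excluded. A row with `Excluded` true but `Tcp443` false points instead at the endpoint's security group or the instance's outbound rules, which the VPN configuration cannot fix. The agent log at `C:\ProgramData\Amazon\SSM\Logs\amazon-ssm-agent.log` will show the same failures from the agent's side at the moment the tunnel comes up.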