I'm trying to register my Amazon Elastic Compute Cloud (Amazon EC2) instance as a managed instance with AWS Systems Manager. However, the instance fails to register and I receive a TCP timeout error message similar to the following:
"RequestError: send request failed caused by: Post https://ssm.RegionId.amazonaws.com/: dial tcp IP:443: i/o timeout"
Why does registration fail, and how do I troubleshoot this error?
The TCP timeout error indicates that one of the following issues is preventing the instance from registering:
- The instance is in a private subnet and uses the Systems Manager virtual private cloud (VPC) endpoint and a custom DNS server.
- The instance is in a private subnet and doesn't have access to the internet or to the Systems Manager endpoints.
- The instance is in a public subnet. The VPC security groups and network access control lists (network ACLs) aren't configured to allow outbound connections to the Systems Manager endpoints on port 443.
- The instance is behind a proxy, but SSM Agent isn't configured to communicate through an HTTP proxy and can't connect to the instance metadata server.
You can view the TCP timeout error in the SSM Agent log on your instance located at the following paths:
Linux and macOS
Instance in private subnet using Systems Manager endpoint and a custom DNS
VPC endpoints only support Amazon-provided DNS through Amazon Route 53. To use your own DNS server, try one of the following:
Instance can't connect to the Systems Manager endpoints
VPC security groups and network ACL aren't configured to allow outbound connections on port 443
The instance is behind a proxy and can't connect to the instance metadata service
For troubleshooting steps, see Why is my EC2 instance not appearing under Managed Instances in the Systems Manager console?
Create a Virtual Private Cloud endpoint