2 Respuestas
- Más nuevo
- Más votos
- Más comentarios
1
Make sure that you have specified all VPC endpoint for SSM:
- com.amazonaws.region.ssm: The endpoint for the Systems Manager service.
- com.amazonaws.region.ec2messages: Systems Manager uses this endpoint to make calls from SSM Agent to the Systems Manager service.
- com.amazonaws.region.ec2: If you're using Systems Manager to create VSS-enabled snapshots, you need to ensure that you have an endpoint to the EC2 service. Without the EC2 endpoint defined, a call to enumerate attached EBS volumes fails, which causes the Systems Manager command to fail. - com.amazonaws.region.ssmmessages: This endpoint is required only if you are connecting to your instances through a secure data channel using Session Manager. For more information, see AWS Systems Manager Session Manager.
respondido hace 5 años
0
I followed all docos available under the sun: all possible SG to protect instance and/or VPC endpoint. It only worked once (Connect button was available, and I could open a session onto instance). Then I followed the advice to restrict the Source CIDR of VPC endpoint Inbound SG to priv subnet, (instead of entire VPC), and it failed with error: "SSM Agent is offline". When I rolled back SG to entire VPC, it never worked again...
The only way I could make it work is by adding a NAT Gwy. I anyway like NAT Gwy to keep my EC2 up to date in terms of patching level.
Conclusion : Total fiasco, and 6 hours wasted. NAT Gwy fixed it and allows decent security level of instance.
respondido hace 4 meses
Contenido relevante
- OFICIAL DE AWSActualizada hace un año
- OFICIAL DE AWSActualizada hace 3 años
- OFICIAL DE AWSActualizada hace 2 años
Also, I'm still confused if a VPC endpoint is just like a wormhole between the VPC and AWS Services, which will avoid packets to and from the instance to travel over the Internet?
The documentation referenced is not clear enough. I still don't know which type of endpoint I need, in the 1st page of the creation wizard, among: AWS Services, EC2 Instance Connect Endpint, PrivateLink, and possibly others. Also, you'll note the black magic that consists in inverting the Service Name into a namespace to be "verified" with some types, not others. The comment above uses the namespace notation, which, in particular, is valid for PrivateLink type, but not only.