security group for session manager

0

Hi All,

I have an EC2 instance in a private subnet. I connect to it using Session Manager via the AWS console.

Actually, the outbound rule of the security group of the private EC2 instance is: All traffic / all / 0.0.0.0/0

When I delete that rule I can no longer connect to the EC2 instance:

Your session has been terminated for the following reasons:  
----------ERROR------- Setting up data channel with id xxxxxxxxx-04retceff7ddr5 failed: 
failed to create websocket for datachannel with error: CreateDataChannel failed with no output or error: createDataChannel request failed: 
failed to make http client call: Post "https://ssmmessages.region1.amazonaws.com/v1/data-channel/xxxxxxxxx-04fgffgffdgefbdder": 
context deadline exceeded (Client.Timeout exceeded while awaiting headers)

What is the right outbound SG rule that allows me to connect to my instance via AWS console Session Manager, knowing that I don't have a VPC interface for SSM?

Jess
asked 2 years ago · 8598 views
2 Answers
0

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-prereqs.html

(Recommended) Create a VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC) to use with Systems Manager.

If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints. For information, see (Optional) Create a Virtual Private Cloud endpoint.

AWS
answered 2 years ago
  • So I need to whitelist SSM endpoints with IPs in the AWS public services JSON file? Which IP address do I need to put as the destination on the outbound SG rule?

0

'If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints.' Can you help share an example security group for this? I am very confused about how to add endpoints as the destination in a security group.

dia
answered a month ago
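An added example, not part of the thread or of AWS documentation: a small offline check of whether a security group's egress rules permit HTTPS (port 443) to a destination, run over the rule from the question, the group after that rule is deleted, and two narrower candidates. The rule dictionaries follow the `IpPermissionsEgress` shape returned by `aws ec2 describe-security-groups`; the destination IPs, the VPC CIDR and the group names are constructed placeholders, and only CIDR entries are evaluated (prefix-list and security-group references are ignored).

```python
import ipaddress

def rule_allows(rule, dest_ip, port=443):
    """True if one egress rule permits TCP `port` to `dest_ip` via a CIDR entry."""
    proto = rule["IpProtocol"]
    if proto == "-1":            # "All traffic": every protocol and port
        port_ok = True
    elif proto == "tcp":
        port_ok = rule["FromPort"] <= port <= rule["ToPort"]
    else:
        port_ok = False
    if not port_ok:
        return False
    ip = ipaddress.ip_address(dest_ip)
    # Security group rules match on addresses, not hostnames.
    return any(ip in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", []))

def audit(sg, destinations):
    """Map each named destination to whether the group's egress reaches it on 443."""
    rules = sg.get("IpPermissionsEgress", [])
    return {name: any(rule_allows(r, ip) for r in rules)
            for name, ip in destinations.items()}

# Constructed stand-ins: an address a public Systems Manager endpoint might
# resolve to (documentation range), and an interface VPC endpoint address
# inside an assumed 10.0.0.0/16 VPC.
DESTINATIONS = {"public_endpoint": "203.0.113.10", "vpc_endpoint": "10.0.1.25"}

def https_to(cidr):
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": cidr}]}

GROUPS = {
    # The rule from the question: All traffic / all / 0.0.0.0/0
    "all_traffic": {"IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    # After deleting it: no egress at all, so the HTTPS call times out
    "no_egress": {"IpPermissionsEgress": []},
    # HTTPS only, any destination (no VPC endpoint in use)
    "https_any": {"IpPermissionsEgress": [https_to("0.0.0.0/0")]},
    # HTTPS only, inside the VPC (sufficient only with VPC endpoints)
    "https_vpc_only": {"IpPermissionsEgress": [https_to("10.0.0.0/16")]},
}

if __name__ == "__main__":
    for name, sg in GROUPS.items():
        print(name, audit(sg, DESTINATIONS))
```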
