
How do I create Amazon VPC endpoints so that I can use Systems Manager to manage private Amazon EC2 instances without internet access?

My Amazon Elastic Compute Cloud (Amazon EC2) instance doesn't have internet access. I want to create Amazon Virtual Private Cloud (Amazon VPC) endpoints so that I can use AWS Systems Manager to manage my instance.

Resolution

To manage EC2 instances without internet access, configure Systems Manager to use a VPC interface endpoint on AWS PrivateLink.

Create an IAM instance profile for Systems Manager

Note: If you're using Default Host Management Configuration to manage your instances, then you don't need to create an IAM instance profile to manage instances.

Complete the following steps:

  1. Verify that you installed AWS Systems Manager Agent (SSM Agent) on the instance.
  2. Create an AWS Identity and Access Management (IAM) instance profile, and add the required permissions.
    Note: You can create a new role or add the permissions to an existing role.
  3. Attach the IAM role to your instance.
  4. Open the Amazon EC2 console.
  5. In the navigation pane, choose Instances, and then select your instance.
  6. Choose the Description tab, and then note the VPC ID and subnet ID to use in a later step.

Create or modify a security group

Create one security group, or modify an existing security group, for the inbound and outbound rules. The security group must allow outbound traffic on port 443 to the VPC endpoints. The security group must also allow inbound HTTPS (port 443) traffic from the resources in your VPC that communicate with the service. For the Inbound rules, choose HTTPS for Type. For Source, select your VPC's CIDR block. For an advanced configuration, allow only the CIDR block for specific subnets in the VPC, or a security group that your instances use.

Add the security group to your instance. Then, associate the security group with the VPC endpoint. For more information, see Security group rules for different use cases.

Create and configure a VPC endpoint for Systems Manager

Note: VPC endpoints map to a specific subnet. If you select multiple subnets when you create the VPC endpoints, then Amazon VPC creates one endpoint for each selected subnet. You incur charges for each endpoint.

Complete the following steps:

  1. Create a VPC endpoint.
  2. For Service name, select com.amazonaws.[region].ssm.
    Note: For a list of AWS Region codes, see Available AWS Regions.
  3. For VPC, select the VPC for your instance.
    Note: For Additional settings, keep the default option, Enable DNS name.
  4. For Subnets, select at least two subnets in your VPC from different Availability Zones within the same Region.
    Note: If you have more than one subnet in the same Availability Zone, then you don't need to create VPC endpoints for the extra subnets. Other subnets within the same Availability Zone can access and use the interface endpoint.
  5. For Security group, select your security group.
  6. (Optional) For an advanced setup, create an interface VPC endpoint policy for Systems Manager.
    Note: VPC endpoints require an AWS provided DNS (VPC CIDR+2). If you're using a custom DNS, then use Amazon Route 53 Resolver for the correct name resolution.
  7. Choose Create endpoint.

Repeat the steps to create endpoints for com.amazonaws.[region].ssmmessages and com.amazonaws.[region].ec2messages.
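The security group and endpoint steps above, done with the AWS SDK for Python instead of the console. This is an added example, not AWS's own code: the VPC ID, VPC CIDR block and account ID are placeholders, the security group name `ssm-endpoint-sg` is an assumption, and the boto3 EC2 client is passed in by the caller so the pure helpers (service names, rule entries, subnet selection, endpoint policy) run without credentials.

```python
"""Create the Systems Manager interface endpoints from this article with boto3.

Added example, not AWS's own code. It assumes a VPC ID, that VPC's CIDR block
and an account ID (placeholders in main). The EC2 client is passed in by the
caller, so the pure helpers run without credentials.
"""
import json

# The three interface endpoints the article creates.
SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def service_names(region):
    """Expand com.amazonaws.[region].<service> for the three SSM services."""
    return [f"com.amazonaws.{region}.{svc}" for svc in SSM_SERVICES]


def https_rule(cidr, description):
    """One security-group rule entry: TCP 443 to or from a CIDR block."""
    return {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
            "IpRanges": [{"CidrIp": cidr, "Description": description}]}


def one_subnet_per_az(subnets):
    """Keep the first subnet listed for each Availability Zone.

    `subnets` is the list under describe_subnets()["Subnets"]. Other subnets
    in the same AZ share that endpoint and each endpoint is billed, so one
    subnet per AZ is enough.
    """
    chosen = {}
    for subnet in subnets:
        chosen.setdefault(subnet["AvailabilityZone"], subnet["SubnetId"])
    return list(chosen.values())


def endpoint_policy(account_id):
    """Optional endpoint policy: accept SSM calls only from our own account."""
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": ["ssm:*", "ssmmessages:*", "ec2messages:*"], "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}}}]})


def create_endpoint_security_group(ec2, vpc_id, vpc_cidr):
    """Security group for the endpoint network interfaces.

    Inbound: HTTPS from the VPC CIDR, where the instances live. A new group
    already allows all outbound traffic, which covers HTTPS to the endpoints.
    The instances' own group needs an outbound HTTPS rule whose destination
    is the same VPC CIDR (the endpoint interfaces have private IPs in it).
    """
    sg_id = ec2.create_security_group(
        GroupName="ssm-endpoint-sg",
        Description="HTTPS from VPC to Systems Manager interface endpoints",
        VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(
        GroupId=sg_id,
        IpPermissions=[https_rule(vpc_cidr, "HTTPS from instances in the VPC")])
    return sg_id


def create_ssm_endpoints(ec2, region, vpc_id, subnet_ids, sg_id, policy=None):
    """Create the ssm, ssmmessages and ec2messages interface endpoints.

    Private DNS stays enabled (the article's default), so the agent resolves
    ssm.<region>.amazonaws.com to the endpoint's private IP addresses.
    """
    created = {}
    for name in service_names(region):
        kwargs = dict(VpcEndpointType="Interface", VpcId=vpc_id, ServiceName=name,
                      SubnetIds=subnet_ids, SecurityGroupIds=[sg_id],
                      PrivateDnsEnabled=True)
        if policy:
            kwargs["PolicyDocument"] = policy
        created[name] = ec2.create_vpc_endpoint(**kwargs)["VpcEndpoint"]["VpcEndpointId"]
    return created


if __name__ == "__main__":
    import boto3

    REGION, VPC_ID, VPC_CIDR, ACCOUNT_ID = "eu-west-1", "vpc-PLACEHOLDER", "10.0.0.0/16", "123456789012"
    ec2 = boto3.client("ec2", region_name=REGION)
    subnets = ec2.describe_subnets(Filters=[{"Name": "vpc-id", "Values": [VPC_ID]}])["Subnets"]
    sg_id = create_endpoint_security_group(ec2, VPC_ID, VPC_CIDR)
    print(create_ssm_endpoints(ec2, REGION, VPC_ID, one_subnet_per_az(subnets), sg_id,
                               endpoint_policy(ACCOUNT_ID)))
```

The endpoint policy is the optional step from the list: with `aws:PrincipalAccount` it turns the endpoint into a path that only your own account's principals can use, which is the usual reason to set one on a private-only VPC. Run the script with credentials for the account that owns the VPC; it prints the three endpoint IDs.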

For SSM Agent versions 3.3.40.0 and later, Systems Manager uses the ssmmessages:* endpoint when available instead of the ec2messages:* endpoint. For more information, see the Endpoint connection precedence section in Agent-related API operations (ssmmessages and ec2messages endpoints).

Note: After you complete the configuration, it might take a few minutes for the instance to register as a managed instance. To immediately connect SSM Agent, restart SSM Agent in the instance or restart the instance.

To verify that your instance is a managed instance, complete the following steps:

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Fleet Manager.
  3. Verify that your instance ID is listed under Node ID and the node is in the Running state.

If you experience an issue, then see Why isn't Systems Manager showing my Amazon EC2 instance as a managed instance?
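The verification above, plus two checks the article implies but the console does not show: whether the agent version is at or above 3.3.40.0 (so it prefers the ssmmessages endpoint), and whether the SSM hostnames resolve to private addresses on the instance (the private DNS option from the endpoint steps). This is an added example, not AWS's own code; the boto3 SSM client is passed in, the instance ID is a placeholder, and `SAMPLE_RESPONSE` is a constructed response used only to exercise the parser offline.

```python
"""Verify an instance registered with Systems Manager through the endpoints.

Added example, not AWS's own code. The boto3 SSM client is passed in, and the
response parsing and DNS check are separate functions so they run on
constructed input without credentials.
"""
import ipaddress
import socket

# Agent version from which Systems Manager prefers ssmmessages over ec2messages.
SSMMESSAGES_MIN_VERSION = (3, 3, 40, 0)

# Constructed response in the shape of describe_instance_information(), for offline use.
SAMPLE_RESPONSE = {"InstanceInformationList": [
    {"InstanceId": "i-0abc", "PingStatus": "Online", "AgentVersion": "3.3.40.0"}]}


def managed_instance_status(response, instance_id):
    """Reduce a describe_instance_information response to one status string.

    "not registered" means the instance is missing from the inventory (the
    agent cannot reach the endpoints, or the IAM role is absent); otherwise
    the agent's PingStatus ("Online", "ConnectionLost" or "Inactive").
    """
    for info in response.get("InstanceInformationList", []):
        if info["InstanceId"] == instance_id:
            return info["PingStatus"]
    return "not registered"


def prefers_ssmmessages(agent_version):
    """True when this SSM Agent version uses ssmmessages ahead of ec2messages."""
    parts = tuple(int(p) for p in agent_version.split("."))
    return parts >= SSMMESSAGES_MIN_VERSION


def is_private_address(ip):
    """True for a private (RFC 1918 / ULA) address, i.e. an endpoint's private IP."""
    return ipaddress.ip_address(ip).is_private


def service_resolves_privately(hostname):
    """Run on the instance: with private DNS enabled, an SSM hostname must
    resolve to the endpoint's private IP rather than a public AWS address."""
    return is_private_address(socket.gethostbyname(hostname))


def check_managed_instance(ssm, instance_id):
    """Query Systems Manager for one instance and summarize its registration."""
    response = ssm.describe_instance_information(
        Filters=[{"Key": "InstanceIds", "Values": [instance_id]}])
    status = managed_instance_status(response, instance_id)
    versions = [i["AgentVersion"] for i in response.get("InstanceInformationList", [])
                if i["InstanceId"] == instance_id]
    return {"status": status,
            "agent_version": versions[0] if versions else None,
            "uses_ssmmessages": prefers_ssmmessages(versions[0]) if versions else None}


if __name__ == "__main__":
    import boto3

    REGION, INSTANCE_ID = "eu-west-1", "i-PLACEHOLDER"
    print(check_managed_instance(boto3.client("ssm", region_name=REGION), INSTANCE_ID))
    # DNS check: meaningful only when run from inside the VPC.
    for svc in ("ssm", "ssmmessages", "ec2messages"):
        host = f"{svc}.{REGION}.amazonaws.com"
        print(host, "private" if service_resolves_privately(host) else "PUBLIC")
```

A "not registered" result a few minutes after the endpoints exist usually points at one of three things the article covers: the agent is missing or not restarted, the instance profile lacks the Systems Manager permissions, or the hostnames resolve to public addresses because private DNS is off or a custom resolver bypasses the VPC's own DNS.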

If you don't use the default session preferences, then create the following VPC endpoints to use Session Manager, a capability of AWS Systems Manager:

  • If you use Amazon Simple Storage Service (Amazon S3) logging for Run Command, a capability of Systems Manager, then create the com.amazonaws.[region].s3 gateway endpoint.
  • If you use AWS Key Management Service (AWS KMS) encryption for Session Manager, then create the com.amazonaws.[region].kms endpoint.
  • If you use Amazon CloudWatch Logs for Run Command, then create a service endpoint for your Region.

The VPC endpoint isn't required to connect the instance to Session Manager. However, the VPC endpoint is required to create Windows Volume Shadow Copy Service (VSS)-based snapshots of the instance.

Related information

AWS Systems Manager endpoints and quotas

Setting up AWS Systems Manager

13 Comments

Very helpful article, Daniel, thank you. I followed it and now my configuration works.

AWS
replied 3 years ago

Thanks for sharing; it's helpful. Just a note for others that each interface endpoint is chargeable, so choose the subnets wisely.

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 years ago

Very helpful; thanks. 1 question:

  • under step 9 above, it says "Repeat step 5", but step 5 has to do only with high availability. It should say "repeat the whole set of steps with ec2messages and ssmmessages for Service Name", right? The aim is to end up with 3 service endpoints?

Thanks, Skip

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

The same question as Skip for step 9. Maybe AWS should use some AI to rewrite all the documents in the future to make everything clearer.

replied 2 years ago

Another question is about the security group in the article. Is the security group in the step "Create or modify a security group" the one that will be used for the three endpoints, right? Then what about the EC2's security rule? Any requirements? I want my EC2 inside a private subnet that does not connect to the Internet.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 2 years ago

I'm still confused which ingress/egress directions apply on a VPC endpoint. At URL https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html#sysman-setting-up-vpc-create, I can read:

The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the managed instance. If incoming connections aren't allowed, then the managed instance can't connect to the SSM and EC2 endpoints.

...which suggests that the VPC endpoint is seen as the outer container that receives ingress from its private subnets, and egress out to general AWS Services, right?

replied 2 years ago

Arghh, in the Session Manager tab of the "Connect to your instance" feature, it says:

Verify that your instance's security group and VPC allow HTTPS (port 443) outbound traffic to the following Systems Manager endpoints: ssm.eu-west-1.amazonaws.com, ec2messages.eu-west-1.amazonaws.com, ssmmessages.eu-west-1.amazonaws.com

What does it mean that a SG allows HTTPS outbound traffic to services? In practice, how do you code that? Destination CIDR=? That documentation is just so confusing.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago

I have a question related to the subnet and routing of the EC2 instance we are managing using Systems Manager Session Manager. In a custom VPC, there is a private subnet under which we are running the instance. NOTE: Only the private IP address with no "auto assign public IP address", just the private IP address, and in the route table the routing is towards firewall endpoint -> NAT Gateway -> Internet Gateway.

Question or concern: I can't see the instance in the Fleet Manager window even though I am using the correct IAM role and attaching it to the instance.

AWS
replied 2 years ago

Seems like we can use EC2 Instance Connect Endpoint - https://aws.amazon.com/about-aws/whats-new/2023/06/amazon-ec2-instance-connect-ssh-rdp-public-ip-address/. Is there any difference between those two approaches?

replied a year ago