How do I create Amazon VPC endpoints so that I can use Systems Manager to manage private Amazon EC2 instances without internet access?

5 minute read
7

My Amazon Elastic Compute Cloud (Amazon EC2) instance doesn't have internet access. I want to use AWS Systems Manager to manage my instance.

Resolution

To manage EC2 instances without internet access, configure Systems Manager to use an Amazon Virtual Private Cloud (Amazon VPC) interface endpoint on AWS PrivateLink.

Create an IAM instance profile for Systems Manager

Complete the following steps:

  1. Verify that AWS Systems Manager Agent (SSM Agent) is installed on the instance.
  2. Create an AWS Identity and Access Management (IAM) instance profile. You can create a new role, or add the necessary permissions to an existing role.
  3. Attach the IAM role to your instance.
  4. Open the Amazon EC2 console, and then select your instance.
  5. Choose the Description tab, and then note the VPC ID and Subnet ID.

Note: If you're using Default Host Management Configuration to manage your instances, then you don't need to create an IAM instance profile to manage instances.

Create or modify a security group

Create a security group, or modify an existing security group. Attach the security group to your instance. The security group must allow outbound traffic on port 443 to the VPC endpoints. Also, attach a security group to the VPC endpoint. The security group must allow inbound HTTPS (port 443) traffic from the resources in your VPC that communicate with the service. For more information, see Security group rules for different use cases.

Note: You can create one security group for the inbound and outbound rules and attach it to the instance and the VPC endpoint.

To configure the security group for the VPC endpoint, complete the following steps:

  1. Open the Amazon VPC console.
  2. Choose Security groups, and then select the new security group.
  3. On the Inbound rules tab, choose Edit inbound rules.
  4. Add a rule with the following details:
    For Type, choose HTTPS.
    For Source, select your VPC CIDR.
    For advanced configuration, you can allow the CIDR for specific subnets in the VPC or a security group that your instances use.
  5. Note the security group ID to use with the other endpoints.
  6. Choose Save rules.

Create and configure a VPC endpoint for Systems Manager

Note: VPC endpoints map to a specific subnet. If you select multiple subnets when you create the VPC endpoints, then one endpoint is created for each selected subnet. Your billing costs increase because you incur charges for each endpoint.

Complete the following steps:

  1. Create a VPC endpoint.
  2. For Service name, select com.amazonaws.[region].ssm. For a list of AWS Region codes, see Available Regions.
  3. For VPC, choose the VPC ID for your instance.
  4. For Subnets, choose a Subnet ID in your VPC.
    For High availability, choose at least two subnets from different Availability Zones within the same Region.
    Note: If you have more than one subnet in the same Availability Zone, then you don't need to create VPC endpoints for the extra subnets. Other subnets within the same Availability Zone can access and use the interface.
  5. For Security group, select your security group.
  6. (Optional) For an advanced setup, create an interface VPC endpoint policy for Systems Manager.
    Note: VPC endpoints require an AWS provided DNS (VPC CIDR+2). If you're using a custom DNS, then use Amazon Route 53 Resolver for the correct name resolution.
  7. Repeat steps 2-6 with the following changes:
    For the Session Manager endpoint, select com.amazonaws.[region].ssmmessages for the service name.
    For EC2 Messages endpoint, select com.amazonaws.[region].ec2messages for the service name.
    Note: For SSM Agent versions 3.3.40.0 and later, Systems Manager uses the ssmmessages:* endpoint when available instead of the ec2messages:* endpoint. For more information, see the Endpoint connection precedence section in Agent-related API operations (ssmmessages and ec2messages endpoints).

To verify that your instance is registered as a managed instance, complete the following steps:

  1. Open the Systems Manager console.
  2. In the navigation pane, choose Fleet Manager.
  3. Verify that your instance ID is listed under Node ID and the node is in the Running state.

Note: After you complete the configuration, it might take a few minutes for the instance to register as a managed instance. To have SSM Agent connect immediately, restart SSM Agent in the instance or restart the instance.

If you don't use the default session preferences, then create the following VPC endpoints to use Session Manager, a capability of AWS Systems Manager:

  • If you use Amazon Simple Storage Service (Amazon S3) logging for Run Command, a capability of Systems Manager, then create the com.amazonaws.region.s3 gateway endpoint.
  • If you use AWS Key Management Service (AWS KMS) encryption for Session Manager, then create the com.amazonaws.region.kms endpoint.
  • If you use Amazon CloudWatch Logs for Run Command, then create a service endpoint for your Region.

The VPC endpoint isn't required to connect the instance to Session Manager. The VPC endpoint is required to create Windows Volume Shadow Copy Service (VSS)-based snapshots of the instance.

Related information

AWS Systems Manager endpoints and quotas

Setting up AWS Systems Manager

13 Comments

Very helpful article, Daniel, thank you. I followed it and now my configuration works.

AWS
replied 2 years ago

Thanks for sharing and its helpful, Just a note for others that each interface endpoint is chargeable so choose the subnets wisely.

profile picture
replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 2 years ago

Very helpful; thanks. 1 question:

  • under step 9 above, it says "Repeat step 5", but step 5 has to do only with high availability. It should say "repeat the whole set of steps with ec2messages and ssmmessages for Service Name", right? The aim is to end up with 3 service endpoints?

Thanks, Skip

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago

the same question as Skip for step 9. Maybe AWS should use some AI to re-write all the documents in the future to make everything clearer

replied a year ago

Another question is about he security group in the article, is that security group in step "Create or modify a security group", it will be used for the three endpoint ,right? Then how about the EC2' s security rule? Any requirements? I want my EC2 inside a private subnet, does not connect to the Internet.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
EXPERT
replied a year ago

I'm still confused which ingress/egress directions apply on a VPC endpoint. At URL https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html#sysman-setting-up-vpc-create, I can read:

The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the managed instance. If incoming connections aren't allowed, then the managed instance can't connect to the SSM and EC2 endpoints.

...which suggests that the VPC endpoint is seen as the outer container that receives ingress from its private subnets, and egress out to general AWS Services, right?

profile picture
replied a year ago

Arghh, In Session Manager Tab of "Connect to your instance" feature, it says:

Verify that your instance's security group and VPC allow HTTPS (port 443) outbound traffic to the following Systems Manager endpoints: ssm.eu-west-1.amazonaws.com, ec2messages.eu-west-1.amazonaws.com, ssmmessages.eu-west-1.amazonaws.com

What does it mean that a SG allows HTTPS outbound traffic to services? In practice, how do you code that? Destination CIDR=? That documentation is just so confusing.

profile picture
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago

I have a question related to the subnet and routing of the EC2 instance we are managing using systems manager session manager. In a Custom VPC, there is a private subnet under which we are running the instance. NOTE : Only the private ip address with no "auto assign public ip address", just the private IP address and in route table, the routing is towards firewall endpoint -> Nat Gateway -> Internet Gateway.

Question or Concern : I can't see instance in a fleet manager window even though I am using correct IAM role and attaching to instance.

profile pictureAWS
replied a year ago

Seems like we can use EC2 Instance Connect Endpoint - https://aws.amazon.com/about-aws/whats-new/2023/06/amazon-ec2-instance-connect-ssh-rdp-public-ip-address/. Is there any difference between those two approaches?

profile picture
replied 6 months ago