How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?

4 minute read
7

My Amazon Elastic Compute Cloud (Amazon EC2) instance doesn't have internet access. I want to use AWS Systems Manager to manage my instance.

Resolution

To use Systems Manager to manage Amazon EC2 instances, you must register Amazon EC2 instances as managed instances.

Note: Virtual private cloud (VPC) endpoints map to a specific subnet. If you select multiple subnets when you create the VPC endpoints, then one endpoint is created for each selected subnet. This increases billing costs because you incur charges for each endpoint.

Create an IAM instance profile for Systems Manager

Complete the following steps:

  1. Verify that SSM Agent is installed on the instance.
  2. Create an AWS Identity and Access Management (IAM) instance profile. You can create a new role, or add the necessary permissions to an existing role.
  3. Attach the IAM role to your instance.
  4. Open the Amazon EC2 console, and then select your instance.
  5. Choose the Description tab, and then note the VPC ID and Subnet ID.

Create or modify a security group

Create a security group, or modify an existing security group. The security group must allow inbound HTTPS (port 443) traffic from the resources in your VPC that communicate with the service.

If you create a new security group, then complete the following steps to configure the security group:

  1. Open the Amazon VPC console.
  2. Choose Security Groups, and then select the new security group.
  3. In the Inbound rules tab, choose Edit inbound rules.
  4. Add a rule with the following details:
    For Type, choose HTTPS.
    For Source, choose your VPC CIDR.
    For Advanced configuration, you can allow the CIDR for specific subnets that your EC2 instances use.
  5. Note the security group ID to use with the other endpoints.
  6. Choose Save rules.

Create and configure a VPC endpoint for Systems Manager

Complete the following steps:

  1. Create a VPC endpoint.
  2. For Service Name, select com.amazonaws.[region].ssm. For example, com.amazonaws.us-east-1.ssm. For a list of AWS Region codes, see Available Regions.
  3. For VPC, choose the VPC ID for your instance.
  4. For Subnets, choose a Subnet ID in your VPC.
  5. For High availability, choose at least two subnets from different Availability Zones within the Region.
    Note: If you have more than one subnet in the same Availability Zone, then you don't need to create VPC endpoints for the extra subnets. Any other subnets within the same Availability Zone can access and use the interface.
  6. For Enable DNS name, choose Enable for this endpoint. For more information, see Access an AWS service using an interface VPC endpoint.
  7. For Security group, select an existing security group, or create a new one. The security group must allow inbound HTTPS (port 443) traffic from the resources in your VPC that communicate with the service.
  8. (Optional) For advanced setup, create an interface VPC endpoint policy for Systems Manager.
    Note: VPC endpoints require an AWS provided DNS (VPC CIDR+2). If you're using a custom DNS, then use Amazon Route 53 Resolver for the correct name resolution. For more information, see the following documentation:
    Access an AWS service using an interfaced VPC endpoint
    Resolving DNS queries between VPCs and your network
  9. Repeat step 2 with the following change:
    For Service Name, select com.amazonaws.[region].ec2messages.

If you create a security group, then complete the steps in the preceding section Create or modify a security group to configure the security group.

After you create the three endpoints, your instance appears in Managed Instances. 

Note: To use Session Manager, create the following VPC endpoints:

  • AWS Systems Manager: com.amazonaws.region.ssm
  • Session Manager: com.amazonaws.region.ssmmessages
  • (Optional) AWS Key Management Service (AWS KMS): com.amazonaws.region.kms
    Note: This endpoint is required only if you use AWS KMS encryption for Session Manager.
  • (Optional) Amazon CloudWatch Logs
    Note: This endpoint is required only if you use Amazon CloudWatch Logs for Session Manager, Run Command.

The EC2 VPC endpoint isn't required to connect the instance to Session Manager. The EC2 VPC endpoint is required to create VSS-activated snapshots of the instance.

For more information, see Creating VPC endpoints for Systems Manager.

Related information

AWS Systems Manager endpoints and quotas

Setting up AWS Systems Manager

Use AWS PrivateLink to set up a VPC endpoint for Session Manager

AWS OFFICIAL
AWS OFFICIALUpdated 8 months ago
12 Comments

Very helpful article, Daniel, thank you. I followed it and now my configuration works.

AWS
replied a year ago

Thanks for sharing and its helpful, Just a note for others that each interface endpoint is chargeable so choose the subnets wisely.

profile picture
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied a year ago

Very helpful; thanks. 1 question:

  • under step 9 above, it says "Repeat step 5", but step 5 has to do only with high availability. It should say "repeat the whole set of steps with ec2messages and ssmmessages for Service Name", right? The aim is to end up with 3 service endpoints?

Thanks, Skip

Skip
replied 8 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 8 months ago

the same question as Skip for step 9. Maybe AWS should use some AI to re-write all the documents in the future to make everything clearer

dia
replied 4 months ago

Another question is about he security group in the article, is that security group in step "Create or modify a security group", it will be used for the three endpoint ,right? Then how about the EC2' s security rule? Any requirements? I want my EC2 inside a private subnet, does not connect to the Internet.

dia
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 4 months ago

I'm still confused which ingress/egress directions apply on a VPC endpoint. At URL https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html#sysman-setting-up-vpc-create, I can read:

The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the managed instance. If incoming connections aren't allowed, then the managed instance can't connect to the SSM and EC2 endpoints.

...which suggests that the VPC endpoint is seen as the outer container that receives ingress from its private subnets, and egress out to general AWS Services, right?

replied 3 months ago

Arghh, In Session Manager Tab of "Connect to your instance" feature, it says:

Verify that your instance's security group and VPC allow HTTPS (port 443) outbound traffic to the following Systems Manager endpoints: ssm.eu-west-1.amazonaws.com, ec2messages.eu-west-1.amazonaws.com, ssmmessages.eu-west-1.amazonaws.com

What does it mean that a SG allows HTTPS outbound traffic to services? In practice, how do you code that? Destination CIDR=? That documentation is just so confusing.

replied 3 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 3 months ago

I have a question related to the subnet and routing of the EC2 instance we are managing using systems manager session manager. In a Custom VPC, there is a private subnet under which we are running the instance. NOTE : Only the private ip address with no "auto assign public ip address", just the private IP address and in route table, the routing is towards firewall endpoint -> Nat Gateway -> Internet Gateway.

Question or Concern : I can't see instance in a fleet manager window even though I am using correct IAM role and attaching to instance.

profile pictureAWS
replied 2 months ago