- Newest
- Most votes
- Most comments
Hi,
The SSM agent doesn't require any inbound ports to be opened, all communication from the agent is outbound HTTPS to the SSM and EC2 Messages endpoints in the region where your instances are registered:
https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent.html
Hope that helps.
/Mats
Session Manager does not require any inbound ports to support any of the features it supports. Even if you make use of the SSH tunneling feature of Session Manager (https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager-getting-started-enable-ssh-connections.html), there's no need for any inbound ports to be open.
/Mats
An inbound port is required to create a Systems Manager Session Manager session.
The minimum requirement seems to be port 22 inbound from the security group itself - port 22 can be happily blocked in the VPC NACL and just allowed on the Security Group from the security group to itself.
Relevant content
- asked 10 months ago
- asked 2 years ago
AWS OFFICIALUpdated 6 months ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 3 years ago
It's kind of implied but you must allow inbound traffic to port 443. I was having trouble with session manager not working unless I exposed port 22. However once I blocked 22 and opened 443 it worked.