By using AWS re:Post, you agree to the Terms of Use
/security group for session manager/

security group for session manager

0

Hi All,

I have an EC2 instance in a private subnet, I connect to it using session manager via AWS console.

actually, the outbound rule of the security Group of the private EC2 instance is : All traffic / all/ 0.0.0.0/0

when I delete that rule I cannot anymore connect to the EC2 instance :

Your session has been terminated for the following reasons:  
----------ERROR------- Setting up data channel with id xxxxxxxxx-04retceff7ddr5 failed: 
failed to create websocket for datachannel with error: CreateDataChannel failed with no output or error: createDataChannel request failed: 
failed to make http client call: Post "https://ssmmessages.region1.amazonaws.com/v1/data-channel/xxxxxxxxx-04fgffgffdgefbdder": 
context deadline exceeded (Client.Timeout exceeded while awaiting headers)

what is the right outbound SG rule that allows me to connect to my instance via AWS console session manager knowing that I don't have a VPC interface for SSM?

1 Answers
0

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-prereqs.html

(Recommended) Create a VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC) to use with Systems Manager.

If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints. For information, see (Optional) Create a Virtual Private Cloud endpoint.

answered 2 months ago
  • so I need to white list SSM endpoints with IPs in AWS public services JSON file? wich IP address I need to put as destination on the outbound SG rule

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions