By using AWS re:Post, you agree to the Terms of Use

security group for session manager


Hi All,

I have an EC2 instance in a private subnet, I connect to it using session manager via AWS console.

actually, the outbound rule of the security Group of the private EC2 instance is : All traffic / all/

when I delete that rule I cannot anymore connect to the EC2 instance :

Your session has been terminated for the following reasons:  
----------ERROR------- Setting up data channel with id xxxxxxxxx-04retceff7ddr5 failed: 
failed to create websocket for datachannel with error: CreateDataChannel failed with no output or error: createDataChannel request failed: 
failed to make http client call: Post "": 
context deadline exceeded (Client.Timeout exceeded while awaiting headers)

what is the right outbound SG rule that allows me to connect to my instance via AWS console session manager knowing that I don't have a VPC interface for SSM?

1 Answer

(Recommended) Create a VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC) to use with Systems Manager.

If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints. For information, see (Optional) Create a Virtual Private Cloud endpoint.

answered 7 months ago
  • so I need to white list SSM endpoints with IPs in AWS public services JSON file? wich IP address I need to put as destination on the outbound SG rule

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions