security group for session manager

Question

Hi All,

I have an EC2 instance in a private subnet, I connect to it using session manager via AWS console.

actually, the outbound rule of the security Group of the private EC2 instance is : All traffic / all/ 0.0.0.0/0

when I delete that rule I cannot anymore connect to the EC2 instance :

```
Your session has been terminated for the following reasons:  
----------ERROR------- Setting up data channel with id xxxxxxxxx-04retceff7ddr5 failed: 
failed to create websocket for datachannel with error: CreateDataChannel failed with no output or error: createDataChannel request failed: 
failed to make http client call: Post "https://ssmmessages.region1.amazonaws.com/v1/data-channel/xxxxxxxxx-04fgffgffdgefbdder": 
context deadline exceeded (Client.Timeout exceeded while awaiting headers)
```

what is the right outbound SG rule that allows me to connect to my instance via AWS console session manager knowing that I don't have a VPC interface for SSM?

Answer

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-prereqs.html

(Recommended) Create a VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC) to use with Systems Manager.

If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints. For information, see (Optional) Create a Virtual Private Cloud endpoint.

security group for session manager

Relevant questions

inbound rule of security group for EC2 Instance in private subnet

Session Manager to connect ec2 instance cannot be enabled

Session Manager unable to connect to instance in public subnet

What is the difference between EC2 Instance Connect and Session Manager SSH connections?

With a Security group I can't connect to EC2 instance

From docker container need to connect RDS - Using Session Manager

Session Manager for EC2 without internet access

Unable to use Session Manager on EC2 instances in a private subnet with SSM VPC endpoint