security group for session manager

Question

Hi All,

I have an EC2 instance in a private subnet, I connect to it using session manager via AWS console.

actually, the outbound rule of the security Group of the private EC2 instance is : All traffic / all/ 0.0.0.0/0

when I delete that rule I cannot anymore connect to the EC2 instance :

```
Your session has been terminated for the following reasons:  
----------ERROR------- Setting up data channel with id xxxxxxxxx-04retceff7ddr5 failed: 
failed to create websocket for datachannel with error: CreateDataChannel failed with no output or error: createDataChannel request failed: 
failed to make http client call: Post "https://ssmmessages.region1.amazonaws.com/v1/data-channel/xxxxxxxxx-04fgffgffdgefbdder": 
context deadline exceeded (Client.Timeout exceeded while awaiting headers)
```

what is the right outbound SG rule that allows me to connect to my instance via AWS console session manager knowing that I don't have a VPC interface for SSM?

Answer

https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-prereqs.html

(Recommended) Create a VPC endpoint in Amazon Virtual Private Cloud (Amazon VPC) to use with Systems Manager.

If you don't use a VPC endpoint, configure your managed instances to allow HTTPS (port 443) outbound traffic to the Systems Manager endpoints. For information, see (Optional) Create a Virtual Private Cloud endpoint.

security group for session manager

Relevant questions

This instance type is not supported for the EC2 serial console

AWS SSO Access for Linux?

security group for session manager

What protocol and port # does SSM agent run on?

Session Manager for EC2 without internet access

Connect to RDS using SSM

Can't connect to RDS database from remote

What is the difference between EC2 Instance Connect and Session Manager SSH connections?

Unable to use Session Manager on EC2 instances in a private subnet with SSM VPC endpoint

Rotation lambda timing out but using Secrets Manager VPC Endpoint