
EC2 instances not able to communicate with Systems Manager when no public IP is automatically assigned

0

Hi,

As I understand it, Session Manager can be used to connect to an EC2 instance that does not have a public IP address [1]. Further, one of the options available to manage sessions is assignment of a suitable instance profile. I can confirm that I have this working when the instance has a public IP, however it does not work when the instance does not have a public IP. With exception of the public IP, the instances are otherwise identical.

As I am still learning AWS, and this includes considerations around AWS networking, and I have done a little digging, it appears that the instances still need Internet access. Can I confirm that traffic initiated from the SSM Agent goes out to the Internet, and back into AWS, or is it the case that it goes 'out' from the perspective of my VPC, but stays in AWS networks?

Further - as I have both instances in my default VPC, and there is a default VPC setup, although I have an IGW attached, this only enables Internet access to instances that have public IPs. I would need a NAT gateway - so hourly charge plus per GB charges.

Is there any option through which I would be able to access my instances (presently looking at SSH), without a need for a public IP to be assigned, either directly to the instance or via a NAT? Cloud Shell connects over the Internet (and I understand why). I understand there needs to be some point where there is Internet traffic, however I am trying to minimize costs and exposure where possible.

I am looking at VPC endpoints and PrivateLink - "AWS PrivateLink restricts all network traffic between your managed instances, Systems Manager, and Amazon EC2 to the Amazon network. This means that your managed instances don't have access to the Internet. If you use AWS PrivateLink, you don't need an internet gateway, a NAT device, or a virtual private gateway." - We appear to be billed per endpoint per hour per AZ [2], and per GB processed - at the time of writing, currently roughly $0.01 and $0.01.

Or any other thoughts for a newbie?

[1] https://docs.aws.amazon.com/systems-manager/latest/userguide/session-manager.html (Who should use Session Manager)
[2] https://aws.amazon.com/privatelink/pricing/

2 Answers
0
Accepted Answer

Hello.

As re:Post Agent answered, if you create a VPC endpoint for Systems Manager and can connect to the VPC endpoint from EC2 using HTTPS, you can connect using Session Manager.
https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html

Another method is SSH connection using EC2 Instance Connect Endpoint.
With EC2 Instance Connect Endpoint, EC2 does not require a public IP address.
EC2 Instance Connect Endpoint itself is free to use.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-with-ec2-instance-connect-endpoint.html

I think the following blog will be helpful for setting up EC2 Instance Connect Endpoint.
https://nipulpatel1908.medium.com/how-to-setup-aws-ec2-instance-connect-endpoint-f73e4db9d7fc

EXPERT - answered a month ago
EXPERT - reviewed a month ago
0

You're correct that Session Manager can be used to connect to EC2 instances without public IP addresses. However, the instances still need a way to communicate with the Systems Manager service. Let's clarify a few points:

  1. SSM Agent Communication: The SSM Agent on your EC2 instances communicates with the Systems Manager service within the AWS network. It doesn't go out to the public internet and back into AWS. However, it does need a way to reach the Systems Manager endpoints.

  2. Internet Gateway (IGW) and Public IPs: As you've observed, an IGW only enables internet access for instances with public IPs. Instances without public IPs in a private subnet can't use the IGW directly.

  3. Options for Private Instances:
     a. NAT Gateway: This is one option, but as you mentioned, it incurs hourly and data transfer costs.
     b. VPC Endpoints: This is the recommended solution for your scenario. By using VPC endpoints for Systems Manager, you can enable private communication between your instances and the Systems Manager service without requiring public IPs or internet access.

  4. VPC Endpoints and AWS PrivateLink: You're on the right track with this. Using VPC endpoints allows your instances to communicate with Systems Manager securely within the AWS network. This eliminates the need for public IPs, internet gateways, or NAT devices. While there is a cost associated with VPC endpoints, it's often more cost-effective and secure than using NAT gateways, especially for larger deployments.

To set up VPC endpoints for Systems Manager:

  1. Create endpoints for ssm, ssmmessages, and ec2messages.
  2. Ensure your VPC's DNS settings are enabled.
  3. Configure your security groups to allow traffic to these endpoints.

This setup will allow your private instances to communicate with Systems Manager without public IPs or internet access, providing a secure and cost-effective solution for managing your EC2 instances.

For a newbie, focusing on VPC endpoints is a good approach. It balances security, cost, and functionality while giving you valuable experience with AWS networking concepts. As you grow more comfortable, you can explore other advanced networking features to further optimize your setup.
Sources:
  - AWS Systems Manager Session Manager - AWS Systems Manager
  - Learn technical details about the SSM Agent - AWS Systems Manager
  - Working with SSM Agent - AWS Systems Manager

answered a month ago
EXPERT - reviewed a month ago
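The three setup steps in the answer above (create the ssm, ssmmessages and ec2messages endpoints; enable VPC DNS; allow traffic to the endpoints), plus the EC2 Instance Connect Endpoint alternative from the accepted answer, as one added example. This is not code from the thread or from AWS; it is a POSIX shell script around the AWS CLI. It runs in dry-run mode by default and only prints the calls it would make, so it can be read and tested offline; set DRY_RUN=0 to execute. The region, VPC id, subnet ids, the security group name `ssm-endpoints` and the placeholder ids returned in dry-run mode are all assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example, not code from the re:Post thread. Prints (DRY_RUN=1, the default)
# or executes (DRY_RUN=0) the AWS CLI calls that give private instances a path to
# Systems Manager without a public IP, an IGW or a NAT gateway:
#   - the ssm / ssmmessages / ec2messages interface endpoints from the answer above
#   - an EC2 Instance Connect Endpoint for SSH, the accepted answer's alternative
# All ids below are placeholders; override them through the environment.
set -e
DRY_RUN="${DRY_RUN:-1}"
REGION="${REGION:-eu-west-2}"
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"
SUBNET_IDS="${SUBNET_IDS:-subnet-0aaaaaaaaaaaaaaa0 subnet-0bbbbbbbbbbbbbbb0}"

# Mutating call: print it in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*" >&2; else "$@"; fi
}

# Call whose output feeds a later step: in dry-run mode print it and return a placeholder.
capture() {
  placeholder="$1"; shift
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY-RUN: %s\n' "$*" >&2; printf '%s\n' "$placeholder"
  else
    "$@"
  fi
}

# Interface endpoint service names follow the pattern com.amazonaws.<region>.<service>.
ssm_service_name() { printf 'com.amazonaws.%s.%s\n' "$1" "$2"; }
# The three services Session Manager needs, per the answer above.
ssm_endpoint_suffixes() { printf '%s\n' ssm ssmmessages ec2messages; }

# Step 2: the endpoints' private DNS names only resolve when both VPC DNS attributes are on.
enable_vpc_dns() {
  run aws ec2 modify-vpc-attribute --region "$REGION" --vpc-id "$VPC_ID" --enable-dns-support Value=true
  run aws ec2 modify-vpc-attribute --region "$REGION" --vpc-id "$VPC_ID" --enable-dns-hostnames Value=true
}

# Step 3: a security group for the endpoint network interfaces that admits only HTTPS
# from inside the VPC; the SSM Agent talks to the endpoints over TCP/443.
create_endpoint_sg() {
  vpc_cidr=$(capture 172.31.0.0/16 aws ec2 describe-vpcs --region "$REGION" --vpc-ids "$VPC_ID" \
      --query 'Vpcs[0].CidrBlock' --output text)
  sg_id=$(capture sg-0placeholder aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
      --group-name ssm-endpoints --description "HTTPS from VPC to SSM endpoints" \
      --query GroupId --output text)
  run aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg_id" \
      --protocol tcp --port 443 --cidr "$vpc_cidr"
  printf '%s\n' "$sg_id"
}

# Step 1: one interface endpoint per service, with private DNS so the agent's default
# hostnames (ssm.<region>.amazonaws.com and friends) resolve to the endpoint interfaces.
create_ssm_endpoints() {
  sg_id="$1"
  for svc in $(ssm_endpoint_suffixes); do
    # $SUBNET_IDS is deliberately unquoted: one endpoint spans several subnets.
    run aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" --vpc-endpoint-type Interface \
        --service-name "$(ssm_service_name "$REGION" "$svc")" --subnet-ids $SUBNET_IDS \
        --security-group-ids "$sg_id" --private-dns-enabled
  done
}

# Check: an instance whose agent can reach the endpoints reports PingStatus "Online".
show_managed_instances() {
  run aws ssm describe-instance-information --region "$REGION" \
      --query 'InstanceInformationList[].[InstanceId,PingStatus]' --output table
}

# Accepted answer's alternative for SSH: an EC2 Instance Connect Endpoint in one subnet.
# Its security group needs outbound TCP/22 to the instances, and the instance security
# group must allow TCP/22 from that group (not from 0.0.0.0/0).
create_eic_endpoint() {
  subnet_id="$1"; sg_id="$2"
  run aws ec2 create-instance-connect-endpoint --region "$REGION" --subnet-id "$subnet_id" \
      --security-group-ids "$sg_id" --preserve-client-ip
}

main() {
  enable_vpc_dns
  sg=$(create_endpoint_sg)
  create_ssm_endpoints "$sg"
  show_managed_instances
}
main
```

Once the endpoints exist and the instance has an instance profile with the SSM managed policy, `aws ssm start-session --target <instance-id>` works from any workstation with AWS credentials; the instance itself never needs a route to the Internet. For the EC2 Instance Connect Endpoint path, `aws ec2-instance-connect ssh --instance-id <instance-id> --connection-type eice` opens the SSH session through the endpoint.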
