Session Manager for EC2 without internet access


I just created a EC2 inside a fully private VPC (without IGW, without NAT, no internet access at all), and follow the instructuion to create endpoints. As a test result, what I found is I can't connect to this EC2 using session manager via browser

Here's the link to the instructions I've followed,

To verify and compare, then I just created 2 cloudformationized environment to make sure I am using same EC2 AMI, Same IAM Profile, Same endpoints and endpoint SG policy (allow all traffics), same VPC enableDNS settings, same ACL (allow all traffic). The only difference is one of the EC2 have outbound internet access.

The test result is:

Only EC2 have outbount internet access can be connected using session manager via browser.

Is that correct ?

asked 2 years ago277 views
1 Answer
Accepted Answer

The EC2 Instance doesn't need to have outbound internet access (NAT or IGW).

I've had similar issues in the past, ensure you have all three service endpoints setup (Security Group & Subnet mappings):

  • com.amazonaws.[region].ssm
  • com.amazonaws.[region].ssmmessages
  • com.amazonaws.[region].ec2messages

Security Group for the Endpoints should allow HTTPS access from your VPC range (or narrowed down), and if you've modified the outbound rules on your Instance's Security Group - verify that too.

For completeness: issue was missing of Private DNS for Endpoints.

        PrivateDnsEnabled: True
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions