AWS SSM with on-prem servers using VPC endpoints for S3 patch payloads

0

I cannot get my on-prem linux VMs to patch using VPC endpoints. How can I configure them to use the S3 VPC gateway/endpoint in our VPC? The documentation is severely lacking in this configuration mode.

I have Mds and SSM configured in the amazon-ssm-agent.json using VPC endpoints (also not documented by Amazon) but how do I configure the VM to use our VPC to access S3 to download patch payloads? They still attempt to connect to public S3 buckets to get patches, but we do not allow these servers to be on the open internet. We use DirectConnect for a site-to-site from our colo to VPCs.

No matter what I try, the VM will keep attempting to use public S3 and fails. Patch error output:

10/19/2022 10:01:13 root [INFO]: Downloading payload from https://s3.dualstack.us-east-1.amazonaws.com/aws-ssm-us-east-1/patchbaselineoperations/linux/payloads/patch-baseline-operations-1.96.tar.gz

10/19/2022 10:03:23 root [ERROR]: Error code returned from curl is 7

1 Answer
0

Have you taken a look at this blog post that explains how to privately access S3 from on-prem servers - https://aws.amazon.com/blogs/networking-and-content-delivery/secure-hybrid-access-to-amazon-s3-using-aws-privatelink/

AWS
Expert
Answered 2 years ago
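The payload URL in the patch log (s3.dualstack.us-east-1.amazonaws.com, path-style) is chosen by the patch baseline operation, not by anything in amazon-ssm-agent.json, so the VM-side lever the linked blog post relies on is DNS: the S3 hostname has to resolve on-prem to the private address of the S3 interface endpoint, and that address has to be reachable over the Direct Connect path on TCP/443. The script below is an added diagnostic written for this thread, not code from the question, the answer or AWS. It runs on the on-prem VM, resolves the two S3 hostnames through the VM's own resolver (the same path the agent's curl takes), reports whether the answers are RFC 1918 addresses, and then probes HTTPS so that curl exit code 7 (could not connect), the code in the patch log, is shown with its meaning. It assumes glibc getent, awk and curl are present; the `check` argument, the script name and the sample IP addresses in the comments are constructed for the example.

```shell
#!/bin/sh
# Added diagnostic for the on-prem SSM patch path (not from the original thread).
# Checks whether the S3 hostnames the patch download uses resolve to private
# (VPC interface endpoint) addresses and whether HTTPS to them connects.

# Hostname seen in the patch log plus its non-dualstack regional sibling.
S3_HOSTS="s3.dualstack.us-east-1.amazonaws.com s3.us-east-1.amazonaws.com"

# is_private_ipv4 ADDR: succeeds when ADDR is in RFC 1918 space
# (10/8, 172.16/12, 192.168/16), e.g. a constructed 10.20.30.40.
is_private_ipv4() {
    a=$(printf '%s' "$1" | cut -d. -f1)
    b=$(printf '%s' "$1" | cut -d. -f2)
    case "$a" in ''|*[!0-9]*) return 1 ;; esac
    case "$b" in ''|*[!0-9]*) return 1 ;; esac
    [ "$a" -eq 10 ] && return 0
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 0
    [ "$a" -eq 192 ] && [ "$b" -eq 168 ] && return 0
    return 1
}

# classify_addresses ADDR...: prints private, public, mixed, or none for a
# list of resolved addresses; pure function so it can be tested offline.
classify_addresses() {
    if [ $# -eq 0 ]; then echo none; return; fi
    priv=0; pub=0
    for ip in "$@"; do
        if is_private_ipv4 "$ip"; then priv=$((priv + 1)); else pub=$((pub + 1)); fi
    done
    if [ "$pub" -eq 0 ]; then echo private
    elif [ "$priv" -eq 0 ]; then echo public
    else echo mixed
    fi
}

# describe_curl_exit CODE: meaning of the curl exit codes relevant here.
describe_curl_exit() {
    case "$1" in
        0)  echo "connected" ;;
        6)  echo "could not resolve host" ;;
        7)  echo "could not connect to host (the code in the patch log)" ;;
        28) echo "connection timed out" ;;
        *)  echo "curl exit $1, see curl(1)" ;;
    esac
}

# check_host HOST: resolve via the VM's resolver, classify the answers, then
# probe HTTPS to confirm the endpoint address is reachable over Direct Connect.
check_host() {
    host=$1
    addrs=$(getent ahostsv4 "$host" 2>/dev/null | awk '{print $1}' | sort -u)
    if [ -z "$addrs" ]; then
        echo "$host: no A record; on-prem DNS is not forwarding this zone"
        return 1
    fi
    # Word-splitting the address list is intended here.
    verdict=$(classify_addresses $addrs)
    echo "$host -> $(printf '%s ' $addrs)[$verdict]"
    if [ "$verdict" != private ]; then
        echo "  resolves to public S3, so the download takes the internet path this network blocks"
    fi
    if curl -s --connect-timeout 5 -o /dev/null "https://$host/"; then
        rc=0
    else
        rc=$?
    fi
    echo "  https://$host/: $(describe_curl_exit "$rc")"
    [ "$rc" -eq 0 ]
}

main() {
    status=0
    for h in $S3_HOSTS; do check_host "$h" || status=1; done
    return $status
}

# Run the checks only when invoked as `sh s3-endpoint-check.sh check`, so the
# functions can also be sourced into a shell for ad-hoc use.
if [ "${1:-}" = check ]; then main; fi
```

A host that resolves to a public address with curl exit 7 is the symptom in the question: the on-prem resolver is still handing out public S3 records, so conditional forwarding of the S3 zone to a Route 53 Resolver inbound endpoint (or a hosts entry for the interface endpoint's private IPs, as the blog post describes) has not taken effect on that VM. A private address with exit 7 points at the network path instead: a security group on the interface endpoint or a missing route over Direct Connect for the endpoint subnet.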
