How do I create VPC endpoints so that I can use Systems Manager to manage private EC2 instances without internet access?


My Amazon Elastic Compute Cloud (Amazon EC2) instance doesn't have internet access. I want to use AWS Systems Manager to manage my instance.

Resolution

To use Systems Manager to manage Amazon EC2 instances, you must register Amazon EC2 instances as managed instances.

Note: Virtual private cloud (VPC) endpoints map to a specific subnet. If you select multiple subnets when you create the VPC endpoints, then one endpoint is created for each selected subnet. This increases billing costs because you incur charges for each endpoint.

Create an IAM instance profile for Systems Manager

Complete the following steps:

  1. Verify that SSM Agent is installed on the instance.
  2. Create an AWS Identity and Access Management (IAM) instance profile. You can create a new role, or add the necessary permissions to an existing role.
  3. Attach the IAM role to your instance.
  4. Open the Amazon EC2 console, and then select your instance.
  5. Choose the Description tab, and then note the VPC ID and Subnet ID.

Create or modify a security group

Create a security group, or modify an existing security group. The security group must allow inbound HTTPS (port 443) traffic from the resources in your VPC that communicate with the service.

If you create a new security group, then complete the following steps to configure the security group:

  1. Open the Amazon VPC console.
  2. Choose Security Groups, and then select the new security group.
  3. In the Inbound rules tab, choose Edit inbound rules.
  4. Add a rule with the following details:
    For Type, choose HTTPS.
    For Source, choose your VPC CIDR.
    For Advanced configuration, you can allow the CIDR for specific subnets that your EC2 instances use.
  5. Note the security group ID to use with the other endpoints.
  6. Choose Save rules.

Create and configure a VPC endpoint for Systems Manager

Complete the following steps:

  1. Create a VPC endpoint.
  2. For Service Name, select com.amazonaws.[region].ssm. For example, com.amazonaws.us-east-1.ssm. For a list of AWS Region codes, see Available Regions.
  3. For VPC, choose the VPC ID for your instance.
  4. For Subnets, choose a Subnet ID in your VPC.
  5. For High availability, choose at least two subnets from different Availability Zones within the Region.
    Note: If you have more than one subnet in the same Availability Zone, then you don't need to create VPC endpoints for the extra subnets. Any other subnets within the same Availability Zone can access and use the interface.
  6. For Enable DNS name, choose Enable for this endpoint. For more information, see Access an AWS service using an interface VPC endpoint.
  7. For Security group, select an existing security group, or create a new one. The security group must allow inbound HTTPS (port 443) traffic from the resources in your VPC that communicate with the service.
  8. (Optional) For advanced setup, create an interface VPC endpoint policy for Systems Manager.
    Note: VPC endpoints require an AWS-provided DNS (VPC CIDR+2). If you're using a custom DNS, then use Amazon Route 53 Resolver for the correct name resolution. For more information, see the following documentation:
    Access an AWS service using an interface VPC endpoint
    Resolving DNS queries between VPCs and your network
  9. Repeat step 5 with the following change:
    For Service Name, select com.amazonaws.[region].ec2messages.

If you create a security group, then complete the steps in the preceding section Create or modify a security group to configure the security group.

After you create the three endpoints, your instance appears in Managed Instances.

Note: To use Session Manager, create the following VPC endpoints:

  • AWS Systems Manager: com.amazonaws.region.ssm
  • Session Manager: com.amazonaws.region.ssmmessages
  • (Optional) AWS Key Management Service (AWS KMS): com.amazonaws.region.kms
    Note: This endpoint is required only if you use AWS KMS encryption for Session Manager.
  • (Optional) Amazon CloudWatch Logs
    Note: This endpoint is required only if you use Amazon CloudWatch Logs for Session Manager or Run Command.

The EC2 VPC endpoint isn't required to connect the instance to Session Manager. The EC2 VPC endpoint is required to create VSS-activated snapshots of the instance.
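Once the security group and endpoints from the sections above exist, a practitioner usually wants to confirm that the result matches the article: one interface endpoint per required service, private DNS enabled, at least two subnets, and an attached security group that admits TCP 443 only from inside the VPC. The audit below is an added example, not AWS code; it works offline on dictionaries in the shape returned by `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`, and the VPC ID, CIDR, subnet and group IDs in the sample are constructed. The `kms` and `logs` service names follow the `com.amazonaws.[region].<service>` pattern the article uses.

```python
import ipaddress

# Service names the article lists: ssm and ec2messages always, the rest only per feature.
OPTIONAL = {"session_manager": "ssmmessages", "kms": "kms", "logs": "logs"}

def required_services(region, **features):
    names = ["ssm", "ec2messages"] + [s for f, s in OPTIONAL.items() if features.get(f)]
    return {f"com.amazonaws.{region}.{n}" for n in names}

def https_sources(sg):
    """IPv4 CIDRs from which a security group admits inbound TCP 443."""
    return [ipaddress.ip_network(r["CidrIp"]) for p in sg.get("IpPermissions", [])
            if p["IpProtocol"] in ("tcp", "-1") and p.get("FromPort", 0) <= 443 <= p.get("ToPort", 65535)
            for r in p.get("IpRanges", [])]

def audit(region, vpc_id, vpc_cidr, endpoints, security_groups, **features):
    """Findings for one VPC; an empty list means the setup matches the article."""
    vpc_net = ipaddress.ip_network(vpc_cidr)
    sgs = {g["GroupId"]: g for g in security_groups}
    present = {e["ServiceName"]: e for e in endpoints
               if e["VpcId"] == vpc_id and e["VpcEndpointType"] == "Interface"}
    findings = []
    for svc in sorted(required_services(region, **features)):
        ep = present.get(svc)
        if ep is None:
            findings.append(f"missing interface endpoint {svc}")
            continue
        if not ep.get("PrivateDnsEnabled"):
            findings.append(f"{svc}: private DNS name not enabled")
        if len(ep["SubnetIds"]) < 2:  # the article asks for two AZs; subnet count is a proxy
            findings.append(f"{svc}: only one subnet, no AZ redundancy")
        for gid in (g["GroupId"] for g in ep["Groups"]):
            srcs = https_sources(sgs.get(gid, {}))  # unknown group -> no rules -> flagged below
            for net in srcs:
                if not net.subnet_of(vpc_net):
                    findings.append(f"{svc}: {gid} allows 443 from {net}, outside the VPC")
            if not any(n.subnet_of(vpc_net) for n in srcs):
                findings.append(f"{svc}: {gid} lacks an inbound 443 rule from the VPC CIDR")
    return findings

VPC, CIDR = "vpc-0example", "10.0.0.0/16"  # constructed sample, same shape as the CLI output
def sample_endpoint(service, subnets, gid):
    return {"VpcId": VPC, "VpcEndpointType": "Interface", "PrivateDnsEnabled": True, "SubnetIds": subnets,
            "ServiceName": f"com.amazonaws.us-east-1.{service}", "Groups": [{"GroupId": gid}]}
def sample_sg(gid, cidr):  # one inbound rule: TCP 443 from cidr
    return {"GroupId": gid, "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
                                               "ToPort": 443, "IpRanges": [{"CidrIp": cidr}]}]}
SAMPLE_ENDPOINTS = [sample_endpoint("ssm", ["subnet-a", "subnet-b"], "sg-ok"),
                    sample_endpoint("ec2messages", ["subnet-a"], "sg-open")]
SAMPLE_SGS = [sample_sg("sg-ok", CIDR), sample_sg("sg-open", "0.0.0.0/0")]
```

Running `audit("us-east-1", VPC, CIDR, SAMPLE_ENDPOINTS, SAMPLE_SGS, session_manager=True)` on the sample reports the missing ssmmessages endpoint, the single-subnet ec2messages endpoint, and the group that admits 443 from 0.0.0.0/0 instead of the VPC CIDR.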

For more information, see Creating VPC endpoints for Systems Manager.

Related information

AWS Systems Manager endpoints and quotas

Setting up AWS Systems Manager

Use AWS PrivateLink to set up a VPC endpoint for Session Manager

AWS OFFICIAL
Updated 4 months ago
8 Comments

Very helpful article, Daniel, thank you. I followed it and now my configuration works.

AWS
replied a year ago

Thanks for sharing, and it's helpful. Just a note for others that each interface endpoint is chargeable, so choose the subnets wisely.

replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 7 months ago

Very helpful; thanks. 1 question:

  • under step 9 above, it says "Repeat step 5", but step 5 has to do only with high availability. It should say "repeat the whole set of steps with ec2messages and ssmmessages for Service Name", right? The aim is to end up with 3 service endpoints?

Thanks, Skip

Skip
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 4 months ago

The same question as Skip for step 9. Maybe AWS should use some AI to re-write all the documents in the future to make everything clearer.

dia
replied 2 days ago

Another question is about the security group in the article. Is the security group in the step "Create or modify a security group" the one that will be used for the three endpoints, right? Then what about the EC2's security rule? Any requirements? I want my EC2 inside a private subnet that does not connect to the Internet.

dia
replied 2 days ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a day ago