Bastionless VM: the VM sits in a private subnet with a private IP only and has access to a NAT gateway.
The NAT gateway should have a route to the Internet gateway.
- https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-vpc-endpoints/
- https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up.html
- https://docs.aws.amazon.com/systems-manager/latest/userguide/ssm-agent-status-and-restart.html
- https://stackoverflow.com/questions/66553148/aws-ssm-sessions-manager-doesnt-work-for-private-instances-with-nacl-configured/66764428
- https://repost.aws/questions/QU23KNaILoROOawjDtsvGUwA/unable-to-use-session-manager-on-ec-2-instances-in-a-private-subnet-with-ssm-vpc-endpoint
- Verify that SSM Agent is installed on the instance.
- Create an AWS Identity and Access Management (IAM) instance profile for Systems Manager. You can create a new role, or add the needed permissions to an existing role.
- Attach the IAM role to your private EC2 instance.
- Make sure that from the bastionless VM you can reach the following VPC endpoints (for example with curl).
Make sure that you have specified all the VPC endpoints for SSM:
- com.amazonaws.region.ssm: The endpoint for the Systems Manager service.
- com.amazonaws.region.ec2messages: Systems Manager uses this endpoint to make calls from SSM Agent to the Systems Manager service.
- com.amazonaws.region.ec2: If you're using Systems Manager to create VSS-enabled snapshots, you need to ensure that you have an endpoint to the EC2 service. Without the EC2 endpoint defined, a call to enumerate attached EBS volumes fails, which causes the Systems Manager command to fail.
- com.amazonaws.region.ssmmessages: This endpoint is required only if you are connecting to your instances through a secure data channel using Session Manager. For more information, see AWS Systems Manager Session Manager.
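The checks above (agent running, instance profile attached, endpoints reachable) collected into one script, as an added example that is not part of the original post. It assumes the SSM Agent runs as the systemd unit amazon-ssm-agent, that the VPC endpoints have private DNS enabled so the regional hostnames resolve to them, and that IMDSv2 is reachable on the instance.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: pre-flight checks for Session Manager
# on a bastionless instance in a private subnet. Assumes the SSM Agent runs as the
# systemd unit amazon-ssm-agent and that the VPC endpoints have private DNS enabled,
# so the regional hostnames below resolve to the endpoint network interfaces.
set -u
# Endpoint service suffixes from the post (com.amazonaws.<region>.<suffix>).
SSM_ENDPOINT_SUFFIXES="ssm ec2messages ssmmessages ec2"
# Regional hostname for one endpoint, e.g. ssmmessages.us-east-1.amazonaws.com
ssm_endpoint_host() {
  printf '%s.%s.amazonaws.com' "$2" "$1"
}
# Return 0 if a TLS connection to the host completes (any HTTP status counts);
# a DNS failure or timeout means the endpoint, route or security group is wrong.
endpoint_reachable() {
  curl -s -o /dev/null --connect-timeout 5 "https://$1/"
}
# Extract the profile name from an IMDS iam/info JSON document read on stdin.
profile_name_from_iam_info() {
  sed -n 's/.*"InstanceProfileArn" *: *"[^"]*\/\([^"]*\)".*/\1/p'
}
# Name of the attached instance profile via IMDSv2, empty if none is attached.
instance_profile_name() {
  local token
  token=$(curl -s -X PUT http://169.254.169.254/latest/api/token \
    -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
  curl -s -H "X-aws-ec2-metadata-token: $token" \
    http://169.254.169.254/latest/meta-data/iam/info | profile_name_from_iam_info
}
# Run every check for a region; return non-zero if any of them fails.
ssm_preflight() {
  local region="$1" fail=0 suffix host profile
  if systemctl is-active --quiet amazon-ssm-agent; then echo "ok   amazon-ssm-agent running"
  else echo "FAIL amazon-ssm-agent is not running"; fail=1; fi
  profile=$(instance_profile_name)
  if [ -n "$profile" ]; then echo "ok   instance profile: $profile"
  else echo "FAIL no IAM instance profile attached"; fail=1; fi
  for suffix in $SSM_ENDPOINT_SUFFIXES; do
    host=$(ssm_endpoint_host "$region" "$suffix")
    if endpoint_reachable "$host"; then echo "ok   $host"
    else echo "FAIL cannot reach $host"; fail=1; fi
  done
  return "$fail"
}
# Usage: ./ssm-preflight.sh <region>   (no argument: only define the functions)
if [ $# -gt 0 ]; then ssm_preflight "$1"; fi
```

A FAIL on an endpoint hostname points at the VPC endpoint, its security group (443 inbound from the instance) or the subnet route table; a FAIL on the profile points at the IAM step.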