I can't seem to get an instance in a public subnet to connect via Session Manager. The subnet that the instance ends up deploying to has 0.0.0.0/0 set to an internet gateway. The security group has no inbound rules and an outbound rule of Allow 0.0.0.0/0.

The instance profile has the AmazonSSMManagedInstanceCore managed policy, the instance is on a public subnet with an internet gateway and a security group that allows all outbound requests, and it's running Amazon Linux 2, so the SSM agent should be installed. I even added a userData command to install the latest again, but that didn't change anything.
From the console, I see the following error message:
We weren't able to connect to your instance. Common reasons for this include:
Here's a sample of CDK code that replicates the problem:
```typescript
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import {
  AmazonLinuxCpuType, AmazonLinuxGeneration, BlockDeviceVolume, EbsDeviceVolumeType,
  Instance, InstanceClass, InstanceSize, InstanceType, MachineImage, SubnetType, UserData, Vpc,
} from 'aws-cdk-lib/aws-ec2';
import { ManagedPolicy, Role, ServicePrincipal } from 'aws-cdk-lib/aws-iam';

// Wrapper stack (name chosen here) so the snippet compiles; the original used `this`
// inside a stack constructor. Vpc.fromLookup needs a concrete account/region in `env`.
export class SsmInstanceStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    const region = 'us-east-2';

    // Instance role carrying the managed policy the SSM agent needs.
    const myInstanceRole = new Role(this, 'MyRole', {
      assumedBy: new ServicePrincipal('ec2.amazonaws.com'),
    });
    myInstanceRole.addManagedPolicy(
      ManagedPolicy.fromAwsManagedPolicyName('AmazonSSMManagedInstanceCore'),
    );

    // Reinstall the latest SSM agent at boot and restart it.
    const myUserData = UserData.forLinux();
    myUserData.addCommands(
      `sudo yum install -y https://s3.${region}.amazonaws.com/amazon-ssm-${region}/latest/linux_amd64/amazon-ssm-agent.rpm`,
      'sudo systemctl restart amazon-ssm-agent',
    );

    // No securityGroup is passed, so the construct creates one with no inbound
    // rules and allow-all egress (CDK's default).
    const myInstance = new Instance(this, 'MyInstance', {
      instanceType: InstanceType.of(InstanceClass.C6I, InstanceSize.LARGE),
      machineImage: MachineImage.latestAmazonLinux({
        generation: AmazonLinuxGeneration.AMAZON_LINUX_2,
        cpuType: AmazonLinuxCpuType.X86_64,
      }),
      vpc: Vpc.fromLookup(this, 'ControlTowerVPC', {
        vpcName: 'aws-controltower-VPC',
      }),
      vpcSubnets: {
        subnetType: SubnetType.PUBLIC,
      },
      blockDevices: [
        {
          deviceName: '/dev/xvda',
          volume: BlockDeviceVolume.ebs(30, {
            volumeType: EbsDeviceVolumeType.GP2,
            encrypted: true,
          }),
        },
      ],
      userData: myUserData,
      role: myInstanceRole,
      detailedMonitoring: true,
    });
  }
}
```
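As an added pre-flight check (not part of the question, and not the CDK stack's code), the following encodes the Session Manager prerequisites the agent needs from a public subnet, evaluated over `describe-*`-shaped dictionaries: a default route via an IGW or NAT gateway, a public IP on the instance (or interface VPC endpoints for ssm, ssmmessages and ec2messages), outbound TCP 443 in some security group, and AmazonSSMManagedInstanceCore on the role. The sample data is constructed to mirror the question's setup; the route/gateway ids and IP addresses are placeholders.

```python
from __future__ import annotations

# Interface VPC endpoints that let the agent reach Systems Manager inside the VPC;
# without them it needs a path to the public service endpoints over TCP 443.
SSM_ENDPOINT_SERVICES = frozenset({"ssm", "ssmmessages", "ec2messages"})
SSM_POLICY = "AmazonSSMManagedInstanceCore"


def allows_outbound_https(sg: dict) -> bool:
    """True if the security group's egress permits TCP 443 to 0.0.0.0/0."""
    for rule in sg.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        port_ok = proto == "-1" or (
            proto == "tcp" and rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535))
        open_cidr = any(r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", []))
        if port_ok and open_cidr:
            return True
    return False


def ssm_preflight(instance: dict, route_table: dict, security_groups: list[dict],
                  role_policies: list[str], endpoint_services: frozenset = frozenset()) -> list[str]:
    """Return findings that would stop the agent registering; [] means all checks pass."""
    findings: list[str] = []
    routes = route_table.get("Routes", [])
    default = next((r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"), {})
    gateway = default.get("GatewayId") or default.get("NatGatewayId") or ""
    via_igw, via_nat = gateway.startswith("igw-"), gateway.startswith("nat-")
    has_public_ip = bool(instance.get("PublicIpAddress"))
    has_endpoints = SSM_ENDPOINT_SERVICES <= endpoint_services
    if not (via_igw or via_nat or has_endpoints):
        findings.append("no default route to an IGW/NAT and no SSM VPC endpoints")
    if via_igw and not has_public_ip and not has_endpoints:
        findings.append("public subnet but no public IP: agent cannot reach ssm/ssmmessages/ec2messages")
    if not any(allows_outbound_https(sg) for sg in security_groups):
        findings.append("no security group allows outbound TCP 443")
    if SSM_POLICY not in role_policies:
        findings.append(f"instance profile lacks {SSM_POLICY}")
    return findings


# Constructed sample mirroring the question: IGW default route, allow-all egress,
# the managed policy attached, but the instance was launched without a public IP.
SAMPLE_ROUTE_TABLE = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0placeholder"}]}
SAMPLE_SG = {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
SAMPLE_INSTANCE_NO_IP = {"InstanceId": "i-0placeholder", "PrivateIpAddress": "10.0.1.10"}
SAMPLE_INSTANCE_WITH_IP = dict(SAMPLE_INSTANCE_NO_IP, PublicIpAddress="203.0.113.10")

if __name__ == "__main__":
    for inst in (SAMPLE_INSTANCE_NO_IP, SAMPLE_INSTANCE_WITH_IP):
        print(inst.get("PublicIpAddress", "no public IP"),
              ssm_preflight(inst, SAMPLE_ROUTE_TABLE, [SAMPLE_SG], [SSM_POLICY]))
```

The same checks can be fed from `aws ec2 describe-instances`, `describe-route-tables`, `describe-security-groups` and `describe-vpc-endpoints` output; a clean result still does not prove the agent is healthy, which `aws ssm describe-instance-information` reports.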