Very helpful article, Daniel, thank you. I followed it and now my configuration works.
Thanks for sharing, it's helpful. Just a note for others that each interface endpoint is chargeable, so choose the subnets wisely.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
Very helpful; thanks. 1 question:
- under step 9 above, it says "Repeat step 5", but step 5 has to do only with high availability. It should say "repeat the whole set of steps with ec2messages and ssmmessages for Service Name", right? The aim is to end up with 3 service endpoints?
Thanks, Skip
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
The same question as Skip for step 9. Maybe AWS should use some AI to re-write all the documents in the future to make everything clearer.
Another question is about the security group in the article: the security group in the step "Create or modify a security group" will be used for the three endpoints, right? Then what about the EC2's security rules? Any requirements? I want my EC2 inside a private subnet that does not connect to the Internet.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
I'm still confused which ingress/egress directions apply on a VPC endpoint. At URL https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html#sysman-setting-up-vpc-create, I can read:
The security group attached to the VPC endpoint must allow incoming connections on port 443 from the private subnet of the managed instance. If incoming connections aren't allowed, then the managed instance can't connect to the SSM and EC2 endpoints.
...which suggests that the VPC endpoint is seen as the outer container that receives ingress from its private subnets, and egress out to general AWS Services, right?
Arghh, in the Session Manager tab of the "Connect to your instance" feature, it says:
Verify that your instance's security group and VPC allow HTTPS (port 443) outbound traffic to the following Systems Manager endpoints: ssm.eu-west-1.amazonaws.com, ec2messages.eu-west-1.amazonaws.com, ssmmessages.eu-west-1.amazonaws.com
What does it mean that a SG allows HTTPS outbound traffic to services? In practice, how do you code that? Destination CIDR=? That documentation is just so confusing.
Thank you for your comment. We'll review and update the Knowledge Center article as needed.
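The two directions the comments above ask about can be checked mechanically: the endpoint's security group needs inbound TCP/443 from the managed instance's private subnet, and the instance's security group needs outbound TCP/443 to the endpoint, which can be expressed as a rule whose destination is the endpoint's security group ID (or the endpoint subnet CIDR) rather than a public CIDR. The following is an added example, not part of the article or AWS's own tooling; the rule dictionaries mirror the IpPermissions shape returned by the EC2 DescribeSecurityGroups API, and the CIDR and group IDs are constructed placeholders.

```python
import ipaddress

# Constructed sample data (assumed values, not from the article), in the shape of
# the IpPermissions / IpPermissionsEgress fields of EC2 DescribeSecurityGroups.
PRIVATE_SUBNET_CIDR = "10.0.1.0/24"      # subnet holding the managed instance
ENDPOINT_SG_ID = "sg-endpoint-example"   # SG attached to the three interface endpoints

ENDPOINT_SG_INGRESS = [  # endpoint SG: inbound 443 from the VPC's private ranges
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
]
INSTANCE_SG_EGRESS = [   # instance SG: outbound 443 to the endpoint SG only
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": ENDPOINT_SG_ID}]},
]


def rule_covers_443(rule, cidr=None, group_id=None):
    """True if a single IpPermissions entry allows TCP/443 for the given peer,
    expressed either as a CIDR contained in a listed range or as a group ID."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):          # "-1" means all protocols
        return False
    if proto == "tcp" and not (
        rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535)
    ):
        return False
    if cidr is not None:
        want = ipaddress.ip_network(cidr)
        for r in rule.get("IpRanges", []):
            if want.subnet_of(ipaddress.ip_network(r["CidrIp"])):
                return True
    if group_id is not None:
        for pair in rule.get("UserIdGroupPairs", []):
            if pair.get("GroupId") == group_id:
                return True
    return False


def endpoint_sg_allows_subnet(ingress, subnet_cidr):
    """Endpoint side: inbound 443 from the managed instance's private subnet."""
    return any(rule_covers_443(r, cidr=subnet_cidr) for r in ingress)


def instance_sg_allows_endpoint(egress, endpoint_sg_id, endpoint_cidr=None):
    """Instance side: outbound 443 to the endpoint SG (or the endpoint subnet)."""
    return any(rule_covers_443(r, group_id=endpoint_sg_id, cidr=endpoint_cidr)
               for r in egress)
```

The same functions can be run over live data by feeding them the IpPermissions lists from a DescribeSecurityGroups call for each of the three endpoints' security group and the instance's security group.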