Manage instances with SSM in private subnet, multiple accounts in Organization

0

I have my organization with multiple accounts (Networking, Production1, Production2...). Each account has some EC2 instances running in a few private subnets. I have installed the SSM agent on all of them.

I found an article about SSM Fleet Manager with a private subnet, but that was just a single account. Now I want to apply it to my organization. I have tried to manage instances in a private subnet using VPC endpoints for these 3 endpoints:

  • com.amazonaws.<region>.ssm
  • com.amazonaws.<region>.ssmmessages
  • com.amazonaws.<region>.ec2messages

My org does not allow cross-account access either.

Can I somehow share the network interface with other accounts (I have tried AWS RAM, but there is no option), so that the instances in those accounts can connect to Fleet Manager in the Management account?

2 Answers
1

Hello.

It is possible to aggregate VPC endpoints into one VPC by performing VPC peering and creating a private hosted zone for the service endpoints, as described in the following document.
If you have a large number of VPCs, I think you can use something like Transit Gateway.
https://repost.aws/knowledge-center/vpc-peering-troubleshoot-dns-resolution

EXPERT
answered 2 months ago
  • My system only has one VPC, which has some private subnets, and EC2 instances in those subnets.

    I want all the EC2 instances to go to Fleet Manager in the Management account, without having to set up Systems Manager in the account that the instance belongs to.

    Document I've read: https://docs.aws.amazon.com/systems-manager/latest/userguide/setup-create-vpc.html Is it possible? So far, I have researched that I need to set it up in every account so that the Management account can access them all. But then I have to create 3 VPC endpoints for each account, and that's expensive.

  • I want all the EC2 instances to go to Fleet Manager in the Management account, without having to set up Systems Manager in the account that the instance belongs to.

    If you use hybrid activation and set the activation of the managed account to EC2, it is possible to manage it with Fleet Manager of the managed account. However, even in this case, it is necessary to be able to communicate with the Systems Manager service endpoint, so a VPC endpoint or NAT Gateway will be required. Therefore, I think that I could solve the problem by creating a private hosted zone as commented above, by performing VPC peering with the management account's VPC, and by creating the VPC endpoint in one VPC. https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-hybrid-multicloud.html

  • I am considering the following configuration. With this configuration, I think you only need to create VPC endpoints in the VPC of the management account.

  • That was cool, I will keep it for the future. But right now I only have 1 VPC, which was created in my Networking account. After that I shared private subnets with other accounts in my organization so that developers can deploy EC2 in that subnet. The EC2 instances belong to different accounts, but they are still in the same private subnets in the exact same one VPC.

    Right now my Fleet Manager can only recognize EC2 instances created by the Management account. How can I get all the others from all accounts into my only Fleet Manager in the Management account?

    I've read this one https://repost.aws/questions/QUi4lAgKKuRAi-KwLdc3ZG4A/how-to-use-systems-manager-fleet-manager-across-an-aws-organization. Does this mean that I can't do that?

0

For now, my solution is:

  1. Create the 3 VPC endpoints which are necessary for SSM in the Networking account
  2. Share a private subnet with the other accounts with AWS RAM
  3. Go to the Production accounts and create EC2 instances in the shared subnet.
  4. Now those instances can connect to Fleet Manager

And I think we cannot share Fleet Manager like I asked above; it's against the principle.

Hung
answered 2 months ago
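Steps 1 and 2 of that answer (the three SSM interface endpoints created once in the Networking account's VPC, then the private subnet shared via AWS RAM) expressed as Terraform. This is an added example, not code from the thread or from AWS; it assumes the provider is configured for the Networking account, that `aws_vpc.main` and `aws_subnet.private` already exist, and that the VPC has DNS support and DNS hostnames enabled (required for private DNS on interface endpoints). The variable names, account IDs and CIDR are placeholders.

```hcl
# Added example (not from the re:Post thread). Assumed: provider targets the
# Networking account; aws_vpc.main and aws_subnet.private are defined elsewhere.

variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16" # placeholder: CIDR of the shared VPC
}

variable "production_account_ids" {
  type    = list(string)
  default = ["111111111111", "222222222222"] # placeholder member account IDs
}

data "aws_region" "current" {}

# Security group attached to the endpoint ENIs. The SSM agent only needs
# HTTPS to the endpoints, so nothing except 443 from inside the VPC is allowed.
# Instances launched by other accounts into the shared subnet fall within
# var.vpc_cidr, so they are covered without any cross-account rules.
resource "aws_security_group" "ssm_endpoints" {
  name        = "ssm-interface-endpoints"
  description = "Allow HTTPS from the VPC to the SSM interface endpoints"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "HTTPS from instances in the VPC, including RAM-shared subnets"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.vpc_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# The three endpoints named in the question. private_dns_enabled = true makes
# the public service hostnames resolve to the endpoint ENIs for every instance
# using this VPC's resolver, whichever account launched the instance, so no
# per-account endpoints or extra hosted zones are needed.
locals {
  ssm_services = toset(["ssm", "ssmmessages", "ec2messages"])
}

resource "aws_vpc_endpoint" "ssm" {
  for_each            = local.ssm_services
  vpc_id              = aws_vpc.main.id
  service_name        = "com.amazonaws.${data.aws_region.current.name}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = [aws_subnet.private.id]
  security_group_ids  = [aws_security_group.ssm_endpoints.id]
  private_dns_enabled = true
  tags                = { Name = "ssm-${each.key}" }
}

# Step 2: share the private subnet with the Production accounts through RAM.
# allow_external_principals = false keeps the share inside the organization.
resource "aws_ram_resource_share" "private_subnet" {
  name                      = "shared-private-subnet"
  allow_external_principals = false
}

resource "aws_ram_resource_association" "private_subnet" {
  resource_arn       = aws_subnet.private.arn
  resource_share_arn = aws_ram_resource_share.private_subnet.arn
}

resource "aws_ram_principal_association" "production" {
  for_each           = toset(var.production_account_ids)
  principal          = each.value
  resource_share_arn = aws_ram_resource_share.private_subnet.arn
}
```

Two checks worth doing after `terraform apply`: from an instance in a Production account, `nslookup ssm.<region>.amazonaws.com` should return addresses inside the VPC CIDR (confirming private DNS is in effect for the shared subnet), and the instance needs an IAM instance profile in its own account that grants the SSM agent permissions (the managed policy `AmazonSSMManagedInstanceCore` is the usual choice). As the answer notes, the instance then registers with Systems Manager in the account that owns it, not with the Management account's Fleet Manager.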
