VPC Endpoints (SSM) cross account?

0

I have an instance in us-west-2, account B (user). Account A (service) has a shared VPC with account B. I'm trying to use SSM to access the instance in the user account (B). I wasn't able to add a VPC endpoint in (B) since the VPC is shared from (A). When I create the SSM endpoints in the service account I can't share them with AWS RAM to the user account. Am I missing something? Do I not have to share the endpoint resource with the user account?

We already have network traffic traversing the shared VPC, so connectivity isn't an issue. I got stuck when the instance's own Ping status was "Connection lost", so I'm not sure if the issue lies with the SSM VPCE or with SSM internally on the user account.

Trent
Asked 8 months ago, 423 views
1 answer
0

Hi, if you create a VPC Interface Endpoint in Account A you can use it from other accounts sharing that VPC, without having to do anything else. Just so long as your NACLs allow connectivity with the endpoint.

To get Systems Manager to recognise an EC2 instance as a Managed Node without "Connection lost", the instance needs to have access to not only the ssm service but also ssmmessages and ec2messages (either via endpoints or over the internet).

Expert
Answered 8 months ago
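A check for the answer's point about the three Systems Manager endpoints, added here as an example and not code from the thread: it reports which of the ssm, ssmmessages and ec2messages interface endpoints the shared VPC still lacks. The `list_present_ssm_endpoints` helper and the `VPC_ID` variable are assumptions for a live run from the VPC owner account (A); `missing_ssm_endpoints` itself works offline on a constructed inventory.

```shell
#!/bin/sh
# Added example (not from the re:Post thread). Given the service names of the
# interface endpoints present in the shared VPC, list the Systems Manager
# services that still lack one. Region taken from the question.
REGION="${REGION:-us-west-2}"

# Print the three endpoint services a managed node needs, one per line.
required_ssm_services() {
  printf 'com.amazonaws.%s.ssm\ncom.amazonaws.%s.ssmmessages\ncom.amazonaws.%s.ec2messages\n' \
    "$REGION" "$REGION" "$REGION"
}

# missing_ssm_endpoints PRESENT
#   PRESENT: newline-separated service names of existing interface endpoints.
#   Prints each required service that is absent; returns 1 if any are missing.
missing_ssm_endpoints() {
  present="$1"
  rc=0
  for svc in $(required_ssm_services); do
    if ! printf '%s\n' "$present" | grep -qx "$svc"; then
      echo "$svc"
      rc=1
    fi
  done
  return $rc
}

# Live inventory (assumed usage): run in account A with VPC_ID set to the
# shared VPC. Only Interface endpoints with private DNS enabled let the agent
# resolve the public service hostnames to the endpoint ENIs.
list_present_ssm_endpoints() {
  aws ec2 describe-vpc-endpoints --region "$REGION" \
    --filters "Name=vpc-id,Values=$VPC_ID" "Name=vpc-endpoint-type,Values=Interface" \
    --query 'VpcEndpoints[?PrivateDnsEnabled==`true`].ServiceName' --output text | tr '\t' '\n'
}

# Demo on a constructed inventory where only the ssm endpoint exists:
if [ "${1:-}" = "--demo" ]; then
  missing_ssm_endpoints "com.amazonaws.$REGION.ssm"
fi
```

Run `sh check.sh --demo` for the constructed case, or `missing_ssm_endpoints "$(list_present_ssm_endpoints)"` against the real VPC; a non-empty result explains a "Connection lost" node when NACLs already permit the endpoint traffic.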
