Thursday, March 17, 2022

[SOLVED] Why does accessing private EC2 instance via Session Manager need NAT Gateway?

Issue

I create two VPCs, one private subnet for each VPC and one EC2 instance (that has a role with the IAM policy "AmazonSSMManagedInstanceCore") for each private subnet. The only difference between these two environments is the presence or absence of a NAT Gateway.

I tried to connect to these two EC2 instances via Session Manager. The EC2 instance in the VPC with the NAT Gateway was accessible, but the other EC2 instance was not.

Questions

  1. I suppose Session Manager requires a NAT Gateway. Is this correct?
  2. If 1 is correct, why is a NAT Gateway needed?

Solution

The SSM agent-enabled EC2 instance needs access to various AWS service endpoints, notably HTTPS outbound (port 443) to:

  • ec2messages.region.amazonaws.com
  • ssm.region.amazonaws.com
  • ssmmessages.region.amazonaws.com

You can provide that access from EC2 instances in a private subnet via NAT, or you can configure a VPC Endpoint.

Also, be aware of the EC2 Instance Connect feature, which is another way to connect to EC2 instances, though it requires EC2 instances to be reachable from your client by public IP or private IP (e.g. via VPN connection).

Answered By - jarmod
Answer Checked By - Mary Flores (WPSolving Volunteer)
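As an added example (not part of the original answer), a Python helper that lists the hostnames the SSM agent must reach on TCP 443 for a region and audits parsed `aws ec2 describe-vpc-endpoints` output for the interface endpoints that would replace the NAT Gateway; the region and the sample response are constructed.

```python
"""Audit whether a private VPC has the interface endpoints Session Manager needs."""
import json
import socket

# The three service endpoints the answer lists. Their interface VPC endpoints
# use the service name com.amazonaws.<region>.<suffix>.
SSM_SERVICE_SUFFIXES = ("ec2messages", "ssm", "ssmmessages")


def required_hosts(region):
    """Hostnames the SSM agent must reach on HTTPS (443) in the given region."""
    return [f"{suffix}.{region}.amazonaws.com" for suffix in SSM_SERVICE_SUFFIXES]


def missing_endpoints(region, describe_output):
    """Return the suffixes that have no usable interface endpoint in the VPC.

    describe_output is the parsed JSON of `aws ec2 describe-vpc-endpoints`
    (already filtered to the VPC of interest). An endpoint only substitutes
    for NAT when it is an Interface endpoint, available, and has private DNS
    enabled so the public hostname resolves to the endpoint's private IP.
    """
    prefix = f"com.amazonaws.{region}."
    covered = set()
    for ep in describe_output.get("VpcEndpoints", []):
        usable = (ep.get("VpcEndpointType") == "Interface"
                  and ep.get("State") == "available"
                  and ep.get("PrivateDnsEnabled"))
        name = ep.get("ServiceName", "")
        if usable and name.startswith(prefix):
            covered.add(name[len(prefix):])
    return [s for s in SSM_SERVICE_SUFFIXES if s not in covered]


def reachable(host, port=443, timeout=3.0):
    """True if a TCP connection to host:port succeeds (run this on the instance)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample response: ssm and ec2messages have interface endpoints,
# ssmmessages does not, and the S3 gateway endpoint is irrelevant to SSM.
SAMPLE_DESCRIBE = json.loads("""{"VpcEndpoints": [
 {"ServiceName": "com.amazonaws.ap-northeast-1.ssm", "VpcEndpointType": "Interface",
  "State": "available", "PrivateDnsEnabled": true},
 {"ServiceName": "com.amazonaws.ap-northeast-1.ec2messages", "VpcEndpointType": "Interface",
  "State": "available", "PrivateDnsEnabled": true},
 {"ServiceName": "com.amazonaws.ap-northeast-1.s3", "VpcEndpointType": "Gateway",
  "State": "available", "PrivateDnsEnabled": false}]}""")

if __name__ == "__main__":
    print("required:", required_hosts("ap-northeast-1"))
    print("missing interface endpoints:", missing_endpoints("ap-northeast-1", SAMPLE_DESCRIBE))
```

Run `reachable()` against each host from `required_hosts()` on the instance itself: with neither NAT nor a matching endpoint, the connection attempts time out, which is the symptom the question describes.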