Session Manager is a feature of the AWS Systems Manager service. Its main purpose is to save you the trouble of maintaining a bastion server for reaching servers in a private network that are not publicly accessible. With Session Manager, you can access EC2 instances in a private subnet directly from the AWS console or the CLI.
There are a couple of prerequisites. In short, they are:
1. A role with the AmazonEC2RoleforSSM policy attached to the EC2 instance in the private subnet.
2. An OS supported by the SSM agent.
3. The SSM agent installed and started on the instance.
In addition, if your private subnet has no NAT Gateway/Instance, you need VPC endpoints so that the EC2 instance in your private subnet can communicate with Systems Manager. In that case you also need:
4. Three VPC endpoints for a Linux EC2 instance, four VPC endpoints for a Windows EC2 instance.
5. A security group for the VPC endpoints that allows the EC2 instance to communicate with Systems Manager.
I will not walk through all the steps mentioned above, such as creating the role with the necessary privileges or creating the EC2 instance or VPC, but focus on the settings of the VPC endpoints and the other configuration.
Let's start by making sure you have the security group (S.G.) needed for the VPC endpoints. For the inbound rule, the source is your EC2 subnet and the protocol is HTTPS (TCP port 443).
Next, create the VPC endpoints. Since I am using a Linux server, only three VPC endpoints are needed:
1. ec2messages
2. ssm
3. ssmmessages
If you are using Windows, you need the ec2 endpoint too.
For more information, please visit here.
Creating VPC endpoints.
Create the three VPC endpoints with the same steps.
Choose the VPC and the subnet where the EC2 instance lies; the endpoints will be deployed into the same subnet, so the instance can communicate with Systems Manager through them.
This is where you must select the S.G. created in the previous step.
Finished view of all three VPC endpoints.
Now let's check the EC2 instance. Assume an instance is already deployed in a private subnet with no route to the internet, with a role carrying the AmazonEC2RoleforSSM policy attached to it.
That's it! If everything is set up correctly, you should see the instance in the Session Manager list.
There you go! You have now logged in to an EC2 instance in a private subnet without needing a bastion server!
I encountered quite a few errors while doing this lab. Following are a few checkpoints if you run into any problems, or you can refer here.
- Make sure a supported OS is used and the SSM agent is installed and started.
- Assign the correct S.G. to the VPC endpoints.
- Attach a role with the correct privileges to the EC2 instance.
- Make sure the VPC endpoints are deployed into the same subnet where the EC2 instance lies.
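As an added example (not part of the original post), a small offline checker that walks this checklist against the JSON shapes returned by `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups`; the endpoint and security-group records below are constructed, and the private-DNS check is one extra beyond the list above that the agent relies on.

```python
import ipaddress

# Interface endpoints the SSM agent needs per OS family (three for Linux, four for Windows).
REQUIRED = {"linux": ("ssm", "ssmmessages", "ec2messages"),
            "windows": ("ssm", "ssmmessages", "ec2messages", "ec2")}

def sg_allows_https_from(sg, cidr):
    """True if an inbound rule of the security group admits TCP/443 from the subnet CIDR."""
    src = ipaddress.ip_network(cidr)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        port_ok = proto == "-1" or (proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0))
        if port_ok and any(src.subnet_of(ipaddress.ip_network(r["CidrIp"])) for r in perm.get("IpRanges", [])):
            return True
    return False

def check_endpoints(endpoints, sgs, region, os_family, instance_subnet, subnet_cidr):
    """Walk the troubleshooting checklist; returns a list of findings, empty when everything passes."""
    findings = []
    by_service = {e["ServiceName"]: e for e in endpoints}
    sg_by_id = {g["GroupId"]: g for g in sgs}
    for svc in REQUIRED[os_family]:
        name = f"com.amazonaws.{region}.{svc}"
        ep = by_service.get(name)
        if ep is None:
            findings.append(f"missing endpoint {name}")
            continue
        if ep.get("State") != "available":
            findings.append(f"{name}: state is {ep.get('State')}")
        if instance_subnet not in ep.get("SubnetIds", []):
            findings.append(f"{name}: not deployed in instance subnet {instance_subnet}")
        if not ep.get("PrivateDnsEnabled"):  # the agent must resolve the service name to the endpoint
            findings.append(f"{name}: private DNS is disabled")
        if not any(sg_allows_https_from(sg_by_id.get(g["GroupId"], {}), subnet_cidr) for g in ep.get("Groups", [])):
            findings.append(f"{name}: no attached security group allows TCP/443 from {subnet_cidr}")
    return findings

# Constructed sample in the shape of describe-vpc-endpoints / describe-security-groups output:
# ssm and ssmmessages are correct, ec2messages landed in the wrong subnet.
def _ep(svc, subnet, sg="sg-0ssm"):
    return {"ServiceName": f"com.amazonaws.us-east-1.{svc}", "State": "available",
            "SubnetIds": [subnet], "Groups": [{"GroupId": sg}], "PrivateDnsEnabled": True}

SAMPLE_ENDPOINTS = [_ep("ssm", "subnet-priv"), _ep("ssmmessages", "subnet-priv"), _ep("ec2messages", "subnet-pub")]
SAMPLE_SGS = [{"GroupId": "sg-0ssm", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.1.0/24"}]}]}]

def run_sample():
    return check_endpoints(SAMPLE_ENDPOINTS, SAMPLE_SGS, "us-east-1", "linux", "subnet-priv", "10.0.1.0/24")

if __name__ == "__main__":
    print("\n".join(run_sample()) or "all Session Manager endpoint checks passed")
```

Feed it the real output of the two describe calls (plus the instance's subnet id and CIDR) to see which checklist item is failing.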
Lastly, if your EC2 instance is in a private subnet but can reach the internet through a NAT Gateway/Instance, all you need to do is attach a role with the appropriate privileges to the instance, and that's it. The instance will communicate with Systems Manager over the WAN, so you don't need to set up VPC endpoints or the S.G.