Question: The customer have a private subnet without NAT and want to use ssm vpc endpoint to connected to SSM service.
Following the below link to create the Systems Manager (SSM) VPC endpoint Create a VPC endpoint Use Systems Manager to manage private EC2 instances without internet access
-
For Beijing region, here is 4 endpoint need to be created
- cn.com.amazonaws.cn-north-1.ec2
- com.amazonaws.cn-north-1.ec2messages
- com.amazonaws.cn-north-1.ssm
- com.amazonaws.cn-north-1.ssm
-
Check the Security Group of the vpc endpoint, open required traffic port 443 pass in outbound and inbound
-
Launch a instance in cn-north-1 with Full acess of SSM (IAM role) (I tested the official AMI of Amazon Linux and Windows AMI)
-
Wait 5-10 minutes for EC2 become available and check whether it could be find in the managed console of SSM
-
If Failed to found it. Please attach the volume to another instance and check the log /var/log/amazon/ssm/amazon-ssm-agent.log
-
Verify:
[ec2-user@ip-10-0-7-101 ~]$ curl www.baidu.com -m 5
curl: (28) Connection timed out after 5001 milliseconds
[ec2-user@ip-10-0-7-101 ~]$ aws ssm describe-instance-information --filters "Key=InstanceIds,Values=i-093bd00d9abb8b515" \
> --region cn-north-1 --output table
-----------------------------------------------
| DescribeInstanceInformation |
+---------------------------------------------+
|| InstanceInformationList ||
|+-------------------+-----------------------+|
|| AgentVersion | 2.3.714.0 ||
|| ComputerName | ray-demo-tools ||
|| IPAddress | 10.0.1.91 ||
|| InstanceId | i-093bd00d9abb8b515 ||
|| IsLatestVersion | False ||
|| LastPingDateTime | 1583899140.89 ||
|| PingStatus | Online ||
|| PlatformName | Amazon Linux ||
|| PlatformType | Linux ||
|| PlatformVersion | 2 ||
|| ResourceType | EC2Instance ||
|+-------------------+-----------------------+|