This article provides a solution for users who need to connect to an Amazon EC2 instance which has been deployed in a Virtual Private Cloud using the AWS Systems Manager Session Manager (SMSM).
The Problem: Why isn’t Session Manager connecting to my EC2 instance?
The background to this problem is that I deployed an Amazon EC2 instance in an Amazon Virtual Private Cloud (VPC) and was trying to connect to this using the AWS Systems Manager Session Manager and this just wasn’t working.
The information available indicated that a role with the AmazonSSMManagedInstanceCore policy attached should be enough to connect to the EC2 instance; however, as with everything in software development, it wasn't that simple. That policy only authorises the instance to call the Systems Manager APIs. The SSM Agent running on the instance still needs a network path to the Systems Manager service endpoints, and an instance in a VPC does not have one by default.
The Solution: We need an Internet Gateway.
Below I’ve attempted to capture the solution in picture form with a brief explanation for each step.
Keep in mind that we have an EC2 instance running in a VPC which has one subnet.
Example AWS EC2 Configuration
The configuration is shown as a series of console screenshots (captions only; the images are not reproduced here):
- AWS EC2 Security Group Configuration
- AWS EC2 Security Group: Launch Wizard Inbound Rules Configuration
- AWS EC2 Security Group: Launch Wizard Outbound Rules Configuration
- AWS Identity and Access Management (IAM) Configuration
- AWS VPC Configuration
- AWS VPC Configuration: CIDRs
- AWS VPC Internet Gateway: Routes Configuration
- AWS VPC Internet Gateways Configuration
- AWS VPC Internet Gateway: Details Configuration
- AWS VPC Subnet Configuration
- AWS VPC Subnet Configuration: Details
- AWS VPC Subnet: Route Table Configuration
- AWS VPC Subnet: Network ACL Configuration
If you try this solution and find that it’s incomplete or that something isn’t clear, please add your thoughts in the comments section. I’ve tried to be comprehensive with this example however it’s possible that I’ve missed something.
The next section includes a quiz — feel free to place answers in the comments section.
- Why do we need an Amazon VPC Internet Gateway for this to work? Do we even need the Internet Gateway? Do not assume the solution provided above includes the minimum configuration required to address the problem.
- Assume the EC2 instance will be deployed in the VPC — is there a better way to connect to the instance via Session Manager than that which is described in this article?
- If we exposed a public IP address to the EC2 instance, would this solve this problem without the need to use an Internet Gateway? Note that even if this works, it’s an undesirable solution for various reasons, top of the list being that you shouldn’t have to do this if you’re using the SMSM.