Quickly Connect to an EC2 Instance deployed in a VPC using the AWS Systems Manager Session Manager

This article provides a solution for users who need to connect to an Amazon EC2 instance that has been deployed in a Virtual Private Cloud using the AWS Systems Manager Session Manager (SMSM).

The Problem: Why isn’t Session Manager connecting to my EC2 instance?

The background to this problem is that I deployed an Amazon EC2 instance in an Amazon Virtual Private Cloud (VPC) and was trying to connect to it using the AWS Systems Manager Session Manager, and it just wasn’t working.

The available information indicated that a role with the AmazonSSMManagedInstanceCore policy should be enough to connect to the EC2 instance; however, as with everything in software development or anything around this subject, it wasn’t that simple.

The Solution: We need an Internet Gateway.

Below I’ve attempted to capture the solution in picture form with a brief explanation for each step.

Keep in mind that we have an EC2 instance running in a VPC that has one subnet.

Example AWS EC2 Configuration

An example AWS EC2 configuration, with pointers to the public IP address, the IAM role, the VPC ID, and the subnet ID.

AWS EC2 Security Group Configuration

An example of the security group configuration for the AWS EC2 instance, with pointers to the security groups and inbound rules.

AWS EC2 Security Group: Launch Wizard Inbound Rules Configuration

The inbound rules configuration for the AWS EC2 security group; in this case we allow SSH on port 22 from my IP address only.

AWS EC2 Security Group: Launch Wizard Outbound Rules Configuration

An example of the security group’s launch wizard outbound rules configuration, which allows all outgoing traffic to all destinations.

AWS Identity and Access Management (IAM) Configuration

An example AWS Identity and Access Management (IAM) configuration, with a pointer to the permissions policy.

AWS VPC Configuration

An example AWS VPC configuration with the name ssm-vpc, a redacted VPC ID, the available state, and the IPv4 CIDR 10.0.0.0/28.

AWS VPC Configuration: CIDRs

An example AWS VPC IPv4 CIDRs configuration, set to 10.0.0.0/28.

AWS VPC Internet Gateway: Routes Configuration

An example route table Routes configuration for the AWS VPC Internet Gateway, with a pointer to the Internet Gateway route: destination 0.0.0.0/0 with target igw-0.

AWS VPC Internet Gateways Configuration

An example AWS VPC Internet Gateways configuration with the name ec2-ssm-igw, Internet gateway ID igw-0, the attached state, VPC ID vpc-0, and the owner set to ssm-vpc.

AWS VPC Internet Gateway: Details Configuration

An example Details configuration for the AWS VPC Internet Gateway (IG), with the IG ID igw-0, the attached state, VPC ID vpc-0, and owner ssm-vpc.

AWS VPC Subnet Configuration

An example AWS VPC Subnet configuration with the name ssm-subnet-us-east, subnet ID subnet-0, the available state, VPC vpc-0, and the IPv4 CIDR 10.0.0.0/28.

AWS VPC Subnet Configuration: Details

Example details for the AWS VPC Subnet configuration, showing its full set of settings.

AWS VPC Subnet Route table Configuration

An example route table configuration for the AWS VPC Subnet, with a 0.0.0.0/0 destination and an igw-redacted target.

AWS VPC Subnet: Network ACL Configuration

An example Network ACL configuration for the AWS VPC Subnet, with pointers to the inbound and outbound rules, which are left at their default values.
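To make the walkthrough above checkable, here is an added Python example (not from the original article) that applies the same checklist to data shaped like the AWS CLI describe-* output: an instance profile whose role carries AmazonSSMManagedInstanceCore, security group egress that allows at least HTTPS (the SSM agent calls the Systems Manager endpoints over TCP/443, so the allow-all outbound rule in the screenshot satisfies it), the subnet's route table sending 0.0.0.0/0 to an igw- target, and a public IP on the instance. The SAMPLE data, the role name ec2-ssm-role and all IDs are constructed placeholders.

```python
# Constructed sample shaped like the relevant fields of the AWS CLI describe-*
# and list-attached-role-policies output; all IDs are placeholders, not from the article.
SAMPLE = {
    "instance": {
        "InstanceId": "i-0EXAMPLE", "PublicIpAddress": "203.0.113.10",
        "SubnetId": "subnet-0", "SecurityGroups": [{"GroupId": "sg-0"}],
        "IamInstanceProfile": {"Arn": "arn:aws:iam::123456789012:instance-profile/ec2-ssm-role"},
    },
    "role_policies": ["arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"],
    "security_groups": {"sg-0": {"IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}},
    "route_table": {
        "Associations": [{"SubnetId": "subnet-0"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/28", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0"}],
    },
}

def egress_allows_https(group):
    """True if an egress rule lets TCP/443 reach 0.0.0.0/0; the SSM agent needs
    outbound HTTPS to the Systems Manager endpoints (allow-all satisfies this)."""
    for rule in group.get("IpPermissionsEgress", []):
        proto = rule.get("IpProtocol")
        tcp443 = proto == "tcp" and rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 0)
        if (proto == "-1" or tcp443) and any(
                r.get("CidrIp") == "0.0.0.0/0" for r in rule.get("IpRanges", [])):
            return True
    return False

def has_igw_default_route(route_table):
    """True if the route table sends 0.0.0.0/0 to an Internet Gateway (igw-*)."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for r in route_table.get("Routes", []))

def check_ssm_prereqs(data):
    """Evaluate the article's checklist; returns {check_name: passed}."""
    inst, rt, sgs = data["instance"], data["route_table"], data["security_groups"]
    return {
        "instance_profile_attached": bool(inst.get("IamInstanceProfile")),
        "ssm_core_policy_on_role": any(p.endswith("/AmazonSSMManagedInstanceCore") for p in data["role_policies"]),
        "egress_https_allowed": any(egress_allows_https(sgs[g["GroupId"]]) for g in inst["SecurityGroups"]),
        "subnet_uses_route_table": any(a.get("SubnetId") == inst["SubnetId"] for a in rt.get("Associations", [])),
        "default_route_to_igw": has_igw_default_route(rt),
        "public_ip_assigned": bool(inst.get("PublicIpAddress")),
    }

def failing_checks(data):
    """Names of checks that fail, in checklist order (empty list means all good)."""
    return [name for name, ok in check_ssm_prereqs(data).items() if not ok]
```

Run `failing_checks(SAMPLE)` against your own describe-* output (reshaped into the same keys) to see which of the article's prerequisites is missing; the sample passes every check, and dropping the 0.0.0.0/0 route reproduces the "not connecting" symptom as a single failing entry.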

Conclusion

If you try this solution and find that it’s incomplete or that something isn’t clear, please add your thoughts in the comments section. I’ve tried to be comprehensive with this example; however, it’s possible that I’ve missed something.

The next section includes a quiz — feel free to place answers in the comments section.

Quiz

  1. Why do we need an Amazon VPC Internet Gateway for this to work? Do we even need the Internet Gateway? Do not assume the solution provided above includes the minimum configuration required to address the problem.
  2. Assume the EC2 instance will be deployed in the VPC — is there a better way to connect to the instance via Session Manager than that which is described in this article?
  3. If we assigned a public IP address to the EC2 instance, would that solve the problem without the need to use an Internet Gateway? Note that even if this works, it’s an undesirable solution for various reasons, top of the list being that you shouldn’t have to do this if you’re using the SMSM.
