Quickly Connect to an EC2 Instance deployed in a VPC using the AWS Systems Manager Session Manager

This article provides a solution for users who need to connect to an Amazon EC2 instance that has been deployed in an Amazon Virtual Private Cloud (VPC) using the AWS Systems Manager Session Manager (SMSM).

The Problem: Why isn’t Session Manager connecting to my EC2 instance?

The background to this problem is that I deployed an Amazon EC2 instance in an Amazon Virtual Private Cloud (VPC) and was trying to connect to it using the AWS Systems Manager Session Manager, and this just wasn't working.

The information available indicated that a role with the AmazonSSMManagedInstanceCore policy should be enough to connect to the EC2 instance; however, as with everything in software development, it wasn't that simple.

The Solution: We need an Internet Gateway.

Below I've attempted to capture the solution in picture form, with a brief explanation for each step.

Keep in mind that we have an EC2 instance running in a VPC that has one subnet.

Example AWS EC2 Configuration

An example AWS EC2 configuration.

AWS EC2 Security Group Configuration

An example of the security group configuration for the AWS EC2 instance.

AWS EC2 Security Group: Launch Wizard Inbound Rules Configuration

Example of the Launch Wizard Inbound Rules Configuration.

AWS EC2 Security Group: Launch Wizard Outbound Rules Configuration

AWS EC2 security group launch wizard outbound rules configuration screenshot.

AWS Identity and Access Management (IAM) Configuration

An example AWS Identity and Access Management (IAM) configuration.

AWS VPC Configuration

An example AWS VPC configuration.

AWS VPC Configuration: CIDRs

An example AWS IPv4 VPC CIDRs configuration.

AWS VPC Internet Gateway: Routes Configuration

The Routes configuration for an example AWS VPC Internet Gateway.

AWS VPC Internet Gateways Configuration

An example AWS VPC Internet Gateways configuration.

AWS VPC Internet Gateway: Details Configuration

An AWS VPC Internet Gateway: Details example configuration.

AWS VPC Subnet Configuration

An example AWS VPC Subnet configuration.

AWS VPC Subnet Configuration: Details

Example details for an AWS VPC Subnet configuration.

AWS VPC Subnet Route table Configuration

An example AWS VPC Subnet Route table configuration.

AWS VPC Subnet: Network ACL Configuration

An example Network ACL configuration for an AWS VPC Subnet.
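The screenshots above walk through the pieces that have to line up before the SSM Agent on the instance can reach the Systems Manager service: the instance role, the security group egress rules, the subnet's route table, the Internet Gateway and the network ACL. The following is an added example (not code from the original article) that encodes those prerequisites as an offline checker. Its inputs are dicts shaped like trimmed boto3 describe_* responses; every resource name (vpc-0example, igw-0example, the ec2-ssm-role profile, the 123456789012 account ID) is a constructed placeholder, and the checker assumes the instance profile and its role share a name. It goes slightly beyond the article's setup in that it also recognises a NAT gateway route or a set of interface VPC endpoints (ssm, ssmmessages, ec2messages) as a valid path to the service, so the same check works for private subnets.

```python
"""Offline checker for the Session Manager prerequisites shown above.

All data here is constructed for the example and shaped like trimmed
boto3 describe_* responses; nothing is fetched from AWS.
"""

SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")  # APIs the agent calls
REQUIRED_POLICY = "AmazonSSMManagedInstanceCore"


def has_ssm_role(instance, role_policies):
    """True if the instance profile's role carries AmazonSSMManagedInstanceCore.
    Assumption for this example: profile name == role name."""
    arn = instance.get("IamInstanceProfile", {}).get("Arn", "")
    role = arn.rsplit("/", 1)[-1]
    return REQUIRED_POLICY in role_policies.get(role, ())


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", ()):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table):
    """Target of the active 0.0.0.0/0 route (igw-..., nat-...) or None."""
    for route in route_table.get("Routes", ()):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and route.get("State", "active") == "active"):
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None


def allows_https_egress(security_groups):
    """Outbound TCP/443 to anywhere; security groups are stateful, so no
    inbound rule is needed for Session Manager at all."""
    for group in security_groups:
        for perm in group.get("IpPermissionsEgress", ()):
            proto = perm.get("IpProtocol")
            port_ok = proto == "-1" or (
                proto == "tcp"
                and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535))
            if port_ok and any(r.get("CidrIp") == "0.0.0.0/0"
                               for r in perm.get("IpRanges", ())):
                return True
    return False


def has_ssm_interface_endpoints(vpc_id, region, endpoints):
    """Interface endpoints for all three services replace the internet path."""
    wanted = {f"com.amazonaws.{region}.{s}" for s in SSM_SERVICES}
    present = {e["ServiceName"] for e in endpoints
               if e["VpcId"] == vpc_id
               and e.get("VpcEndpointType") == "Interface"
               and e.get("State") == "available"}
    return wanted <= present


def check_session_manager(instance, role_policies, route_tables,
                          security_groups, endpoints, region="us-east-1"):
    """Return (path, problems): how the agent reaches SSM, plus any
    misconfigurations found. An empty problem list means it should connect."""
    problems, path = [], None
    if not has_ssm_role(instance, role_policies):
        problems.append("instance role lacks " + REQUIRED_POLICY)
    if not allows_https_egress(security_groups):
        problems.append("security group blocks outbound TCP/443")
    vpc_id, subnet_id = instance["VpcId"], instance["SubnetId"]
    if has_ssm_interface_endpoints(vpc_id, region, endpoints):
        path = "interface endpoints"
    else:
        rt = route_table_for_subnet(subnet_id, vpc_id, route_tables)
        target = default_route_target(rt) if rt else None
        if target is None:
            problems.append("subnet route table has no 0.0.0.0/0 route")
        elif target.startswith("igw-"):
            path = "internet gateway"
            if not instance.get("PublicIpAddress"):  # IGW only forwards for public IPs
                problems.append("route goes to an internet gateway but the "
                                "instance has no public IP")
        elif target.startswith("nat-"):
            path = "NAT gateway"
        else:
            problems.append(f"0.0.0.0/0 routes to {target}, which is not an "
                            "internet or NAT gateway")
    return path, problems


# Constructed sample mirroring the article: one VPC, one subnet, an IGW.
ROLE_POLICIES = {"ec2-ssm-role": [REQUIRED_POLICY]}
INSTANCE = {"InstanceId": "i-0example", "VpcId": "vpc-0example",
            "SubnetId": "subnet-0example", "PublicIpAddress": "203.0.113.10",
            "IamInstanceProfile": {
                "Arn": "arn:aws:iam::123456789012:instance-profile/ec2-ssm-role"}}
ROUTE_TABLES = [{"RouteTableId": "rtb-0example", "VpcId": "vpc-0example",
                 "Associations": [{"Main": True}],
                 "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                            {"DestinationCidrBlock": "0.0.0.0/0",
                             "GatewayId": "igw-0example", "State": "active"}]}]
SECURITY_GROUPS = [{"GroupId": "sg-0example", "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
ENDPOINTS = []  # the article's setup has no VPC endpoints

if __name__ == "__main__":
    print(check_session_manager(INSTANCE, ROLE_POLICIES, ROUTE_TABLES,
                                SECURITY_GROUPS, ENDPOINTS))
```

Run as-is it reports ("internet gateway", []) for the article's layout; drop the 0.0.0.0/0 route and it reports the missing route, and removing the public IP while keeping the IGW route is flagged too, since an Internet Gateway only forwards traffic for addresses it can translate. Network ACLs are not modelled here; because they are stateless, a restrictive NACL would additionally need outbound TCP/443 and inbound ephemeral ports (1024-65535) allowed.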

Conclusion

If you try this solution and find that it's incomplete or that something isn't clear, please add your thoughts in the comments section. I've tried to be comprehensive with this example; however, it's possible that I've missed something.

The next section includes a quiz — feel free to place answers in the comments section.

Quiz

  1. Why do we need an Amazon VPC Internet Gateway for this to work? Do we even need the Internet Gateway? Do not assume that the solution provided above is the minimum configuration required to address the problem.
  2. Assuming the EC2 instance will be deployed in the VPC, is there a better way to connect to the instance via Session Manager than the one described in this article?
  3. If we assigned a public IP address to the EC2 instance, would that solve the problem without the need for an Internet Gateway? Note that even if this works, it's an undesirable solution for various reasons, top of the list being that you shouldn't have to do this if you're using the SMSM.
