
AWS SSM Session Manager and NAT Gateway

I have created an EC2 instance in a private subnet (i.e. the route table has no Internet Gateway attached).

The route table attached to the private subnet routes 0.0.0.0/0 to a NAT Gateway.

The EC2 instance has the correct SSM Role and appears in the SSM Managed Instance list.

I can initiate a session onto the instance via Session Manager.

However when I remove the NAT Gateway mapping from the route table the session connection does not connect.

My understanding was that the NAT is only for outgoing traffic. So I assume the Session Manager connection is routed via the internal AWS network, not the public internet, because the instance is not reachable. However, I don't understand why the instance is trying to route traffic via the public internet. I would have expected that maybe, to register itself as a managed instance with SSM, the SSM agent on the instance would need internet access. But I do not understand why Session Manager would require the instance to have internet access?

Thanks.


Solution

  • But I do not understand why Session Manager would require the instance to have internet access?

    SSM uses public endpoints to connect to the SSM service. The endpoints are used to "connect programmatically to an AWS service". The only way to access them (without VPC interface endpoints) is using the Internet.

    Also, the SSM agent can be used with on-premises instances or VMs. Thus it also requires Internet access to communicate with the SSM service.

    The SSM agent has to be in constant contact with the SSM service. Otherwise it wouldn't be very useful. Without Internet you wouldn't be able, e.g., to execute Run Commands, keep your instances in a pre-defined state by means of State Manager, or gather various instance telemetry and inventories. Thus once you disconnect the NAT gateway, the internet connection is lost and the SSM agent can't do its job.

    If you are not comfortable with using the Internet through a NAT gateway for SSM, you can set up an SSM VPC network interface. This way your instances in private subnets will be able to communicate with the SSM service without requiring Internet access. All traffic will stay on the internal AWS network.
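As an added example (not part of the question or the answer above), the following POSIX shell script uses the AWS CLI to create the three interface endpoints the SSM agent needs (ssm, ssmmessages and ec2messages) with private DNS enabled, plus a security group that only admits HTTPS from inside the VPC, which is what lets a private-subnet instance keep its Session Manager connection after the NAT gateway route is removed. The VPC id, subnet ids, CIDR and region are constructed placeholders.

```shell
#!/bin/sh
# Added example: create the VPC interface endpoints that let the SSM agent on a
# private-subnet instance reach Systems Manager without a NAT gateway.
# Assumptions (constructed placeholders, replace before use):
VPC_ID="${VPC_ID:-vpc-0123456789abcdef0}"
VPC_CIDR="${VPC_CIDR:-10.0.0.0/16}"
SUBNET_IDS="${SUBNET_IDS:-subnet-0aaaaaaaaaaaaaaa0 subnet-0bbbbbbbbbbbbbbb0}"
REGION="${REGION:-us-east-1}"

# Session Manager needs all three services. ssmmessages is the one the session
# channel itself uses, so without it an instance can still show as "managed"
# (registration goes through the ssm endpoint) while sessions fail to connect.
ssm_endpoint_services() {
  region=$1
  for svc in ssm ssmmessages ec2messages; do
    echo "com.amazonaws.${region}.${svc}"
  done
}

# Security group for the endpoint ENIs: only HTTPS, only from inside the VPC.
create_endpoint_sg() {
  sg_id=$(aws ec2 create-security-group --region "$REGION" --vpc-id "$VPC_ID" \
    --group-name ssm-endpoints --description "HTTPS to SSM interface endpoints" \
    --query GroupId --output text)
  aws ec2 authorize-security-group-ingress --region "$REGION" --group-id "$sg_id" \
    --protocol tcp --port 443 --cidr "$VPC_CIDR" >/dev/null
  echo "$sg_id"
}

# Private DNS is enabled so the agent's default service hostnames resolve to
# the endpoint ENIs instead of the public IPs it would otherwise try via NAT.
create_ssm_endpoints() {
  sg_id=$1
  for service in $(ssm_endpoint_services "$REGION"); do
    # shellcheck disable=SC2086  # SUBNET_IDS is intentionally word-split
    aws ec2 create-vpc-endpoint --region "$REGION" --vpc-id "$VPC_ID" \
      --vpc-endpoint-type Interface --service-name "$service" \
      --subnet-ids $SUBNET_IDS --security-group-ids "$sg_id" \
      --private-dns-enabled --query VpcEndpoint.VpcEndpointId --output text
  done
}

# Only call AWS when explicitly asked; loading the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
  create_ssm_endpoints "$(create_endpoint_sg)"
fi
```

Run it as `sh create-ssm-endpoints.sh --apply` with credentials that may create endpoints and security groups; the instance's own security group must also allow outbound TCP 443 to the VPC CIDR.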