Open in app

Sign in

Write

Sign in

Implementing AWS SSM VPC Endpoints: A Step-by-Step Guide

Carlos Bertin Cano
3 min readSep 8, 2023

--

In the world of cloud computing, it’s really important to make sure that the way different parts of your cloud system talk to each other is both safe and smooth.

AWS Systems Manager (SSM) gives you a bunch of useful tools to control and automate tasks in your AWS setup. To make things safer and make sure everything connects well, AWS gives you these special connections called VPC Endpoints.

In this article, we’re going to look into why using these SSM VPC endpoints is helpful, especially when your VPC doesn’t have internet access.

Benefits of SSM VPC Endpoints

Enhanced Security and Isolation

One of the primary benefits of using SSM VPC endpoints is enhanced security. By creating VPC endpoints for SSM services, you can establish private communication channels between your VPC and the SSM service endpoints, eliminating the need for public internet access. This isolation ensures that sensitive data and commands remain within your private network, reducing exposure to potential security threats.

Improved Network Performance

SSM VPC endpoints offer better network performance compared to accessing services over the public internet. Communication between your VPC and SSM services takes place within the AWS network, resulting in lower latency and improved response times.

Simplified Access Control

Implementing SSM VPC endpoints allows you to control access to SSM services more effectively. By leveraging VPC security groups and network access control lists (ACLs), you can define fine-grained access policies for resources accessing SSM services. This granularity ensures that only authorized instances can interact with the services.

VPCs Without Internet Access

In scenarios where VPCs are intentionally isolated from the public internet, SSM VPC endpoints become indispensable.

These endpoints offer a safe and organized method to reach instances, even in situations where network access is limited.

However, remember that just having the SSM endpoint won’t be enough. To connect to instances using SSM, we need the SSM, SSMMessages, and EC2Messages endpoints.

The communication with these endpoints happens using port 443.

In VPCs that have internet access, adding SSM endpoints might not be necessary. But in VPCs without internet access (no NAT Gateway or Internet Gateway), these VPC endpoints are a must.

Understanding SSM, SSMMessages, and EC2Messages

SSM Service (com.amazonaws.<region>.ssm)

AWS Systems Manager allows you to manage instances at scale, automate operational tasks, and maintain consistent configurations. The SSM service endpoint enables secure communication between instances and SSM, facilitating features like Run Command, State Manager, and Patch Manager.

SSMMessages Service (com.amazonaws.<region>.ssmmessages)

The SSMMessages service plays a vital role in enabling instance communication with the SSM service. It handles the transport of messages between instances and the SSM service endpoint, ensuring that commands, status updates, and responses are securely delivered.

EC2Messages Service (com.amazonaws.<region>.ec2messages)

The EC2Messages service allows instances to communicate with the AWS messaging service. It facilitates interactions related to instance lifecycle events, such as system reboot or termination. Enabling the EC2Messages service endpoint ensures that your instances can reliably communicate their status and events to AWS.

Implement SSM Endpoints using CloudFormation

Here is a CloudFormation template that implements VPC endpoints for SSM, SSMMessages, and EC2Messages services in the us-east-1 region.
The template includes a parameter for the VPC CIDR range and another parameter for the VPC ID. Additionally, it creates a security group that allows inbound access on port 443 from the specified VPC CIDR range.

AWSTemplateFormatVersion: "2010-09-09"
Description: "Create VPC Endpoints for SSM services"

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: "Select the VPC ID for the VPC endpoint."
  
  SubnetsId:
    Type: List<AWS::EC2::Subnet::Id>
    Description: "Select the VPC ID for the VPC endpoint."

  VpcCidr:
    Description: Enter the CIDR block for the VPC (e.g., 10.0.0.0/16)
    Type: String
    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    ConstraintDescription: CIDR block must be in the format of x.x.x.x/x, where x is a number (e.g., 10.0.0.0/16)



Resources:
  SsmSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: "Security group for SSM VPC endpoints"
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - CidrIp: !Ref VpcCidr
          FromPort: 443
          ToPort: 443
          IpProtocol: tcp

  SSMEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: 
        - !Ref SsmSecurityGroup
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssm"
      SubnetIds: !Ref SubnetsId
      VpcEndpointType: 'Interface'
      VpcId: !Ref VpcId

  SSMMessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: 
        - !Ref SsmSecurityGroup
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ssmmessages"
      SubnetIds: !Ref SubnetsId
      VpcEndpointType: 'Interface'
      VpcId: !Ref VpcId

  EC2MessagesEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      PrivateDnsEnabled: true
      SecurityGroupIds: 
        - !Ref SsmSecurityGroup
      ServiceName: !Sub "com.amazonaws.${AWS::Region}.ec2messages"
      SubnetIds: !Ref SubnetsId
      VpcEndpointType: 'Interface'
      VpcId: !Ref VpcId
AWS
Aws Vpc Endpoints
Cloud Computing
Networking

--

--

Carlos Bertin Cano

Written by Carlos Bertin Cano

63 Followers

🚀 Solutions Architect @ AWS | Crafting digital dreams in the realm of cloud computing | Turning complexity into elegance ☁️🏗️🌌

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams