How AWS SSM agent communicates with ๐’๐ฒ๐ฌ๐ญ๐ž๐ฆ ๐Œ๐š๐ง๐š๐ ๐ž๐ซ ๐’๐ž๐ซ๐ฏ๐ข๐œ๐ž using ๐•๐๐‚ ๐ˆ๐ง๐ญ๐ž๐ซ๐Ÿ๐š๐œ๐ž ๐ž๐ง๐๐ฉ๐จ๐ข๐ง๐ญ๐ฌ.

Raju Nandi - Oct 23 - - Dev Community

If you are reading this blog then you are interested to know how the SSM agent running on the EC2 instance is communicating with the AWS System Manager Service.

Basically the SSM agent needs internet access to reach to the System Manager Service but what if your instances are in a restricted environment where they are not allowed to access the internet then how can you use AWS System Manager for managing your instances.

Curious to know how you can use all the features of AWS System Manager inspite of running your instances on a restricted environment. Watch this video
SSM on EC2 with No Internet? Here's How!

Below is how the communication happens from SSM agent running on EC2 to AWS System Manager.

Image description

1๏ธโƒฃ ๐‚๐š๐ฅ๐ฅ๐ฌ ๐ˆ๐ง๐ฌ๐ญ๐š๐ง๐œ๐ž ๐Œ๐ž๐ญ๐š๐๐š๐ญ๐š ๐’๐ž๐ซ๐ฏ๐ข๐œ๐ž: The SSM agent gets the instance metadata for example AWS region.
2๏ธโƒฃ ๐ƒ๐๐’ ๐‹๐จ๐จ๐ค๐ฎ๐ฉ ๐Ÿ๐จ๐ซ ๐€๐๐ˆ ๐„๐ง๐๐ฉ๐จ๐ข๐ง๐ญ: The SSM agent attempts to resolve the API endpoint (e.g., ssm..amazonaws.com) via the private DNS.
3๏ธโƒฃ ๐๐ซ๐ข๐ฏ๐š๐ญ๐ž ๐ƒ๐๐’ ๐‘๐ž๐ฌ๐จ๐ฅ๐ฏ๐ž๐ฌ ๐ญ๐จ ๐•๐๐‚ ๐„๐ง๐๐ฉ๐จ๐ข๐ง๐ญ: The private DNS resolves the SSM API domain to the private IP address of the VPC interface endpointโ€™s ENI.
4๏ธโƒฃ ๐“๐ซ๐š๐Ÿ๐Ÿ๐ข๐œ ๐‘๐จ๐ฎ๐ญ๐ž๐ ๐ญ๐จ ๐„๐ง๐๐ฉ๐จ๐ข๐ง๐ญ ๐„๐๐ˆ: The EC2 instance sends the API request to the private IP address of the VPC interface endpoint's ENI.
5๏ธโƒฃ ๐๐ซ๐ข๐ฏ๐š๐ญ๐ž๐‹๐ข๐ง๐ค ๐‚๐จ๐ฆ๐ฆ๐ฎ๐ง๐ข๐œ๐š๐ญ๐ข๐จ๐ง: The VPC interface endpoint forwards the request over AWS PrivateLink to the AWS SSM service.
6๏ธโƒฃ ๐’๐’๐Œ ๐’๐ž๐ซ๐ฏ๐ข๐œ๐ž ๐๐ซ๐จ๐œ๐ž๐ฌ๐ฌ๐ž๐ฌ ๐‘๐ž๐ช๐ฎ๐ž๐ฌ๐ญ: AWS Systems Manager processes the API request and Response Sent via PrivateLink to the VPC interface endpoint
7๏ธโƒฃ ๐‘๐ž๐ฌ๐ฉ๐จ๐ง๐ฌ๐ž ๐ƒ๐ž๐ฅ๐ข๐ฏ๐ž๐ซ๐ž๐ ๐ญ๐จ ๐’๐’๐Œ ๐€๐ ๐ž๐ง๐ญ: The VPC interface endpoint forwards the response to the EC2 instance, where the SSM agent receives and processes it.

For more Tech Bytes on Cloud and Devops you can view the below playlist or follow my channel NandiTechBytes.
๐Ÿ“ฝ Devops Projects & Tasks

Cheers
Keep Learning!

. . . . .
Terabox Video Player