If you are reading this blog, you are probably interested in how the SSM agent running on an EC2 instance communicates with the AWS Systems Manager service.
Normally the SSM agent needs internet access to reach Systems Manager. But what if your instances are in a restricted environment where they are not allowed to access the internet? How can you still use AWS Systems Manager to manage them?
Curious to know how you can use all the features of AWS Systems Manager in spite of running your instances in a restricted environment? Watch this video:
SSM on EC2 with No Internet? Here's How!
Below is how the communication happens from the SSM agent running on EC2 to AWS Systems Manager when the instance has no internet access and reaches the service through a VPC interface endpoint.
1️⃣ Calls Instance Metadata Service: The SSM agent reads the instance metadata, for example the AWS region.
2️⃣ DNS Lookup for SSM Endpoint: The SSM agent attempts to resolve the API endpoint (e.g., ssm.<region>.amazonaws.com) via the private DNS.
3️⃣ Private DNS Resolves to VPC Endpoint: The private DNS resolves the SSM API domain to the private IP address of the VPC interface endpoint's ENI.
4️⃣ Traffic Routed to Endpoint ENI: The EC2 instance sends the API request to the private IP address of the VPC interface endpoint's ENI.
5️⃣ PrivateLink Communication: The VPC interface endpoint forwards the request over AWS PrivateLink to the AWS SSM service.
6️⃣ SSM Service Processes Request: AWS Systems Manager processes the API request, and the response is sent back via PrivateLink to the VPC interface endpoint.
7️⃣ Response Delivered to SSM Agent: The VPC interface endpoint forwards the response to the EC2 instance, where the SSM agent receives and processes it.
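The check a practitioner wants for steps 2 and 3 is whether the SSM hostnames actually resolve to addresses inside the VPC (the interface endpoint's ENI) rather than to public addresses. The script below is an added example, not code from the original post; it assumes the three hostnames the agent depends on (ssm, ssmmessages, ec2messages), a VPC CIDR you supply, and a region that would normally come from instance metadata.

```python
"""Verify that Systems Manager endpoints resolve to a VPC interface endpoint.

Added example (not from the original post). With a VPC interface endpoint and
private DNS enabled, ssm.<region>.amazonaws.com must resolve to ENI addresses
inside the VPC CIDR. A public answer means the agent would try to leave the
VPC, which in a no-internet subnet simply fails.
"""
import ipaddress
import socket

# Services the SSM agent talks to: ssm for the API, ssmmessages and
# ec2messages for the Session Manager / Run Command channels.
SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def endpoint_hostname(service: str, region: str) -> str:
    """Build the regional service hostname the agent resolves in step 2."""
    return f"{service}.{region}.amazonaws.com"


def classify_answers(addresses, vpc_cidr: str) -> str:
    """Classify resolved addresses against the VPC CIDR (step 3 check)."""
    if not addresses:
        return "unresolved"          # DNS failed: no endpoint, no internet
    net = ipaddress.ip_network(vpc_cidr)
    inside = [a for a in addresses if ipaddress.ip_address(a) in net]
    if len(inside) == len(addresses):
        return "private_endpoint"    # every answer is an endpoint ENI
    if not inside:
        return "public"              # private DNS is not enabled / no endpoint
    return "mixed"                   # unexpected: investigate the resolver


def resolve(hostname: str):
    """Resolve a hostname to its IPv4 addresses; empty list on failure."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_region(region: str, vpc_cidr: str, resolver=resolve) -> dict:
    """Return a verdict per service; resolver is injectable for offline tests."""
    return {
        svc: classify_answers(resolver(endpoint_hostname(svc, region)), vpc_cidr)
        for svc in SSM_SERVICES
    }


if __name__ == "__main__":
    # Region and CIDR are hard-coded here; on an instance, read the region
    # from instance metadata (step 1) and the CIDR from the VPC configuration.
    for svc, verdict in check_region("us-east-1", "10.0.0.0/16").items():
        print(f"{svc:12s} {verdict}")
```

Run it from inside the instance (or a host using the VPC's resolver); anything other than private_endpoint for all three services means the agent will not complete step 4.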
For more Tech Bytes on Cloud and DevOps, you can view the playlist below or follow my channel NandiTechBytes.
DevOps Projects & Tasks
Cheers
Keep Learning!