SSM Endpoints per VPC
AWS SSM VPC Endpoints — Detailed Overview
1. Required Interface Endpoints (Per VPC)
To run SSM/Session Manager in a private VPC (no Internet or NAT), you must create the following
interface endpoints in each VPC (and in the subnets/AZs where your instances reside):
- com.amazonaws.<region>.ssm (the SSM control-plane API the agent registers and polls against)
- com.amazonaws.<region>.ssmmessages (the WebSocket data channel used by Session Manager)
- com.amazonaws.<region>.ec2messages (the EC2 message channel used by the SSM Agent for Run Command and similar)
These cover the SSM control-plane APIs, the Session Manager data channel, and the EC2 message channel used by the SSM Agent.
Tip: Each interface endpoint creates an ENI per subnet/AZ and is billed per hour plus a data-processing charge
(see AWS PrivateLink pricing).
2. Recommended/Optional Endpoints
- S3 Gateway Endpoint: Required for Patch Manager, Distributor, and document/binary downloads. The SSM Agent uses S3 to fetch artifacts.
- Ensure the S3 VPC endpoint/bucket policy allows AWS-managed SSM buckets in your region.
- Optional: CloudWatch Logs, CloudWatch, and KMS interface endpoints if you use private log streaming or decryption.
3. Security Groups for Endpoints
Attach a security group to each interface endpoint that allows inbound TCP 443 from your instance subnets or security groups.
| Direction | Protocol | Source/Destination | Purpose |
|---|---|---|---|
| Inbound | TCP 443 | Instance SG or VPC CIDR | Allow instance to connect to endpoint |
| Outbound | TCP 443 | Anywhere | Allow response traffic |
4. Private DNS Configuration
Enable Private DNS on each endpoint so SSM hostnames resolve to private endpoint IPs.
Also ensure your VPC has DNS hostnames and DNS resolution enabled.
5. Endpoint Policies
You can apply endpoint policies to restrict which SSM actions, accounts, or resources are accessible via that endpoint.
For S3 endpoints, explicitly allow AWS-managed SSM buckets when tightening the policy.
6. Costs and Consolidation Notes
Interface endpoints are billed per AZ per hour and per GB processed.
For example, deploying the three SSM endpoints across two AZs results in six billable endpoint ENIs for that VPC.
Many organizations create endpoints in every workload VPC for isolation, while others centralize them.
Note that SSM endpoints are created per VPC; a Transit Gateway attachment alone does not share them with other VPCs.
7. Instance-Side Prerequisites
- SSM Agent installed and running.
- IAM role attached with AmazonSSMManagedInstanceCore permissions.
- Instance can resolve and reach the endpoints on port 443.
- S3 access configured for patching/distribution use cases.
8. Testing & Troubleshooting
- From the instance: curl https://ssm.<region>.amazonaws.com (expect a 403 or a successful TLS handshake; either confirms DNS and connectivity).
- In the AWS Console: the instance shows as Managed and Online under Systems Manager.
- If it flips offline, verify endpoint SG inbound rules for port 443.
9. Quick Build Checklist (Per VPC)
- Create interface endpoints:
  - com.amazonaws.<region>.ssm
  - com.amazonaws.<region>.ssmmessages
  - com.amazonaws.<region>.ec2messages
- Enable Private DNS and attach SGs allowing inbound 443 from instances.
- Add an S3 Gateway Endpoint and update its policy to allow required SSM buckets.
- Confirm instance IAM role, SSM Agent status, and network reachability.
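As an added example (not code from the original post), a small Python check that applies sections 3, 4 and 8 to data shaped like the EC2 describe-vpc-endpoints and describe-security-groups responses: it reports any missing required interface endpoint, any endpoint without Private DNS, endpoint security groups that do not allow TCP 443 from the instance subnet, and a missing S3 gateway endpoint. The region, security group id, CIDRs and endpoint records are constructed sample data.

```python
from ipaddress import ip_network

# The three interface endpoints the agent needs (section 1); the S3 gateway is checked separately (section 2).
REQUIRED_INTERFACE = ("ssm", "ssmmessages", "ec2messages")

def _allows_443(sg, instance_cidr):
    """True if any inbound rule of the SG covers TCP 443 from the instance subnet CIDR."""
    want = ip_network(instance_cidr)
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        # "-1" means all protocols/ports; otherwise require TCP and a port range containing 443
        if proto != "-1" and not (proto == "tcp" and perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 0)):
            continue
        if any(want.subnet_of(ip_network(r["CidrIp"])) for r in perm.get("IpRanges", [])):
            return True
    return False

def audit_ssm_endpoints(region, endpoints, security_groups, instance_cidr):
    """Return a list of findings; an empty list means the VPC meets the checklist."""
    findings = []
    sg_by_id = {sg["GroupId"]: sg for sg in security_groups}
    by_service = {ep["ServiceName"]: ep for ep in endpoints}
    for svc in REQUIRED_INTERFACE:
        name = f"com.amazonaws.{region}.{svc}"
        ep = by_service.get(name)
        if ep is None or ep.get("State") != "available":
            findings.append(f"{name}: interface endpoint missing or not available")
            continue
        if not ep.get("PrivateDnsEnabled"):
            findings.append(f"{name}: Private DNS disabled, hostname will not resolve to the endpoint")
        sgs = [sg_by_id[g["GroupId"]] for g in ep.get("Groups", []) if g["GroupId"] in sg_by_id]
        if not any(_allows_443(sg, instance_cidr) for sg in sgs):
            findings.append(f"{name}: no attached SG allows inbound TCP 443 from {instance_cidr}")
    s3 = f"com.amazonaws.{region}.s3"
    if not any(e["ServiceName"] == s3 and e.get("VpcEndpointType") == "Gateway" for e in endpoints):
        findings.append(f"{s3}: no gateway endpoint, Patch Manager/Distributor downloads will fail")
    return findings

# Constructed sample data shaped like the API responses (region, SG id and CIDRs are made up).
SAMPLE_SGS = [{"GroupId": "sg-0endpoint", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]}]
SAMPLE_ENDPOINTS = [
    {"ServiceName": "com.amazonaws.eu-west-1.ssm", "VpcEndpointType": "Interface", "State": "available",
     "PrivateDnsEnabled": True, "Groups": [{"GroupId": "sg-0endpoint"}]},
    {"ServiceName": "com.amazonaws.eu-west-1.ssmmessages", "VpcEndpointType": "Interface",
     "State": "available", "PrivateDnsEnabled": False, "Groups": [{"GroupId": "sg-0endpoint"}]},
    {"ServiceName": "com.amazonaws.eu-west-1.s3", "VpcEndpointType": "Gateway", "State": "available"},
]

if __name__ == "__main__":
    for finding in audit_ssm_endpoints("eu-west-1", SAMPLE_ENDPOINTS, SAMPLE_SGS, "10.0.1.0/24"):
        print(finding)
```

Feed it the real JSON from `aws ec2 describe-vpc-endpoints` and `aws ec2 describe-security-groups` (the `VpcEndpoints` and `SecurityGroups` lists) to audit an actual VPC.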
Need region-specific endpoint ARNs, bucket names, or S3 policy templates? Provide your AWS region(s) and I can generate them.