SSM Endpoints per VPC
AWS Security Architect (Experienced AWS, GCP and Azure Security Architect), category: AWS EC2 Patching
https://awssecurityarchitect.com/aws-ec2-patching/ssm-endpoints-per-vpc/
Fri, 24 Oct 2025 15:31:52 +0000

The post SSM Endpoints per VPC appeared first on AWS Security Architect.

AWS SSM VPC Endpoints Explained


AWS SSM VPC Endpoints — Detailed Overview

1. Required Interface Endpoints (Per VPC)

To run SSM/Session Manager in a private VPC (no Internet or NAT), you must create the following
interface endpoints in each VPC (and in the subnets/AZs where your instances reside):

  • com.amazonaws.<region>.ssm
  • com.amazonaws.<region>.ssmmessages
  • com.amazonaws.<region>.ec2messages

These cover SSM control-plane APIs, the WebSocket data channel (Session Manager), and the EC2 message channel
used by the SSM agent.

Tip: Each endpoint creates an ENI per subnet/AZ and is billed per-hour plus data processing
(see AWS PrivateLink pricing).

2. Recommended/Optional Endpoints

  • S3 Gateway Endpoint: Required for Patch Manager, Distributor, and document/binary downloads. The SSM Agent uses S3 to fetch artifacts.
  • Ensure the S3 VPC endpoint/bucket policy allows AWS-managed SSM buckets in your region.
  • Optional: CloudWatch Logs, CloudWatch, and KMS interface endpoints if you use private log streaming or decryption.

3. Security Groups for Endpoints

Attach a security group to each interface endpoint that allows inbound TCP 443 from your instance subnets or security groups.

Direction | Protocol | Source/Destination      | Purpose
----------|----------|-------------------------|-------------------------------------------
Inbound   | TCP 443  | Instance SG or VPC CIDR | Allow instances to connect to the endpoint
Outbound  | TCP 443  | Anywhere                | Allow response traffic
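A quick way to verify the rule above on an existing endpoint security group is to run the output of `aws ec2 describe-security-groups` through a small audit. The following is an added example and not code from the original post; it assumes the caller knows the instance security group IDs and the VPC CIDR, and the three security groups embedded in it are constructed samples (one correct, one open to 0.0.0.0/0, one that only allows a range outside the VPC, which is the classic "instance shows offline" misconfiguration).

```python
"""Audit the security group attached to an SSM interface endpoint.

Input follows the IpPermissions shape returned by EC2 DescribeSecurityGroups
(what `aws ec2 describe-security-groups` prints), so real output can be fed
in unchanged. The samples below are constructed for illustration.
"""
import ipaddress

# Constructed: correctly scoped endpoint SG, 443 only from the instance SG.
GOOD_SG = {
    "GroupId": "sg-0endpointgood",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-0instances"}]},
    ],
}

# Constructed: 443 open to the world (anything routed into the VPC can hit it).
OPEN_SG = {
    "GroupId": "sg-0endpointopen",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}

# Constructed: 443 allowed only from a CIDR outside the VPC; instances cannot connect.
WRONG_SG = {
    "GroupId": "sg-0endpointwrong",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "192.168.0.0/16"}], "UserIdGroupPairs": []},
    ],
}


def covers_443(perm):
    """True if this rule's protocol/port range includes TCP 443."""
    if perm["IpProtocol"] == "-1":          # "all traffic" rule
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm.get("FromPort", 0) <= 443 <= perm.get("ToPort", 65535)


def audit_endpoint_sg(sg, instance_sg_ids, vpc_cidr):
    """Check that instances can reach the endpoint on 443 and flag over-broad sources."""
    vpc = ipaddress.ip_network(vpc_cidr)
    result = {"group": sg["GroupId"], "allows_instances": False,
              "world_open": False, "findings": []}
    for perm in sg["IpPermissions"]:
        if not covers_443(perm):
            continue
        if perm["IpProtocol"] == "-1":
            result["findings"].append("rule allows all protocols; narrow it to TCP 443")
        for pair in perm.get("UserIdGroupPairs", []):
            if pair["GroupId"] in instance_sg_ids:
                result["allows_instances"] = True
            else:
                result["findings"].append(f"443 allowed from unexpected SG {pair['GroupId']}")
        for rng in perm.get("IpRanges", []):
            cidr = ipaddress.ip_network(rng["CidrIp"])
            if cidr.prefixlen == 0:
                # Technically lets instances in, but far wider than the endpoint needs.
                result["world_open"] = True
                result["allows_instances"] = True
                result["findings"].append("443 from 0.0.0.0/0; restrict to instance SG or VPC CIDR")
            elif cidr.version == vpc.version and cidr.subnet_of(vpc):
                result["allows_instances"] = True
            else:
                result["findings"].append(f"443 from {cidr}, which is outside VPC {vpc}")
    if not result["allows_instances"]:
        result["findings"].append("no rule lets instances reach 443; SSM will report them offline")
    return result


if __name__ == "__main__":
    for group in (GOOD_SG, OPEN_SG, WRONG_SG):
        print(audit_endpoint_sg(group, {"sg-0instances"}, "10.20.0.0/16"))
```

Security groups are stateful, so the audit only looks at inbound rules; IPv6 ranges (`Ipv6Ranges`) are not inspected here and would need the same treatment if your VPC uses them.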

4. Private DNS Configuration

Enable Private DNS on each endpoint so SSM hostnames resolve to private endpoint IPs.
Also ensure your VPC has DNS hostnames and DNS resolution enabled.

5. Endpoint Policies

You can apply endpoint policies to restrict which SSM actions, accounts, or resources are accessible via that endpoint.
For S3 endpoints, explicitly allow AWS-managed SSM buckets when tightening the policy.

6. Costs and Consolidation Notes

Interface endpoints are billed per AZ per hour and per GB processed.
For example, deploying the three SSM endpoints across two AZs results in six billable endpoint-AZ units for that VPC (an ENI for each of the three endpoints in each of the two AZs).

Many organizations create endpoints in every workload VPC for isolation, while others centralize them.
Note that SSM endpoints are per VPC (not shareable via Transit Gateway).

7. Instance-Side Prerequisites

  • SSM Agent installed and running.
  • IAM Role attached with AmazonSSMManagedInstanceCore permissions.
  • Instance can resolve and reach the endpoints on port 443.
  • S3 access configured for patching/distribution use cases.

8. Testing & Troubleshooting

  • From instance: curl https://ssm.<region>.amazonaws.com (expect 403 or TLS success — confirms DNS & connectivity).
  • In AWS Console: Instance shows as Managed and Online under Systems Manager.
  • If it flips offline, verify endpoint SG inbound rules for port 443.
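The curl test above can be scripted so that it also checks what Private DNS is doing: the SSM hostnames must resolve to addresses inside the VPC CIDR, otherwise the agent is trying to reach the public endpoint and a private VPC will fail. The following is an added example, not code from the original post; it assumes the hostname pattern `<service>.<region>.amazonaws.com` used on the page, is meant to be run on an instance inside the VPC, and treats any HTTP status (403 included) as proof of reachability, exactly as the page describes. The classification helpers are pure so they can be checked offline; the network calls only run from `main`.

```python
"""Instance-side reachability check for the SSM endpoints.

Usage on an EC2 instance inside the VPC:  python3 ssm_probe.py <region> <vpc-cidr>

For each SSM hostname it reports whether the name resolved, whether every
resolved address is inside the VPC CIDR (Private DNS working; a public
address means the instance would try to leave the VPC), and whether an
HTTPS request on 443 got any HTTP status back (403 is the expected, healthy
answer for an unsigned request).
"""
import http.client
import ipaddress
import socket
import ssl
import sys

SSM_SERVICES = ("ssm", "ssmmessages", "ec2messages")


def hostnames(region):
    return [f"{svc}.{region}.amazonaws.com" for svc in SSM_SERVICES]


def classify_resolution(addresses, vpc_cidr):
    """Return (state, addresses_outside_vpc); state is private, public or unresolved."""
    if not addresses:
        return "unresolved", []
    vpc = ipaddress.ip_network(vpc_cidr)
    outside = [a for a in addresses if ipaddress.ip_address(a) not in vpc]
    return ("public" if outside else "private"), outside


def classify_http(status):
    """Any HTTP status (403 included) proves TLS and HTTP reached the endpoint."""
    return "reachable" if status is not None else "no-response"


def resolve(host):
    try:
        infos = socket.getaddrinfo(host, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_https(host, timeout=5):
    """Open TLS to host:443 with certificate validation and issue a bare GET."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", "/")
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):   # ssl.SSLError is an OSError
        return None
    finally:
        conn.close()


def check_endpoints(region, vpc_cidr):
    report = {}
    for host in hostnames(region):
        addrs = resolve(host)
        dns_state, outside = classify_resolution(addrs, vpc_cidr)
        status = probe_https(host) if addrs else None
        report[host] = {"addresses": addrs, "dns": dns_state, "outside_vpc": outside,
                        "http_status": status, "http": classify_http(status)}
    return report


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: ssm_probe.py <region> <vpc-cidr>")
    for host, r in check_endpoints(sys.argv[1], sys.argv[2]).items():
        print(f"{host}: dns={r['dns']} {r['addresses']} http={r['http']} ({r['http_status']})")
```

A result of `dns=public` with `http=no-response` is the signature of a VPC where the endpoints exist but Private DNS is off (or the VPC lacks DNS hostnames/resolution); `dns=private` with `http=no-response` points at the endpoint security group.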

9. Quick Build Checklist (Per VPC)

  1. Create interface endpoints:

    • com.amazonaws.<region>.ssm
    • com.amazonaws.<region>.ssmmessages
    • com.amazonaws.<region>.ec2messages

    Enable Private DNS and attach SGs allowing inbound 443 from instances.

  2. Add an S3 Gateway Endpoint and update its policy to allow required SSM buckets.
  3. Confirm instance IAM role, SSM Agent status, and network reachability.
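The checklist above, together with the endpoint policies from section 5, can be expressed as one build plan. The following is an added example and not code from the original post or from AWS. The planning functions are pure and return the keyword arguments for the boto3 EC2 calls (`modify_vpc_attribute`, `create_vpc_endpoint`), so the plan can be inspected or diffed offline; `apply_plan` is the only part that needs boto3 and credentials. The SSM interface endpoint policy restricts use to principals of your own account via the `aws:PrincipalAccount` condition key. The S3 bucket name patterns are the AWS-managed buckets the SSM Agent reads from as published in AWS's documentation of the agent's managed buckets; that list changes over time, so verify it against the current documentation for your region before deploying. Every ID passed in the `__main__` block is a constructed placeholder.

```python
"""Per-VPC SSM endpoint build plan: DNS attributes, three interface endpoints
with Private DNS and an endpoint policy, and the S3 gateway endpoint with a
policy that allows the AWS-managed SSM buckets.
"""
import json

INTERFACE_SERVICES = ("ssm", "ssmmessages", "ec2messages")

# AWS-managed buckets the SSM Agent fetches from (patterns as documented by AWS;
# verify against the current list for your region before use).
SSM_BUCKET_PATTERNS = (
    "aws-ssm-{region}",
    "aws-windows-downloads-{region}",
    "amazon-ssm-{region}",
    "amazon-ssm-packages-{region}",
    "{region}-birdwatcher-prod",
    "aws-ssm-distributor-file-{region}",
    "aws-ssm-document-attachments-{region}",
    "patch-baseline-snapshot-{region}",
)


def ssm_bucket_arns(region):
    """Bucket and object ARNs for every managed bucket pattern in this region."""
    arns = []
    for pattern in SSM_BUCKET_PATTERNS:
        name = pattern.format(region=region)
        arns += [f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*"]
    return arns


def s3_endpoint_policy(region, extra_bucket_arns=()):
    """Gateway endpoint policy: SSM-managed buckets plus any buckets of your own
    that Patch Manager or Distributor need (pass their ARNs explicitly)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowSsmManagedBuckets",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ssm_bucket_arns(region) + list(extra_bucket_arns),
        }],
    }


def ssm_endpoint_policy(account_id):
    """Interface endpoint policy: only principals of this account may use it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:PrincipalAccount": account_id}},
        }],
    }


def plan(region, vpc_id, subnet_ids, endpoint_sg_id, route_table_ids, account_id):
    """Ordered list of (ec2 API name, kwargs) implementing the checklist."""
    steps = [
        ("modify_vpc_attribute", {"VpcId": vpc_id, "EnableDnsSupport": {"Value": True}}),
        ("modify_vpc_attribute", {"VpcId": vpc_id, "EnableDnsHostnames": {"Value": True}}),
    ]
    for svc in INTERFACE_SERVICES:
        steps.append(("create_vpc_endpoint", {
            "VpcId": vpc_id,
            "VpcEndpointType": "Interface",
            "ServiceName": f"com.amazonaws.{region}.{svc}",
            "SubnetIds": list(subnet_ids),            # one ENI per subnet/AZ
            "SecurityGroupIds": [endpoint_sg_id],     # must allow inbound 443 from instances
            "PrivateDnsEnabled": True,
            "PolicyDocument": json.dumps(ssm_endpoint_policy(account_id)),
        }))
    steps.append(("create_vpc_endpoint", {
        "VpcId": vpc_id,
        "VpcEndpointType": "Gateway",
        "ServiceName": f"com.amazonaws.{region}.s3",
        "RouteTableIds": list(route_table_ids),
        "PolicyDocument": json.dumps(s3_endpoint_policy(region)),
    }))
    return steps


def eni_count(subnet_ids):
    """Billable interface-endpoint ENIs: three services times the AZs covered."""
    return len(INTERFACE_SERVICES) * len(subnet_ids)


def apply_plan(steps, region):
    """Execute the plan; requires boto3 and credentials with ec2 permissions."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    return [getattr(ec2, api)(**kwargs) for api, kwargs in steps]


if __name__ == "__main__":
    # Placeholder IDs; replace with your own. Printing the plan is a dry run.
    steps = plan("us-east-1", "vpc-0placeholder", ["subnet-0placeholder-a", "subnet-0placeholder-b"],
                 "sg-0placeholder-endpoint", ["rtb-0placeholder"], "123456789012")
    print(f"{eni_count(['a', 'b'])} endpoint ENIs across 2 AZs")
    for api, kwargs in steps:
        print(api, json.dumps(kwargs, indent=2))
```

Because interface endpoints and the gateway endpoint are per VPC, the plan is re-run per VPC with that VPC's subnets, route tables and endpoint security group.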

Need region-specific endpoint ARNs, bucket names, or S3 policy templates? Provide your AWS region(s) and I can generate them.

