1
votes

I am trying to setup AWS Systems manager to use Session manager. In Systems manager setup guide, one of the steps to allow HTTPS traffic to SSM endpoints. Documentation tells 2 ways of doing this, one using VPC end points and other by allowing traffic to ssm endpoints as mentioned here. I don't want to create VPC endpoints, so I am trying to use other option.

Setup guide mentions following:

enter image description here

Security groups don't allow URLs, so how can i allow HTTPS outbound traffic to some URLs as mentioned in screenshot.

1
Your instance is in a private subnet? You just allow port 443 and as destination you can specify Security Group ID associated with your endpoints. - Marcin
No, my instance is not in private subnet. ALso, my endpoint is URL as shown in screenshot above. - Bagira
Then you don't need these VPC endpoints. They are only used for instance in private subnets without internet connection. - Marcin
Security group does not have URL for SSM endpoints. Assuming you are trying to restrict 'outbound' traffic, you should be able to use IP ranges if that helps. docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html - Ketanbhut
@Ketanbhut Thanks It helped. I filtered the IP for the region in which I am working and able to create security group rules. - Bagira

1 Answers

0
votes

You can't create security group rules for URLs. You need to figure out a reliable way of figuring out the IP address (or range) for your URL and then create security group rules for them.

For AWS services, you can get the IP addresses using the following URL:

https://docs.aws.amazon.com/general/latest/gr/aws-ip-ranges.html

You can also filter the IP address using the APIs. I am sharing one such example for filtering with power shell:

Get-AWSPublicIpAddressRange -ServiceKey AMAZON -Region ap-south-1 | where {$_.IpAddressFormat -eq "Ipv4"} | select IpPrefix

This lists the IPv4 addresses for amazon service name "AMAZON" for ap-south-1 region.

For supported list of services, please refer the ULR above.