How the AWS SSM agent communicates with the Systems Manager service using VPC interface endpoints.



This content originally appeared on DEV Community and was authored by Raju Nandi

If you are reading this post, you want to know how the SSM agent running on an EC2 instance communicates with the AWS Systems Manager service.

Normally the SSM agent needs outbound internet access to reach the Systems Manager service endpoints. But what if your instances sit in a restricted environment where they are not allowed to reach the internet? How can you still use Systems Manager to manage them?

Curious how you can use all the features of Systems Manager even though your instances run in a restricted environment? Watch this video:
SSM on EC2 with No Internet? Here's How!

Below is how the communication flows from the SSM agent on EC2 to Systems Manager when a VPC interface endpoint is in place.


1⃣ Calls Instance Metadata Service: The SSM agent reads instance metadata, for example the AWS region and the instance ID, which it needs to build the regional API endpoint name.
2⃣ DNS Lookup for API Endpoint: The SSM agent attempts to resolve the regional API endpoint (e.g., ssm.<region>.amazonaws.com) through the VPC's DNS resolver. Session Manager and Run Command additionally use ssmmessages.<region>.amazonaws.com and ec2messages.<region>.amazonaws.com, so each of those needs its own interface endpoint as well.
3⃣ Private DNS Resolves to VPC Endpoint: Because private DNS is enabled on the interface endpoint, the resolver answers with the private IP address of the endpoint's ENI inside the VPC instead of the service's public IP address.
4⃣ Traffic Routed to Endpoint ENI: The EC2 instance sends the HTTPS (TCP 443) API request to the private IP address of the VPC interface endpoint's ENI; the endpoint's security group must allow inbound 443 from the instance.
5⃣ PrivateLink Communication: The VPC interface endpoint forwards the request over AWS PrivateLink to the Systems Manager service, without leaving the AWS network.
6⃣ SSM Service Processes Request: AWS Systems Manager processes the API request and sends the response back over PrivateLink to the VPC interface endpoint.
7⃣ Response Delivered to SSM Agent: The VPC interface endpoint forwards the response to the EC2 instance, where the SSM agent receives and processes it.
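The path above as a runnable shell script. This is an added example and is not part of the original post: it builds the three regional Systems Manager hostnames the agent resolves, checks from the instance that each one resolves into the VPC's own address range (the endpoint ENI) rather than to a public AWS address, and shows the AWS CLI calls that create the interface endpoints with private DNS enabled. The region, VPC CIDR and the vpc-/subnet-/sg- IDs in the usage lines are placeholders; everything that touches the network (IMDS, DNS, the AWS CLI) runs only when the script is invoked with `check` or `create`.

```shell
#!/bin/sh
# Added example (not from the original post): verify and provision the Systems Manager
# VPC interface endpoints the SSM agent talks to. Region, VPC CIDR and the VPC/subnet/
# security-group IDs are supplied by the caller; the values in the usage lines are placeholders.

# Hostnames the agent resolves in a region. ssm is the control-plane API; ssmmessages
# (Session Manager) and ec2messages (Run Command) each need their own interface endpoint.
ssm_endpoint_hostnames() {
  for svc in ssm ssmmessages ec2messages; do
    echo "$svc.$1.amazonaws.com"
  done
}

# Dotted-quad IPv4 -> 32-bit integer (octets must be plain decimal, no leading zeros).
ip_to_int() {
  set -- $(echo "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP NET/BITS : exit status 0 when IP falls inside NET/BITS.
ip_in_cidr() {
  ip_n=$(ip_to_int "$1")
  net_n=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( 4294967295 - ((1 << (32 - bits)) - 1) ))   # e.g. /16 -> 0xFFFF0000
  [ $(( ip_n & mask )) -eq $(( net_n & mask )) ]
}

# Step 1 of the post: region from IMDSv2 (session token first, then the metadata path).
imds_region() {
  token=$(curl -sS -X PUT http://169.254.169.254/latest/api/token \
          -H 'X-aws-ec2-metadata-token-ttl-seconds: 60')
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
       http://169.254.169.254/latest/meta-data/placement/region
}

# Steps 2-3: resolve each hostname from the instance and confirm the answer is a private
# address inside the VPC (the endpoint ENI), not the service's public address.
check_endpoint_resolution() {
  region=$1; vpc_cidr=$2; rc=0
  for host in $(ssm_endpoint_hostnames "$region"); do
    ip=$(getent ahostsv4 "$host" | awk '{print $1; exit}')
    if [ -z "$ip" ]; then
      echo "FAIL $host: no DNS answer (endpoint missing or VPC DNS support disabled)"; rc=1
    elif ip_in_cidr "$ip" "$vpc_cidr"; then
      echo "OK   $host -> $ip (inside $vpc_cidr, endpoint ENI)"
    else
      echo "FAIL $host -> $ip (public address: private DNS not enabled on the endpoint)"; rc=1
    fi
  done
  return $rc
}

# Create the three interface endpoints with private DNS enabled. The security group must
# allow inbound TCP 443 from the instances; the instance profile still needs SSM permissions.
create_ssm_endpoints() {
  region=$1; vpc_id=$2; subnet_id=$3; sg_id=$4
  for svc in ssm ssmmessages ec2messages; do
    aws ec2 create-vpc-endpoint --region "$region" --vpc-id "$vpc_id" \
      --vpc-endpoint-type Interface --service-name "com.amazonaws.$region.$svc" \
      --subnet-ids "$subnet_id" --security-group-ids "$sg_id" --private-dns-enabled
  done
}

# Usage (IDs and CIDR are placeholders):
#   sh ssm_endpoints.sh check 10.0.0.0/16 [REGION]    # run on the instance; region from IMDS if omitted
#   sh ssm_endpoints.sh create us-east-1 vpc-xxxx subnet-xxxx sg-xxxx
case "${1:-}" in
  check)  check_endpoint_resolution "${3:-$(imds_region)}" "$2" ;;
  create) create_ssm_endpoints "$2" "$3" "$4" "$5" ;;
esac
```

Run the `check` mode on a managed instance after creating the endpoints: an answer outside the VPC CIDR means the agent is still being sent to the public endpoint and will time out without internet access, which is exactly the failure the post is about.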

For more Tech Bytes on Cloud and DevOps, see the playlist below or follow my channel NandiTechBytes.
📽 DevOps Projects & Tasks

Cheers
Keep Learning!

