AWSにおいて、インターネットとの通信を許可していないプライベートサブネットでは、AWSサービスとの通信に各種エンドポイントが必要です。今回はパブリックサブネット同様にAWSサービスと通信するため、プライベートサブネットにどのエンドポイントが必要かを接続チェックで調べてみました。
エンドポイントへの接続チェック
エンドポイントへの接続チェックは、ssm-cliで確認することができます。
ssm-cliとは SSM Agentのインストールに含まれるスタンドアロンのコマンドラインツールです。
SSM Agent 3.1.501.0 以降をマシンにインストールすると、そのマシンで ssm-cli コマンドを実行できます。これらのコマンドの出力は、マシンが Amazon EC2 インスタンスまたは AWS Systems Manager で管理される (したがって Systems Manager のマネージドノードのリストに追加される) EC2 以外のマシンの最小要件を満たすかどうかを判断するのに役立ちます。 AWS公式ドキュメント
■比較してみる
●パブリックサブネットにあるEC2インスタンスの場合
インターネットとの通信可能なサブネットにEC2インスタンスを起動し、ssm-cliコマンドを実行してみました。
[ec2-user@ip-10-0-1-208 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0397d9b39b2dd7551 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Success",
"Note": "ssm.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Success",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Success",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Success",
"Note": "s3.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Success",
"Note": "kms.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Success",
"Note": "logs.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Success",
"Note": "monitoring.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "AWS Credentials",
"Status": "Success",
"Note": "Credentials are for arn:aws:sts::538815528650:assumed-role/saitotest-iamrole/i-0397d9b39b2dd7551 and will expire at 2024-09-23 08:59:40.92974649 +0000 UTC"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.859.0 which is the latest version"
}
]
}
●プライベートサブネットにあるEC2インスタンスの場合
インターネットとの通信ができないサブネットにEC2インスタンスを起動し、ssm-cliコマンドを実行してみました。
[ec2-user@ip-10-0-2-238 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Failed",
"Note": "ssm.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.186.234:443: i/o timeout"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Failed",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.12.185:443: i/o timeout"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Failed",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.12.222:443: i/o timeout"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Failed",
"Note": "s3.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.219.133.30:443: i/o timeout"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Failed",
"Note": "kms.ap-southeast-1.amazonaws.com is not reachable: dial tcp 54.240.226.28:443: i/o timeout"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Failed",
"Note": "logs.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.111:443: i/o timeout"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Failed",
"Note": "monitoring.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.186.220:443: i/o timeout"
},
{
"Check": "AWS Credentials",
"Status": "Failed",
"Note": "STS call timed out"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0"
}
]
}
両方の結果を比較してみると、プライベートサブネットにあるEc2インスタンスでは、つぎのエンドポイント接続チェックで"Failed"となっていました。
- ssm endpoint
- ec2messages endpoint
- ssmmessages endpoint
- s3 endpoint
- kms endpoint
- logs endpoint
- monitoring endpoint
- sts endpoint
■各エンドポイントを作成
Failedとなっているエンドポイントを作成し、サブネットとセキュリティグループに関連付け、ssm-cliコマンドで結果を見ていきます。
●ssm endpoint
com.amazonaws.<リージョン名>.ssmを追加してみると、
[ec2-user@ip-10-0-2-238 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Success",
"Note": "ssm.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Failed",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.12.186:443: i/o timeout"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Failed",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.9.18:443: i/o timeout"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Failed",
"Note": "s3.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.219.184.36:443: i/o timeout"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Failed",
"Note": "kms.ap-southeast-1.amazonaws.com is not reachable: dial tcp 54.240.226.89:443: i/o timeout"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Failed",
"Note": "logs.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.116:443: i/o timeout"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Failed",
"Note": "monitoring.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.90:443: i/o timeout"
},
{
"Check": "AWS Credentials",
"Status": "Failed",
"Note": "STS call timed out"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0"
}
]
}
●ec2messages endpoint
com.amazonaws.<リージョン名>.ssmを追加してみると、
[ec2-user@ip-10-0-2-238 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Failed",
"Note": "ssm.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.187.83:443: i/o timeout"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Success",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Failed",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.186.59:443: i/o timeout"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Failed",
"Note": "s3.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.219.129.124:443: i/o timeout"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Failed",
"Note": "kms.ap-southeast-1.amazonaws.com is not reachable: dial tcp 54.240.226.89:443: i/o timeout"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Failed",
"Note": "logs.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.113:443: i/o timeout"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Failed",
"Note": "monitoring.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.91:443: i/o timeout"
},
{
"Check": "AWS Credentials",
"Status": "Failed",
"Note": "STS call timed out"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0"
}
]
}
●ssmmessages endpoint
com.amazonaws.<リージョン名>.ec2messagesを追加してみると、
[ec2-user@ip-10-0-2-238 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Failed",
"Note": "ssm.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.13.13:443: i/o timeout"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Failed",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.9.76:443: i/o timeout"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Success",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Failed",
"Note": "s3.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.219.164.54:443: i/o timeout"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Failed",
"Note": "kms.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.187.128:443: i/o timeout"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Failed",
"Note": "logs.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.113:443: i/o timeout"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Failed",
"Note": "monitoring.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.186.220:443: i/o timeout"
},
{
"Check": "AWS Credentials",
"Status": "Failed",
"Note": "STS call timed out"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0"
}
]
}
●s3 endpoint
com.amazonaws.<リージョン名>.s3を追加してみると、
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Failed",
"Note": "ssm.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.187.17:443: i/o timeout"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Failed",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.8.248:443: i/o timeout"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Failed",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.9.18:443: i/o timeout"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Success",
"Note": "s3.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Failed",
"Note": "kms.ap-southeast-1.amazonaws.com is not reachable: dial tcp 54.240.226.89:443: i/o timeout"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Failed",
"Note": "logs.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.115:443: i/o timeout"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Failed",
"Note": "monitoring.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.90:443: i/o timeout"
},
{
"Check": "AWS Credentials",
"Status": "Failed",
"Note": "STS call timed out"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0, latest agent version in ap-southeast-1 is 3.3.859.0"
}
]
}●
●kms endpoint
com.amazonaws.<リージョン名>.kmsを追加してみると、
[ec2-user@ip-10-0-2-238 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Failed",
"Note": "ssm.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.13.13:443: i/o timeout"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Failed",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 54.240.227.126:443: i/o timeout"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Failed",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.186.59:443: i/o timeout"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Failed",
"Note": "s3.ap-southeast-1.amazonaws.com is not reachable: dial tcp 3.5.150.178:443: i/o timeout"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Success",
"Note": "kms.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Failed",
"Note": "logs.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.119:443: i/o timeout"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Failed",
"Note": "monitoring.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.89:443: i/o timeout"
},
{
"Check": "AWS Credentials",
"Status": "Failed",
"Note": "STS call timed out"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0"
}
]
}
●logs endpoint
com.amazonaws.<リージョン名>.logsを追加してみると、
[ec2-user@ip-10-0-2-238 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Failed",
"Note": "ssm.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.187.17:443: i/o timeout"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Failed",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 54.240.227.126:443: i/o timeout"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Failed",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.184.81:443: i/o timeout"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Failed",
"Note": "s3.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.219.133.42:443: i/o timeout"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Failed",
"Note": "kms.ap-southeast-1.amazonaws.com is not reachable: dial tcp 54.240.226.89:443: i/o timeout"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Success",
"Note": "logs.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Failed",
"Note": "monitoring.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.8.52:443: i/o timeout"
},
{
"Check": "AWS Credentials",
"Status": "Failed",
"Note": "STS call timed out"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0"
}
]
}
●monitoring endpoint
com.amazonaws.<リージョン名>.monitoringを追加してみると、
[ec2-user@ip-10-0-2-238 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Failed",
"Note": "ssm.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.13.13:443: i/o timeout"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Failed",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.8.182:443: i/o timeout"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Failed",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.186.59:443: i/o timeout"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Failed",
"Note": "s3.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.219.128.230:443: i/o timeout"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Failed",
"Note": "kms.ap-southeast-1.amazonaws.com is not reachable: dial tcp 54.240.226.89:443: i/o timeout"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Failed",
"Note": "logs.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.112:443: i/o timeout"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Success",
"Note": "monitoring.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "AWS Credentials",
"Status": "Failed",
"Note": "STS call timed out"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0"
}
]
}
●sts endpoint
com.amazonaws.<リージョン名>.stsを追加してみると、
[ec2-user@ip-10-0-2-238 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Failed",
"Note": "ssm.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.11.44:443: i/o timeout"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Failed",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 15.221.12.185:443: i/o timeout"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Failed",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.185.94:443: i/o timeout"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Failed",
"Note": "s3.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.219.164.50:443: i/o timeout"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Failed",
"Note": "kms.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.187.128:443: i/o timeout"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Failed",
"Note": "logs.ap-southeast-1.amazonaws.com is not reachable: dial tcp 13.212.3.115:443: i/o timeout"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Failed",
"Note": "monitoring.ap-southeast-1.amazonaws.com is not reachable: dial tcp 52.119.186.154:443: i/o timeout"
},
{
"Check": "AWS Credentials",
"Status": "Success",
"Note": "Credentials are for arn:aws:sts::538815528650:assumed-role/saitotest-iamrole/i-0a3c8e190a0152091 and will expire at 2024-09-23 09:48:11.60203432 +0000 UTC"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0"
}
]
}
■8つのエンドポイント作成
さいごに、8つのエンドポイントをすべて追加し、コマンドを実行してみました。
[ec2-user@ip-10-0-2-238 ~]$ sudo ssm-cli get-diagnostics
{
"DiagnosticsOutput": [
{
"Check": "EC2 IMDS",
"Status": "Success",
"Note": "IMDS is accessible and has instance id i-0a3c8e190a0152091 in region ap-southeast-1"
},
{
"Check": "Hybrid instance registration",
"Status": "Skipped",
"Note": "Instance does not have hybrid registration"
},
{
"Check": "Connectivity to ssm endpoint",
"Status": "Success",
"Note": "ssm.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to ec2messages endpoint",
"Status": "Success",
"Note": "ec2messages.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to ssmmessages endpoint",
"Status": "Success",
"Note": "ssmmessages.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to s3 endpoint",
"Status": "Success",
"Note": "s3.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to kms endpoint",
"Status": "Success",
"Note": "kms.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to logs endpoint",
"Status": "Success",
"Note": "logs.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "Connectivity to monitoring endpoint",
"Status": "Success",
"Note": "monitoring.ap-southeast-1.amazonaws.com is reachable"
},
{
"Check": "AWS Credentials",
"Status": "Success",
"Note": "Credentials are for arn:aws:sts::538815528650:assumed-role/saitotest-iamrole/i-0a3c8e190a0152091 and will expire at 2024-09-23 09:55:40.531797644 +0000 UTC"
},
{
"Check": "Agent service",
"Status": "Success",
"Note": "Agent service is running and is running as expected user"
},
{
"Check": "Proxy configuration",
"Status": "Skipped",
"Note": "No proxy configuration detected"
},
{
"Check": "SSM Agent version",
"Status": "Success",
"Note": "SSM Agent version is 3.3.380.0, latest agent version in ap-southeast-1 is 3.3.859.0"
}
]
}
すべてSuccessとなり、パブリックサブネットと同様の状態になりました。
まとめ
ssm-cliコマンドを利用して、エンドポイントとの接続チェックをしてみました。構築時のテストや、トラブルシューティングにもってこいのコマンドだと感じます。
ネットワーク内から各AWSサービスへの操作でうまくいかない場合、権限確認同様、接続チェックも確認してみてください。
参考サイト:AWS公式ドキュメント