The Systems Manager and the CloudWatch cannot access the Instance in a private subnet directly. So, one of the following methods can be used for connecting Systems Manager with the Instance in a Private Subnet.
- Using VPC Endpoints (or)
- Using NAT Gateway or NAT Instance (or)
- By configuring Proxy Server.
In this article, we are configuring SSM Agent and CloudWatch Agent to use the Proxy server for connecting with the Private Instance (Amazon Linux2).
Launch a Linux Instance in a Private Subnet and a Bastion Server in a Public Subnet for SSH. Create the Linux Instance with the following configuration:
- AMI : Amazon Linux 2 AMI
- Subnet : Private Subnet
- Attach IAM Role containing the following permissions:
- Security Group Inbounds : Add Inbound of type SSH with source as Bastion Server Security Group.
Connect to the Linux Server through Bastion Server by using the SSH command. The below SSH command can be used for connecting to the Linux server in a private subnet.
ssh -o ProxyCommand='ssh -i ~/path/key-pair.pem -W %h:%p ec2-user@bastion-server-IP' -i ~/path/key-pair.pem ec2-user@private-linux-server-IP
Configuring SSM Agent to use a Proxy for Linux Server
- Connect to the Linux Server by using the above SSH command.
- Run the following command for Linux OS :
sudo systemctl edit amazon-ssm-agent
- Executing this command opens a text editor. Add the following configuration in the editor. Enter the Proxy Server IP and port for HTTP Proxy Server. Specify 169.254.169.254 as no-proxy. It’s the instance metadata endpoint for Systems Manager. If this IP is not specified, then the calls to the Systems Manager fails.
[Service] Environment="http_proxy=http://proxy-server-IP:Port" Environment="https_proxy=http://proxy-server-IP:Port" Environment="no_proxy=169.254.169.254"
- Save the file as below:
- Restart the SSM Agent using the following commands for Linux Server.
sudo systemctl stop amazon-ssm-agent sudo systemctl daemon-reload sudo systemctl start amazon-ssm-agent OR sudo systemctl daemon-reload && sudo systemctl restart amazon-ssm-agent
- Adding the above configuration registers the Instance as a Managed Instance. This Instance can now be used as the target Instance for any Run Commands in Systems Manager.
Configuring CloudWatch Agent to use a Proxy for Linux Server
- Connect to the Instance using the SSH command.
- Open common-config.toml file using the editor.
sudo vi /opt/aws/amazon-cloudwatch-agent/etc/common-config.toml
- Add the following configuration into the file. Specify the Proxy Server IP and port for the HTTP Proxy Server. Specify 169.254.169.254 as no-proxy
[proxy] http_proxy = "http://proxy-server-IP:Port" https_proxy = "http://proxy-server-IP:Port" no_proxy = "169.254.169.254"
- Restart the Instance. By adding this configuration, CloudWatch Agent will be able to collect the metrics from the Private Linux Server.
We have successfully configured SSM Agent and CloudWatch Agent to use Proxy Server for connecting with the Private Linux Instance . In situations where VPC Endpoints and NAT Gateway or NAT Instance are not possible, use proxy server for connecting with Private Instances.