
AWS Certified Security – Specialty forum: Need Clarification on VPC Interface endpoint related question (reply)

  • Neil-TutorialsDojo

    Member
    August 21, 2024 at 9:46 am

    Hello MartyByrde,

    Good day!
    Thank you for posting here.

    The option stating: “Configure a security group that allows inbound traffic for VPC’s CIDR range on port 443. Attach the security group to the VPC interface endpoint.” is correct as written.

    When an EC2 instance resides in a private subnet with no internet gateway, the communication between the EC2 instance and AWS Systems Manager Session Manager must occur over the AWS network. To facilitate this, a VPC interface endpoint (also known as AWS PrivateLink) is required for Systems Manager. The VPC interface endpoint ensures that traffic to the Systems Manager service remains within the AWS network, bypassing the need for public internet access.

    A security group must be attached to the VPC interface endpoint to control inbound traffic to the endpoint. The security group must allow inbound traffic from the VPC’s CIDR range on port 443 (HTTPS) to ensure secure communication between the EC2 instance and the Systems Manager service.

    Thus, the correct step is configuring the security group for the VPC interface endpoint and not the EC2 instance. The interface endpoint acts as the gateway for the EC2 instance to communicate with Systems Manager, and the security group rules ensure that the necessary traffic is allowed.

    I hope this helps.

    Regards,
    Neil @ Tutorials Dojo
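The setup described in the reply above, written out as a Terraform configuration. This is an added example and not code from the original post or from Tutorials Dojo. It assumes hypothetical input variables (`vpc_id`, `region`, `private_subnet_ids`) and looks up the VPC CIDR from the VPC itself so the ingress rule is not hard-coded. It goes slightly beyond the reply by creating all three interface endpoints that Session Manager uses on a private instance (`ssm`, `ssmmessages`, `ec2messages`); the security group attached to each endpoint is the one the reply describes: inbound TCP 443 from the VPC CIDR, attached to the endpoint rather than to the instance.

```hcl
# Added example (not from the original post). Assumed inputs:
variable "vpc_id"             { type = string }
variable "region"             { type = string }
variable "private_subnet_ids" { type = list(string) }

# Read the VPC so the rule uses its real CIDR instead of a hard-coded range.
data "aws_vpc" "this" {
  id = var.vpc_id
}

# Security group for the endpoint ENIs: the only inbound traffic the
# endpoints must accept is HTTPS (443) from inside the VPC.  No egress rule
# is needed; security groups are stateful, so replies to the instance flow back.
resource "aws_security_group" "ssm_endpoints" {
  name        = "ssm-interface-endpoints"
  description = "Allow HTTPS from the VPC CIDR to the Systems Manager interface endpoints"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from the VPC CIDR"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

locals {
  # Session Manager on an instance with no internet path needs all three:
  # ssm (agent registration/API), ssmmessages (session channel), ec2messages.
  ssm_services = ["ssm", "ssmmessages", "ec2messages"]
}

# One interface endpoint per service, placed in the private subnets and
# guarded by the security group above.  Private DNS lets the SSM agent keep
# using the public service hostnames, which now resolve to the endpoint ENIs.
resource "aws_vpc_endpoint" "ssm" {
  for_each = toset(local.ssm_services)

  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.ssm_endpoints.id]
  private_dns_enabled = true
}

output "ssm_endpoint_ids" {
  value = { for k, ep in aws_vpc_endpoint.ssm : k => ep.id }
}
```

Two things to check after applying this. First, the instance's own security group still needs to permit outbound TCP 443 to the VPC CIDR (the default allow-all egress rule covers it; a locked-down egress rule must include it), and the instance profile needs the `AmazonSSMManagedInstanceCore` managed policy. Second, confirm registration with `aws ssm describe-instance-information` from a machine with API access: the instance should appear with `PingStatus` of `Online` before you try `aws ssm start-session`.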