Hello MartyByrde,
Good day!
Thank you for posting here. The option stating: “Configure a security group that allows inbound traffic for VPC’s CIDR range on port 443. Attach the security group to the VPC interface endpoint.” is correct as written.
When an EC2 instance resides in a private subnet with no internet gateway, the communication between the EC2 instance and AWS Systems Manager Session Manager must occur over the AWS network. To facilitate this, a VPC interface endpoint (also known as an AWS PrivateLink) is required for the Systems Manager. The VPC interface endpoint ensures that traffic to the Systems Manager service remains within the AWS network, bypassing the need for public internet access.
A security group must be attached to the VPC interface endpoint to control inbound traffic to the endpoint. The security group must allow inbound traffic from the VPC’s CIDR range on port 443 (HTTPS) to ensure secure communication between the EC2 instance and the Systems Manager service.
Thus, the correct step is configuring the security group for the VPC interface endpoint and not the EC2 instance. The interface endpoint acts as the gateway for the EC2 instance to communicate with the Systems Manager, and the security group rules ensure that the necessary traffic is allowed.
I hope this helps.
Regards,
Neil @ Tutorials Dojo
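As an added example (not part of the original thread or of Tutorials Dojo's material), here is a Terraform configuration that implements the correct option from the reply above: a security group that admits only HTTPS from the VPC's own CIDR, attached to the Systems Manager interface endpoints rather than to the instance. The region, VPC ID and subnet IDs are placeholder variables; the three service names (ssm, ssmmessages, ec2messages) are the endpoints Session Manager needs.

```hcl
# Added example, not from the original thread: assumes an existing VPC and
# private subnets whose IDs are supplied as variables (placeholders below).
variable "region"             { default = "us-east-1" }
variable "vpc_id"             { default = "vpc-PLACEHOLDER" }
variable "private_subnet_ids" { default = ["subnet-PLACEHOLDER-a", "subnet-PLACEHOLDER-b"] }

data "aws_vpc" "this" {
  id = var.vpc_id
}

# Security group attached to the interface endpoints, not to the EC2 instance.
# Only TCP 443 from inside the VPC's CIDR is allowed in; nothing from 0.0.0.0/0.
# Security groups are stateful, so no egress rule is needed for the replies.
resource "aws_security_group" "ssm_endpoint" {
  name        = "ssm-interface-endpoint"
  description = "Allow HTTPS from the VPC CIDR to the SSM interface endpoints"
  vpc_id      = var.vpc_id

  ingress {
    description = "HTTPS from VPC CIDR"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [data.aws_vpc.this.cidr_block]
  }
}

# Session Manager uses three services: ssm, ssmmessages and ec2messages.
locals {
  ssm_services = toset(["ssm", "ssmmessages", "ec2messages"])
}

resource "aws_vpc_endpoint" "ssm" {
  for_each            = local.ssm_services
  vpc_id              = var.vpc_id
  service_name        = "com.amazonaws.${var.region}.${each.key}"
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.private_subnet_ids
  security_group_ids  = [aws_security_group.ssm_endpoint.id]
  # Private DNS makes ssm.<region>.amazonaws.com resolve to the endpoint ENIs,
  # so the SSM agent on the instance needs no configuration change.
  private_dns_enabled = true
}
```

The instance itself only needs outbound TCP 443 in its own security group and an instance profile that grants the SSM agent permissions; the inbound control lives on the endpoint's security group, as the reply explains.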