In AWS, how do I configure SSM for an instance joined to an AWS AD Domain in a Private Subnet?


I am trying to set up SSM on Windows. I have an ASG in a private subnet (absolutely 0 internet access). I cannot use NAT, only VPC endpoints. In the instance launch configuration, I have a PowerShell script that uses Set-DnsClientServerAddress so that the instance can find and join an AWS Managed MS AD service. I would also like to set up the instance so it can be fully managed with SSM.

The problem comes with the DNS client server address. When I set it to match the address of the AD service, SSM will not work. When I leave the DNS client server address at the default, SSM works but I cannot join the AD.

I tried forcing the SSM Agent to use the endpoints by creating an amazon-ssm-agent.json file and setting all three endpoints in there. This allowed the instance to show on the Managed Instance list, but its status never changed from pending and requests from within the instance still timed out.

Does anyone know the magic sauce to get these things all working at the same time?

EDIT 1:

I also tried adding a forwarder as described in this thread, however I'm either missing something or it is not working for my case: https://forums.aws.amazon.com/thread.jspa?messageID=919331&#919331


There is 1 answer

Justin Waulters On BEST ANSWER

It turns out that adding the forwarder as described in the link above worked. The part I was missing was joedaws' comment, "I would also remove the existing 169.254.169.253 entry so that only the 10.201.0.2 ip address is in the list".

Of course, my IPs are different, but once I removed the preexisting forwarder so that my x.x.x.2 IP was the only one in the list (I did this for both of the AD DNS servers), the instance was discoverable by SSM.

So, I would make a minor change to the list that saugy wrote:

  1. On a domain joined windows instance, log in with AD domain Admin user
  2. Open DNS manager
  3. Connect to one of the DNS IP addresses for the AWS AD
  4. Select forwarders
  5. Add the VPC's DNS IP (x.x.x.2 from your VPC's CIDR range)
  6. Remove the existing IP (so your VPC's IP is the only one)
  7. Click Apply
  8. Repeat from step 3 with the other DNS IP address for the AWS AD (not 1

Also, as mentioned in the other post, this only has to be done once and the settings persist in the AD DNS.
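The same forwarder change, scripted with the DnsServer RSAT module from a domain-joined instance, plus a check that the three SSM endpoint names now resolve to private addresses. This is an added example, not code from the question or the answer; it assumes the session runs as an AWS Managed AD admin, that RSAT DNS tools are installed, and that the IPs and region below (placeholders) are replaced with your own.

```powershell
# Added example: replace the forwarder list on both AWS Managed AD DNS servers
# so the VPC resolver (CIDR base + 2) is the only entry, then verify resolution.
# All addresses and the region are placeholders; substitute your own values.
$AdDnsServers = @('10.0.0.10', '10.0.1.10')   # the two Managed AD DNS addresses
$VpcResolver  = '10.0.0.2'                    # VPC CIDR base + 2
$Region       = 'us-east-1'

foreach ($dc in $AdDnsServers) {
    # Show what is there now (e.g. the default 169.254.169.253 entry).
    $current = (Get-DnsServerForwarder -ComputerName $dc).IPAddress |
               ForEach-Object { $_.IPAddressToString }
    Write-Host "[$dc] current forwarders: $($current -join ', ')"

    # Set-DnsServerForwarder overwrites the whole list (unlike Add-DnsServerForwarder,
    # which appends), so this performs steps 5 and 6 of the answer in one call.
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $VpcResolver -PassThru |
        Select-Object @{ n = 'Server'; e = { $dc } }, IPAddress
}

# Verification from the domain-joined instance: with the instance's DNS client
# pointed at the AD servers, the SSM endpoint names should resolve to the VPC
# endpoints' private (RFC 1918) addresses, not to public AWS addresses.
$names = @("ssm.$Region.amazonaws.com",
           "ec2messages.$Region.amazonaws.com",
           "ssmmessages.$Region.amazonaws.com")
$rfc1918 = '^10\.|^172\.(1[6-9]|2\d|3[01])\.|^192\.168\.'
foreach ($n in $names) {
    $ips     = (Resolve-DnsName -Name $n -Type A -ErrorAction SilentlyContinue).IPAddress
    $private = $ips | Where-Object { $_ -match $rfc1918 }
    $status  = if ($ips -and $private.Count -eq $ips.Count) { 'OK (private)' } else { 'CHECK' }
    Write-Host ("{0,-45} {1} -> {2}" -f $n, $status, ($ips -join ', '))
}
```

A public address in the verification output means either the query is not reaching the VPC resolver through the forwarder, or the interface endpoints were created without private DNS names enabled.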