I have an instance in a private subnet and a security group that allows any inbound access. I can connect to it with Session Manager.
If I restrict inbound access to port 22 only I can no longer connect to it.
The documentation says "You can use this functionality to connect to managed nodes without opening inbound ports" and "You can close inbound ports on the node" but this doesn't seem to be true when I try it.
I'd like to restrict inbound traffic to a minimum but I can only connect if I leave it wide open. What inbound rules are needed to allow Session Manager connections?
Session Manager is a bit fiddly. Setup instructions are here.
The key connectivity requirement is that the instance needs to be able to connect to a few AWS endpoints on TCP:443. There's also a particular set of permissions it needs.
Inbound access should make no difference. It should work fine with no inbound access. The way Session Manager works is that the agent on the instance connects out to the AWS endpoints; when you want a session, it uses the connections the instance has already established. In your place I'd be looking to see if anything else changed when you modified the inbound access.
From the docs:
The managed nodes you connect to must also allow HTTPS (port 443) outbound traffic to the following endpoints:
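The point of the answer above is that Session Manager only depends on the instance's outbound HTTPS path, so the security group should be judged on its egress rules, not its inbound rules. The following is an added example, not code from the question, the answer, or AWS: it audits security groups for exactly that, using constructed sample input shaped like the `SecurityGroups` list that `aws ec2 describe-security-groups` returns (only `IpPermissions` / `IpPermissionsEgress` fields are read). The four sample groups and their IDs are made up; `minimal_egress_permissions` is a helper of mine that builds the rule payload for `aws ec2 authorize-security-group-egress --ip-permissions`.

```python
import json

# Constructed sample input (not from any real account), shaped like the output of
# `aws ec2 describe-security-groups`. Only the fields the checks below read are included.
SAMPLE_GROUPS = [
    {   # the "allow any inbound" group from the question: works, but not because of inbound
        "GroupId": "sg-0000000000000001", "GroupName": "wide-open",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
    {   # inbound restricted to SSH only; the default allow-all egress is still there
        "GroupId": "sg-0000000000000002", "GroupName": "ssh-only",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                           "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}],
        "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
    {   # the target state: no inbound rules at all, HTTPS egress only
        "GroupId": "sg-0000000000000003", "GroupName": "ssm-only",
        "IpPermissions": [],
        "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
    {   # over-tightened egress: the SSM agent can no longer reach its endpoints
        "GroupId": "sg-0000000000000004", "GroupName": "egress-80-only",
        "IpPermissions": [],
        "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    },
]


def _has_destination(rule):
    """A rule only matters if it names at least one destination (CIDR, prefix list or SG)."""
    return any(rule.get(k) for k in ("IpRanges", "Ipv6Ranges", "PrefixListIds", "UserIdGroupPairs"))


def permits_https_egress(sg):
    """True if some egress rule lets TCP/443 out: either all traffic ("-1") or a TCP range covering 443."""
    for rule in sg.get("IpPermissionsEgress", []):
        if not _has_destination(rule):
            continue
        proto = rule.get("IpProtocol")
        if proto == "-1":
            return True
        if proto == "tcp" and rule.get("FromPort", 0) <= 443 <= rule.get("ToPort", 65535):
            return True
    return False


def inbound_rule_count(sg):
    return len(sg.get("IpPermissions", []))


def audit_for_session_manager(sg):
    """Report whether the agent can reach its endpoints and whether inbound rules are present."""
    https = permits_https_egress(sg)
    inbound = inbound_rule_count(sg)
    findings = []
    if not https:
        findings.append("no TCP/443 egress: the SSM agent cannot reach the AWS endpoints")
    if inbound:
        findings.append(f"{inbound} inbound rule(s) present; none are needed for Session Manager")
    return {
        "GroupId": sg["GroupId"],
        "GroupName": sg.get("GroupName", ""),
        "session_manager_reachable": https,
        "inbound_rules": inbound,
        "findings": findings,
    }


def audit_all(groups):
    return {g["GroupId"]: audit_for_session_manager(g) for g in groups}


def minimal_egress_permissions(cidr="0.0.0.0/0"):
    """Hypothetical helper: the --ip-permissions payload for authorize-security-group-egress
    that grants only HTTPS out. Narrow `cidr` to the interface-endpoint range if you use VPC endpoints."""
    return [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": cidr, "Description": "HTTPS to SSM endpoints"}],
    }]


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_GROUPS), indent=2))
    print(json.dumps(minimal_egress_permissions("10.0.0.0/16"), indent=2))
```

Against real data, pipe `aws ec2 describe-security-groups --group-ids ... --output json` into `audit_all(data["SecurityGroups"])`. Note that a new security group already allows all outbound traffic, so "egress 443 only" means revoking that default rule first and then authorizing the payload from `minimal_egress_permissions`; the last sample group shows what happens when that step removes 443 as well.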