
I have a Windows server that sits in a VPC with no internet access, but it has VPC endpoints for SSM, ec2messages, ssmmessages and the EC2 API.

When I try to join this to a domain by using the ssm api,

aws ssm create-association --instance-id <id> --name <ssm document>

it times out with the following error.

1 out of 1 plugin processed, 0 success, 1 failed, 0 timedout, 0 skipped. The operation aws:domainJoin failed because Failed to create domain computer account 'Servername', Message=A WebException with status ConnectFailure was thrown.,ErrorCode=,ErrorType=Sender,StatusCode=0 Amazon.Runtime.AmazonServiceException: A WebException with status ConnectFailure was thrown. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connect--output truncated--

This server has connectivity to the AD. In fact, if I try to join the domain manually, it works too.

On the other hand, I have another server which is able to join the same domain. The only difference is that it has internet connectivity. But since the new one also has the SSM endpoint, I don't understand why this happens. The IAM roles are exactly the same too. Any help would be appreciated.

screenslaver

1 Answer


Posting the answer here in case anyone else faces this issue. The domain join also requires connectivity to the Directory Service endpoint (ds..amazonaws.com), and as of now there is no VPC endpoint for this service. This means that if a server does not have outbound internet access, it is not possible to join the domain using SSM.

screenslaver