Firewall configuration
In order for the SSM agent and, optionally, the AutoPatcher Installer tool to work properly on the target machines, the firewall should allow outbound connections on port 443 to the HTTPS endpoints listed in the following section. If those connections cannot be made directly because of security restrictions applied on the machine, the appropriate proxy settings should be applied (see the Proxy settings section below).
List of endpoints SSM agent uses
SSM endpoints used by SSM agents
ssm.<region>.amazonaws.com
Related AWS documentation: https://docs.aws.amazon.com/general/latest/gr/rande.html#ssm_region
S3 endpoints
SSM agent uses S3 to store the logs generated while running an update and to download some of the packages and artifacts needed to perform the patching. Therefore, the following addresses should be whitelisted.
s3.amazonaws.com
s3.<region>.amazonaws.com
s3-<region>.amazonaws.com
s3.dualstack.<region>.amazonaws.com
*.s3.amazonaws.com
*.s3.<region>.amazonaws.com
*.s3-<region>.amazonaws.com
*.s3.dualstack.<region>.amazonaws.com
Related AWS documentation: https://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region
Other endpoints used by SSM agents
ssm.<region>.amazonaws.com: The endpoint for the Systems Manager service.
ec2messages.<region>.amazonaws.com: Systems Manager uses this endpoint to make calls from SSM Agent to the Systems Manager service.
ec2.<region>.amazonaws.com: If you're using VSS-enabled snapshots.
ssmmessages.<region>.amazonaws.com: If you're connecting to instances through Session Manager.
NOTE
AutoPatcher is currently deployed in the eu-central-1 region (Frankfurt). However, if a machine is registered in a region other than eu-central-1 (e.g. eu-west-1), it needs to have the corresponding endpoints for that region whitelisted as well.
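As an added example (not part of the AutoPatcher documentation), the POSIX shell script below builds the per-region endpoint list from the hostnames above and probes each one over HTTPS on port 443, so a blocked host is found before the agent is registered rather than from a failed patch run. It assumes curl is installed; curl honours whatever http_proxy, https_proxy and no_proxy variables are set, so the same check works on a machine that goes out through a proxy. The wildcard S3 entries cannot be probed and are left out. Run it once for eu-central-1 and once for the machine's own region.

```shell
#!/bin/sh
# Added example, not AutoPatcher's own tooling: list the endpoints the SSM agent
# needs for a region and probe each of them over HTTPS (port 443).
# Usage (after sourcing or pasting the functions):
#   check_region eu-central-1
#   check_region eu-west-1        # the machine's own region, if different

# ssm_endpoints REGION: print one hostname per line (wildcard S3 entries omitted,
# as they cannot be probed directly).
ssm_endpoints() {
    region="$1"
    printf '%s\n' \
        "ssm.${region}.amazonaws.com" \
        "ec2messages.${region}.amazonaws.com" \
        "ssmmessages.${region}.amazonaws.com" \
        "ec2.${region}.amazonaws.com" \
        "s3.amazonaws.com" \
        "s3.${region}.amazonaws.com" \
        "s3-${region}.amazonaws.com" \
        "s3.dualstack.${region}.amazonaws.com"
}

# probe_https HOST: succeed if a TLS connection on 443 is established and any HTTP
# response comes back. An HTTP 403 from S3 is still "reachable" (curl only fails
# on transport errors without -f), which is exactly the firewall question.
probe_https() {
    curl --silent --show-error --connect-timeout 5 --max-time 10 \
         --output /dev/null "https://$1/" 2>/dev/null
}

# check_region REGION [PROBE]: probe every endpoint, print one status line per
# host, and return 1 if any host is blocked. PROBE defaults to probe_https and is
# a parameter only so the logic can be exercised without network access.
check_region() {
    region="$1"
    probe="${2:-probe_https}"
    failed=0
    for host in $(ssm_endpoints "$region"); do
        if "$probe" "$host"; then
            echo "OK      $host"
        else
            echo "BLOCKED $host"
            failed=$((failed + 1))
        fi
    done
    echo "$failed endpoint(s) blocked for region $region"
    [ "$failed" -eq 0 ]
}
```

A non-zero exit status from check_region is deliberate so the script can gate an automated onboarding step; the per-host lines tell you which firewall or proxy rule to look at.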
AutoPatcher Installer API URL
If you're using the AutoPatcher Installer tool, the target machine's firewall should allow calls to the URL https://vv78e7dv4f.execute-api.eu-central-1.amazonaws.com/prod. This is the API used to register external machines in AutoPatcher.
Proxy settings
The instructions in the following subsections use the <proxy_address> placeholder in several places. Replace it in the provided scripts with the appropriate value for your environment before running them.
Proxy settings on Linux machines
Using ap-installer behind proxy
This section is for non-AWS machines only.
The script below shows an example of how to download and run the ap-installer on a Linux machine behind a proxy:

```shell
# Setting the appropriate environment variables
export http_proxy=<proxy_address>
export https_proxy=<proxy_address>
# Downloading the binary
wget https://auto-patcher-core-prod-integratorcliuploadbucket-x9ofi9eidydb.s3.amazonaws.com/ap-installer-linux -O ap-installer
# Making the binary executable
chmod +x ap-installer
# Running the tool to register the machine in AutoPatcher
./ap-installer INSTALLER_KEY
```
More detailed information about ap-installer is provided in this section: Setting up SSM agent -> Automatic installation.
Configuring the installed SSM Agent to use proxy
This section is for all machines, AWS or hybrid.
All the details about setting up proxy for SSM Agent on various Linux machines are provided in the official AWS documentation: Configure SSM Agent to use a proxy (Linux)
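As an added example (not from the AutoPatcher documentation or the AWS page it links to), the POSIX shell script below writes the systemd drop-in that gives a package-installed Linux SSM agent the same three variables the Windows registry snippet later on this page sets: http_proxy, https_proxy, and no_proxy for the instance metadata address 169.254.169.254. It assumes the agent runs as the systemd unit amazon-ssm-agent, so the drop-in lives in /etc/systemd/system/amazon-ssm-agent.service.d/override.conf; a snap install uses a different unit name and directory. The writer refuses the literal <proxy_address> placeholder and any URL without a scheme, which are the two mistakes most often shipped from a copied snippet.

```shell
#!/bin/sh
# Added example, not AutoPatcher's or AWS's own code: configure the Linux SSM
# agent's proxy through a systemd drop-in. Assumes the package-installed unit
# name amazon-ssm-agent; the directory is a parameter so it can be tested
# without root.
# Usage:
#   write_dropin http://proxy.example.internal:3128 && apply_dropin

DEFAULT_DROPIN_DIR=/etc/systemd/system/amazon-ssm-agent.service.d

# valid_proxy_url URL: accept only http(s)://host[:port]. This rejects the
# <proxy_address> placeholder, bare host:port values, and URLs carrying
# credentials (the drop-in is world-readable, so secrets do not belong in it).
valid_proxy_url() {
    printf '%s' "$1" | grep -Eq '^https?://[A-Za-z0-9._-]+(:[0-9]{1,5})?$'
}

# render_dropin PROXY_URL: print the drop-in content.
render_dropin() {
    proxy="$1"
    printf '[Service]\n'
    printf 'Environment="http_proxy=%s"\n' "$proxy"
    printf 'Environment="https_proxy=%s"\n' "$proxy"
    # Keep the instance metadata service direct, as the Windows snippet does.
    printf 'Environment="no_proxy=169.254.169.254"\n'
}

# write_dropin PROXY_URL [DIR]: validate, write DIR/override.conf, print its
# path. Returns 1 and writes nothing if the URL is not acceptable.
write_dropin() {
    proxy="$1"
    dir="${2:-$DEFAULT_DROPIN_DIR}"
    if ! valid_proxy_url "$proxy"; then
        echo "write_dropin: refusing proxy URL '$proxy'" >&2
        return 1
    fi
    mkdir -p "$dir"
    render_dropin "$proxy" > "$dir/override.conf"
    chmod 644 "$dir/override.conf"
    echo "$dir/override.conf"
}

# apply_dropin: make systemd pick up the new environment and restart the agent.
# Kept separate from write_dropin so the file generation can run unprivileged.
apply_dropin() {
    systemctl daemon-reload && systemctl restart amazon-ssm-agent
}
```

After apply_dropin, `systemctl show amazon-ssm-agent -p Environment` confirms the three variables reached the running unit.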
Proxy settings on Windows machines
Using ap-installer.exe behind proxy
This section is for non-AWS machines only.
The following PowerShell script shows how to download and run the ap-installer.exe executable on a Windows machine behind a proxy:

```powershell
# Downloading the executable. Note the -Proxy flag.
Invoke-WebRequest -Uri https://auto-patcher-core-prod-integratorcliuploadbucket-x9ofi9eidydb.s3.amazonaws.com/ap-installer-windows.exe -Proxy <proxy_address> -OutFile ap-installer.exe
# Setting the appropriate environment variables
$env:http_proxy = '<proxy_address>'
$env:https_proxy = '<proxy_address>'
# Running the executable, which registers the machine in AutoPatcher.
.\ap-installer.exe INSTALLER_KEY
```
More detailed information about ap-installer is provided in this section: Setting up SSM agent -> Automatic installation.
Proxy setting for the SSM agent
This section is for all machines, AWS or hybrid.
The following PowerShell snippet configures egress Internet access for the SSM agent through a proxy by setting the service's Environment registry value and restarting the agent:

```powershell
# Registry key of the SSM agent service; its Environment value holds the
# variables the service process starts with.
$serviceKey = "HKLM:\SYSTEM\CurrentControlSet\Services\AmazonSSMAgent"
$keyInfo = (Get-Item -Path $serviceKey).GetValue("Environment")
# Proxy for HTTP/HTTPS; the instance metadata address stays direct.
$proxyVariables = @("http_proxy=<proxy_address>", "https_proxy=<proxy_address>", "no_proxy=169.254.169.254")
If($keyInfo -eq $null) {
    # Value does not exist yet: create it as a multi-string.
    New-ItemProperty -Path $serviceKey -Name Environment -Value $proxyVariables -PropertyType MultiString -Force
} else {
    # Value exists: overwrite it.
    Set-ItemProperty -Path $serviceKey -Name Environment -Value $proxyVariables
}
# Restart the agent so it picks up the new environment.
Restart-Service AmazonSSMAgent
```
More information can be found in the official AWS documentation: Configure SSM Agent to use a proxy for Windows Server instances.
Proxy setting for the Windows Update Agent
To set up a proxy for the Windows Update Agent, run the following command in PowerShell:

```powershell
netsh winhttp set proxy proxy-server="http=<proxy_address>;https=<proxy_address>" bypass-list=169.254.169.254
```
If the Windows Update Agent still has issues after this, try the following command:

```powershell
bitsadmin.exe /Util /SetIEProxy LocalSystem Manual_proxy <proxy_address> ";"
```
Required non-blocked URLs to work with the UI
Some local firewall configurations may block the links below. These links are required for the AutoPatcher UI to work.
- https://widget.ybug.io
- https://www.googletagmanager.com
- https://www.datadoghq-browser-agent.com
- https://cdn.mouseflow.com
- https://cdnjs.cloudflare.com
- https://fonts.gstatic.com
- https://fonts.googleapis.com
- https://ybug.io
- https://lh3.googleusercontent.com
- https://api.rollbar.com
- https://api.autopatcher.nordcloudapp.com
- https://www.google-analytics.com
- https://rum-http-intake.logs.datadoghq.com
- https://o2.mouseflow.com
- https://ybug-uploads-prod.s3.eu-central-1.amazonaws.com
- https://login.nordcloudapp.com