Problem scenario
You try to run an aws ssm command (for example aws ssm start-session or aws ssm send-command) against an EC2 instance, but it fails with a connection timeout. What should you do?
Solution
Find the VPC and subnet of the EC2 instance. In the AWS console go to VPC, then Subnets, and open the route table associated with the instance's subnet. The instance needs a route whose Destination covers the IP addresses that the SSM endpoint for its region resolves to (for us-west-1 that is ssm.us-west-1.amazonaws.com) and whose Target leads out of the VPC: a NAT gateway for a private subnet, an internet gateway for a public one. To see what the hostname currently resolves to, query DNS several times (nslookup or dig; ping also shows the resolved address even though the endpoint will not answer ICMP), because the answers rotate between several addresses. If every answer starts with the same first octet, for example 43, a route with destination 43.0.0.0/8 and the NAT gateway as target gets the instance's SSM traffic out, and the aws ssm command should stop timing out. The conventional way to send all non-local traffic out through the NAT gateway is a default route with destination 0.0.0.0/0. Be careful not to write 0.0.0.0/32: that is not a default route, it matches only the single address 0.0.0.0 and therefore routes nothing, which is why such a rule appears "not to work".
This is not a best practice: any traffic to any address in the /8, not just SSM traffic, will leave through the NAT gateway, and the addresses behind the hostname can change without notice. A tighter version of the same rule is to take the exact prefixes AWS publishes at https://ip-ranges.amazonaws.com/ip-ranges.json (service AMAZON, filtered to the instance's region) and add one route per prefix, re-checking the file when it changes. Better still for Systems Manager specifically, create VPC interface endpoints for com.amazonaws.us-west-1.ssm, com.amazonaws.us-west-1.ssmmessages and com.amazonaws.us-west-1.ec2messages with private DNS enabled; the hostname then resolves to an address inside the VPC and the traffic never needs a NAT gateway or internet route at all. Whichever option you pick, the instance's security group (and any network ACL on the subnet) must also allow outbound TCP 443 to the endpoint addresses.
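As an added example that is not from the original page, the following Python script does the checks above offline: it pulls the prefixes for a region out of a constructed sample shaped like AWS's ip-ranges.json, does a longest-prefix match of a resolved endpoint address against a route table to show why a 0.0.0.0/32 entry routes nothing while 0.0.0.0/0 and 43.0.0.0/8 do, and builds the aws ec2 create-route commands for the exact prefixes. The route table ID, NAT gateway ID, sample prefixes and the "resolved" address are all made up for the example.

```python
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes, date and token are invented for this example; the real file
# carries thousands of entries and must be fetched fresh before use.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "52.94.0.0/22", "region": "us-west-1", "service": "AMAZON"},
        {"ip_prefix": "54.240.252.0/24", "region": "us-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.94.0.0/22", "region": "us-west-1", "service": "AMAZON"},
        {"ip_prefix": "52.95.110.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "3.5.140.0/22", "region": "us-west-1", "service": "S3"},
    ],
})


def service_prefixes(ip_ranges_json, region, service="AMAZON"):
    """Return the IPv4 prefixes published for `service` in `region`,
    deduplicated and sorted numerically. Regional service endpoints such as
    ssm.<region>.amazonaws.com fall under the catch-all AMAZON service."""
    data = json.loads(ip_ranges_json)
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["region"] == region and p["service"] == service
    }
    return [str(n) for n in sorted(nets)]


def lookup_route(route_table, ip):
    """Longest-prefix match of `ip` against a route table given as
    [(destination_cidr, target), ...], the way the VPC router chooses a route.
    Returns (destination, target), or None when no route covers the address,
    which is the situation that shows up on the instance as a connection timeout."""
    addr = ipaddress.ip_address(ip)
    best = None
    for destination, target in route_table:
        net = ipaddress.ip_network(destination, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else (str(best[0]), best[1])


def route_commands(route_table_id, prefixes, nat_gateway_id):
    """Build one `aws ec2 create-route` invocation per prefix."""
    return [
        f"aws ec2 create-route --route-table-id {route_table_id} "
        f"--destination-cidr-block {prefix} --nat-gateway-id {nat_gateway_id}"
        for prefix in prefixes
    ]


NAT = "nat-0123456789abcdef0"  # hypothetical NAT gateway ID

# The mistake discussed in the text: 0.0.0.0/32 is a single host, not a default route.
BROKEN_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/32", NAT)]
# Conventional private-subnet table: a real default route to the NAT gateway.
DEFAULT_TABLE = [("10.0.0.0/16", "local"), ("0.0.0.0/0", NAT)]
# The first-octet shortcut from the text; it only helps while the endpoint stays inside 43.0.0.0/8.
OCTET_TABLE = [("10.0.0.0/16", "local"), ("43.0.0.0/8", NAT)]


if __name__ == "__main__":
    resolved = "52.94.1.10"  # constructed: pretend the SSM hostname resolved to this address
    for name, table in (("broken", BROKEN_TABLE), ("default", DEFAULT_TABLE), ("octet", OCTET_TABLE)):
        print(f"{name:8} {resolved} -> {lookup_route(table, resolved)}")
    prefixes = service_prefixes(SAMPLE_IP_RANGES, "us-west-1")
    for cmd in route_commands("rtb-0abcdef1234567890", prefixes, NAT):
        print(cmd)
```

Run it and the "broken" table returns None for the resolved address (the packet has nowhere to go), while the "default" table sends it to the NAT gateway; the "octet" table also returns None for a 52.x address, which is what happens when the endpoint moves out of the guessed /8. Replace SAMPLE_IP_RANGES with the downloaded file's contents to generate the per-prefix commands for a real region.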