Not able to Discover Amazon EC2 instances via VSA Proxy for snapshot backups

What are the Ports which would require to be opened in order to discover AWS regions in backup sub client .

When i enable All traffic ( 0.0.0.0/0 ) both inbound and outbound then my discovery works just fine .

As soon as INTERNET(HTTPS-443) is enabled on my access node/media agent Browse is working but i cant enable HTTPS - 443 INTERNET on my access nodes/media agents due to security concerns and they are in PRIVATE SUBNETS.

Any suggestions how does access node discover AWS Regions/EC2 instances without internet access on MA/AN ?

@Mohit Chordia , can you open a support case for this?  I see a case we have with this same exact issue that is live NOW and they provided a special update (UpdateBundle_Build1108136_Form2486) though we should have support look and determine if this is right for you first.

Share the case number with me so I can track it as well.

@Mike Struening Thank you for response . This is a POC Lab Environment with temp license , i don't think i will be able to raise support case for this .

I need to understand if Iam missing anything here . 

Do we really need internet access on Private Subnet VSA proxy for Browse & Discovery to work ?

Do we need to create any type of VPC Endpoint for Access node present in Private Subnet to perform Browse and Discovery ?

Regards, Mohit

Some Logs from VSA Proxy  :

vsbkp--

660  8c0   02/23 13:46:15 3117 AmazonCompute::GetAccountId() - Exception - Amazon.Runtime.AmazonServiceException: A WebException with status ConnectFailure was thrown. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

This doc says that --

https://documentation.commvault.com/11.23/expert/30944_getting_started_with_virtual_server_agent_for_amazon.html

The access node must have access to the regional and global STS endpoints. For more information about AWS service endpoints, see AWS service endpoints on the AWS documentation site.

• Global STS endpoints: The service endpoint is https://sts.amazonaws.com.

• Regional STS endpoints: For example, https://sts.us-east-1.amazonaws.com, to back up instances on us-east-1.

If my access node is in Private Subnet and doesn't have internet configured how can it access these endpoints without internet connectivity . 

Also , what are the CIDR range for these endpoints if i have to allow them in security group ?

@Mohit Chordia , following up on some open threads.

Were you able to get an answer for this?  Based on what you shared, your issue is due to lack of internet access.

Thanks for sharing, as always!!