Not able to Discover Amazon EC2 instances via VSA Proxy for snapshot backups

As soon as INTERNET(HTTPS-443) is enabled on my access node/media agent Browse is working but i cant enable HTTPS - 443 INTERNET on my access nodes/media agents due to security concerns and they are in PRIVATE SUBNETS.

Any suggestions how does access node discover AWS Regions/EC2 instances without internet access on MA/AN ?

@Mike Struening Thank you for response . This is a POC Lab Environment with temp license , i don't think i will be able to raise support case for this .

I need to understand if Iam missing anything here . 

Do we really need internet access on Private Subnet VSA proxy for Browse & Discovery to work ?

Do we need to create any type of VPC Endpoint for Access node present in Private Subnet to perform Browse and Discovery ?

Regards, Mohit

This doc says that --

https://documentation.commvault.com/11.23/expert/30944_getting_started_with_virtual_server_agent_for_amazon.html

The access node must have access to the regional and global STS endpoints. For more information about AWS service endpoints, see AWS service endpoints on the AWS documentation site.

• Global STS endpoints: The service endpoint is https://sts.amazonaws.com.

• Regional STS endpoints: For example, https://sts.us-east-1.amazonaws.com, to back up instances on us-east-1.

If my access node is in Private Subnet and doesn't have internet configured how can it access these endpoints without internet connectivity . 

Also , what are the CIDR range for these endpoints if i have to allow them in security group ?