The CodeDeploy agent requires outbound access to the internet for access to 4 different service endpoints. Access to all these endpoints are required in order for the service to work properly.
Outbound access to the internet is needed to access to (1) the CodeDeploy service endpoints, and (2) to access S3 or Github services - this access is required to the agent to download software deployment package for the revision being deployed.
From CodeDeploy FAQs:
...AWS CodeDeploy agent installed on the Amazon EC2 instances must be
able to access the public AWS CodeDeploy and Amazon S3 service
endpoints. For more information, see AWS CodeDeploy Endpoints and
Amazon S3 Endpoints.
(3) The CodeDeploy agent will regularly check for software updates, and automatically update itself within 24 hours of a new release. A properly configured CodeDeploy agent instance will allow IAM S3 access to the AWS CodeDeploy Resource Kit Reference bucket, so that it can access new software when available. Failure to provide update access here could break your implementation when the service is upgraded, or limit access to new features.
(4) Regarding CodeDeploy command and control, the source code for the agent shows a reference to a special command https endpoint, called the AWS_DEPLOY_CONTROL_ENDPOINT:
From aws-codedeploy-agent software repository, the deploy_control_endpoint.rb file has the following:
require 'aws-sdk-core'
module Aws
module Plugins
class DeployControlEndpoint < Seahorse::Client::Plugin
option(:endpoint) do |cfg|
url = ENV['AWS_DEPLOY_CONTROL_ENDPOINT']
if url.nil?
url = "https://codedeploy-commands.#{cfg.region}.amazonaws.com"
if "cn" == cfg.region.split("-")[0]
url.concat(".cn")
end
end
url
end
end
end
end
While apparently not documented, access to this endpoint is also required.
