Learning AWS can be a very long and daunting experience. There are dozens of primary services, each with hundreds of features to learn. However, very few things can be more frustrating than having connectivity issues when trying to access a provisioned AWS resource, like an EC2 instance. After all, you just spent hours learning about AMIs, instance types, IP addresses, user-data, storage volumes, security groups, and key pairs. Now you just want to actually access the damn instance and have some fun with it. But as you try to access the instance, whether by SSH or HTTP, you get one of these dreaded errors: “access denied,” or “operation timed out,” or some other variation. Regardless of the error – you can’t log in.

AAAAARRRGGGGGG!

Ok, so you vent a little bit – perhaps even yell at your computer. Regardless of your frustration, you still need to figure out what is wrong. With that in mind, I present some of the common (perhaps even simple) issues that cause many connectivity problems.

Connectivity Path

Understanding the path:

To successfully troubleshoot connectivity issues to an EC2 instance, we first need to fully understand the path that our data takes when traveling from our computer to the EC2 instance. For the purpose of this blog post, we have to disregard the “open Internet” part of the path, as we have no control over that. What we will focus on is the part of the path once the data reaches your AWS Virtual Private Cloud (VPC), because that part we do control. And for this exercise, we will be working our way backward through the VPC infrastructure – meaning we will start with the EC2 instance and work our way out of the VPC to the open Internet.

The EC2 Instance:

1) Does it have a public IP address?

Yes: Move on to next section.

No: Either create an Elastic IP address and attach it to the instance or terminate the instance and create a new one (making sure to “enable” public IP address during the creation process). Check the connection again.  If it worked, great!  You are done!  If it did not work, move onto the next section.

The Security Group:

1) Does the security group have inbound allow rules for HTTP and/or SSH?

Yes: Move on to question 2.

No: Add an allow rule for HTTP and/or SSH (depending on which you need). Check the connection again. If it worked, great! You are done! If it did not work, move onto the next question.

2) Do the HTTP and/or SSH rules allow traffic from all sources (0.0.0.0/0)?

Yes: Move on to the next section.

No: Edit the source to be 0.0.0.0/0 for each protocol. Check the connection again.  If it worked, great!  You are done!  If it did not work, move onto the next section.

Note: This is not best practice for security groups, but we are just trying to troubleshoot the issue here.

The Subnet:

1) Does the subnet’s route table have a route to the Internet Gateway?

Yes: Move onto question 2.

No: Edit the route table to add a route to the IGW: Destination = 0.0.0.0/0 and Target = (the Internet Gateway ID). Check the connection again. If it worked, great! You are done! If it did not work, move onto the next question.

Note: If no IGW exists, move to the Internet Gateway section and then return here.

2) Does the Network Access Control List protecting the subnet have inbound allow rules for HTTP and/or SSH?

Yes: Move onto question 3.

No: Add an allow rule for HTTP and/or SSH (depending on which you need). Check the connection again. If it worked, great! You are done! If it did not work, move onto the next question.

3) Does the Network Access Control List protecting the subnet have outbound allow rules set for all traffic?

Yes: Move onto the next section.

No: Edit the outbound rules to allow all traffic to all destinations (0.0.0.0/0). Check the connection again. If it worked, great! You are done! If it did not work, move onto the next section.

Internet Gateway

1) Is there an Internet Gateway attached to the VPC in which the EC2 instance has been provisioned?

Yes: Move back to “the subnet” section.

No: Create an IGW and attach it to the VPC. Then move back to “the subnet” section.
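The walk above, encoded as a function over a constructed snapshot so it runs offline (my added example, not code from the post): it returns the checks that fail, in the post's order. It goes a step past the text in two places: the security-group check asks whether the rule's source CIDR covers your client address rather than requiring 0.0.0.0/0, and the outbound NACL check looks for the ephemeral range 1024-65535 that a stateless NACL must allow for reply traffic. The snapshot's shape only loosely follows the EC2 describe-* responses, and every ID and address in it is a hypothetical placeholder.

```python
import ipaddress

# Constructed snapshot of one instance's path, loosely shaped like EC2 describe-* output.
# Every ID and address here is a hypothetical placeholder, not from a real account.
SNAPSHOT = {
    "instance": {"PublicIpAddress": "203.0.113.10", "VpcId": "vpc-0example"},
    "sg_inbound": [{"FromPort": 22, "ToPort": 22, "Cidr": "198.51.100.0/24"},
                   {"FromPort": 80, "ToPort": 80, "Cidr": "0.0.0.0/0"}],
    "routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    "nacl_inbound": [{"RuleNumber": 100, "RuleAction": "allow", "FromPort": 22, "ToPort": 22},
                     {"RuleNumber": 110, "RuleAction": "allow", "FromPort": 80, "ToPort": 80}],
    "nacl_outbound": [{"RuleNumber": 100, "RuleAction": "allow", "FromPort": 80, "ToPort": 80}],
    "igws": [{"InternetGatewayId": "igw-0example", "Attachments": []}],
}

def sg_allows(rules, port, client_ip):
    """Security groups are stateful allow-lists: one rule covering port and source suffices."""
    ip = ipaddress.ip_address(client_ip)
    return any(r["FromPort"] <= port <= r["ToPort"]
               and ip in ipaddress.ip_network(r["Cidr"]) for r in rules)

def nacl_allows(rules, port):
    """NACLs are stateless and ordered: the lowest-numbered matching rule decides."""
    for r in sorted(rules, key=lambda r: r["RuleNumber"]):
        if r["FromPort"] <= port <= r["ToPort"]:
            return r["RuleAction"] == "allow"
    return False  # the implicit final '*' rule denies anything unmatched

def walk_path(snap, client_ip, ports=(22, 80)):
    """Work outward from the instance, in the post's order, collecting what blocks access."""
    findings = []
    if not snap["instance"].get("PublicIpAddress"):
        findings.append("instance: no public IP address")
    for p in ports:
        if not sg_allows(snap["sg_inbound"], p, client_ip):
            findings.append(f"security group: no inbound rule for port {p} from {client_ip}")
    if not any(r["DestinationCidrBlock"] == "0.0.0.0/0" and r["GatewayId"].startswith("igw-")
               for r in snap["routes"]):
        findings.append("subnet: route table has no 0.0.0.0/0 route to an Internet Gateway")
    for p in ports:
        if not nacl_allows(snap["nacl_inbound"], p):
            findings.append(f"NACL: inbound port {p} not allowed")
    # Replies go back to the client's ephemeral port, so both ends of that range must pass.
    if not all(nacl_allows(snap["nacl_outbound"], p) for p in (1024, 65535)):
        findings.append("NACL: outbound does not allow ephemeral ports 1024-65535 for replies")
    vpc = snap["instance"]["VpcId"]
    if not any(a.get("VpcId") == vpc and a.get("State") == "available"
               for g in snap["igws"] for a in g["Attachments"]):
        findings.append(f"IGW: no Internet Gateway attached to {vpc}")
    return findings
```

Calling `walk_path(SNAPSHOT, "192.0.2.7")` on the constructed snapshot reports four problems: the SSH rule does not cover that client, there is no IGW route, the outbound NACL blocks replies, and no gateway is attached.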

Well, there you have it.  Hopefully, by following this guide, you should be connecting to your EC2 instance in no time!


14 responses to “Troubleshooting EC2 Connectivity Issues”

  1. Pavan says:

    Hi Thomas,

    I followed all the steps exactly to create all the services, install apache and also the troubleshooting steps. But not sure why it still says “timed out” after every attempt to see if apache is installed properly or not.

    Is there anything that I need to do to check if something went wrong? I am using my own AWS Free-tier account to create project omega.

    IPv4 Public IP
    54.84.3.221

    Appreciate all your help here.

    Thanks,
    Pavan

    • Thomas Haslett says:

      Hi, Pavan. Can you SSH into the instance? Once logged in – run the command “service httpd status” and see if apache is installed and running.

  2. Naeem says:

    Hi Thomas,
    I’ve been following the “Setting up an ELB and Auto Scaling Group” Lab. All went well but at the end I could not ssh into my instances as well as no http traffic was available. After a bunch of brainstorming & after playing with NACLs I had to allow all traffic on both NACLs for inbound & outbound, then only I was able to ssh & also could browse the page through ELB dns record.
    My question is why am I unable to access my instances if I explicitly mention the ssh & http services only. After reproducing the issue I made sure that it was due to NACLs.

    Please help.

    • Thomas Haslett says:

      Hi, Naeem. The short answer is that I can’t say for sure. Without knowing your entire setup – it can be difficult to diagnose. With SSH, outbound traffic generally does not travel on port 22. So if you lock down outbound rules to just 22, then it can cause issues. Generally I find it best to lock down inbound rules to just the ports you need, but have the NACL outbound rules set to all TCP. See if that works for you.

  3. Yashaswini says:

    Hi Thomas,

    I am enrolled in your linux academy AWS Essentials course. I was wondering if I can get the course pdf for further reference. If possible, can you please email me at yashaswini.vf474@gmail.com

    • Thomas Haslett says:

      Yashawsini. There is no PDF that I can send you. It is all managed in Project Omega – which is an online tool.

  4. Vinnie Abdala says:

    Hi Thomas,

    I followed all the steps mentioned on a brand new AWS account.
    I have an EC2 instance running. It’s accessible via SSH and port 80 is alright.

    However, when I create an Inbound Rule for, let’s say, port 3000, I can’t access it through my browser.
    The way I am testing is running a SimpleHTTPServer on that port 3000 and trying to reach to :3000 via Chrome.

    $ sudo python -m SimpleHTTPServer 3000

    If I do the same for port 80, it works alright.
    http://ec2-34-253-88-135.eu-west-1.compute.amazonaws.com:3000/

    Any thought on what might be the problem?

    Thanks,
    Vinnie

  5. Mukesh Panigrahi says:

    Hi Thomas,
    Was facing an issue on yum update of EC2 instances.
    My observation in both cases.
    Case 1:
    NACL->Inbound: SSH and HTTP allow. Outbound : All Allow
    Security group->Inbound: SSH and HTTP allow. Outbound : All Allow
    yum doesn’t update.
    Case 2:
    NACL->Inbound: SSH and HTTP allow + All TCP allow. Outbound : All Allow
    Security group->Inbound: SSH and HTTP allow. Outbound : All Allow
    yum updates.

    Can you please explain why?

    • Thomas Haslett says:

      Hi, Mukesh. In your two Cases – it appears that the only difference is the addition of All TCP rules in the Inbound NACL. Yum should update under the first Case. Without knowing your full network setup, I really can’t say for sure why this is occurring. You can try just adding HTTPS to Case 1 inbound NACL and give that a try – but I have been successful with Case 1 as is.

  6. Leo says:

    Hey Thomas,

    When I am troubleshooting Security Group settings and NACLS, do we need to do anything with the EC2 instance on its own? How long would it take for the changes to take effect?

    Thanks,
    Leo

  7. Dimple Patel says:

    Hi Thomas,
    I am trying to open apache test page using public IP but I am getting “can’t connect to the server error”. I double checked my script was entered correctly.
    I checked all connection listed above but its still not working.
    Please help.

    Thanks
    Dimple

  8. Bookmarked for life. The outbound on the ACL rules is what got me. Strange thing, I have been running just fine w/o setting these up for a while now. So strange that this just all of a sudden kicked in.
