Troubleshooting EC2 Connectivity Issues

Jun 08, 2023 • 4 Minute Read

Learning AWS can be a very long and daunting experience. There are dozens of primary services, each with hundreds of features to learn. However, very few things can be more frustrating than having a connectivity issue when trying to access a provisioned AWS resource, like an EC2 instance. After all, you just spent hours learning about AMIs, instance types, IP addresses, user-data, storage volumes, security groups, and key pairs. Now you just want to actually access the damn instance and have some fun with it. But as you try to access the instance, whether by SSH or HTTP, you get one of these dreaded errors: “access denied,” or “operation timed out,” or some other variation. Regardless of the error, you can’t log in.

AAAAARRRGGGGGG!

OK, so you vent a little bit, perhaps even yell at your computer. Regardless of your frustration, you still need to figure out what is wrong. With that in mind, I present some of the common (perhaps even simple) causes of many connectivity issues.

Connectivity Path

Understanding the path:

To successfully troubleshoot a connectivity issue with an EC2 instance, we first need to fully understand the path that our data takes when traveling from our computer to the EC2 instance. For the purpose of this blog post, we have to disregard the “open Internet” part of the path, as we have no control over that. What we will focus on is the part of the path after the data reaches your AWS Virtual Private Cloud (VPC), because that part we do control. For this exercise, we will work our way backward through the VPC infrastructure, meaning we will start with the EC2 instance and work our way out of the VPC to the open Internet.

The EC2 Instance:

1) Does it have a public IP address?

Yes: Move on to the next section.

No: Either create an Elastic IP address and attach it to the instance or terminate the instance and create a new one (making sure to “enable” public IP address during the creation process). Check the connection again. If it worked, great! You are done! If it did not work, move on to the next section.

The Security Group:

1) Does the security group have inbound allow rules for HTTPS and/or SSH?

Yes: Move on to question 2.

No: Add an allow rule for HTTP and/or SSH (depending on which you need). Check the connection again. If it worked, great! You are done! If it did not work, move on to the next section.

2) Do the HTTP and/or SSH rules allow traffic from all sources (0.0.0.0/0)?

Yes: Move on to the next section.

No: Edit the source to be 0.0.0.0/0 for each protocol. Check the connection again. If it worked, great! You are done! If it did not work, move on to the next section.

Note: This is not best practice for security groups, but we are just trying to troubleshoot the issue here.

The Subnet:

1) Does the subnet's route table have a route to the Internet Gateway?

Yes: Move on to question 2.

No: Edit the route table to add a route to the IGW: Destination = 0.0.0.0/0 and Target = (the Internet Gateway ID).

Note: If no IGW exists, move to the section on the IGW and then return here. Check the connection again. If it worked, great! You are done! If it did not work, move on to the next question.

2) Does the Network Access Control List protecting the subnet have inbound allow rules for HTTPS and/or SSH?

Yes: Move on to question 3.

No: Add an allow rule for HTTP and/or SSH (depending on which you need). Check the connection again. If it worked, great! You are done! If it did not work, move on to the next question.

3) Does the Network Access Control List protecting the subnet have outbound allow rules set for all traffic?

Yes: Move on to the next section.

No: Edit the outbound rules to allow for all traffic from all sources (0.0.0.0/0). Check the connection again. If it worked, great! You are done! If it did not work, move on to the next section.

Internet Gateway

1) Is there an internet gateway attached to the VPC in which the EC2 instance has been provisioned?

Yes: Move back to “the subnet” section.

No: Create an IGW and attach it to the VPC. Then move back to “the subnet” section.

Note: An egress-only internet gateway supports only IPv6 addresses and is used for outbound-only internet access.
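The checklist above can also be run against saved output from the EC2 describe calls. The following Python is an added example, not part of the original post: it assumes each argument is one element of the `Instances`, `SecurityGroups`, `RouteTables` and `NetworkAcls` lists in those responses, uses constructed sample data, and tests whether your own client IP is covered rather than requiring 0.0.0.0/0. The `return_port` value of 50000 is an assumed client ephemeral port.

```python
import ipaddress

def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def sg_allows(sg, port, client_ip):
    """Security groups are allow-only: any matching inbound rule admits the traffic."""
    for p in sg["IpPermissions"]:
        port_ok = p["IpProtocol"] == "-1" or (
            p["IpProtocol"] == "tcp" and p["FromPort"] <= port <= p["ToPort"])
        if port_ok and any(_in(client_ip, r["CidrIp"]) for r in p.get("IpRanges", [])):
            return True
    return False

def nacl_allows(nacl, port, peer_ip, egress):
    """NACL entries are checked lowest rule number first; the first match decides."""
    rules = [e for e in nacl["Entries"] if e["Egress"] == egress and "CidrBlock" in e]
    for e in sorted(rules, key=lambda e: e["RuleNumber"]):
        port_ok = e["Protocol"] == "-1" or (
            e["Protocol"] == "6" and e["PortRange"]["From"] <= port <= e["PortRange"]["To"])
        if port_ok and _in(peer_ip, e["CidrBlock"]):
            return e["RuleAction"] == "allow"
    return False

def has_igw_route(rt):
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])

def diagnose(inst, sg, rt, nacl, port, client_ip, return_port=50000):
    """Walk the checklist in the article's order; return the first failing step."""
    checks = [
        ("instance: no public IP", bool(inst.get("PublicIpAddress"))),
        ("security group: no inbound allow for port/source", sg_allows(sg, port, client_ip)),
        ("subnet: no 0.0.0.0/0 route to an internet gateway", has_igw_route(rt)),
        ("NACL: inbound not allowed", nacl_allows(nacl, port, client_ip, False)),
        # NACLs are stateless: the reply to the client's port needs an outbound allow.
        ("NACL: outbound reply not allowed", nacl_allows(nacl, return_port, client_ip, True)),
    ]
    return next((msg for msg, ok in checks if not ok), "ok")

# Constructed sample data (documentation IP ranges, placeholder gateway ID).
INST = {"PublicIpAddress": "198.51.100.10"}
SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
RT = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]}
NACL = {"Entries": [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"}]}
print(diagnose(INST, SG, RT, NACL, 22, "203.0.113.7"))
```

With the sample data, the security group and inbound NACL both admit SSH, yet the connection still fails because the NACL has no outbound allow for the reply, which is the case question 3 of the subnet section covers.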

Well, there you have it.  Hopefully, by following this guide, you should be connecting to your EC2 instance in no time!
