Troubleshooting EC2

Troubleshooting EC2 Connectivity Issues

Learning AWS can be a long and daunting experience. There are dozens of primary services, each with hundreds of features to learn. However, few things are more frustrating than a connectivity issue when trying to access a provisioned AWS resource, like an EC2 instance. After all, you just spent hours learning about AMIs, instance types, IP addresses, user-data, storage volumes, security groups, and key pairs. Now you just want to actually access the damn instance and have some fun with it. But as you try to access the instance, whether by SSH or HTTP, you get one of those dreaded errors: “access denied,” “operation timed out,” or some other variation. Regardless of the error, you can’t log in.

AAAAARRRGGGGGG!

Ok, so you vent a little bit, perhaps even yell at your computer. Regardless of your frustration, you still need to figure out what is wrong. With that in mind, I present some of the common (perhaps even simple) misconfigurations that cause many connectivity problems.

Connectivity Path

Understanding the path:

To successfully troubleshoot connectivity issues to an EC2 instance, we first need to fully understand the path that our data takes when traveling from our computer to the EC2 instance. For the purpose of this blog post, we have to disregard the “open Internet” part of the path, as we have no control over that. What we will focus on is the path once the data reaches your AWS Virtual Private Cloud (VPC), because that part we do control. And for this exercise, we will be working our way backward through the VPC infrastructure, meaning we will start with the EC2 instance and work our way out of the VPC to the open Internet. The error text itself is the first clue: a timeout means your packets never reached the instance (or its replies never made it back), which is what the checks below cover; a “connection refused” or SSH’s “Permission denied (publickey)” means the network path is already open and the problem is the service on the instance or the key pair.

The EC2 Instance:

1) Does it have a public IP address?

Yes: Move on to next section.

No: Either allocate an Elastic IP address and associate it with the instance, or terminate the instance and launch a new one (making sure to enable “auto-assign public IP” during the launch process). Also make sure you are connecting to that public address, not the instance’s private 10.x or 172.x address, which is not reachable from the Internet. Check the connection again. If it worked, great! You are done! If it did not work, move on to the next section.

The Security Group:

1) Does the security group have inbound allow rules for HTTP (TCP 80, or TCP 443 if you are serving HTTPS) and/or SSH (TCP 22)?

Yes: Move on to question 2.

No: Add an inbound allow rule for HTTP and/or SSH (depending on which you need). Check the connection again. If it worked, great! You are done! If it did not work, move on to the next section.

2) Do the HTTP and/or SSH rules allow traffic from your source address? (The quickest test is a source of 0.0.0.0/0.)

Yes: Move on to the next section.

No: Edit the source to 0.0.0.0/0 for each rule. Check the connection again. If it worked, great! You are done! If it did not work, move on to the next section.

Note: This is not best practice for security groups; we are only trying to isolate the issue. Once it works, narrow the SSH rule back down to your own public IP (a /32). If your rule already names a specific address and it used to work, remember that a change in your public IP (a new ISP lease, a VPN, a different office network) is enough to lock you out. Security groups are stateful, so no outbound rule is needed for the reply traffic.

The Subnet:

1) Does the subnet’s route table have a route to the Internet Gateway?

Yes: Move on to question 2.

No: Edit the route table to add a route to the IGW: Destination = 0.0.0.0/0 and Target = (the Internet Gateway ID).

Note: If no IGW exists, move to the Internet Gateway section and then return here. Check the connection again. If it worked, great! You are done! If it did not work, move on to the next question.

2) Does the Network Access Control List (NACL) protecting the subnet have inbound allow rules for HTTP and/or SSH?

Yes: Move on to question 3.

No: Add an allow rule for HTTP and/or SSH (depending on which you need). Check the connection again. If it worked, great! You are done! If it did not work, move on to the next question.

3) Does the NACL protecting the subnet have outbound allow rules that cover the reply traffic?

Yes: Move on to the next section.

No: Edit the outbound rules to allow traffic to all destinations (0.0.0.0/0), at a minimum TCP on the ephemeral port range 1024-65535. Check the connection again. If it worked, great! You are done! If it did not work, move on to the next section.

Note: Unlike security groups, NACLs are stateless. The instance’s replies to an SSH or HTTP client go back to a random high (ephemeral) port on the client, so an outbound rule that only allows port 22 or 80 drops every reply, and the connection times out even though the inbound rule is correct. NACL rules are also evaluated in rule-number order and the first match wins, so check that no lower-numbered deny rule sits in front of your allow.

Internet Gateway

1) Is there an internet gateway attached to the VPC in which the EC2 instance has been provisioned?

Yes: Move back to “the subnet” section.

No: Create an IGW and attach it to the VPC. Then move back to “the subnet” section.
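To make the checklist above repeatable, here is an added example (my own code, not part of the original post) that walks the same path in the same order over data shaped like the boto3 describe_* responses and reports every blocker it finds for a given client address and port. The environment dicts, the “0example” resource IDs and the 203.0.113.x, 198.51.100.x and 192.0.2.x addresses (RFC 5737 documentation ranges) are constructed for the example; the checks assume IPv4 and TCP, which is all this post deals with.

```python
"""Walk the post's path in reverse (instance, security group, subnet route table,
network ACL, internet gateway) over boto3-shaped dicts and list everything that
would stop a client reaching the instance on a TCP port. ENV is a constructed
sample with placeholder IDs; fill the same dicts from ec2.describe_instances,
describe_security_groups, describe_route_tables, describe_network_acls and
describe_internet_gateways to run it against a real account."""
from ipaddress import ip_address, ip_network


def _covers(cidr, ip):
    return ip_address(ip) in ip_network(cidr, strict=False)


def sg_allows(sg, client_ip, port):
    """Security groups are stateful: one matching inbound allow is enough."""
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto not in ("tcp", "-1") or (proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(_covers(r["CidrIp"], client_ip) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_decision(acl, egress, remote_ip, port):
    """NACLs are stateless and ordered: the lowest-numbered entry matching the
    direction, CIDR, protocol and port decides; the trailing '*' entry denies."""
    for e in sorted((e for e in acl["Entries"] if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        cidr = e.get("CidrBlock")  # IPv6-only entries carry Ipv6CidrBlock instead
        if cidr is None or not _covers(cidr, remote_ip):
            continue
        if e["Protocol"] not in ("6", "-1"):  # "6" is TCP, "-1" is every protocol
            continue
        pr = e.get("PortRange")
        if e["Protocol"] == "6" and pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow"
    return False


def nacl_allows_range(acl, egress, remote_ip, lo, hi):
    """True only if every port in [lo, hi] is allowed. The decision can only
    change at an entry's port boundaries, so testing those points is exhaustive."""
    points = {lo, hi}
    for e in acl["Entries"]:
        pr = e.get("PortRange")
        if pr:
            edges = (pr["From"] - 1, pr["From"], pr["To"], pr["To"] + 1)
            points.update(p for p in edges if lo <= p <= hi)
    return all(nacl_decision(acl, egress, remote_ip, p) for p in points)


def route_for(route_table, client_ip):
    """Longest-prefix match over IPv4 routes, as the VPC router does it."""
    best = None
    for r in route_table["Routes"]:
        dest = r.get("DestinationCidrBlock")  # IPv6 routes use DestinationIpv6CidrBlock
        if dest and _covers(dest, client_ip):
            plen = ip_network(dest, strict=False).prefixlen
            if best is None or plen > best[0]:
                best = (plen, r)
    return best[1] if best else None


def diagnose(env, client_ip, port):
    """Return the blockers for client_ip -> instance on TCP port; [] means the VPC path is open."""
    inst, acl, problems = env["instance"], env["network_acl"], []
    if not inst.get("PublicIpAddress"):
        problems.append("instance has no public IPv4 address (associate an Elastic IP)")
    if not sg_allows(env["security_group"], client_ip, port):
        problems.append(f"security group has no inbound TCP/{port} rule covering {client_ip}")
    route = route_for(env["route_table"], client_ip)
    if not (route and route.get("GatewayId", "").startswith("igw-") and route.get("State") == "active"):
        problems.append("subnet route table has no active internet gateway route for this client")
    if not nacl_decision(acl, False, client_ip, port):
        problems.append(f"network ACL inbound rules do not allow TCP/{port} from {client_ip}")
    if not nacl_allows_range(acl, True, client_ip, 1024, 65535):  # replies land on ephemeral client ports
        problems.append("network ACL outbound rules do not allow replies on ephemeral ports 1024-65535")
    if not any(a["VpcId"] == inst["VpcId"] and a["State"] == "available"
               for igw in env["internet_gateways"] for a in igw["Attachments"]):
        problems.append(f"no internet gateway is attached to {inst['VpcId']}")
    return problems


ANY, TCP = "0.0.0.0/0", "6"
ENV = {  # constructed sample; the "0example" IDs are placeholders, not real resources
    "instance": {"VpcId": "vpc-0example", "PublicIpAddress": "203.0.113.50"},
    "security_group": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": ANY}]}]},
    "route_table": {"Routes": [
        {"DestinationCidrBlock": ANY, "GatewayId": "igw-0example", "State": "active"}]},
    "network_acl": {"Entries": [
        {"RuleNumber": 100, "Egress": False, "Protocol": TCP, "RuleAction": "allow", "CidrBlock": ANY, "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 110, "Egress": False, "Protocol": TCP, "RuleAction": "allow", "CidrBlock": ANY, "PortRange": {"From": 80, "To": 80}},
        {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": ANY},
        {"RuleNumber": 100, "Egress": True, "Protocol": TCP, "RuleAction": "allow", "CidrBlock": ANY, "PortRange": {"From": 1024, "To": 65535}},
        {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": ANY}]},
    "internet_gateways": [{"InternetGatewayId": "igw-0example", "Attachments": [{"VpcId": "vpc-0example", "State": "available"}]}],
}

if __name__ == "__main__":
    for ip, port in (("198.51.100.7", 22), ("192.0.2.9", 22), ("198.51.100.7", 3000)):
        print(f"{ip} -> TCP/{port}:", diagnose(ENV, ip, port) or "VPC path open; check the service and host firewall")
```

The outbound NACL check evaluates the whole ephemeral range rather than a single port, because an outbound rule that allows only port 22 or 80 is exactly the misconfiguration that makes a correct inbound rule time out, and the inbound check honours rule order, so a lower-numbered deny sitting in front of your allow is reported as well. When the list comes back empty, the VPC is not the problem and the next place to look is the instance itself.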

Well, there you have it. If every check above passes and the connection still fails, the VPC path is open and the problem is on the instance itself: confirm that the service is actually running and listening on the port (for example with “service httpd status” or “sudo ss -tlnp”), and that the host firewall on the AMI is not blocking it. Hopefully, by following this guide, you will be connecting to your EC2 instance in no time!

AWS Labs

Thomas Haslett

Thomas Haslett is an enthusiast of cutting-edge technology. Cloud computing, virtual/augmented reality, and the Internet of Things (IoT) are what he considers "fun & cool". Tom's background includes years of experience creating and designing proprietary business applications, virtual reality game development, and Android app development. Tom currently holds three AWS certifications: AWS Solutions Architect (associate), AWS SysOps Admin (associate), & AWS Developer (associate).

13 thoughts on “Troubleshooting EC2 Connectivity Issues”

  1. Hi Thomas,

    I followed all the steps exactly to create all the services, install Apache and also the troubleshooting steps. But not sure why it still says “timed out” after every attempt to see if Apache is installed properly or not.

    Is there anything that I need to do to check if something went wrong? I am using my own AWS Free-tier account to create Project Omega.

    IPv4 Public IP
    54.84.3.221

    Appreciate all your help here.

    Thanks,
    Pavan

    1. Hi, Pavan. Can you SSH into the instance? Once logged in, run the command “service httpd status” and see if Apache is installed and running.

  2. Hi Thomas,
    I’ve been following the “Setting up an ELB and Auto Scaling Group” Lab. All went well, but at the end I could not SSH into my instances, and no HTTP traffic was available either. After a bunch of brainstorming and after playing with NACLs, I had to allow all traffic on both NACLs for inbound and outbound; only then was I able to SSH and also browse the page through the ELB DNS record.
    My question is: why am I unable to access my instances if I explicitly mention the SSH and HTTP services only? After reproducing the issue I made sure that it was due to NACLs.

    Please help.

    1. Hi, Naeem. The short answer is that I can’t say for sure. Without knowing your entire setup, it can be difficult to diagnose. With SSH, outbound traffic generally does not travel on port 22. So if you lock down outbound rules to just 22, then it can cause issues. Generally I find it best to lock down inbound rules to just the ports you need, but have the NACL outbound rules set to all TCP. See if that works for you.

    1. Yashawsini: there is no PDF that I can send you. It is all managed in Project Omega, which is an online tool.

  3. Hi Thomas,

    I followed all the steps mentioned on a brand new AWS account.
    I have an EC2 instance running. It’s accessible via SSH and port 80 is alright.

    However, when I create an Inbound Rule for, let’s say, port 3000, I can’t access it through my browser.
    The way I am testing is running a SimpleHTTPServer on port 3000 and trying to reach :3000 via Chrome.

    $ sudo python -m SimpleHTTPServer 3000

    If I do the same for port 80, it works alright.
    http://ec2-34-253-88-135.eu-west-1.compute.amazonaws.com:3000/

    Any thought on what might be the problem?

    Thanks,
    Vinnie

  4. Hi Thomas,
    I was facing an issue with yum update on EC2 instances.
    My observations in both cases:
    Case 1:
    NACL->Inbound: SSH and HTTP allow. Outbound : All Allow
    Security group->Inbound: SSH and HTTP allow. Outbound : All Allow
    yum doesn’t update.
    Case 2:
    NACL->Inbound: SSH and HTTP allow + All TCP allow. Outbound : All Allow
    Security group->Inbound: SSH and HTTP allow. Outbound : All Allow
    yum updates.

    Can you please explain why?

    1. Hi, Mukesh. In your two cases, it appears that the only difference is the addition of an All TCP rule in the inbound NACL. Yum should update under the first case. Without knowing your full network setup, I really can’t say for sure why this is occurring. You can try just adding HTTPS to the Case 1 inbound NACL and give that a try, but I have been successful with Case 1 as is.

  5. Hey Thomas,

    When I am troubleshooting security group settings and NACLs, do we need to do anything with the EC2 instance on its own? How long would it take for the changes to take effect?

    Thanks,
    Leo

  6. Hi Thomas,
    I am trying to open the Apache test page using the public IP, but I am getting a “can’t connect to the server” error. I double-checked that my script was entered correctly.
    I checked all the connections listed above, but it’s still not working.
    Please help.

    Thanks
    Dimple
