
AWS EC2 Connectivity Troubleshooting Scenario

Hands-On Lab


Thomas Haslett

Vice President of Product

Length: 00:30:00

Difficulty: Intermediate

Welcome to this hands-on AWS Learning Activity for troubleshooting EC2 connectivity issues. The goal of this activity is to fix the broken environment and achieve the goal outlined below. The first video in this activity presents the scenario and the goal, while the second video provides the solution (if needed). Do your best to solve the connectivity issue without viewing the solution video.

Goal: Fix the connectivity issue in the AWS environment so that you can update the YUM package installer (from the command line) on the provided EC2 instance (named "web server"). This environment has been created with security in mind, so the "web server" EC2 instance has been provisioned in a private subnet and placed behind a bastion host and NAT gateway.

The proper Linux command to update the YUM package installer is "sudo yum update". To log into either of the provided EC2 instances, use the command:

ssh linuxacademy@PUBLIC-IP-ADDRESS

or

ssh linuxacademy@PRIVATE-IP-ADDRESS

What are Hands-On Labs?

Hands-On Labs are scenario-based learning environments where learners can practice without consequences. Don't compromise a system or waste money on expensive downloads. Practice real-world skills without the real-world risk, no assembly required.

AWS EC2 Connectivity Troubleshooting Scenario

The goal of this activity is to fix the connectivity issue in the AWS environment so that you can update the YUM package installer (from the command line) on the provided EC2 instance (named "web server"). This environment has been created with security in mind, so the "web server" EC2 instance has been provisioned in a private subnet and placed behind a bastion host and NAT gateway.

Log in to the AWS environment using the cloud_user credentials provided. Make sure you are working in the us-east-1 (N. Virginia) region.

Navigate to EC2 and view our instances.

There are a few issues here. Let's solve them.

Issue #1

The Issue

The NACL protecting the bastion host is denying all outbound traffic.

The Solution

In a terminal window, log in to either of the provided EC2 instances using one of the following commands:

ssh linuxacademy@PUBLIC-IP-ADDRESS

Or:

ssh linuxacademy@PRIVATE-IP-ADDRESS

The connection attempt will eventually time out.

In the AWS Console, navigate to the VPC service and then click Internet Gateways in the sidebar to make sure we have one attached to our VPC, which we do.

Click Route Tables in the sidebar to make sure the route table associated with our subnet has a route to the internet gateway. Everything should be good here.

Click Network ACLs in the sidebar. There's one associated with all four subnets. In the Inbound Rules tab below, we'll see it's allowing all traffic, which is fine. In the Outbound Rules tab, though, we'll see there's no Allow rule at all, only the default deny. Because NACLs are stateless, the bastion's SSH reply packets need an explicit outbound allow even though the inbound request was permitted, so we need to provide one.

Under Outbound Rules, click Edit and Add another rule.

  • Rule #: 100
  • Type: ALL TCP
  • Protocol: TCP (6)
  • Port Range: ALL
  • Destination: 0.0.0.0/0
  • Save

Back in the terminal, run the ssh command again. It still won't connect.

Issue #2

The Issue

SSH traffic is being denied by the security group associated with the bastion host.

The Solution

Back in the AWS Console, click Security Groups in the sidebar. If you're not sure which security group is associated with the instance, navigate back to EC2. Under the Description tab for the instance, find Security groups and click view inbound rules. There, we'll see the only Allow rule is port 80, which is for HTTP traffic and not SSH traffic.

Navigate back to Security Groups. Under Inbound Rules, click Edit. Change the Type of the existing rule to SSH (22). Click Save.

Back in the terminal, run the ssh command again. It should work this time. Enter yes at the prompt, and then enter the password. We've now successfully logged in to the bastion host.

Now, we want to log in to "web server". Get the private IP address from the lab credentials page. From the terminal where we are logged in to our bastion server, enter:

ssh linuxacademy@PRIVATE-IP-ADDRESS

Enter yes at the prompt, and then enter the password.

Now, run the YUM package installer:

sudo yum update

Enter the password:

123456

The command hangs. Why is the EC2 instance not able to reach the open internet in order to download package updates?

Issue #3

The Issue

The "web server" does not have a route to the NAT gateway.

The Solution

Back in the AWS Console, navigate to NAT Gateways in the VPC section. We have a NAT gateway here, but we need to confirm two things: that it sits in the public subnet, whose route table already has the route to the internet gateway, and that the private subnet's route table sends internet-bound traffic to it.

Click Route Tables in the sidebar. Select the route table associated with the private subnet the "web server" is located in, and click the Routes tab at the bottom. We'll see there isn't a route to the NAT gateway.

Click Edit and Add another route.

  • Destination: 0.0.0.0/0
  • Target: select the NAT gateway from the dropdown
  • Save

Back in the terminal, run the YUM package installer again. It should work this time.
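The three checks above can also be run as code. The following is an added example, not part of the lab or Linux Academy's material: it evaluates constructed dicts shaped like the boto3 EC2 `describe_network_acls`, `describe_security_groups` and `describe_route_tables` responses, and reports which of Issues #1 to #3 are still present. The client address 203.0.113.10 and the probe port 49152 are assumptions; the NACL check probes an ephemeral port because that is where the bastion's SSH replies are sent, which is why the lab's "ALL TCP" outbound rule (or at least 1024-65535) is needed.

```python
# Offline checks for the three faults in this lab, over dicts shaped like boto3's
# describe_network_acls / describe_security_groups / describe_route_tables output.
import ipaddress

def nacl_verdict(acl, egress, port, remote_ip, proto="6"):
    """Stateless NACL: entries are tried by ascending rule number, first match wins."""
    ip = ipaddress.ip_address(remote_ip)
    for e in sorted(acl["Entries"], key=lambda e: e["RuleNumber"]):
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        if (e["Egress"] == egress and e["Protocol"] in ("-1", proto)
                and pr["From"] <= port <= pr["To"]
                and ip in ipaddress.ip_network(e["CidrBlock"])):
            return e["RuleAction"]
    return "deny"  # the implicit '*' rule

def sg_allows_inbound_tcp(sg, port, remote_ip):
    """Stateful security group: any permission that matches admits the flow."""
    ip = ipaddress.ip_address(remote_ip)
    for p in sg["IpPermissions"]:
        proto_ok = p["IpProtocol"] == "-1" or (
            p["IpProtocol"] == "tcp" and p["FromPort"] <= port <= p["ToPort"])
        if proto_ok and any(ip in ipaddress.ip_network(r["CidrIp"]) for r in p["IpRanges"]):
            return True
    return False

def default_route_target(rt):
    """Target of the 0.0.0.0/0 route (igw-..., nat-...), or None if there is none."""
    for r in rt["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            return r.get("NatGatewayId") or r.get("GatewayId")
    return None

def diagnose(bastion_acl, bastion_sg, private_rt, client_ip="203.0.113.10"):
    """Return the lab's issues still present, in the order the walkthrough fixes them."""
    findings = []
    # SSH replies leave the bastion towards the client's ephemeral port, so the NACL
    # needs an outbound allow covering 1024-65535; 49152 is a representative probe.
    if nacl_verdict(bastion_acl, True, 49152, client_ip) == "deny":
        findings.append("Issue #1: NACL denies outbound traffic, so SSH replies never leave")
    if not sg_allows_inbound_tcp(bastion_sg, 22, client_ip):
        findings.append("Issue #2: bastion security group does not allow inbound TCP 22")
    if not (default_route_target(private_rt) or "").startswith("nat-"):
        findings.append("Issue #3: private route table has no 0.0.0.0/0 route to a NAT gateway")
    return findings

BROKEN_ACL = {"Entries": [  # constructed sample state, not the lab's: no outbound allow
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"}]}
BROKEN_SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
BROKEN_RT = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]}
```

Against a live account the same functions can be fed the output of the three boto3 calls for the bastion's NACL and security group and the private subnet's route table.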

Conclusion

Congratulations on completing this lab!