
Troubleshooting Amazon EC2 Network Connectivity

Hands-On Lab

 


Mark Richman

AWS Training Architect II in Content

Length

01:00:00

Difficulty

Intermediate

The goal of this hands-on lab is to fix the broken environment and achieve the goal outlined below. The first video in this lab presents the scenario and the goal, while the second video provides the solution (if needed). Do your best to solve the connectivity issue without viewing the solution video. Goal: Fix the connectivity issue in the AWS environment so that you can run a yum package update from the command line on the provided EC2 instance (named "web server"). This environment has been built with security in mind: the "web server" instance lives in a private subnet with no public IP, is reachable over SSH only through a bastion host in the public subnet, and can reach the internet only through a NAT gateway.



Introduction

The goal of this hands-on lab is to fix the connectivity issue in the AWS environment so we can run a yum package update from the command line on the provided EC2 instance (named "web server"). Here, we'll go step by step through the scenario and offer detailed instructions on how to solve the connectivity issue. There are three separate faults, one at each layer the traffic has to cross: the bastion host's security group, the private subnet's network ACL, and the private subnet's route table.

Solution

Log in to the live AWS environment using the credentials provided. Make sure you're in the N. Virginia (us-east-1) region throughout the lab.

Fix SSH Ingress to Bastion Host

The Issue

The security group attached to the bastion host has no inbound rule for SSH (TCP port 22), so the connection attempt is silently dropped.

How to Fix the Issue

Add an inbound SSH (TCP port 22) allow rule to the security group associated with the bastion host.

  1. Locate the public IP address of the bastion host on the lab page and copy it. Alternately, in the AWS console, navigate to EC2 > Instances and copy it from there.

  2. Open a terminal session, and log in via SSH:

    ssh cloud_user@<PUBLIC IP ADDRESS>
  3. The connection hangs and eventually times out rather than being refused. That is the signature of a security group rather than a listener problem: security groups drop packets they don't allow instead of rejecting them, so no "connection refused" ever comes back. Head back to the AWS console to look at the bastion host.

  4. Click the listed security group associated with the bastion host.

  5. In the Inbound rules tab, we'll see the only allow rule is port 80, which is for HTTP traffic and not SSH traffic.

  6. Click Edit.

  7. Delete the existing port 80 rule. The bastion host exists only to relay SSH and does not need to accept HTTP.

  8. Click Add Rule, and set the following values:

    • Type: SSH
    • Protocol: TCP
    • Port Range: 22
    • Source: Anywhere (0.0.0.0/0). This is what the lab uses; outside a throwaway lab, choose My IP or your organization's CIDR so port 22 on the bastion is not exposed to the whole internet.
  9. Click Save.

  10. Back in the terminal (re-run the ssh command if the earlier attempt has already timed out), we should see the host key prompt asking whether to continue connecting. Enter yes, and then enter the password for the instance (provided on the lab page). We've now successfully logged in to the bastion host.

  11. Now, we need to log in to the "web server" instance. It has only a private IP address, which is reachable from inside the VPC but not from our workstation, which is why we hop through the bastion host. Copy the private IP address from the lab credentials page (or from the AWS console). In the bastion host's terminal session, enter:

    ssh cloud_user@<PRIVATE IP ADDRESS>

    Enter yes at the prompt, and then enter the password provided on the lab page for the web server instance.

  12. Now, on the web server, try to update its packages with yum:

    sudo yum update
  13. Enter the cloud_user password again when sudo prompts for it.

The command hangs while yum tries to download repository metadata, and eventually fails with timeout errors. Why is the EC2 instance unable to reach the internet to complete the update?

Fix Egress from Web Server to Internet

The Issue

The outbound rule on the network ACL (NACL) protecting the private subnet only allows traffic destined for the public subnet's CIDR, not for 0.0.0.0/0. Packets from the web server to the yum mirrors are therefore dropped at the subnet boundary before they ever reach the NAT gateway. Note that NACLs are stateless: allowing a flow out does not automatically allow the replies back in, so in general the inbound rules must also permit return traffic on ephemeral ports (1024-65535). This lab's inbound rules already do, which is why only the outbound rule needs changing.

How to Fix the Issue

Change the NACL's outbound "All Traffic" allow rule so that its destination is 0.0.0.0/0.

  1. In the AWS console, navigate to VPC > Network ACLs.
  2. Click the Private Network NACL listed.
  3. In the Outbound Rules tab, click Edit outbound rules.
  4. Change the Destination of the existing outbound allow rule from the public subnet CIDR to 0.0.0.0/0.
  5. Click Save.
  6. Back in the terminal, run:

    sudo yum update

It still hangs. The packets are now allowed to leave the subnet, but nothing tells them where to go.

Fix Web Server Route to Internet

The Issue

The route table associated with the private subnet contains only the local VPC route; there is no default route (0.0.0.0/0) pointing at the NAT gateway, so traffic to any address outside the VPC has no next hop and is dropped.

How to Fix the Issue

Add a default route (0.0.0.0/0) targeting the NAT gateway to the route table associated with the private subnet the web server is located in.

  1. In the AWS console, navigate to the VPC > Route Tables.
  2. Select the Private route table, and click the Routes tab. We'll see only the local route for the VPC CIDR; there is no 0.0.0.0/0 route to the NAT gateway.
  3. Click Edit routes.
  4. Click Add route, and set the following values:
    • Destination: 0.0.0.0/0
    • Target: Type "nat", and select the pre-populated NAT gateway listed in the dropdown
  5. Click Save routes.
  6. Back in the terminal, run:

    sudo yum update

It should work this time: the web server's traffic to the yum mirrors now follows the default route to the NAT gateway, which forwards it to the internet using its own public address, and the replies come back through the NAT gateway to the private subnet.
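The three fixes above are applied by hand in the console, so it is easy to lose track of which layer is still blocking a flow. The following is an added example, not part of the lab or of any AWS tooling: a small offline model of the three controls (a stateful, allow-only security group; a stateless, ordered NACL with an implicit deny; a longest-prefix-match route table) with a diagnose() function that reports every fault stopping the two flows the lab exercises. The addresses, subnet CIDRs, the NAT gateway id, and the assumption that the private NACL's inbound ephemeral-port rule is already present are all constructed for the example. Unlike the lab's "Anywhere" rule, the fixed state opens SSH only to the admin's /32.

```python
"""Offline model of the three faults in this lab: a security group with no
SSH rule, a NACL whose outbound rule only covers the public subnet, and a
private route table with no default route to the NAT gateway. All addresses,
CIDRs and the NAT gateway id below are constructed for the example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One security-group or NACL entry; proto is 'tcp', 'udp' or '-1' (all)."""
    proto: str
    from_port: int
    to_port: int
    cidr: str
    action: str = "allow"  # NACLs can deny; security groups are allow-only
    number: int = 0        # NACL evaluation order; unused for security groups


def _matches(rule, proto, port, ip):
    if rule.proto not in ("-1", proto):
        return False
    if rule.proto != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


def sg_allows(rules, proto, port, peer_ip):
    """Security groups are stateful and allow-only: any matching rule permits
    the flow, and the reply direction is permitted automatically."""
    return any(_matches(r, proto, port, peer_ip) for r in rules)


def nacl_allows(rules, proto, port, peer_ip):
    """NACLs are stateless: the lowest-numbered matching rule decides each
    direction separately, and the implicit final rule is deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, port, peer_ip):
            return r.action == "allow"
    return False


def route_target(routes, dest_ip):
    """Longest-prefix match over {cidr: target}; None if no route covers dest_ip."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def diagnose(env, admin_ip, mirror_ip, ephemeral_port=49152):
    """Return the list of faults that would stop the lab's two flows:
    admin -> bastion on TCP/22, and web server -> yum mirror on TCP/443."""
    findings = []
    if not sg_allows(env["bastion_sg_in"], "tcp", 22, admin_ip):
        findings.append(f"bastion SG: no inbound rule for TCP/22 from {admin_ip}")
    target = route_target(env["private_routes"], mirror_ip)
    if not (target or "").startswith("nat-"):
        findings.append(f"private route table: {mirror_ip} routes to {target!r}, not a NAT gateway")
    if not nacl_allows(env["private_nacl_out"], "tcp", 443, mirror_ip):
        findings.append(f"private NACL: outbound TCP/443 to {mirror_ip} denied")
    # Stateless: the mirror's reply arrives on an ephemeral port and needs its own inbound allow.
    if not nacl_allows(env["private_nacl_in"], "tcp", ephemeral_port, mirror_ip):
        findings.append(f"private NACL: inbound reply to TCP/{ephemeral_port} from {mirror_ip} denied")
    return findings


ADMIN_IP, MIRROR_IP = "198.51.100.7", "203.0.113.10"  # constructed, RFC 5737 ranges


def broken_env():
    """Constructed starting state of the lab (CIDRs are assumptions)."""
    return {
        "bastion_sg_in": [Rule("tcp", 80, 80, "0.0.0.0/0")],                     # HTTP only, no SSH
        "private_routes": {"10.0.0.0/16": "local"},                              # no default route
        "private_nacl_out": [Rule("-1", 0, 65535, "10.0.0.0/24", number=100)],   # public subnet only
        "private_nacl_in": [Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)],  # ephemeral ports, assumed present
    }


def fixed_env():
    """The three fixes from the walkthrough, with SSH narrowed to one address."""
    env = broken_env()
    env["bastion_sg_in"].append(Rule("tcp", 22, 22, f"{ADMIN_IP}/32"))  # narrower than the lab's "Anywhere"
    env["private_routes"]["0.0.0.0/0"] = "nat-0123456789abcdef0"       # hypothetical NAT gateway id
    env["private_nacl_out"] = [Rule("-1", 0, 65535, "0.0.0.0/0", number=100)]
    return env


if __name__ == "__main__":
    for name, env in (("broken", broken_env()), ("fixed", fixed_env())):
        print(name, diagnose(env, ADMIN_IP, MIRROR_IP) or ["ok"])
```

Running it prints three findings for the broken state (SSH rule, default route, NACL outbound) and "ok" for the fixed state. The inbound NACL check is what the console walkthrough never shows you: if you ever tighten the private NACL's inbound rules, the outbound fix alone will not bring yum back, because the mirror's replies are evaluated on their own.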

Conclusion

Congratulations on completing this hands-on lab!