How do I troubleshoot issues connecting to my EC2 instance using EC2 Instance Connect?

Short description

The following are common reasons why EC2 Instance Connect might not work as expected:

• EC2 Instance Connect doesn't support the OS distribution.
• The EC2 Instance Connect package isn't installed on the instance.
• There are missing or incorrect AWS Identity and Access Management (IAM) policies or permissions.
• Security groups associated with the instance don't have EC2 Instance Connect service IPs listed.

To connect using the browser-based client, your instance must have a public IPv4 address. If your instance doesn't have a public IP address, connect using the EC2 Instance Connect Command Line Interface (CLI) from a machine within the same VPC. For more information, see the Limitations section in Connect using EC2 Instance Connect.

Note: If you’ve turned on the EC2 Serial Console for Linux, you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without requiring a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).

Before using the serial console, you must grant access to it at the account level and create IAM policies granting access to your IAM users. Also, every instance using the serial console must include at least one password-based user. If your instance is unreachable and you haven’t configured access to the serial console, you can follow the instructions for manually connecting to the instance provided in the following article links.

For information on configuring EC2 Serial Console for Linux, see Configure access to the EC2 Serial Console.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Resolution

1.    Verify that EC2 Instance Connect supports your instance's Linux distribution.

2.    Verify that your supported instance has the EC2 Instance Connect package installed.

3.    Verify that the IAM user trying to use EC2 Instance Connect has permission to push the public key to the instance.

4.    Verify that the instance's security group rules list EC2 Instance Connect IPs:

Browser-based SSH connections

Browser-based SSH connections require that your instance's security group inbound rules allow EC2 Instance Connect access to SSH on TCP port 22.

EC2 Instance Connect uses specific IP ranges for browser-based SSH connections to your instance. These IP ranges differ between AWS Regions. To find the AWS IP address range for EC2 Instance Connect in a specific Region, use the following commands:

Note: In the following commands, replace us-east-1 with the AWS Region of your instance. Be sure your instance is in a Region supported by EC2 Instance Connect.

Windows (requires Windows PowerShell for AWS)

PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1 -ServiceKey EC2_INSTANCE_CONNECT | select IpPrefix

Linux (requires curl and jq)

$ curl -s https://ip-ranges.amazonaws.com/ip-ranges.json| jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2_INSTANCE_CONNECT") | .ip_prefix'

Update your security group inbound rules to allow TCP port 22 access from the IP range returned by the preceding commands.

EC2 Instance Connect CLI connections

Update your security group inbound rules to allow TCP port 22 access from your IP.

Related information

Set up EC2 Instance Connect

Connect to your Linux instance using EC2 Instance Connect

How can I connect to my Amazon EC2 instance if I lost my SSH key pair after its initial launch?

Why can't I connect to my Amazon EC2 Linux instance using SSH?