I host my website on an Amazon Elastic Compute Cloud (Amazon EC2) instance. I want users to connect to my website on HTTP (port 80) or HTTPS (port 443).
Resolution
To allow traffic on ports 80 and 443, you must configure the associated security group and network access control list (network ACL).
Security group rules
For HTTP traffic, add an inbound rule on port 80 from the source address 0.0.0.0/0.
For HTTPS traffic, add an inbound rule on port 443 from the source address 0.0.0.0/0.
These inbound rules allow traffic from IPv4 addresses. To allow IPv6 traffic, add inbound rules on the same ports from the source address ::/0. For more information on creating or modifying security groups, see Control traffic to your AWS resources using security groups.
Security groups are stateful, so the return traffic from the instance to users is allowed automatically. You don't need to modify the security group's outbound rules.
Note: The following example shows the security group rules that allow IPv4 and IPv6 traffic on TCP ports 80 (HTTP) and 443 (HTTPS). Determine whether other sources of traffic, such as SSH or RDP to log in to the instance, must be allowed for your use case. Then, make sure that your security group has the relevant inbound rules to allow the needed traffic.
Inbound rules
| Type | Protocol | Port Range | Source |
|---|---|---|---|
| HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 |
| HTTP (80) | TCP (6) | 80 | ::/0 |
| HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 |
| HTTPS (443) | TCP (6) | 443 | ::/0 |
Network ACL
The default network ACL allows all inbound and outbound IPv4 traffic. If your users connect over IPv6 and your Amazon Virtual Private Cloud (Amazon VPC) has an associated IPv6 CIDR block, then your default network ACL also automatically adds rules that allow all inbound and outbound IPv6 traffic. However, if you use a custom network ACL with more restrictive rules, then you must explicitly allow traffic on ports 80 and 443.
Network ACLs are stateless, so you must add both inbound and outbound rules to allow the connection to your website. For more information on modifying network ACL rules, see Control subnet traffic with network access control lists.
Note: The following example shows a custom network ACL that allows traffic on TCP ports 80 (HTTP) and 443 (HTTPS). Network ACLs apply to all resources in an entire subnet, not just to a single EC2 instance. In the example configuration, all traffic to and from resources in the subnet is blocked, except on destination ports 80 and 443 (inbound) and the ephemeral port range 1024-65535 (outbound, for return traffic). Determine whether other sources of traffic, such as SSH or RDP to log in to the instance, must be allowed for your use case. Then, make sure that you have the relevant inbound and outbound rules to allow the needed traffic.
Inbound rules
| Rule # | Type | Protocol | Port Range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | ALLOW |
| 101 | HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 | ALLOW |
| 102 | HTTP (80) | TCP (6) | 80 | ::/0 | ALLOW |
| 103 | HTTPS (443) | TCP (6) | 443 | ::/0 | ALLOW |
| * | ALL Traffic | ALL | ALL | ::/0 | DENY |
| * | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
Outbound rules
| Rule # | Type | Protocol | Port Range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | Custom TCP Rule | TCP (6) | 1024-65535 | 0.0.0.0/0 | ALLOW |
| 101 | Custom TCP Rule | TCP (6) | 1024-65535 | ::/0 | ALLOW |
| * | ALL Traffic | ALL | ALL | ::/0 | DENY |
| * | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
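The difference between the stateful security group and the stateless network ACL is easiest to see by evaluating both rule sets against a single web request. The following Python script is an added example, not AWS code or any AWS API: it models the security group rules and the custom network ACL rules from the tables above, evaluates a network ACL the way AWS documents it (numbered rules in ascending order, first match wins, the `*` rule as the final default), and checks both halves of a TCP connection. The rule tables, client addresses and ephemeral ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    number: Optional[int]   # None models the '*' default rule
    protocol: str           # 'tcp' or 'all'
    ports: tuple            # inclusive (low, high) destination port range
    cidr: str               # source CIDR (inbound) or destination CIDR (outbound)
    action: str             # 'ALLOW' or 'DENY'


def rule_matches(rule: Rule, proto: str, port: int, addr: str) -> bool:
    """True if the packet (protocol, destination port, peer address) hits this rule."""
    if rule.protocol != "all" and rule.protocol != proto:
        return False
    low, high = rule.ports
    if not low <= port <= high:
        return False
    net, ip = ip_network(rule.cidr), ip_address(addr)
    return ip.version == net.version and ip in net


def evaluate_acl(rules: list, proto: str, port: int, addr: str) -> str:
    """Network ACL semantics: lowest rule number first, first match wins, '*' last."""
    numbered = sorted((r for r in rules if r.number is not None), key=lambda r: r.number)
    default = [r for r in rules if r.number is None]
    for rule in numbered + default:
        if rule_matches(rule, proto, port, addr):
            return rule.action
    return "DENY"  # unreachable with a '*' rule present, but safe by default


def security_group_allows(inbound: list, proto: str, port: int, addr: str) -> bool:
    """Security groups are allow-only and stateful: one matching inbound rule is
    enough, and the reply to an allowed request needs no outbound rule."""
    return any(rule_matches(r, proto, port, addr) for r in inbound)


def acl_allows_web_flow(inbound: list, outbound: list,
                        client_ip: str, server_port: int, client_port: int) -> bool:
    """A stateless ACL must allow both directions: the request arriving on
    server_port, and the reply leaving towards the client's ephemeral port."""
    request = evaluate_acl(inbound, "tcp", server_port, client_ip)
    reply = evaluate_acl(outbound, "tcp", client_port, client_ip)
    return request == "ALLOW" and reply == "ALLOW"


# Security group inbound rules from the table above (stateful; no outbound needed).
SG_INBOUND = [
    Rule(None, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    Rule(None, "tcp", (80, 80), "::/0", "ALLOW"),
    Rule(None, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    Rule(None, "tcp", (443, 443), "::/0", "ALLOW"),
]

# Custom network ACL from the tables above (stateless; both directions needed).
ACL_INBOUND = [
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    Rule(101, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    Rule(102, "tcp", (80, 80), "::/0", "ALLOW"),
    Rule(103, "tcp", (443, 443), "::/0", "ALLOW"),
    Rule(None, "all", ALL_PORTS, "::/0", "DENY"),
    Rule(None, "all", ALL_PORTS, "0.0.0.0/0", "DENY"),
]
ACL_OUTBOUND = [
    Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW"),
    Rule(101, "tcp", (1024, 65535), "::/0", "ALLOW"),
    Rule(None, "all", ALL_PORTS, "::/0", "DENY"),
    Rule(None, "all", ALL_PORTS, "0.0.0.0/0", "DENY"),
]
# A network ACL that forgot the ephemeral-port outbound rule: requests arrive, replies are dropped.
ACL_OUTBOUND_MISSING_EPHEMERAL = [r for r in ACL_OUTBOUND if r.number is None]

if __name__ == "__main__":
    # Constructed client addresses (documentation ranges) and ephemeral ports.
    print("SG allows 443 from IPv4:", security_group_allows(SG_INBOUND, "tcp", 443, "203.0.113.10"))
    print("ACL allows HTTPS flow:", acl_allows_web_flow(ACL_INBOUND, ACL_OUTBOUND, "203.0.113.10", 443, 51234))
    print("ACL allows HTTP over IPv6:", acl_allows_web_flow(ACL_INBOUND, ACL_OUTBOUND, "2001:db8::1", 80, 40000))
    print("ACL allows SSH:", acl_allows_web_flow(ACL_INBOUND, ACL_OUTBOUND, "203.0.113.10", 22, 51234))
    print("ACL without ephemeral rule:", acl_allows_web_flow(ACL_INBOUND, ACL_OUTBOUND_MISSING_EPHEMERAL, "203.0.113.10", 443, 51234))
```

Running the script shows why the outbound ephemeral-port rule exists: with the page's tables the HTTPS and IPv6 HTTP flows pass, SSH is denied by the `*` rule, and the same inbound rules with no outbound ephemeral rule let the request in but drop every reply, which from the client's side looks like a hang rather than a refusal.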
Troubleshoot a connection refused error
A connection refused error means that the connection request is routed to the instance, but no service on the instance accepts it on the specified port. If Host A initiates a TCP connection to Host B and receives a connection refused error, then that error means the following:
- First, Host A sent a TCP SYN packet to Host B.
- Then, Host B sent a TCP RST packet in reply to Host A.
If you encounter this error even after you allow TCP ports 80 and 443 in the security group and network ACL, then the service daemon, such as httpd (Apache), might not be running or might be in a stopped state.
To troubleshoot, check whether the service is in the running state on the EC2 instance.
If the service is running but on the wrong port, then check whether the EC2 instance is listening on the required TCP port (80 or 443).
If the port is blocked by a firewall, then check the OS-level firewall on the EC2 instance. Make sure that this firewall isn't blocking incoming TCP traffic on the required port.
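The three outcomes a client can see are distinguishable from the client side, and telling them apart narrows the search: a completed handshake means a service is listening, an immediate refusal (the RST described above) means the packets reach the host but nothing listens on that port, and a timeout means something in the path dropped the SYN, which points at the security group, network ACL, or OS firewall rather than at the daemon. The following Python script is an added example, not AWS or Apache code: it classifies a TCP connect attempt, and its `demo()` function reproduces the "listening" and "refused" cases against the local loopback interface so it can be run anywhere; the function names are the example's own.

```python
import socket


def probe_tcp_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a TCP connection and classify the result.

    'listening' - the handshake completed: a service accepted the SYN.
    'refused'   - the host answered with RST: routing and filtering pass,
                  but no daemon is bound to that port (connection refused).
    'timeout'   - no answer at all: the SYN was dropped somewhere, which is
                  the usual symptom of a security group, network ACL, or
                  OS firewall rule rather than of a stopped service.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "listening"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:  # e.g. no route to host, name resolution failure
        return f"error: {exc}"


def closed_loopback_port() -> int:
    """Reserve an ephemeral loopback port and release it again, so that the
    returned port is one that nothing is listening on (constructed test input)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo() -> dict:
    """Show both local outcomes: a real listener versus a port with no service."""
    results = {}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # kernel picks a free port
        listener.listen(1)               # the handshake completes without accept()
        port = listener.getsockname()[1]
        results["listening_port"] = probe_tcp_port("127.0.0.1", port)
    results["closed_port"] = probe_tcp_port("127.0.0.1", closed_loopback_port())
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

To use it against the instance in the page, call `probe_tcp_port` with the instance's public address and port 80 or 443 from outside the VPC, and then again with `127.0.0.1` from a shell on the instance itself: "refused" from both sides means the daemon is down or bound to another port, whereas "listening" locally but "timeout" externally means the daemon is fine and a security group, network ACL, or host firewall rule is dropping the traffic.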