Why can't my Amazon EC2 instance access the internet through an internet gateway?


My Amazon Elastic Compute Cloud (Amazon EC2) instance that's in a public subnet has a public IP address or an internet gateway but can't access the internet.

Resolution

Prerequisites

  • The route table that's associated with your instance's subnet has a default route (0.0.0.0/0) whose target is an internet gateway.
  • The internet gateway that's associated with the route isn't deleted.
  • The security group that's attached to your instance's elastic network interface has security group rules that allow outbound internet traffic (0.0.0.0/0) for your ports and protocols.
  • The network access control list (network ACL) that's associated with your instance's subnet has rules that allow both outbound traffic to the internet and the inbound return traffic from the internet.
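As an added example that is not part of the AWS article, the following Python evaluates the four prerequisites above offline against constructed sample data shaped like the responses of describe-route-tables, describe-internet-gateways, describe-security-groups and describe-network-acls. The gateway ID, the ephemeral port range 1024-65535 used for return traffic, and the rule-matching simplification noted in the comments are assumptions of this example.

```python
def _covers(cidr, rule_lo, rule_hi, flow_lo, flow_hi):
    # A rule applies when it covers all internet addresses and the flow's whole port range (partial coverage is skipped, a simplification).
    return cidr == "0.0.0.0/0" and rule_lo <= flow_lo and flow_hi <= rule_hi

def check_route_table(route_table, existing_igw_ids):
    """Prerequisites 1 and 2: a 0.0.0.0/0 route whose target is an internet gateway that still exists."""
    gw = next((r.get("GatewayId", "") for r in route_table["Routes"] if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)
    if gw is None:
        return "route table has no 0.0.0.0/0 route"
    if not gw.startswith("igw-"):
        return f"default route targets {gw or 'a non-gateway target'}, not an internet gateway"
    return None if gw in existing_igw_ids else f"default route targets {gw}, which was deleted"

def check_security_group(sg, port):
    """Prerequisite 3: security groups are stateful, so one egress rule for tcp/port to 0.0.0.0/0 is enough."""
    for p in sg["IpPermissionsEgress"]:
        lo, hi = (0, 65535) if p["IpProtocol"] == "-1" else (p["FromPort"], p["ToPort"])
        if p["IpProtocol"] in ("-1", "tcp") and any(_covers(r["CidrIp"], lo, hi, port, port) for r in p.get("IpRanges", [])):
            return None
    return f"no egress rule allows tcp/{port} to 0.0.0.0/0"

def check_nacl(nacl, port, ephemeral=(1024, 65535)):
    """Prerequisite 4: network ACLs are stateless, so outbound tcp/port AND inbound on the (assumed) ephemeral
    range both need an allow. The lowest-numbered matching rule decides; no match means deny."""
    findings = []
    for egress, (lo, hi) in ((True, (port, port)), (False, ephemeral)):
        verdict = "deny"
        for e in sorted((e for e in nacl["Entries"] if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
            pr = e.get("PortRange", {"From": 0, "To": 65535})  # absent when Protocol is "-1" (all)
            if e["Protocol"] in ("-1", "6") and _covers(e.get("CidrBlock", ""), pr["From"], pr["To"], lo, hi):
                verdict = e["RuleAction"]
                break
        if verdict != "allow":
            findings.append(f"NACL {'outbound' if egress else 'inbound'} rules deny tcp ports {lo}-{hi}")
    return findings

def check_prerequisites(route_table, existing_igw_ids, sg, nacl, port=443):
    """Every finding for tcp/port; an empty list means all four prerequisites hold."""
    findings = [check_route_table(route_table, existing_igw_ids), check_security_group(sg, port)]
    return [f for f in findings if f] + check_nacl(nacl, port)

# Constructed sample data (hypothetical gateway ID), shaped like the describe-* API output named in the lead-in.
SAMPLE = {
    "route_table": {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"}]},
    "igw_ids": {"igw-0123456789abcdef0"},
    "sg": {"IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    "nacl": {"Entries": [  # outbound allows everything, but inbound allows only 443, not the ephemeral return ports
        {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
        {"RuleNumber": 100, "Egress": False, "Protocol": "6", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}, "RuleAction": "allow"}]},
}
```

Running check_prerequisites on SAMPLE reports only the inbound NACL gap, which is the classic stateless-ACL mistake that leaves outbound HTTPS half-open even though the route, gateway and security group are correct.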

Associate an Elastic IP address with instances that don't have a public IP address

If the instance that's in a public subnet doesn't have a public IP address, then the instance isn't accessible outside its virtual private cloud (VPC). This is true even if the instance has an internet gateway.

To allow the instance to connect to the internet, allocate an Elastic IP address, and then associate the Elastic IP address with the instance.

Deactivate a firewall that's blocking access for instances that have a public IP address

A local firewall that's running in the operating system (OS) might be blocking access. As a best practice, deactivate the local firewall and use security groups instead.

Note: Firewall deactivation might affect your workload.

To deactivate your firewall, run the following commands:

# For Uncomplicated Firewall
sudo ufw disable

# For firewalld
sudo systemctl disable firewalld --now

If you must use a firewall, then the internet connectivity issues are usually related to the OUTPUT chain. You can allow outgoing traffic by running the following commands:

# Set the default policy of the OUTPUT chain to ACCEPT
sudo iptables -P OUTPUT ACCEPT
# Insert an unconditional ACCEPT rule at the top of the OUTPUT chain so that it is evaluated before any DROP rules
sudo iptables -I OUTPUT 1 -j ACCEPT

Windows Server

For Windows Server default firewalls, run the following command:

netsh advfirewall firewall show rule name=all

If the output from the preceding command shows blocked traffic, then remove the old rule or add a new rule that allows traffic for the specific port. For more information, see Windows Firewall rules on the Microsoft Learn website.

Related information

Turn on VPC internet access using internet gateways

Why can't my Amazon EC2 instance in a private subnet connect to the internet using a NAT gateway?

AWS OFFICIAL
Updated 7 months ago