How do I troubleshoot issues connecting to my EC2 instance using EC2 Instance Connect?

4 minute read
0

I'm receiving the following error when trying to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance using Amazon EC2 Instance Connect:"There was a problem setting up the instance connectionLog in failed. If this instance has just started up, try again in a minute or two."

Short description

The following are common reasons why EC2 Instance Connect might not work as expected:

  • EC2 Instance Connect doesn't support the OS distribution.
  • The EC2 Instance Connect package isn't installed on the instance.
  • There are missing or incorrect AWS Identity and Access Management (IAM) policies or permissions.
  • Security groups associated with the instance don't have EC2 Instance Connect service IPs listed.

To connect using the browser-based client, your instance must have a public IPv4 address. If your instance doesn't have a public IP address, connect using EC2 Instance Connect from a machine within the same VPC.

Note: If you’ve turned on the EC2 Serial Console for Linux, you can use it to troubleshoot supported Nitro-based instance types. The serial console helps you troubleshoot boot issues, network configuration, and SSH configuration issues. The serial console connects to your instance without requiring a working network connection. You can access the serial console using the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).

Before using the serial console, you must grant access to it at the account level and create IAM policies granting access to your IAM users. Also, every instance using the serial console must include at least one password-based user. If your instance is unreachable and you haven’t configured access to the serial console, you can follow the instructions for manually connecting to the instance provided in the following article links.

For information on configuring EC2 Serial Console for Linux, see Configure access to the EC2 Serial Console.

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

Resolution

1.    Verify that EC2 Instance Connect supports your instance's Linux distribution.

2.    Verify that your supported instance has the EC2 Instance Connect package installed.

3.    Verify that the IAM user trying to use EC2 Instance Connect has permission to push the public key to the instance.

4.    Verify that the instance's security group rules list EC2 Instance Connect IPs:

Browser-based SSH connections

Browser-based SSH connections require that your instance's security group inbound rules allow EC2 Instance Connect access to SSH on TCP port 22.

EC2 Instance Connect uses specific IP ranges for browser-based SSH connections to your instance. These IP ranges differ between AWS Regions. To find the AWS IP address range for EC2 Instance Connect in a specific Region, use the following commands:

Note: In the following commands, replace us-east-1 with the AWS Region of your instance. Be sure your instance is in a Region supported by EC2 Instance Connect.

Windows (requires Windows PowerShell for AWS)

PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1 -ServiceKey EC2_INSTANCE_CONNECT | select IpPrefix

Linux (requires curl and jq)

$ curl -s https://ip-ranges.amazonaws.com/ip-ranges.json| jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2_INSTANCE_CONNECT") | .ip_prefix'

Update your security group inbound rules to allow TCP port 22 access from the IP range returned by the preceding commands.

EC2 Instance Connect CLI connections

Update your security group inbound rules to allow TCP port 22 access from your IP.

Related information

Install EC2 Instance Connect on your EC2 instances

Connect to your Linux instance using EC2 Instance Connect

How can I connect to my Amazon EC2 instance if I lost my SSH key pair after its initial launch?

Why can't I connect to my Amazon EC2 Linux instance using SSH?

AWS OFFICIAL
AWS OFFICIALUpdated 2 years ago
2 Comments

Suggested Enhancement: In addition to the existing troubleshooting steps, I would like to propose adding the following step to the checklist:

Also, add a step to check the route table settings associated with the VPC subnet of the EC2 instance. Ensure that there is a route defined to the Internet Gateway (IGW), and the proper subnet is associated with it. This is crucial for establishing a successful connection using EC2 Instance Connect.

I believe this addition will be beneficial for AWS users who may encounter similar issues in the future, as it addresses a common cause of connectivity problems.

replied 8 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 8 months ago