Why can't I connect to my Amazon EC2 instance?


When I try to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance, I get an error.

Short description

First, check your EC2 instance configuration and make sure that the instance passes the instance and system statuses.

If you still can't connect, then restore your connection for SSH, EC2 Instance Connect, or Session Manager, a capability of AWS Systems Manager. Or, use the EC2 Serial Console to restore your connection.

Note: Typically, you use the EC2 Serial Console only to troubleshoot issues, not to perform standard processes.

If one connection method doesn't work, then use another connection method to access your instance and troubleshoot issues.

If you still can't restore your connection, then use a rescue instance to check the affected instance's logs for errors.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Check the configuration of your instance access

Review your security group rules

The inbound security group rules must allow access from your IP address to port 22 for Linux and port 3389 for Windows.

To check your security group rules, run the following describe-security-groups AWS CLI command:

aws ec2 describe-security-groups --group-ids SG-IDs

Note: Replace SG-IDs with your security group IDs.

If port 22 or 3389 isn't on your allowlist, then run the following authorize-security-group-ingress command to update your rules to allow access:

aws ec2 authorize-security-group-ingress --group-id SG-ID --protocol tcp --port 22 --cidr SOURCE-IP/32

Note: Replace SG-ID with your security group ID and SOURCE-IP with your source IP address. If you use a Windows instance, then replace 22 with 3389. If the source IP address is a public IP address, you can use the checkip.amazonaws.com tool to identify the IP address.
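The following Python example is added here and is not part of the article or of the AWS CLI. It evaluates a saved describe-security-groups document offline the way the preceding steps do by hand: does any inbound rule admit your client address on the port, is that rule a single-address allowlist or the whole internet, and what is the narrowed authorize command to run if nothing matches. The group IDs and CIDRs in the sample are constructed.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-security-groups` output
# (assumption: trimmed to the fields this check needs).
SAMPLE_DESCRIBE_OUTPUT = {"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0fedcba9876543210"}]},
    ]}]}

def rule_admits(rule, port, source_ip):
    """Return the CIDR in one IpPermissions entry admitting TCP `port` from
    `source_ip`, else None. "-1" is every protocol; group-sourced entries never match an IP."""
    proto = rule.get("IpProtocol")
    if proto not in ("tcp", "-1"):
        return None
    if proto == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return None
    addr = ipaddress.ip_address(source_ip)
    if addr.version == 4:
        ranges, key = rule.get("IpRanges", []), "CidrIp"
    else:
        ranges, key = rule.get("Ipv6Ranges", []), "CidrIpv6"
    for r in ranges:
        if addr in ipaddress.ip_network(r[key]):
            return r[key]
    return None

def check_access(describe_output, port, source_ip):
    """Per group: CIDRs admitting the client on `port`, and whether any is the whole internet."""
    report = {}
    for sg in describe_output["SecurityGroups"]:
        hits = [c for c in (rule_admits(r, port, source_ip)
                            for r in sg["IpPermissions"]) if c]
        report[sg["GroupId"]] = {"allowed": bool(hits), "via": hits,
                                 "world_open": any(c in ("0.0.0.0/0", "::/0") for c in hits)}
    return report

def authorize_command(group_id, port, source_ip):
    """The article's authorize-security-group-ingress line, with the client
    address narrowed to a single-host CIDR (/32 for IPv4, /128 for IPv6)."""
    host_bits = 32 if ipaddress.ip_address(source_ip).version == 4 else 128
    return (f"aws ec2 authorize-security-group-ingress --group-id {group_id} "
            f"--protocol tcp --port {port} --cidr {source_ip}/{host_bits}")
```

A "world_open" result means the port is reachable, but from every address; tightening that rule to your own /32 is the fix the note above describes.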

Review your network ACLs

By default, network access control lists (network ACLs) allow all inbound and outbound traffic. Make sure that your network ACLs allow inbound SSH access to the instance and outbound access to ephemeral ports (1024-65535). If the network ACLs block port 22 or 3389, then add a new rule to allow the traffic. For public IP addresses, make sure that the route table has an entry that routes traffic to an internet gateway.
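Network ACLs are stateless and evaluated by rule number, so the inbound SSH rule and the outbound ephemeral-port rule both have to be present. The following Python example is added here (it is not part of the article) and evaluates one ACL's entries, in the shape returned by describe-network-acls, for both directions of an SSH session; the rule numbers and CIDRs are constructed, and the sample deliberately shows the common mistake of allowing only HTTPS outbound next to a corrected copy.

```python
import ipaddress

# Constructed sample shaped like one ACL's "Entries" from `aws ec2 describe-network-acls`
# (assumption: trimmed to relevant fields). Inbound admits SSH from an office range, but
# outbound admits only HTTPS, so SSH replies to the client's ephemeral ports hit the final deny.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]
# Corrected ACL: the same entries plus an outbound allow for 1024-65535.
FIXED_ENTRIES = SAMPLE_ENTRIES + [
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
]

def nacl_decision(entries, egress, port, peer_ip):
    """Lowest-numbered matching rule wins; network ACLs are stateless, so
    each direction is decided independently. Protocol "6" is TCP, "-1" all."""
    peer = ipaddress.ip_address(peer_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("6", "-1"):
            continue
        pr = e.get("PortRange", {"From": 0, "To": 65535})
        if e["Protocol"] == "6" and not pr["From"] <= port <= pr["To"]:
            continue
        cidr = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
        if peer in ipaddress.ip_network(cidr):
            return e["RuleAction"]
    return "deny"  # nothing matched: the ACL's implicit default

def ssh_path_problems(entries, source_ip, port=22):
    """SSH needs the inbound `port` admitted from the client and the outbound
    replies admitted to the client's ephemeral ports (1024-65535). Returns
    the failing checks; an empty list means the ACL is not the blocker."""
    problems = []
    if nacl_decision(entries, False, port, source_ip) != "allow":
        problems.append(f"inbound tcp/{port} from {source_ip} denied")
    # Probe the range boundaries and a midpoint; contiguous rules make that enough.
    for eph in (1024, 32768, 65535):
        if nacl_decision(entries, True, eph, source_ip) != "allow":
            problems.append(f"outbound tcp/{eph} to {source_ip} denied")
            break
    return problems
```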

Check your route table

Verify that your route table has a route for the connection.

Make sure that your instance passes its status checks

To connect to an instance, the instance must pass its status checks. Use the Amazon EC2 console to check whether System status and Instance status both show OK. You can also use Amazon CloudWatch metrics to check the status of your instance and identify issues that affect connectivity.

Note: It's a best practice to check for scheduled maintenance and other events that can affect the instance connectivity.

If the Instance status isn't OK, then reboot your instance. An instance reboot typically resolves minor issues. If you still can't connect, or System status isn't OK, then the issue might be with the AWS infrastructure. To resolve this issue, see Why is my Amazon EC2 instance down with a system status check failure?

If you still encounter issues, then see How do I troubleshoot status check failures for my EC2 Linux instance? or Why is my EC2 Windows instance down with an instance status check failure?

Troubleshoot connection errors

If your instance passes status checks, but you get connection errors, then see the following resources:

Restore your SSH connection

Note: If you lost your SSH key pair, then see How do I connect to my Amazon EC2 instance if I lose my SSH key pair after the initial instance launch?

Review your username and IP address settings

Make sure that you use the correct username for your instance. Then, connect to the instance from a public IP address.

Note: If you connect from a private IP address, then make sure that you have a working network connection to the destination instance.

Check the SSH server status

To check the status of the SSH server, use Session Manager, EC2 Instance Connect or the EC2 Serial Console to connect to the instance.

Run the following command to check the status of the SSH service based on your distribution:

Systems that use systemd:

sudo systemctl status sshd 

Ubuntu or Debian systems:

sudo systemctl status ssh 

Legacy systems, such as CentOS 6:

sudo service sshd status 

If the SSH service status is Stopped, then run the following command to start the service based on your distribution:

Systems that use systemd:

sudo systemctl start sshd 

Ubuntu or Debian systems:

sudo systemctl start ssh

Legacy systems, such as CentOS 6:

sudo service sshd start

Review your private key file permissions

Make sure that your private key file has the required read permissions.

Test network connectivity

To test connectivity to port 22, run one of the following commands from your client:

nc -zv Host 22

-or-

telnet Host 22

Note: Replace Host with your IP address or the fully qualified domain name (FQDN).

Then, run the following command to use SSH to connect to your instance in verbose mode:

ssh -i key_pair.pem user@Host -vvv

Note: Replace Host with your IP address or the FQDN.

To troubleshoot connection issues, see How do I troubleshoot "Connection refused" or "Connection timed out" errors when I use SSH to connect to my EC2 instance? and Troubleshoot issues connecting to your Amazon EC2 Linux instance.

Restore your EC2 Instance Connect connection

First, use SSH, Session Manager or the EC2 Serial Console to connect to your instance to make sure that you installed EC2 Instance Connect. Then, use EC2 Instance Connect to connect to the instance.

If you experience issues when you use EC2 Instance Connect, then make sure that you allow inbound SSH traffic on port 22 for the com.amazonaws.region.ec2-instance-connect prefix list name. Also, verify that your AWS Identity and Access Management (IAM) user's policy includes the ec2-instance-connect:SendSSHPublicKey action.

If you still experience issues, then see How do I troubleshoot errors that I receive when I use EC2 Instance Connect to connect to my EC2 instance?

Use the EC2 Serial Console to restore connection

Prerequisite: Configure access to the EC2 Serial Console.

To use the EC2 Serial Console to connect to your instance, you can use the Amazon EC2 console or SSH. For more information, see How do I access the EC2 Serial Console of an unreachable or inaccessible Linux instance?

After you connect, troubleshoot your instance for boot, network configuration, or other issues.

If you experience issues when you use EC2 Serial Console, then make sure that your IAM policy includes the ec2-instance-connect:SendSerialConsoleSSHPublicKey action.

Restore your Session Manager connection

Session Manager manages authentication only through IAM roles and permissions instead of through SSH keys. Before you use Session Manager, make sure that you adhere to the prerequisites for Session Manager. Then, use Session Manager to connect to your instance.

If you experience issues when you use Session Manager, then take the following actions.

Check your IAM roles

Confirm that the instance has an IAM role with the AmazonSSMManagedInstanceCore policy attached.

Or, make sure that the role has the following required permissions:

  • ssmmessages:CreateControlChannel
  • ssmmessages:CreateDataChannel
  • ssmmessages:OpenControlChannel
  • ssmmessages:OpenDataChannel

You can add the required Session Manager permissions to an existing role.

Note: If you use Default Host Management Configuration to manage your instances, then you don't need to create an IAM instance profile to manage instances.

If you update the permissions, then detach and reattach the IAM role. Wait for a couple of minutes, and then start AWS Systems Manager Agent (SSM Agent) or start the instance.
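When the role carries a custom policy instead of AmazonSSMManagedInstanceCore, the four ssmmessages actions above are easy to get partly wrong (a wildcard that covers only some of them, or an explicit Deny elsewhere in the role). The following Python example is added here and is not part of the article or of any AWS SDK: it takes one or more policy documents as IAM returns them and reports which required actions are not effectively granted. The sample policy is constructed to show a partial wildcard and a Deny.

```python
import fnmatch

REQUIRED_SSM_ACTIONS = (
    "ssmmessages:CreateControlChannel",
    "ssmmessages:CreateDataChannel",
    "ssmmessages:OpenControlChannel",
    "ssmmessages:OpenDataChannel",
)

# Constructed inline policy (assumption: what reading the role's attached
# policies returned). It opens channels but never creates them, and an
# explicit Deny elsewhere in the role removes one action again.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ssmmessages:Open*", "ssm:UpdateInstanceInformation"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": "ssmmessages:CreateDataChannel"},
    ],
}

def _as_list(value):
    # IAM accepts a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]

def _action_matches(pattern, action):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def missing_ssm_actions(*policies):
    """Return the required ssmmessages actions that no Allow statement grants
    or that an explicit Deny overrides. Simplifications: only Action is
    inspected (Resource and Condition are ignored, as the managed policy
    grants these on "*"), and NotAction statements are not handled."""
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            bucket = allowed if stmt.get("Effect") == "Allow" else denied
            for pattern in _as_list(stmt.get("Action", [])):
                for required in REQUIRED_SSM_ACTIONS:
                    if _action_matches(pattern, required):
                        bucket.add(required)
    return [a for a in REQUIRED_SSM_ACTIONS if a not in allowed or a in denied]
```

Pass every policy attached to the role (managed and inline) in one call; an empty result means the role grants all four actions.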

Troubleshoot the SSM Agent status

Verify that you installed SSM Agent on the instance.

Use SSH, EC2 Serial Console, or EC2 Instance Connect to connect to your instance. Then, run the following command to check the status of the SSM Agent based on your distribution.

Systems that use systemd:

sudo systemctl status amazon-ssm-agent

Debian or Ubuntu systems:

sudo systemctl status snap.amazon-ssm-agent.amazon-ssm-agent.service

If the agent status is Stopped, then run the following command to start it, based on your distribution.

Systems that use systemd:

sudo systemctl start amazon-ssm-agent 

Debian or Ubuntu systems:

sudo systemctl start snap.amazon-ssm-agent.amazon-ssm-agent.service 

To verify that SSM Agent is running, check the system log.

It's a best practice to use the latest version of SSM Agent. To check whether you have the latest version, see amazon-ssm-agent/RELEASENOTES on the GitHub website. If you don't have the latest version, then install an updated SSM Agent based on your operating system (OS).

To further troubleshoot, check the /var/log/amazon/ssm/amazon-ssm-agent.log logs for errors. Or, see Troubleshooting SSM Agent.

Verify network connectivity

Make sure that your network ACLs and security groups allow an outbound connection to the AWS Systems Manager endpoint on port 443.

If your instance doesn't appear in Session Manager, then see Why isn't Systems Manager showing my Amazon EC2 instance as a managed instance?

For private instances, create virtual private cloud (VPC) endpoints. For Service name, select com.amazonaws.REGION.ssm and com.amazonaws.REGION.ssmmessages.

Note: Replace REGION with your AWS Region.

The security group that you attach to the VPC endpoints must allow inbound traffic on port 443.

For more information, see Unable to connect to SSM endpoints.

Check for missing prerequisites

Use SSH, EC2 Serial Console, or EC2 Instance Connect to connect to your instance, and then run the following command to troubleshoot managed node availability:

sudo ssm-cli get-diagnostics --output table

Check the output for Session Manager prerequisites that you're missing.

Or, run a Systems Manager runbook to automatically check for missing prerequisites. Run AWSSupport-TroubleshootManagedInstance to check your VPC configuration, including security group rules, VPC endpoints, network ACL rules, route tables, and IAM profiles. Or, run the AWSSupport-TroubleshootSessionManager to check whether you adhere to the Session Manager prerequisites.

Check instance console logs

If you can't use the preceding methods to connect to your instance, then run the following user data script to restore the Session Manager connection:

Content-Type: multipart/mixed; boundary="//"
MIME-Version: 1.0
--//
Content-Type: text/cloud-config; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="cloud-config.txt"
#cloud-config
cloud_final_modules:
- [scripts-user, always]
--//
Content-Type: text/x-shellscript; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="userdata.txt"

#!/bin/bash

sudo ssm-cli get-diagnostics --output table >> /dev/console
# or
sudo ssm-cli get-diagnostics --output table >> /dev/ttyS0

Then, check the instance console output to identify the connection step that's failing. After you troubleshoot the failing step, use Session Manager to test your connection.

If you still can't connect, then use a rescue instance to troubleshoot boot issues.

Related information

Troubleshoot issues with Amazon EC2 instances

10 Comments

I have the solution for why the EC2 instance gives this error. You can simply go to the directory where your .pem file is stored and run the command "chmod 400 <pemfile>". By giving these permissions you will be able to connect to your EC2 instance by SSH.

replied 3 years ago

Another point to add regarding issues with EC2 Instance Connect via AWS Management Console.

If you receive the following error when trying to connect to the instance:

Connection Error

Then it is likely that your Security Group was not properly configured.

EC2 Instance Connect uses specific IP address ranges for browser-based SSH connections to your instance (when users use the Amazon EC2 console to connect to an instance). If your users will use the Amazon EC2 console to connect to an instance, ensure that the security group associated with your instance allows inbound SSH traffic from the IP address range for EC2_INSTANCE_CONNECT. To identify the address range, download the JSON file provided by AWS and filter for the subset for EC2 Instance Connect, using EC2_INSTANCE_CONNECT as the service value. These IP address ranges differ between AWS Regions. For more information about downloading the JSON file and filtering by service, see AWS IP address ranges in the Amazon VPC User Guide.

To look for AWS IP address ranges for each service in each region, use the following JSON file available at https://ip-ranges.amazonaws.com/ip-ranges.json

For example, the IP address range for the EC2 Instance Connect service in the us-east-1 Region is:

us-east-1 IP address range

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 years ago

Is there a YouTube video or a training video that helps with this? I am new to the entire AWS environment and it is not very newbie friendly with the navigation and menus. I've been trying all the different options people recommended and now I think my account is a mess.

replied 3 years ago

You can learn the process from the following YouTube link: https://www.youtube.com/watch?v=rtG8S5WsSHg&t=26s

replied 2 years ago

If you are new to AWS, I would suggest attending the course from https://www.udemy.com/.

For the EC2 issue, please check port 22 in the security group.

replied 2 years ago

Hi, what's your error? Have you configured your SSH connections?

replied 2 years ago
  • Ensure that the security group attached to your instance allows access to port 22 for Linux and port 3389 for Windows.
  • Verify that your network access control list (network ACL) permits access to the instance.
  • Confirm that your route table has a route for the connection.

These are some solutions I can recommend. This video will help you: https://www.youtube.com/watch?v=rtG8S5WsSHg&t=26s

EXPERT
replied 2 years ago

  1. Ensure the security group associated with your EC2 instance allows incoming connections on the required port: SSH (default port 22) for Linux instances, RDP (default port 3389) for Windows instances.
  2. IAM or AWS account issues: ensure your IAM permissions allow you to manage and access the EC2 instance. Check for potential restrictions, such as AWS Organizations service control policies (SCPs).
  3. Confirm you're using the correct key pair file (.pem) associated with the EC2 instance. Ensure the key file has proper permissions: chmod 400 your-key.pem

replied a year ago

If you are facing an EC2 connection issue, follow these steps to troubleshoot the issue:

  1. Ensure the EC2 subnet has internet gateway access in the route table associated with the subnet.
  2. Check if the security group has an inbound rule for port 22 (Linux) or port 3389 (Windows), enabled for 0.0.0.0/0 or a specific IP.
  3. Please make sure you have created the EC2 instance in the public subnet.
  4. Kindly check your .pem file permissions if you get this type of error:

ssh -i my-apiserver.pem ubuntu@34.70.165.154
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'my-apiserver.pem' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "my-apiserver.pem": bad permissions
(ubuntu@34.70.165.154) Password:

If you see an error like the above, you need to set the permission with sudo chmod 400 my-apiserver.pem.

Kindly make sure this option is selected while creating an EC2 instance:

Auto-assign public IP: Enable

replied a year ago