Why can't I connect to a website that's hosted on my Amazon EC2 instance?

I can't connect to a public website that's hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

To resolve unreachable website issues, verify that the website configuration on your EC2 instance is correct. Incorrect web server settings on the instance block access to all websites that you host on it.

Resolution

Verify that the instance is running and passes both status checks

Check the Amazon EC2 console to verify that the instance is running. To troubleshoot status check issues, see How do I troubleshoot status check failures on my Amazon EC2 instance?

Also, use the instance console output and a screenshot of the instance to verify that the instance boots correctly. To troubleshoot boot issues in Windows instances, see Common screenshots to troubleshoot unreachable Windows instances. To troubleshoot boot issues in Linux instances, see Why does my EC2 Linux instance go into emergency mode when I try to boot it?

Check the instance's security group and network ACL configuration

Make sure that the instance's security group and network access control list (network ACL) allow traffic on port 80 and port 443. Also, make sure that the route table in the instance's subnet has a default route to an internet gateway.

Verify that the website has the correct DNS configuration

Take the following actions:

Verify that the web server is running and that no OS firewalls block access to ports

Complete the following steps:

  1. Use SSH or Session Manager, a capability of AWS Systems Manager, to connect to the instance. If you can't use SSH or Session Manager to connect, then use the EC2 Serial Console.
    Note: You can only use the serial console for instances that are built on the AWS Nitro System.

  2. To check whether the website runs locally, run one of the following commands from within the instance that hosts the website:

    curl https://localhost

    -or-

    curl http://localhost:443

    Note: If you encounter issues when you use curl, then check for issues with the instance's web server and application configuration.

  3. To check the web server service status, run the following command based on the operating system (OS) that you run.
    Red Hat Enterprise Linux (RHEL), CentOS, Fedora, and Amazon Linux:

    sudo systemctl status httpd.service 

    Example output:

    $ sudo systemctl status httpd
    httpd.service - The Apache HTTP Server
    Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
    Active: inactive (dead)
    Docs: man:httpd.service(8)

    Debian and Ubuntu:

    sudo systemctl status apache2.service

    Example output:

    The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
    Active: inactive (dead)

    In the command output, check for the inactive (dead) status.
    If your Linux system runs System V, then run the following command to check the web server status:

    sudo service httpd status

    Note: For Debian or Ubuntu, replace httpd with apache2.
    Example output:

    httpd is stopped
  4. To start the web server and set the service to start at boot, run the following command based on your OS.
    RHEL, CentOS, Fedora, and Amazon Linux:

    sudo systemctl start httpd; sudo systemctl enable httpd

    Debian or Ubuntu:

    sudo systemctl start apache2; sudo systemctl enable apache2

    To start a stopped web server service for systems that run on System V, run the following command:

    sudo service httpd start
  5. To verify that the web server service is running and activated, rerun the commands in step 3. Make sure that the command output has the Active status set to active (running). For Linux instances that run System V, make sure that the output is Starting httpd: [OK].

  6. To confirm that the web server is listening for inbound user connection requests, run the following command:

    sudo ss -alnt | grep -E '80|443'

    Example output:

    LISTEN 0  128    *:443    *:*
    LISTEN 0  128    *:80    *:*

    Note: Web servers listen on port 80 for HTTP traffic and port 443 for traffic that's encrypted with SSL/TLS.
    If you run multiple interfaces, then run the following command to confirm that the web server listens on all IP addresses:

    cat /etc/httpd/conf/httpd.conf | grep Listen

    Example output:

    Listen *:80
    Listen *:443
  7. If you use an OS firewall, then make sure that it allows requests on ports 80 and 443.

  8. (Optional) To verify that the iptables rules allow inbound requests on ports 80 and 443, run the following command:

    sudo iptables -vnL

    Example output:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target   prot opt in   out   source        destination
      35 10863 ACCEPT   all -- *   *    0.0.0.0/0      0.0.0.0/0      state RELATED,ESTABLISHED
      0   0 ACCEPT   icmp -- *   *    0.0.0.0/0      0.0.0.0/0
      0   0 ACCEPT   all -- lo   *    0.0.0.0/0      0.0.0.0/0
      0   0 ACCEPT   tcp -- *   *    0.0.0.0/0      0.0.0.0/0      state NEW tcp dpt:22
      0   0 REJECT   all -- *   *    0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited

    In the preceding example output, the rules allow only Internet Control Message Protocol (ICMP), localhost, and port 22/TCP (SSH). The rules block inbound connections to TCP port 80 or 443.

  9. To configure iptables rules to allow ports 80 and 443, run the following command:

    sudo iptables -I INPUT -p tcp --match multiport --dports 80,443 -j ACCEPT

    Example output from sudo iptables -vnL after you add the rule:

    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target   prot opt in   out   source        destination
      0   0 ACCEPT   tcp -- *   *    0.0.0.0/0      0.0.0.0/0      multiport dports 80,443
     486 104K ACCEPT   all -- *   *    0.0.0.0/0      0.0.0.0/0      state RELATED,ESTABLISHED
      0   0 ACCEPT   icmp -- *   *    0.0.0.0/0      0.0.0.0/0
      0   0 ACCEPT   all -- lo   *    0.0.0.0/0      0.0.0.0/0
      0   0 ACCEPT   tcp -- *   *    0.0.0.0/0      0.0.0.0/0      state NEW tcp dpt:22
      0   0 REJECT   all -- *   *    0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited
  10. To make the iptables firewall rule persistent after reboot, run the following command:

    sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
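
The following added example is not part of the AWS article. It shows why step 9 inserts the rule with -I instead of appending it: iptables evaluates the INPUT chain top to bottom and the first matching rule decides, so a rule placed after the final REJECT never takes effect. The names input_verdict, sample_chain, WEB_RULE, with_rule_inserted and with_rule_appended are hypothetical, and the sample chain is constructed from the example output in step 8.

```shell
#!/bin/sh
# input_verdict PORT: reads `iptables -vnL INPUT` output on stdin and prints the
# target of the first rule that matches a NEW TCP connection to PORT arriving on
# a non-loopback interface, or the chain policy when no rule matches.
# Assumptions: protocols are listed by name; only in=*, state/ctstate, dpt: and
# multiport dports are modelled; port ranges, source filters and jumps are not.
input_verdict() {
  awk -v port="$1" '
    $1 == "Chain" { policy = $4; next }
    $3 !~ /^(ACCEPT|REJECT|DROP)$/ { next }        # header row, LOG, custom chains
    $4 !~ /^(all|tcp)$/ || $6 != "*" { next }      # other protocol, or lo-only rule
    {
      ok = 1
      for (i = 10; i <= NF; i++) {
        if ($i ~ /^(ct)?state$/ && ("," $(i + 1) ",") !~ /,NEW,/) ok = 0
        if ($i ~ /^dpt:/ && substr($i, 5) != port) ok = 0
        if ($i == "dports" && ("," $(i + 1) ",") !~ ("," port ",")) ok = 0
      }
      if (ok) { print $3; found = 1; exit }
    }
    END { if (!found) print policy }'
}

# Constructed sample: the INPUT chain shown in step 8, before any change.
sample_chain() {
  cat <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target   prot opt in   out   source        destination
   35 10863 ACCEPT   all -- *   *    0.0.0.0/0      0.0.0.0/0      state RELATED,ESTABLISHED
    0   0 ACCEPT   icmp -- *   *    0.0.0.0/0      0.0.0.0/0
    0   0 ACCEPT   all -- lo   *    0.0.0.0/0      0.0.0.0/0
    0   0 ACCEPT   tcp -- *   *    0.0.0.0/0      0.0.0.0/0      state NEW tcp dpt:22
    0   0 REJECT   all -- *   *    0.0.0.0/0      0.0.0.0/0      reject-with icmp-host-prohibited
EOF
}
# The rule from step 9 as `iptables -vnL` lists it.
WEB_RULE='    0   0 ACCEPT   tcp -- *   *    0.0.0.0/0      0.0.0.0/0      multiport dports 80,443'

# -I places the rule first; -A would place it last, after the REJECT rule.
with_rule_inserted() { sample_chain | awk -v r="$WEB_RULE" '{ print } NR == 2 { print r }'; }
with_rule_appended() { sample_chain; printf '%s\n' "$WEB_RULE"; }

for port in 22 80 443; do
  printf 'port %s: before=%s insert=%s append=%s\n' "$port" \
    "$(sample_chain | input_verdict "$port")" \
    "$(with_rule_inserted | input_verdict "$port")" \
    "$(with_rule_appended | input_verdict "$port")"
done
```

On a live instance, pipe the real chain into the function, for example sudo iptables -vnL INPUT | input_verdict 443, and expect ACCEPT once the rule is in place.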
    

Check configurations for Amazon Linux and RHEL 7 and later

For Amazon Linux 2023 (AL2023), Amazon Linux 2 (AL2), and RHEL instances, run the following command to check whether the firewalld service is running:

sudo firewall-cmd --state

Example output:

running

If the firewalld service is running, then run the following commands to allow connections on TCP ports 80 and 443:

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

Note: The reload command reloads the service and brings previously added rules into effect.

For each command, verify that the output is similar to the following example:

success

Check configurations for Debian and Ubuntu servers

Complete the following steps:

  1. To check for an Uncomplicated Firewall (UFW), run the following command:

    sudo ufw status verbose

    Example output:

    Status: active
  2. If you run a UFW, then use the following command to allow inbound connection requests on the required TCP ports.
    TCP port 80:

    sudo ufw allow in 80/tcp

    TCP port 443:

    sudo ufw allow 443/tcp
  3. For each command, verify that the output is similar to the following example:

    Rule added
    Rule added (v6)
    

Troubleshoot further issues

To troubleshoot further, check your web server access and error logs at /var/log for issues. For Amazon Linux and RHEL, use /var/log/httpd. For Debian and Ubuntu, use /var/log/apache2.

Note: The web server log location depends on your server configuration.

Related information

How do I troubleshoot slow connections to a website that's hosted on my Amazon EC2 instance?

AWS OFFICIAL
Updated a month ago
5 Comments

I have tried everything mentioned in this article. My server stopped responding to web server requests on port 80 by itself.

My Web Server responds to CURL from within the server but not from external servers. I am able to connect to SSH port and also ping the server. There is no firewall on my Ubuntu. It is inactive. My Security Groups are configured correctly and unchanged from the time when it was working. There is no Network ACL or firewall configured on AWS side.

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
EXPERT
replied 3 years ago

Step 1 does not say what to do if curl fails.

Also, what if iptables is not installed on my EC2 instance?

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied a year ago

This article was reviewed and updated on 2026-04-30

AWS
EXPERT
replied a month ago