Short description
Websites running on an EC2 instance might become unreachable for multiple reasons. To resolve this issue, confirm that the configuration settings on your EC2 instance are correct. For example, if your instance isn't booting correctly or doesn't have the right DNS configurations, you can't connect to any website hosted on that instance.
Use the steps in this article to check the configuration settings of your EC2 instance and find the root cause of this issue.
Resolution
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent version of the AWS CLI.
Use the EC2 Serial Console for Linux to troubleshoot Nitro-based instance types
If you turned on EC2 Serial Console for Linux, you can use it to troubleshoot supported Nitro-based instance types. You can access the serial console using the serial console or the AWS CLI. You don't need a working connection to connect to your instance when you use the EC2 Serial console.
Before you use the serial console to troubleshoot, follow these steps:
- Grant access to the serial console at the account level
- Create AWS Identity and Access Management (IAM) policies granting access to your IAM users
- Check that your instance includes at least on password-based user
Check that the instance is running and passing both status checks
Make sure that the instance is listed as running in the Amazon EC2 console. If your instance isn't running or you have another status check issue, follow the steps in Why is my EC2 Linux instance unreachable and failing its status checks?
Check that the instance boots correctly
Check the instance's system logs for boot errors.
Check the instance's security group and network ACL configuration
Check that the instance has the correct DNS configuration
Check that the web server is running and that there are no OS-level firewalls blocking access to ports
Network ports are the communication endpoints that various services send requests to. These requests include users' website connection requests. Web servers listen on port 80 for HTTP traffic and use port 443 for traffic encrypted with TLS/SSL. If the web server isn't running or firewalls block these ports, then users can't connect to your website.
To check if the website is running locally, run this command from within the EC2 instance hosting website:
curl https://localhost
-or-
curl http://localhost:443
1. Remotely connect to the instance through SSH.
2. Check the web server status.
- For RHEL or CentOS systems, use the command systemctl status httpd to check the web server's status. The command returns information that the web server is inactive:
$ sudo systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: inactive (dead)
- For Debian or Ubuntu systems, the use command systemctl status httpd to check the web server's status. The web server must be listening on port 80 or 443. The command returns information that the web server is inactive:
$ sudo systemctl status apache2
apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: inactive (dead)
3. To restart the web server, run this command:
- For REHL or CentOS systems:
$ sudo systemctl restart httpd
- For Debian or Ubuntu systems, run this command:
$ sudo systemctl restart apache2
4. Verify that the web server is now running:
- For REHL or CentOS systems, run this command:
$ sudo systemctl status httpd
httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2020-11-19 14:40:15 UTC; 42s ago
- For Debian or Ubuntu systems, run this command:
$ sudo systemctl status apache2
apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: active (running)
Note: For older Linux systems running SystemV, run this command to check the web server status.
For Debian or Ubuntu systems, you must replace httpd with apache2:
$ sudo service httpd status
httpd is stopped
To restart a stopped web server on SystemV, run this command:
$ sudo service httpd restart
Stopping httpd: [FAILED]
Starting httpd: [ OK ]
5. Run this command to confirm that the web server is listening on port 80 or 443 for incoming connection requests from users:
- For REHL or CentOS systems, run this command:
$ sudo netstat -tulpn | grep httpd
tcp 0 0 :::80 :::* LISTEN 2961/httpd
- For Debian or Ubuntu systems, run this command:
$ sudo netstat -tulpn | grep apache2
tcp6 0 0 :::80 :::* LISTEN 2741/apache2
6. Verify the status of OS-level firewalls. If you find an active firewall, make sure that it allows requests on ports 80 and 443.
Note: If there are multiple interfaces running, confirm that the web server is listening on all IPs by running this command:
cat /etc/httpd/conf/httpd.conf | grep Listen
These are examples of successful outputs:
Listen *:80
-or-
Listen *:443
Amazon Linux, CentOS, and RHEL
1. Run this command to check that the iptables rules block incoming requests on ports 80 and 443:
$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
2. Run this command to allow port 80 to accept incoming HTTP connection requests:
$ sudo iptables -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
3. Run this command to allow port 443 to accept incoming HTTPS connection requests:
$ sudo iptables -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
Amazon Linux 2023, Amazon Linux 2 and RHEL 7 and above
1. Run this command to check that firewalld is running:
$ sudo firewall-cmd --state
running
2. If firewalld is running, then run these commands to configure it to allow connections on ports 80 and 443. The last command in this example reloads the service so that the new rules take effect:
$ sudo firewall-cmd --add-service=http --permanent
success
$ sudo firewall-cmd --add-service=https --permanent
success
$ sudo firewall-cmd --reload
success
Debian and Ubuntu servers
1. Run this command to check for a UFW firewall:
$ sudo ufw status verbose
Status: active
2. If UFW is running, use this command to allowing incoming connection requests on ports 80 and port 443:
$ sudo ufw allow in 80/tcp
Rule added
Rule added (v6)
$ sudo ufw allow 443/tcp
Rule added
Rule added (v6)
Check your web server access error logs for issues. Web server logs are located at /var/log. This location might change, depending on your server configuration. These are default web server log locations:
- Amazon Linux and RHEL: /var/log/httpd
- Debian and Ubuntu: /var/log/apache2
Related information
How do I troubleshoot slow connections to a website hosted on my EC2 instance?