How do I troubleshoot SSH or RDP connectivity to my EC2 instances launched in a Wavelength Zone?


I can't connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance launched in a Wavelength Zone using SSH or Windows remote desktop protocol (RDP). I can still ping my instance.

Short description

There are restrictions on connecting to an EC2 instance launched in a Wavelength Zone using the public IP address provided by the 5G service provider.

In a Wavelength Zone, the carrier gateway turns on the following controls for internet flows by default. You can't remove these controls.

  • TCP is allowed for outbound and response. This means that TCP connections can be initiated only in one direction, from the EC2 instance to the internet; response traffic for those connections is allowed back in.
  • UDP is denied. This includes both inbound and outbound UDP traffic.
  • ICMP is allowed. This means that the carrier gateway allows ICMP inbound and outbound traffic.

Pinging an EC2 instance in a Wavelength Zone works with these controls. However, connecting to the instance using SSH or RDP from the internet fails.


Unlike public IPs, private IP connectivity works exactly the same way as it does for any other EC2 instance in the Region. To connect to your EC2 instance in a Wavelength Zone, do the following:

  1. Launch a bastion host in the Region, in the same VPC as the Wavelength Zone.
  2. Connect through the bastion host using your instance's private IP address.
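
The two steps above, as an added example that is not part of the original article: a shell helper that builds the OpenSSH command for an SSH session through the bastion and the tunnel command for RDP, and refuses any target that is not a private IPv4 address. The function names, host names, users, addresses and local port 13389 are assumptions, and it assumes a Linux bastion running sshd with security groups that allow bastion-to-instance traffic on ports 22 and 3389.

```shell
#!/bin/sh
# Added example. Hosts, users and addresses are constructed placeholders.

# Succeeds only for an RFC 1918 private IPv4 address. The carrier (public) IP
# is rejected because inbound TCP to it is blocked at the carrier gateway.
is_private_ipv4() {
  case $1 in
    ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
  done
  case $1.$2 in
    10.*|192.168|172.1[6-9]|172.2[0-9]|172.3[01]) return 0 ;;
  esac
  return 1
}

# SSH: jump through the bastion (-J) to the instance's private IP.
# Args: bastion as user@host, instance user, instance private IP.
wl_ssh_cmd() {
  is_private_ipv4 "$3" || { echo "not a private IPv4 address: $3" >&2; return 2; }
  printf 'ssh -J %s %s@%s\n' "$1" "$2" "$3"
}

# RDP: forward a loopback-only local port to 3389 on the instance via the
# bastion; the RDP client then connects to 127.0.0.1:<local port>.
# Args: bastion as user@host, instance private IP, optional local port.
wl_rdp_tunnel_cmd() {
  is_private_ipv4 "$2" || { echo "not a private IPv4 address: $2" >&2; return 2; }
  printf 'ssh -N -L 127.0.0.1:%s:%s:3389 %s\n' "${3:-13389}" "$2" "$1"
}

# Constructed sample values.
wl_ssh_cmd ec2-user@bastion.example.com ec2-user 10.0.1.25
wl_rdp_tunnel_cmd ec2-user@bastion.example.com 10.0.1.40
```

Binding the RDP forward to 127.0.0.1 keeps the tunnel unreachable from other hosts on the client's network.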

Note: Public IP connectivity restrictions apply only when connecting to your instances in a Wavelength Zone from the internet. Connectivity to instances in a Wavelength Zone works as expected if the following conditions are true:

  • Your security group and Network ACL are set up correctly.
  • The SSH or RDP client is located in the carrier network.

UDP traffic also works from within the carrier network.

Related information

Quotas and considerations for Wavelength Zones

How AWS Wavelength works

AWS OFFICIAL | Updated a year ago