Why can't I connect to an Amazon EC2 instance within my Amazon VPC from the internet?

Short description

Problems connecting to Amazon EC2 instances in Amazon VPC are usually related to the configuration of security groups, network access control lists (ACLs), or route tables.

Resolution

Before you start, be sure that your Amazon EC2 instance is passing system status checks and instance status checks.

Check security groups

Be sure that the security groups associated with the elastic network interface of the instance allow connections from the required ports.

Important: In a production environment, enable only a specific IP address or range of addresses to access your instance. For testing purposes, you can specify a custom IP address of 0.0.0.0/0 to enable all IP addresses to access your instance using SSH or RDP.

Note: You don't need to configure security group egress rules, because security groups are stateful.

Check network ACLs

Check your network ACLs for the following:

• Be sure that the network ACLs associated with your VPC subnet allow traffic through the required ports.
  Note: For more information, see Recommended network ACL rules for your VPC and Adding and deleting rules.
• Be sure that both inbound and outbound traffic are allowed.
  Note: Network ACLs are stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic, but responses to allowed outbound traffic are subject to the rules for inbound traffic.
• Be sure to open only ephemeral ports in outbound ACLs.
  Note: It's a best practice to allow only the ports that you need.

Important: If you're still not certain what is blocking traffic from accessing your instance, consider enabling VPC flow logs. Flow logs capture IP address traffic that flows through your VPC. If you see rejected traffic in your flow logs, be sure to check your security groups and network ACL settings again.

Check route tables

To check if an internet gateway is attached to your VPC, complete the following steps:

1. Sign in to the Amazon VPC console.
2. On the navigation pane, in the Virtual Private Cloud section, choose Internet Gateways.
3. In the search box, search for the internet gateway attached to your VPC. You can also use the search bar on the page to search for your Attached VPC ID (for example, vpc-xxxxxxxx).
4. Note the ID of the internet gateway (for example, igw-xxxxxxxx).

If an internet gateway is already attached to your VPC, complete the following steps:

1. Check your VPC's route tables for a route to your internet gateway. Look for a route entry whose Target is the ID internet gateway attached to your VPC (for example, igw-xxxxxxxx), and whose Destination is 0.0.0.0/0.
2. If the route doesn't exist, add a route entry with the internet gateway as the Target and 0.0.0.0/0 as the Destination.
3. Be sure that the subnet route table also has a route entry to the internet gateway. If this entry doesn't exist, the instance is in a private subnet and is inaccessible from the internet.

Note: Be sure that operating system-level (OS-level) route tables allow traffic from the internet. Use the command route -n (Linux instances) or netstat -rn (Linux or Windows instances), depending on your configuration.

Check IP addresses

• Check if a public IP address is assigned to your VPC instance, or an Elastic IP address is attached to the network interface of the instance. If a public IP address or elastic IP address isn't assigned to the network interface of the instance, then assign one.
  Note: For more information, see Working with IP addresses and Working with elastic IP addresses.
• Be sure that the OS-level software or firewalls on the instance allow traffic through the required ports.

Related information

Comparison of security groups and network ACLs