I can't connect from the internet to an Amazon Elastic Compute Cloud (Amazon EC2) instance within an Amazon Virtual Private Cloud (Amazon VPC).
Short description
Connection issues from the internet to Amazon EC2 instances are typically related to the following configuration settings:
Resolution
Before you start, confirm that your EC2 instance passes system status checks and instance status checks.
If you're using Network Firewall, see How do I troubleshoot issues with Network Firewall when a rule isn't working as expected?
Check security groups
Confirm that the security group that's associated with the elastic network interface of the instance allows connections from the required ports. Because security groups are stateful, you don't need to configure security group egress rules.
Important: In a production environment, allow only a specific IP address or range of addresses to access your instance. For testing purposes, specify the custom IP address 0.0.0.0/0 to allow all IP addresses to use SSH or RDP to access your instance.
For example, if you're using SSH to connect to the instance from the internet, then add a rule on port 22. Make sure that the rule allows the source IP address to access the instance. To allow anyone to connect, add a rule to allow port 80 for IP address 0.0.0.0/0.
Check network ACLs
Check your network ACLs for the following configuration settings:
- The network ACLs that are associated with your VPC subnet must allow traffic through the required ports. For more information, see Control traffic to subnets using network ACLs and Add and delete rules.
- Allow both inbound and outbound traffic. Network ACLs are stateless. Responses to allowed inbound traffic are subject to the rules for outbound traffic. Responses to allowed outbound traffic are subject to the rules for inbound traffic.
- Make sure that ephemeral ports are the only ports open to outbound network ACLs. It's a best practice to allow only the ports that you need.
Important: If you're still not sure what's blocking traffic from access to your instance, then turn on VPC Flow Logs. Flow logs capture IP address traffic that flows through your VPC. If you see rejected traffic in your flow logs, then check your security groups and network ACL settings again.
Check route tables
To check if an internet gateway is attached to your VPC, complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, in the Virtual Private Cloud section, choose Internet Gateways.
- Search for the internet gateway that's attached to your VPC. You can also search for your Attached VPC ID, for example, vpc-xxxxxxxx.
- Note the ID of the internet gateway, for example, igw-xxxxxxxx.
If an internet gateway is already attached to your VPC, then complete the following steps:
- Check your VPC's route tables for a route to your internet gateway. Look for a route entry whose Target is the ID of the internet gateway that's attached to your VPC, and whose Destination is 0.0.0.0/0.
- If the route doesn't exist, then add a route entry with the internet gateway as the Target and 0.0.0.0/0 as the Destination.
- Be sure that the subnet route table also has a route entry to the internet gateway. If this entry doesn't exist, then the instance is in a private subnet and is inaccessible from the internet.
Note: Confirm that the OS-level route tables allow traffic from the internet. Depending on your configuration, use the route -n command for Linux instances or netstat -rn command for Linux or Windows instances.
Check IP addresses
Related information
Why can't my EC2 instances access the internet using a NAT gateway?
Internetwork traffic privacy in Amazon VPC