When I use an attached Elastic IP address to connect to my Amazon Elastic Compute Cloud (Amazon EC2) instance, I receive an error. I want to troubleshoot "Connection timed out" errors that I receive in Amazon Virtual Private Cloud (Amazon VPC) with my attached Elastic IP address.
Resolution
To troubleshoot a "Connection timed out" error that you receive in Amazon VPC, use Amazon VPC Reachability Analyzer. Or, verify the following network configurations:
- Check that the security group rules for inbound traffic allow connection to the port or protocol.
- Verify that the inbound and outbound network access control list (network ACL) rules allow connection to the port or protocol.
- Make sure that the route table for the subnet of the network interface has a route to send and receive traffic from the internet.
- Check that the operating system (OS) firewall on the Amazon EC2 instance allows traffic to the port or protocol.
Troubleshoot VPC connectivity issues with Reachability Analyzer
Use Reachability Analyzer to analyze the connection to your instance or elastic network address. Then, include or exclude intermediate resources. To check if the path has a Not reachable status, view the results of the path analysis.
If the path is Not reachable, then manually check your network configurations.
Note: Amazon Q now enhances Amazon VPC network troubleshooting and allows users to diagnose connectivity issues with natural language queries.
Manually check your network configurations
If your path has a Not reachable status, then complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Instances. Then, select the instance that you need to connect to.
- On the Security tab, select the security group associated with the Amazon EC2 instance that has an Elastic IP address attached to it.
- On the Inbound rules tab, confirm your security group rule allows traffic from the source to your port or protocol.
Note: You can add an inbound rule if you don't have one. For more information, see Configure security group rules.
- Choose Instances, and then select the instance that you need to connect to.
- On the Networking tab, select the network interface that has the attached Elastic IP address. Then, select the network interface ID.
- On the Details tab, select the associated subnet ID.
- On the Network ACL tab, confirm that the inbound and outbound rules of the network ACL allow traffic to your port or protocol.
Note: You can add inbound and outbound rules if you don't have them. For more information, see Custom network ACLs for your VPC.
- On the Route Table tab, confirm that you can send traffic to the internet through a default route to an internet gateway. If you don't have a default route in your subnet route table, then add a 0.0.0.0/0 route to an internet gateway.
Important: Your default route must point to an internet gateway, not a NAT gateway.
Note: When you add a 0.0.0.0/0 route to an internet gateway, subnets associated with the route table become public. Resources with public IP addresses in the associated subnets also become publicly accessible.
- Connect to your instance to verify your updates.
If connection timeout errors persist, then take the following actions:
- Review the VPC flow log records for your instance's network interface. Confirm that the network interface recognizes traffic to and from your source IP address.
- Confirm that the instance's OS-level firewall allows traffic.
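The flow log review above can be scripted. The following is an added example, not part of the original article: it reads default-format (version 2) flow log records for the network interface and maps the ACCEPT/REJECT pattern for one client IP address and port to the configuration layer to check next. The function names, sample records, addresses, and IDs are constructed for illustration, and the result is a heuristic that assumes flow logs are enabled on the interface and the client actually sent traffic.

```python
# Added example: interpret default-format (version 2) VPC flow log records
# for one network interface. Every sample record below is constructed.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse(line):
    """Return a dict for one default-format record, or None if it has no data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    # NODATA and SKIPDATA records carry "-" in the traffic fields; skip them.
    return rec if rec["log_status"] == "OK" else None

def diagnose(lines, client_ip, port):
    """Map the ACCEPT/REJECT pattern for client_ip -> port to the next check."""
    inbound, reply = set(), set()
    for rec in filter(None, map(parse, lines)):
        if rec["srcaddr"] == client_ip and rec["dstport"] == str(port):
            inbound.add(rec["action"])   # client -> instance
        elif rec["dstaddr"] == client_ip and rec["srcport"] == str(port):
            reply.add(rec["action"])     # instance -> client
    if not inbound:
        # Nothing from the client reached the interface at all.
        return "no inbound records: check route table and internet gateway"
    if "ACCEPT" not in inbound:
        return "inbound REJECT: check security group and network ACL inbound"
    if "REJECT" in reply:
        # Security groups are stateful, so a rejected reply to accepted
        # inbound traffic points at the stateless network ACL.
        return "reply REJECT: check network ACL outbound rules"
    return "accepted by the VPC: check the OS firewall and listening service"

# Constructed records. Flow logs show the instance's private IPv4 address
# (10.0.1.25 here), not the Elastic IP address; 203.0.113.10 is the client.
ENI = "2 123456789012 eni-0a1b2c3d4e5f67890"
SAMPLE_SG_BLOCK = [
    f"{ENI} 203.0.113.10 10.0.1.25 49152 22 6 3 180 1700000000 1700000060 REJECT OK",
]
SAMPLE_NACL_OUT_BLOCK = [
    f"{ENI} 203.0.113.10 10.0.1.25 49152 22 6 3 180 1700000000 1700000060 ACCEPT OK",
    f"{ENI} 10.0.1.25 203.0.113.10 22 49152 6 3 180 1700000000 1700000060 REJECT OK",
]
SAMPLE_NODATA = [f"{ENI} - - - - - - - 1700000000 1700000060 - NODATA"]

if __name__ == "__main__":
    for sample in (SAMPLE_SG_BLOCK, SAMPLE_NACL_OUT_BLOCK, SAMPLE_NODATA):
        print(diagnose(sample, "203.0.113.10", 22))
```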