Unable to Establish SSH Connection to EC2 Instance with Elastic IP

0

I am facing connectivity issues while trying to establish an SSH connection to an EC2 instance in my AWS environment. The EC2 instance was initially deployed in private subnets as part of an Elastic Beanstalk environment, and I have recently associated an Elastic IP address to the instance to enable direct access. Despite making several attempts and following troubleshooting steps, the connection consistently times out. I have already verified the following aspects:

  • Used one and the same custom VPC.
  • Checked my computer and allowed SSH to run and not be blocked by the firewall.
  • Elastic IP address is associated with the instance.
  • Security group rules allow incoming SSH traffic.
  • Route table contains appropriate routes for internet access.

However, despite these configurations, I am unable to establish an SSH connection to the instance.

I already tried the command with the given format:

       ssh -i /path to my pem key file ec2-user@MyInstanceDNS

Then I also tried to connect to the EC2 instance using my own key and SSH client with this command:

       ssh-keygen -t rsa -b 4096 -C "my_email_here" -f my_key

I kindly request your assistance in diagnosing and resolving this issue so that I can successfully connect to the EC2 instance using SSH so that I can edit my wp-config file. Any guidance or insights you can provide would be greatly appreciated. Thank you.

Vin
asked 8 months ago, 1002 views
2 Answers
3
Accepted Answer

Since the EC2 was in a private subnet and now you have associated an Elastic IP address, make sure the default route of the EC2 is pointing to the Internet gateway and not the NAT Gateway.

AWS
Matt_E
answered 8 months ago
EXPERT reviewed 8 months ago
  • This may sound pedantic but isn't meant to be - if you add an entry to the routing table for an internet gateway then this ceases to be a private subnet, changing the security posture of the subnet and (potentially) everything running in it.

  • A subnet can be either private or public. For instance, if you have 10 instances on that same subnet and only one (the one you're trying to SSH into) has a public IP address, then modifying the route table for that subnet by having a default route to the Internet gateway instead of a NAT Gateway will definitely mess up the routing for the other 9 instances and they won't be able to get to the internet.

    A public subnet has a default route to the IGW, and a private subnet has a default route to the NAT Gateway. Does your EC2 route table have a route to the IGW or NATGW?

    See this for more info https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html#routing-vpc-private-subnets-nat

    If you have other EC2s on that same subnet as the other EC2 (the one you're trying to SSH into), then you may need to move that EC2 to another public subnet so it can have its own route table with a default route pointing to the IGW.

  • You're correct Matt and thank you so much! I tried first to find the Route Table ID connected to my EC2 instance and then under Routes tab, I switched the NAT to Internet Gateway as the Target. Then I tried running the command "aws ec2-instance-connect ssh --instance-id i-xxxxxxxxxx" and I was able to connect.
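The accepted answer and the comments above boil down to one check: which target the 0.0.0.0/0 route of the instance's subnet points at (an explicit subnet association wins, otherwise the VPC's main route table applies). Inbound SSH to the Elastic IP arrives through the IGW, but if the subnet's default route goes to a NAT gateway the reply leaves through the NAT and the session times out. The following is an added example, not code from the original thread; it runs over a constructed JSON document shaped like `aws ec2 describe-route-tables` output with made-up resource IDs, so it needs no AWS credentials.

```python
import json

# Constructed sample shaped like `aws ec2 describe-route-tables` output (all IDs are made up).
# rtb-main0001 is the VPC's main table (defaults to the IGW); subnet-priv1 is explicitly
# associated with rtb-priv0002, whose default route goes to a NAT gateway.
ROUTE_TABLES_JSON = """
{"RouteTables": [
  {"RouteTableId": "rtb-main0001", "VpcId": "vpc-0001",
   "Associations": [{"Main": true, "RouteTableId": "rtb-main0001"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0aaa"}]},
  {"RouteTableId": "rtb-priv0002", "VpcId": "vpc-0001",
   "Associations": [{"Main": false, "SubnetId": "subnet-priv1", "RouteTableId": "rtb-priv0002"}],
   "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]}
]}
"""


def route_table_for_subnet(route_tables, subnet_id, vpc_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rtb in route_tables:
        if rtb.get("VpcId") != vpc_id:
            continue
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route_target(rtb):
    """Return the target ID of the IPv4 default route, or None if the table has none."""
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId") or route.get("InstanceId")
    return None


def diagnose(route_tables_json, subnet_id, vpc_id, has_public_ip):
    """Classify why SSH to the instance's public/Elastic IP may time out at the routing layer."""
    rtbs = json.loads(route_tables_json)["RouteTables"]
    rtb = route_table_for_subnet(rtbs, subnet_id, vpc_id)
    target = default_route_target(rtb) if rtb else None
    if target is None:
        return "no-default-route"          # nothing can reach the internet either way
    if target.startswith("igw-"):
        return "public-subnet" if has_public_ip else "igw-but-no-public-ip"
    if target.startswith("nat-"):
        return "private-subnet-nat"        # replies leave via the NAT; inbound SSH to the EIP times out
    return "other:" + target
```

Before flipping the default route of a NAT-routed table to the IGW, remember Matt's point: every other instance associated with that table becomes publicly routable, so moving the one instance to a public subnet is usually the safer fix.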

3

First of all, I'd like to mention here that recently, with the launch of EC2 Instance Connect Endpoint (EIC), this ask has become much simpler; here is a detailed step-by-step guide in this blog post.

However, if you don't prefer to go with the EIC route and prefer the bastion host route, then the following are the steps.

To SSH into an EC2 instance in a private subnet, you would require a bastion host in a public subnet that would act as an intermediary for connecting to the private instance.

Step-1:

  • EC2 instances in both a private subnet and a public subnet.
  • Security groups set up to allow SSH traffic.
  • Key pair (SSH key) used to access the instances.

Step-2

Launch an EC2 instance (bastion host) in a public subnet. Assign a public IP or an Elastic IP (optional and chargeable) to the bastion host. Attach a security group to allow SSH (port 22) traffic from your IP or IP range.

Step-3:

Now configure Route and Security Group for connectivity:

In the route table for the private subnet containing your target instance, create a route to send traffic destined for the internet (0.0.0.0/0) through the NAT gateway or NAT instance. Make sure that the security group for the private instance allows SSH (port 22) traffic from the bastion host's security group.

Step-4

Now SSH to the bastion host:

       ssh -i /path/to/your/key.pem ec2-user@bastion-public-ip

SSH from the bastion host to the private instance:

Now that you are connected to the bastion host, SSH to the private instance using its private IP:

     ssh -i /path/to/your/key.pem ec2-user@private-instance-private-ip

Make sure you use the correct key path while doing SSH.

I tried to be as thorough as I could, as this is one of the most commonly asked questions. Refer to this blog post, which also talks about the same.

Additional Context: To access an instance launched in a private subnet, it's important to note that while the Elastic IP allows the EC2 instance to be addressed from the internet, the private subnet doesn't provide direct internet access to the instance. To enable internet access for the instance, you'll typically need to set up a Network Address Translation (NAT) gateway or a NAT instance in a public subnet.

Hope you find this useful.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
EXPERT
answered 8 months ago
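Step 4 above runs `ssh -i key.pem` on the bastion itself, which only works if the private key has been copied onto the bastion. An OpenSSH `ProxyJump` entry in the workstation's `~/.ssh/config` reaches the private instance through the bastion while the key never leaves the workstation. This is an added config fragment, not from the answer; `bastion-public-ip`, `10.0.2.15` and `~/.ssh/key.pem` are placeholders to replace with your own values.

```sshconfig
# Added example (placeholders): jump through the bastion without copying key.pem onto it.
Host bastion
    HostName bastion-public-ip      # public or Elastic IP of the bastion
    User ec2-user
    IdentityFile ~/.ssh/key.pem
    IdentitiesOnly yes              # offer only this key, not every key in the agent

Host private-web
    HostName 10.0.2.15              # private IP of the target instance
    User ec2-user
    IdentityFile ~/.ssh/key.pem     # authenticated end-to-end from the workstation
    IdentitiesOnly yes
    ProxyJump bastion               # OpenSSH 7.3+; equivalent to `ssh -J bastion`
```

With this in place `ssh private-web` opens the tunnel via the bastion and authenticates to the private instance directly, so the bastion only ever forwards an encrypted TCP stream and holds no private key.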
  • Were you able to figure out the problem?

  • Thank you so much for this information Abhishek! I'm trying the EIC and still looking into what caused the timeout. I didn't create a new endpoint in the VPC. Instead, I used the existing endpoint associated with the custom VPC that I have attached to my WordPress application.

    In the user role that I created for myself in IAM, I created an inline policy for the following:

    1. Allow users to create, describe, and delete EC2 Instance Connect Endpoints
    2. Allow users to use EC2 Instance Connect Endpoint to connect to instances
    3. Allow users to connect only from a specified source IP address range

    I also checked the 2 security groups connected to my EC2 instance that SSH on port 22 is allowed. The AWS CLI on my PC was already installed and configured. The OpenSSH client on my PC was already installed. But when I ran "aws ec2-instance-connect ssh --instance-id i-xxxxxxxxxx", it timed out. Any idea what caused this error?
