My EC2 Linux Instance on AWS can't connect to internet

0

I deployed a Linux image from Amazon on an EC2 instance and I wanted to install some dependencies like pip and selenium. But it seems like my instance is not reaching the internet. I made sure to have a public IP address on my instance, and I created a public subnet, to which I assigned a route table with an internet gateway as the 0.0.0.0/0 target according to the AWS documentation.

But still I can't install dependencies. Below are some screenshots that represent parts of my configuration:

Security rules settings

Network settings

Routing table

ACL

Now when I connect to my instance using SSH and try sudo yum update -y, I just get a loading progress state and it sort of 'freezes':

First error

Then after a while I get this timeout error: Second error

I also tried ping google.com and it says Name or service not known.

I am new to AWS and learning about Cloud Computing, so any help or feedback on this is appreciated!

7 Answers
1

Hello.

I also tried ping google.com and it says Name or service not known.

Name resolution may not be working properly on the EC2 OS.
Are "DNS hostnames" and "DNS resolution" enabled in the VPC where EC2 is running?
If this is not enabled, name resolution from EC2 will fail.
https://docs.aws.amazon.com/vpc/latest/userguide/AmazonDNS-concepts.html#vpc-dns-support

You can enable it by following the steps in the document below.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns-updating.html

EXPERT
answered 8 months ago
  • Currently, SSH is available, so EC2 should be publicly accessible. If there is a problem with the route table, you need to check the route table associated with the subnet where EC2 is running.

  • Is it possible to resolve the name "google.com" using the "dig" or "nslookup" command?

    dig google.com
    nslookup google.com
    

    If name resolution is not possible, try adding the IP of Google's name server as shown below to force name resolution. https://repost.aws/knowledge-center/ec2-static-dns-ubuntu-debian

    sudo vi /etc/resolv.conf
    
    nameserver 8.8.8.8
    

    By default, the settings are as follows. The IP address changes depending on the CIDR of the VPC you are using.

    cat /etc/resolv.conf
    # This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
    # Do not edit.
    #
    # This file might be symlinked as /etc/resolv.conf. If you're looking at
    # /etc/resolv.conf and seeing this text, you have followed the symlink.
    #
    # This is a dynamic resolv.conf file for connecting local clients directly to
    # all known uplink DNS servers. This file lists all configured search domains.
    #
    # Third party programs should typically not access this file directly, but only
    # through the symlink at /etc/resolv.conf. To manage man:resolv.conf(5) in a
    # different way, replace this symlink by a static file or a different symlink.
    #
    # See man:systemd-resolved.service(8) for details about the supported modes of
    # operation for /etc/resolv.conf.
    
    nameserver 172.31.0.2
    search ap-northeast-1.compute.internal
    
  • To begin with, I feel like there is a problem with the VPC CIDR. I thought there was a problem because it was outside the range of private IP addresses specified in RFC 1918. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html#vpc-sizing-ipv4

  • The CIDR of a VPC cannot be changed once it has been created, so you will need to recreate the VPC.
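The checks in the answer above (VPC DNS attributes, the expected Amazon-provided resolver address, what resolv.conf should contain, and whether the VPC CIDR is in RFC 1918 space) can be expressed as a small offline script. This is an added example, not code from the original thread or from AWS. It relies on two documented facts: the Amazon-provided resolver listens at the VPC's IPv4 base address plus two (172.31.0.2 for 172.31.0.0/16) and at 169.254.169.253, and both VPC attributes enableDnsSupport and enableDnsHostnames must be on for an instance to use it. The VPC CIDRs, attribute values and resolv.conf text are constructed inputs; in practice the attribute values would come from `aws ec2 describe-vpc-attribute`.

```python
"""
Added example, not code from the original thread: offline sanity checks for
the DNS setup the answer above describes. It relies on two documented facts:
the Amazon-provided resolver listens at the VPC's IPv4 base address plus two
(172.31.0.2 for 172.31.0.0/16) and at 169.254.169.253, and both VPC
attributes enableDnsSupport and enableDnsHostnames must be on for an
instance to use it. The VPC CIDRs, attribute values and resolv.conf text
below are constructed inputs for the example.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL_RESOLVER = ipaddress.ip_address("169.254.169.253")

# Constructed: a resolv.conf in the shape systemd-resolved writes on a default VPC.
SAMPLE_RESOLV_CONF = """\
# This is /run/systemd/resolve/resolv.conf managed by man:systemd-resolved(8).
# Do not edit.
nameserver 172.31.0.2
search ap-northeast-1.compute.internal
"""


def vpc_resolver_ip(vpc_cidr: str) -> str:
    """Amazon-provided DNS address for a VPC: network base address plus two."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return str(net.network_address + 2)


def in_rfc1918(vpc_cidr: str) -> bool:
    """True when the whole VPC range sits inside an RFC 1918 private block."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    return any(net.subnet_of(private) for private in RFC1918)


def parse_nameservers(resolv_conf: str) -> list[str]:
    """Collect 'nameserver' entries from resolv.conf text, skipping comments."""
    servers = []
    for raw in resolv_conf.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def diagnose(vpc_cidr: str, resolv_conf: str, dns_support: bool, dns_hostnames: bool) -> list[str]:
    """Return human-readable findings; an empty list means nothing looks wrong."""
    findings = []
    if not dns_support:
        findings.append("enableDnsSupport is off: the Amazon-provided resolver will not answer")
    if not dns_hostnames:
        findings.append("enableDnsHostnames is off: instances get no public DNS hostnames")
    expected = vpc_resolver_ip(vpc_cidr)
    servers = parse_nameservers(resolv_conf)
    amazon = {expected, str(LINK_LOCAL_RESOLVER)}
    if not servers:
        findings.append("resolv.conf has no nameserver entry")
    elif not any(s in amazon for s in servers):
        findings.append(f"resolv.conf uses {servers}, not the Amazon-provided resolver {expected}")
    if not in_rfc1918(vpc_cidr):
        findings.append(f"VPC CIDR {vpc_cidr} is outside RFC 1918 private address space")
    return findings


if __name__ == "__main__":
    for finding in diagnose("172.31.0.0/16", SAMPLE_RESOLV_CONF, dns_support=True, dns_hostnames=True):
        print(finding)
    for finding in diagnose("203.0.113.0/24", "nameserver 8.8.8.8\n", dns_support=False, dns_hostnames=True):
        print(finding)
```

A resolv.conf pointing at 8.8.8.8 is reported as a finding rather than an error: it works once the instance can actually reach the internet, which is exactly what is in doubt here, whereas the VPC resolver at base + 2 is reachable without an internet gateway and so separates a DNS problem from a routing or NACL problem.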

1

Hi there,

Do you have a custom NACL attached? Make sure your NACL is not using the default deny-all.

AWS
answered 8 months ago
  • Hey!

    So I managed to fix this issue. The problem was actually with my organization; apparently there is an extra layer of security which does not allow internet communication on the VPC. I had to use a Security Group that is made by my company; it has 50 custom-made rules which unfortunately I am not allowed to share due to obvious security reasons. But I would suggest you re-create your VPC, instance and security group. In my case I did everything correctly but there was a small issue which was blocking me from the internet that was related to the organization which I am working for. So it's very specific.

1

Hi Benjamin, were you able to get this resolved? I'm facing same issue.

I have a NACL associated to the VPC and validated that the outbound rules allow all traffic on all ports to all IPs. I checked SG -> NACL -> IGW and all of them have outbound rules allowing it. I detached the NACL and tried only with the SG and it is able to communicate. So I can say something is wrong with my custom NACL. The outbound rule to allow traffic is explicitly defined and this should override the default rule to deny all traffic, correct? Not sure if I'm missing something here.

answered 8 months ago
  • Hi there, sounds like your NACL is blocking the traffic. NACLs are stateless, so you will need to allow both inbound and outbound for the traffic to be allowed, e.g. when connecting out to the internet on port 80, you need to allow outbound port 80 and inbound on the ephemeral ports (normally 1024-65535).
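The comment above is the key point of this thread, and it is easy to see why an outbound-only allow fails once the evaluation is written down. The following is an added example, not code from the original thread or from AWS: a small simulator of how a network ACL judges a TCP flow. It models the documented behaviour that inbound and outbound rule lists are evaluated independently (stateless), that numbered rules are tried in ascending order with the first match deciding, and that the trailing "*" rule denies anything left over. The addresses (TEST-NET ranges), ports and rule sets are constructed for the example.

```python
"""
Added example, not code from the original thread: a small simulator of how a
network ACL judges a TCP flow, illustrating the comment above that an
outbound allow is not enough because NACLs are stateless. Modelled from the
VPC documentation: inbound and outbound rule lists are evaluated
independently, numbered rules are tried in ascending order with the first
match deciding, and the trailing "*" rule denies anything left over. The
addresses, ports and rule sets below are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # the range the reply to an outbound request comes back to


@dataclass(frozen=True)
class Rule:
    number: int              # evaluation order, lowest first
    action: str              # "allow" or "deny"
    protocol: str            # "tcp", "udp" or "all"
    ports: tuple             # inclusive destination-port range (lo, hi)
    cidr: str                # remote address range the rule applies to


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int            # port the packet is addressed to
    remote_ip: str           # the non-VPC end of the conversation


def evaluate(rules: list, packet: Packet) -> bool:
    """First matching numbered rule decides; no match hits the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        lo, hi = rule.ports
        if not lo <= packet.dst_port <= hi:
            continue
        if ipaddress.ip_address(packet.remote_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action == "allow"
    return False


def flow_allowed(inbound, outbound, remote_ip, remote_port, local_port,
                 protocol="tcp", instance_initiates=True) -> dict:
    """Judge both directions of one TCP conversation through a stateless NACL.

    The packet leaving the subnet is addressed to remote_port and checked
    against the outbound rules; the packet entering the subnet is addressed
    to local_port and checked against the inbound rules, regardless of which
    side opened the connection.
    """
    leaving = Packet(protocol, remote_port, remote_ip)
    entering = Packet(protocol, local_port, remote_ip)
    out_ok = evaluate(outbound, leaving)
    in_ok = evaluate(inbound, entering)
    request, reply = (out_ok, in_ok) if instance_initiates else (in_ok, out_ok)
    return {"request": request, "reply": reply, "works": out_ok and in_ok}


# Constructed rule sets. The first inbound list is the shape that lets SSH in
# but still breaks `yum update`: the HTTPS reply has nowhere to land.
OUTBOUND_ALLOW_ALL = [Rule(100, "allow", "all", (0, 65535), "0.0.0.0/0")]
INBOUND_SSH_ONLY = [Rule(100, "allow", "tcp", (22, 22), "0.0.0.0/0")]
INBOUND_SSH_AND_EPHEMERAL = INBOUND_SSH_ONLY + [Rule(110, "allow", "tcp", EPHEMERAL, "0.0.0.0/0")]
# A lower-numbered deny wins over a later allow, so rule order matters too.
INBOUND_DENY_FIRST = [Rule(50, "deny", "tcp", EPHEMERAL, "0.0.0.0/0")] + INBOUND_SSH_AND_EPHEMERAL

MIRROR = "203.0.113.10"     # constructed yum mirror address (TEST-NET-3)

if __name__ == "__main__":
    for name, inbound in [("ssh only", INBOUND_SSH_ONLY),
                          ("ssh + ephemeral", INBOUND_SSH_AND_EPHEMERAL),
                          ("deny first", INBOUND_DENY_FIRST)]:
        print(name, flow_allowed(inbound, OUTBOUND_ALLOW_ALL, MIRROR, 443, 51234))
```

The "ssh only" case reproduces the symptom in this thread: SSH from outside works (request on 22 is allowed in, the reply goes out through the allow-all outbound rule), while a connection the instance opens to a package mirror on 443 leaves fine but its reply to an ephemeral port is dropped by the implicit deny, which looks to yum like a hang followed by a timeout. Security groups do not have this problem because they are stateful.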

0

Hi, thank you for the fast response!

Yes, both DNS hostnames and DNS resolution are enabled in the VPC which I am using currently.

However, I did see something just now: when I click on the details of the VPC where my instance is located and then look at the main routing table of that VPC, I can see that it's not associated with any subnet. Could that be the reason why I am not receiving any network connection in my EC2 instance? I did create my own subnet and associated it with a routing table as you saw in the images I provided, but I assume the main routing table perhaps should have the same configuration when it comes to associating it with the subnet?

answered 8 months ago
0

So again everything seems to check out; I posted a picture of the subnet where the EC2 instance is running below. Maybe there is something I missed? Subnet

And my routing table associating with that same subnet: Route table

answered 8 months ago
0

So I did dig google.com and nslookup but I got a communication error:

Error

answered 8 months ago
0

Any tip on how can I fix the IPv4 CIDR then?

answered 8 months ago
