(t2.micro) Editing port rules in Security Group makes no changes - Can always ping port 3389, but 22 fails


This is a rather odd issue, and I couldn't find anything on it.

I've assigned my Windows t2.micro instance a Security Group, and a VPC. I've made two rules, using the presets for RDP and SSH respectively. I can ping the instance's IP on the RDP port (3389) just fine, and can connect. But pinging on the SSH port (22) always fails, even if I create a new rule that accepts all traffic from all sources.

Custom defined ports, such as 27015, also has the same issue as port 22. Editing the rules makes no difference, neither does changing the Security Group for my instance.

Any idea what is going on here? It is very odd that RDP works fine, but nothing else does.

asked 2 years ago322 views
1 Answer


It appears to me that there is no process running on the ports 22 or 27015. Could you please check by either of the following commands

  1. Install telnet and try to connect to port 22 or your custom port on the instance. This is to ensure if a service is running on any of those ports.
telnet localhost 22
  1. You could use netstat to check if there is something listening on those ports 22 or custom port
  1. Check NACL as well please
profile picture
answered 2 years ago
  • Hey there. Thanks for the response.

    1 - Installed telnet, ran the command. The following error was logged: Connecting To localhost...Could not open connection to the host, on port 22: Connect failed

    2 - Nothing is listening on those ports. Only three connections exist. 3389, which is my RDP connection. 49762, and 49763, which I assume are connections to Amazon's servers.

    3 - Aha, I think you might be onto something there. My instance's ACL has the following rules, for inbound and outbound:

    100 All traffic All All Allow

    • All traffic All All Deny

    But it is weird that port 3389 works perfectly. How should I proceed here?

    Edit: Using Test-NetConnection -ComputerName localhost -Port 27015 in Powershell, the check failed with the following error:

    WARNING: TCP connect to ( : 27015) failed
    ComputerName           : localhost
    RemoteAddress          : ::1
    RemotePort             : 27015
    InterfaceAlias         : Loopback Pseudo-Interface 1
    SourceAddress          : ::1
    PingSucceeded          : True
    PingReplyDetails (RTT) : 0 ms
    TcpTestSucceeded       : False
  • ACL seems to be default and it's fine. The way ACL's work is based on priority numbering. In this case 100 is the first rule, which allows everything, so it won't go to the next rule In order for you to connect on port 22 or any other port, you need to install something that can listen on those ports

    There are some windows utilities that you could also use to listen on a port, for example: https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/portqry-command-line-port-scanner-v2#:~:text=PortQry%20is%20a%20command%2Dline,the%20local%20computer's%20port%20usage.


  • I actually found the solution. The EC2 instance created 2 default security groups, as well as the security group I created when prompted. I had to edit the rules for all three of them, for the ports to be open.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions