
EC2 VM doesn't have Internet connection


I have a testing VPC created a long time ago; it's connected to our on-prem network with a VPN connection. We don't assign public IPs to EC2 instances in this VPC and only access them through the VPN.

It was working before, but today when I powered up the only EC2 instance in the VPC, I found it had lost Internet access. I can still ssh into it with the private IP from on-prem, but it can't reach any website by curl, and I can't ping any public IP including (DNS resolution is still working).

[root@ip-10-240-46-19 ec2-user]# ping
PING ( 56(84) bytes of data.
--- ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@ip-10-240-46-19 ec2-user]# nslookup

Non-authoritative answer: canonical name =

[root@ip-10-240-46-19 ec2-user]# ping
PING ( 56(84) bytes of data.
--- ping statistics ---

[root@ip-10-240-46-19 ec2-user]# yum update
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Could not retrieve mirrorlist error was
12: Timeout on (28, 'Connection timed out after 5000 milliseconds')

[root@ip-10-240-46-19 ec2-user]# curl -v
*   Trying
*   Trying 2600:1fa0:c040:250:34db:78a1::...

tcpdump shows there is no response from public server:
14:36:42.468736 IP > Flags [S], seq 3488750344, win 26883, options [mss 8961,sackOK,TS val 1544269441 ecr 0,nop,wscale 7], length 0
14:36:43.475306 IP > Flags [S], seq 3488750344, win 26883, options [mss 8961,sackOK,TS val 1544270448 ecr 0,nop,wscale 7], length 0
14:36:45.491327 IP > Flags [S], seq 3488750344, win 26883, options [mss 8961,sackOK,TS val 1544272464 ecr 0,nop,wscale 7], length 0

I did some troubleshooting:

  1. checked security group:
    There is only one inbound rule to allow TCP 22; one outbound rule to allow "All All".

  2. Checked the VPC routing table; there are three rules: local -> Internet Gateway -> VPN Gateway (apparently this one is still working)

  3. Tried to create a new Internet Gateway and swap it, didn't fix it.

  4. Tried to create a NAT Gateway and changed routing to use the NAT Gateway, didn't fix it.

  5. Removed the NAT Gateway, changed it back to use the Internet Gateway for

  6. Created a new EC2 instance in same subnet with a different private IP, same problem.

Inside the instance, the routing table shows:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                                                UG    0      0        0 eth0
                                                U     0      0        0 eth0
                                                UH    0      0        0 eth0

Now I have run out of ideas.
Is there somewhere else I should be looking?


asked 3 years ago · 143 views
3 Answers

Forgot to mention, I also checked the VPC ACL; its outbound rule has rule 100 to allow any.

answered 3 years ago

OK, I will answer the question myself:

I opened a support ticket with AWS and support answered my question:
"In order for your NAT Gateway to work properly, you will have to place it in a public subnet ie. the subnet should have an internet gateway attached to it and you should have subnet specific route tables where the on your private subnet is routed to your NAT Gateway and the on your public subnet is routed to the Internet Gateway."

Having worked mostly in Azure (where the Internet gateway and NAT gateway are set up directly by the Azure VNet), I didn't realize how a private network should be configured in AWS.

answered 3 years ago
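The layout support describes above (NAT gateway in a public subnet whose own route table sends 0.0.0.0/0 to the internet gateway, private subnets sending 0.0.0.0/0 to the NAT gateway) can be checked mechanically. The following Python audit is an added example, not code from the thread or from AWS: it takes dicts in the shape of `aws ec2 describe-route-tables`, `describe-nat-gateways` and `describe-instances` JSON (trimmed to the fields used) and reports whether an instance has an egress path. The sample data is constructed with made-up IDs and models three layouts from the question: the original subnet routing straight to the IGW with an instance that has no public IP (an IGW only translates traffic for instances with a public or Elastic IP, so SYNs leave but nothing comes back, as in the tcpdump), the troubleshooting step 4 layout where the NAT gateway was placed in the same subnet that routes to it, and the corrected two-subnet layout. Security groups and NACLs are out of scope for this check; the question already rules those out.

```python
"""Audit whether an EC2 instance has an internet egress path through its
subnet's route table and an internet gateway (IGW) and/or a NAT gateway.

Dict shapes mirror `aws ec2 describe-route-tables`, `describe-nat-gateways`
and `describe-instances` JSON, trimmed to the fields used. All IDs and
addresses are made up for this example.
"""

DEFAULT_ROUTE = "0.0.0.0/0"


def default_route(table):
    """Return the active 0.0.0.0/0 route of a route table, or None."""
    for route in table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == DEFAULT_ROUTE
                and route.get("State", "active") == "active"):
            return route
    return None


def route_table_for(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for table in route_tables:
        if table["VpcId"] != vpc_id:
            continue
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def subnet_egress(subnet_id, vpc_id, data):
    """Return ("igw", igw_id), ("nat", nat_id) or ("none", reason).

    "nat" is only reported when the NAT gateway itself sits in a subnet whose
    0.0.0.0/0 route targets an IGW, i.e. a public subnet.
    """
    table = route_table_for(subnet_id, vpc_id, data["route_tables"])
    route = default_route(table) if table else None
    if route is None:
        return ("none", f"{subnet_id} has no active 0.0.0.0/0 route")
    gw = route.get("GatewayId", "")
    if gw.startswith("igw-"):
        return ("igw", gw)
    nat_id = route.get("NatGatewayId")
    if not nat_id:
        return ("none", f"{subnet_id} sends 0.0.0.0/0 to {gw or 'an unknown target'}")
    nat = next((n for n in data["nat_gateways"] if n["NatGatewayId"] == nat_id), None)
    if nat is None or nat.get("State") != "available":
        return ("none", f"NAT gateway {nat_id} is missing or not 'available'")
    # The NAT gateway needs its own way out: its subnet's table must send
    # 0.0.0.0/0 straight to an IGW. Pointing that subnet back at a NAT gateway
    # (including itself, as when both live in one subnet) leaves it stranded.
    nat_table = route_table_for(nat["SubnetId"], vpc_id, data["route_tables"])
    nat_route = default_route(nat_table) if nat_table else None
    if nat_route is None or not nat_route.get("GatewayId", "").startswith("igw-"):
        return ("none", f"NAT gateway {nat_id} sits in {nat['SubnetId']}, whose "
                        "0.0.0.0/0 route does not point at an IGW (not a public subnet)")
    return ("nat", nat_id)


def instance_internet_access(instance, data):
    """Return (True, path) or (False, reason) for one instance."""
    kind, detail = subnet_egress(instance["SubnetId"], instance["VpcId"], data)
    if kind == "igw":
        if instance.get("PublicIpAddress"):
            return (True, f"public IP via {detail}")
        # An IGW only NATs for instances holding a public/Elastic IP; a
        # private-only instance behind it sends SYNs and never sees replies.
        return (False, f"{instance['SubnetId']} routes to {detail} but the instance has no public IP")
    if kind == "nat":
        return (True, f"private IP via {detail}")
    return (False, detail)


def sample_vpc(mode):
    """Constructed data. "igw": private subnet -> IGW (the original setup);
    "nat_in_private": -> NAT gateway placed in that same subnet (step 4);
    "nat_in_public": NAT gateway in its own public subnet (the fix)."""
    vpc, private, public = "vpc-0example", "subnet-0private", "subnet-0public"
    if mode == "igw":
        private_default = {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0example"}
    elif mode in ("nat_in_private", "nat_in_public"):
        private_default = {"DestinationCidrBlock": DEFAULT_ROUTE, "NatGatewayId": "nat-0example"}
    else:
        raise ValueError(mode)
    route_tables = [{"VpcId": vpc, "RouteTableId": "rtb-0main",
                     "Associations": [{"Main": True}, {"SubnetId": private}],
                     "Routes": [{"DestinationCidrBlock": "10.240.0.0/16", "GatewayId": "local"},
                                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0example"},
                                private_default]}]
    nat_gateways = []
    if mode == "nat_in_private":
        nat_gateways.append({"NatGatewayId": "nat-0example", "SubnetId": private, "State": "available"})
    elif mode == "nat_in_public":
        nat_gateways.append({"NatGatewayId": "nat-0example", "SubnetId": public, "State": "available"})
        route_tables.append({"VpcId": vpc, "RouteTableId": "rtb-0public",
                             "Associations": [{"SubnetId": public}],
                             "Routes": [{"DestinationCidrBlock": "10.240.0.0/16", "GatewayId": "local"},
                                        {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0example"}]})
    return {"route_tables": route_tables, "nat_gateways": nat_gateways}


# The instance from the question: private subnet, no PublicIpAddress key.
INSTANCE = {"InstanceId": "i-0example", "VpcId": "vpc-0example", "SubnetId": "subnet-0private"}

if __name__ == "__main__":
    for mode in ("igw", "nat_in_private", "nat_in_public"):
        ok, why = instance_internet_access(INSTANCE, sample_vpc(mode))
        print(f"{mode:15} {'OK  ' if ok else 'FAIL'} {why}")
```

To run it against a real account, replace `sample_vpc()` with the output of `aws ec2 describe-route-tables`, `aws ec2 describe-nat-gateways` and `aws ec2 describe-instances` loaded with `json.load`; the key names used here are the ones those commands emit.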

Hi jackchen858,

I'm glad that you were able to solve the issue. Please let us know if you need any further help.


answered 3 years ago
