Unable to access to EC2 via SSH or Instance Connect - Sorted!

0

Hi,

I've recently set up a new free-tier Amazon Linux EC2 instance, but at first I was unable to access it using SSH or the Instance Connect service. I've tried various troubleshooting steps, including:

  • Following all possible solutions from AWS documentation (obviously ignoring one tricky setting).
  • Using Amazon Q to diagnose the issue (no problems were identified).
  • Deleting and re-creating the instance with both default and custom settings.

Unfortunately, none of these approaches resolved the issue, and I was stuck without any clear direction.

Errors I was getting:

  • SSH: "Connection time out"
  • Instance Connect: "Failed to connect to your instance. EC2 Instance Connect is unable to connect to your instance. Ensure your instance network settings are configured correctly for EC2 Instance Connect."

Solution: I had to add an outbound custom TCP rule to my ACL for ephemeral ports 32768-61000, and bingo! I was able to connect to the EC2 instance both through PuTTY (SSH) and Instance Connect.

Regards, Sam

asked 12 days ago · 31 views
1 Answer
0

Thank you for sharing your experience, Sam. It's great that you were able to resolve the connectivity issue with your Amazon Linux EC2 instance. The solution you found is indeed an important aspect of EC2 networking that can be easily overlooked.

The outbound custom TCP rule for ephemeral ports (32768-61000) in your Network ACL (Access Control List) is crucial for allowing return traffic from your SSH and EC2 Instance Connect sessions. Here's why this was necessary:

  1. When you initiate an SSH or Instance Connect session, your client uses a random high-numbered port (an ephemeral port) as the source.

  2. The EC2 instance needs to be able to send traffic back to this ephemeral port on your client.

  3. Network ACLs are stateless, meaning they don't automatically allow return traffic like security groups do. You need to explicitly allow both inbound and outbound traffic.

  4. By adding the outbound rule for the ephemeral port range, you allowed the EC2 instance to send responses back to your client, completing the connection.

This is a common issue that can be confusing, especially for those new to AWS networking. While security groups are stateful and automatically allow return traffic, Network ACLs require explicit rules for both directions.

For future reference, when troubleshooting EC2 connectivity issues, it's important to check:

  1. Security group rules (both inbound and outbound)
  2. Network ACL rules (both inbound and outbound)
  3. Route tables
  4. Internet Gateway attachment (for public instances)
  5. Public IP assignment (for instances that need to be publicly accessible)

Your experience highlights the importance of understanding all layers of AWS networking when setting up and troubleshooting EC2 instances. It's a valuable lesson that will likely help others facing similar issues.

Thank you for sharing this solution. It serves as a reminder to always consider Network ACLs when diagnosing connectivity problems, even when security groups appear to be correctly configured.
Sources:

  • Troubleshoot issues connecting to your Amazon EC2 Linux instance - Amazon Elastic Compute Cloud
  • Connect to an Amazon EC2 instance using EC2 Instance Connect Endpoint - Amazon Elastic Compute Cloud

answered 12 days ago
reviewed 12 days ago (EXPERT)
reviewed 12 days ago (EXPERT)
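The following is an added example, not part of Sam's post or the answer above, that makes the stateless-NACL point concrete: it models one NACL the way `aws ec2 describe-network-acls` returns it (first match by ascending rule number, the trailing rule 32767 deny as the "*" rule), then evaluates both halves of an SSH handshake, the SYN arriving on port 22 and the reply leaving for the client's ephemeral port. The ACL entries, the `acl-EXAMPLE` id and the client address 198.51.100.7 are constructed; the 1024-65535 range is the one AWS's NACL documentation recommends for the outbound ephemeral rule, and the example shows why: Sam's 32768-61000 rule covers a Linux client but not a Windows client, whose ephemeral ports run up to 65535.

```python
"""Stateless Network ACL evaluation for an SSH / Instance Connect session.

Constructed example: the entries below mirror the shape of
`aws ec2 describe-network-acls` output; acl-EXAMPLE is a placeholder id.
"""
import functools
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SSH_PORT = 22


@dataclass
class AclEntry:
    rule_number: int
    egress: bool               # True = outbound table, False = inbound table
    protocol: str              # "6" TCP, "17" UDP, "-1" all (API encoding)
    cidr: str
    port_from: Optional[int]   # absent on protocol "-1" entries
    port_to: Optional[int]
    action: str                # "allow" or "deny"


def entries_from_describe(doc: dict) -> List[AclEntry]:
    """Flatten describe-network-acls JSON into AclEntry records."""
    out = []
    for acl in doc["NetworkAcls"]:
        for e in acl["Entries"]:
            pr = e.get("PortRange", {})
            out.append(AclEntry(e["RuleNumber"], e["Egress"], e["Protocol"],
                                e.get("CidrBlock") or e.get("Ipv6CidrBlock"),
                                pr.get("From"), pr.get("To"), e["RuleAction"]))
    return out


@functools.lru_cache(maxsize=None)
def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def evaluate(entries, egress: bool, protocol: str, remote_ip: str, port: int) -> str:
    """One direction of one packet: rules tried in ascending rule number, first
    match wins, no match means deny (the console's '*' rule). For inbound rules
    `port` is the instance-side destination port; for outbound rules it is the
    destination port on the remote host, i.e. the client's ephemeral port."""
    addr = ipaddress.ip_address(remote_ip)
    for e in sorted((e for e in entries if e.egress == egress), key=lambda e: e.rule_number):
        if e.protocol not in ("-1", protocol):
            continue
        if addr not in _net(e.cidr):
            continue
        if e.port_from is not None and not (e.port_from <= port <= e.port_to):
            continue
        return e.action
    return "deny"


def ssh_session_verdict(entries, client_ip: str, client_port: int) -> dict:
    """SYN in to port 22, SYN-ACK back out to the client's ephemeral port.
    A stateful security group allows the reply automatically; a stateless
    NACL needs an explicit outbound rule or the client sees a timeout."""
    inbound = evaluate(entries, False, "6", client_ip, SSH_PORT)
    outbound = evaluate(entries, True, "6", client_ip, client_port)
    return {"inbound": inbound, "outbound": outbound,
            "connects": inbound == "allow" and outbound == "allow"}


def first_blocked_return_port(entries, client_ip: str, low: int = 1024, high: int = 65535) -> Optional[int]:
    """First destination port in [low, high] the outbound table denies, or None
    if every return port in the range is allowed."""
    for port in range(low, high + 1):
        if evaluate(entries, True, "6", client_ip, port) != "allow":
            return port
    return None


# Constructed starting state: SSH allowed in, only HTTPS allowed out.
SAMPLE_DESCRIBE = {"NetworkAcls": [{"NetworkAclId": "acl-EXAMPLE", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]}]}

EPHEMERAL_LINUX = AclEntry(110, True, "6", "0.0.0.0/0", 32768, 61000, "allow")  # the rule Sam added
EPHEMERAL_WIDE = AclEntry(120, True, "6", "0.0.0.0/0", 1024, 65535, "allow")    # AWS-recommended range


def scenarios(client_ip: str = "198.51.100.7") -> dict:
    base = entries_from_describe(SAMPLE_DESCRIBE)
    with_sam = base + [EPHEMERAL_LINUX]
    with_wide = with_sam + [EPHEMERAL_WIDE]
    return {
        "before_fix": ssh_session_verdict(base, client_ip, 50000),
        "after_fix_linux_client": ssh_session_verdict(with_sam, client_ip, 50000),   # Linux ephemeral port
        "after_fix_windows_client": ssh_session_verdict(with_sam, client_ip, 62000), # Windows ephemeral port
        "after_wide_rule": ssh_session_verdict(with_wide, client_ip, 62000),
        "first_blocked_with_sam_rule": first_blocked_return_port(with_sam, client_ip),
        "first_blocked_with_wide_rule": first_blocked_return_port(with_wide, client_ip),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Running the file prints the verdict for each scenario; the "before_fix" case reproduces Sam's symptom (inbound allowed, reply denied, so the client just times out), and `first_blocked_return_port` is the check to run against a real ACL dumped with `describe-network-acls` before deciding the outbound ephemeral rule is wide enough.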
