Cannot access EC2 instance, tried the troubleshooting


I cannot connect to my EC2 instances via SSH or via the public IP in a browser for the accounts in an organization using Control Tower. I've tested it in 3 different AWS accounts: 1 with an EC2 instance that is accessible but not in an organization/Control Tower. The 2 accounts under an organization using AWS Control Tower cannot be accessed either publicly or privately. I can create the instances and they show green for "running" and "2/2 health checks". Both access by entering the EC2 IP address in the browser, and access via SSH with the EC2 public IP/DNS name, fail. The connection is refused in the web browser or it says invalid address, and in SSH access is denied on both even with the proper .pem keys. Here are the things I've tried:

  1. Looking through rePost for similar issues.
  2. Restarting, rebooting, remaking the EC2 instances.
  3. NAT gateway attached to both private and public subnets.
  4. EIP's attached to the EC2 instances and network interfaces.
  5. Routing both NAT gateways and Internet Gateways or by themselves to private and public subnets.
  6. NACL's were never touched stayed default. I checked to make sure they were as is compared to the AWS account's ec2's accessible NACL's.
  7. Security groups, I've tried inbound http:80, https:443, ssh:20, and even tried the all:anywhere.
  8. I tried creating new VPC's with both private/public subnets and just public subnets.
  9. Tried creating EC2 instances in both private and public subnets (both inaccessible).
  10. Checked other services such as S3 buckets, which are accessible.
1 Answer
Accepted Answer

Hello.

Setting SCP guardrails in AWS Control Tower will not prevent you from using SSH.
Depending on the contents of the SCP, connections from the management console (Session Manager, EC2 Instance Connect), etc. may not be available, but SSH from a terminal such as Linux or Mac is not restricted.

What error are you getting when doing SSH from your local PC?
If it is a timeout error, I think you need to check the security group, network ACL, and route table settings of the subnet where EC2 is running.
Is a route destined for the Internet gateway added to the subnet's route table?
https://repost.aws/knowledge-center/ec2-linux-ssh-troubleshooting

  3. NAT gateway attached to both private and public subnets.

There is no need to add a route to the NAT Gateway in the public subnet's route table.

  7. Security groups, I've tried inbound http:80, https:443, ssh:20, and even tried the all:anywhere.

The default port for SSH is port 22.

EXPERT, answered 7 months ago
AWS EXPERT, reviewed 7 months ago
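The three checks the answer lists (route table, security group, network ACL) can be evaluated offline against the JSON the AWS CLI returns. The code below is an added example, not part of the original answer or of any AWS tool; the instance, route tables, security groups and network ACL are constructed in the shape of `describe-instances`, `describe-route-tables`, `describe-security-groups` and `describe-network-acls` output, and every ID and address in it is made up. The "bad" case reproduces two of the asker's settings: a 0.0.0.0/0 route that points at a NAT gateway (which is why outbound ping works but inbound does not) and a security group rule for port 20 instead of 22.

```python
import ipaddress

# Constructed sample data in the shape the AWS CLI / boto3 return. IDs and
# addresses are invented (RFC 5737 documentation ranges).
INSTANCE = {"InstanceId": "i-0123456789abcdef0", "PublicIpAddress": "198.51.100.25"}

ROUTE_TABLE_NAT_ONLY = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0", "State": "active"},
]}
ROUTE_TABLE_IGW = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
]}

# The rule from the question ("ssh:20") next to a correct one (22 and 80).
SG_PORT_20 = [{"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 20, "ToPort": 20, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]
SG_SSH_HTTP = [{"GroupId": "sg-0123456789abcdef1", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]

# Default network ACL: rule 100 allows everything each way, 32767 is the catch-all deny.
NACL_DEFAULT = {"Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]}

TCP = "6"  # protocol number as it appears in network ACL entries


def internet_gateway_for(route_table):
    """Return the target of the active 0.0.0.0/0 route, or None if there is none."""
    for r in route_table["Routes"]:
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active":
            return r.get("GatewayId") or r.get("NatGatewayId")
    return None


def sg_allows(security_groups, port, client_ip):
    """Security groups are stateful: one inbound rule matching the request is enough."""
    ip = ipaddress.ip_address(client_ip)
    for sg in security_groups:
        for perm in sg["IpPermissions"]:
            if perm["IpProtocol"] not in ("-1", "tcp"):
                continue
            if perm["IpProtocol"] == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
                continue
            if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                return True
    return False


def nacl_decision(acl, egress, client_ip, port):
    """Network ACLs are stateless and evaluated lowest rule number first; the first
    matching entry decides, and anything unmatched is denied."""
    ip = ipaddress.ip_address(client_ip)
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("-1", TCP):
            continue
        pr = e.get("PortRange")  # absent on protocol -1 entries
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        return e["RuleAction"]
    return "deny"


def diagnose(instance, route_table, security_groups, acl, port, client_ip="203.0.113.10"):
    """List the reasons TCP `port` on the instance cannot be reached from client_ip.
    An empty list means the VPC path is open; the next thing to check is the
    instance itself (is a service actually listening on that port?)."""
    problems = []
    if not instance.get("PublicIpAddress"):
        problems.append("instance has no public IP or Elastic IP")
    gw = internet_gateway_for(route_table)
    if gw is None:
        problems.append("subnet route table has no 0.0.0.0/0 route")
    elif not gw.startswith("igw-"):
        problems.append(f"0.0.0.0/0 routes to {gw}; a NAT gateway is outbound-only, "
                        "inbound from the internet needs an igw- target")
    if not sg_allows(security_groups, port, client_ip):
        problems.append(f"no security group rule allows tcp/{port} from {client_ip}")
    if nacl_decision(acl, False, client_ip, port) != "allow":
        problems.append(f"network ACL inbound rules do not allow tcp/{port} from {client_ip}")
    # Replies go back to an ephemeral port on the client; check both ends of the range.
    for ephemeral in (1024, 65535):
        if nacl_decision(acl, True, client_ip, ephemeral) != "allow":
            problems.append(f"network ACL outbound rules block the reply to port {ephemeral} on {client_ip}")
            break
    return problems


if __name__ == "__main__":
    for p in diagnose(INSTANCE, ROUTE_TABLE_NAT_ONLY, SG_PORT_20, NACL_DEFAULT, 22) or ["path open"]:
        print(p)
```

To run it against a real subnet, feed it the output of `aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=<subnet-id>` (if that returns nothing the subnet uses the VPC's main table, `Name=association.main,Values=true`), `aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=<subnet-id>`, and `aws ec2 describe-security-groups --group-ids <ids from the instance>`. When `diagnose` returns an empty list and the browser still gets "connection refused", the VPC is not the problem: log in over SSH and check that something is listening with `sudo ss -ltnp`.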
  • Hi, thank you for answering. I tried something else afterwards, which was to use a different computer I had access to. Two of them didn't seem to be able to connect, but on this 3rd computer I tried connecting via SSH and was able to get through successfully. Although I can connect via SSH now, the main issue I had is still related to browser access. I was testing my EC2 instances to see if outside access could get a response from EC2, as I was trying to set up a hosted zone and DNS to an outside domain I had. The route tables show the subnet the EC2 is on has a connection to the internet gateway. I tried changing the ACL inbound rule to just http:80, but that didn't work either. I tried pinging a specific IP and it does have access to the internet, as I get a response back, therefore I'm a little confused what the hiccup is here.

  • In the network ACL, allow number 80 in the inbound rule and allow all traffic in the outbound rule. Please allow number 80 in the inbound rule in the security group. Also, check if a web server such as Apache or Nginx is running on EC2.

  • Thank you so much, I was not expecting it to be because I didn't have a server installed. But this brings up a question, as 1 of the 3 accounts I tested on didn't have Apache installed: I used simple user data which enabled httpd and it worked fine with a blank page or the HTML text I included, and the public IP was accessible via the browser. So why was it that I had to manually install the Apache server before I could access the IP address and get some response from the EC2 on the other 2 accounts, even though I replicated the setup method on all 3?

  • Maybe the user data didn't work for some reason. We recommend that you check the user data execution log etc. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/user-data.html

    sudo cat /var/log/cloud-init-output.log
  • Oh, thank you. I'm still very new to this, so the AWS SSH/CLI terminal commands are still foreign to me. After doing as you suggested for the log, my script did indeed not run, as it didn't show any server installation. Good to know; for testing purposes I should manually do the installs rather than try to use a script that worked before and alter it.
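The comments above come down to two checks: is the user data something cloud-init will actually execute, and does /var/log/cloud-init-output.log show that it ran? The following is an added example, not code from the original thread or from AWS. The user-data script, the base64 helper and the two log excerpts are constructed for the example; the log lines imitate the "running 'modules:final'" and "finished at" markers cloud-init prints around the script's own output, and the "missing" excerpt is the shape the asker saw: the stages ran but nothing from the script appears in between. Two facts the example relies on: cloud-init only treats user data as a script when it starts with a `#!` line, and by default user data runs once, at first boot, so a reboot does not re-run it (launching a new instance does).

```python
import base64

MARKER = "USERDATA-OK"

# Constructed user data for Amazon Linux 2: install Apache, serve a page, and
# print a marker so the run is easy to find in /var/log/cloud-init-output.log.
# `set -x` makes bash echo each command into that log as it runs.
HTTPD_USER_DATA = f"""#!/bin/bash
set -euxo pipefail
yum install -y httpd
systemctl enable --now httpd
echo '<h1>It works</h1>' > /var/www/html/index.html
echo {MARKER}
"""

# Constructed excerpts in the style of cloud-init-output.log.
LOG_SCRIPT_RAN = f"""Cloud-init v. 19.3-46.amzn2 running 'modules:config' at Tue, 02 Jan 2024 10:00:01 +0000. Up 9.10 seconds.
Cloud-init v. 19.3-46.amzn2 running 'modules:final' at Tue, 02 Jan 2024 10:00:05 +0000. Up 12.34 seconds.
+ yum install -y httpd
Complete!
+ systemctl enable --now httpd
+ echo '<h1>It works</h1>'
+ echo {MARKER}
{MARKER}
Cloud-init v. 19.3-46.amzn2 finished at Tue, 02 Jan 2024 10:00:40 +0000. Datasource DataSourceEc2.  Up 47.02 seconds
"""
LOG_SCRIPT_MISSING = """Cloud-init v. 19.3-46.amzn2 running 'modules:config' at Tue, 02 Jan 2024 10:00:01 +0000. Up 9.10 seconds.
Cloud-init v. 19.3-46.amzn2 running 'modules:final' at Tue, 02 Jan 2024 10:00:05 +0000. Up 12.34 seconds.
Cloud-init v. 19.3-46.amzn2 finished at Tue, 02 Jan 2024 10:00:06 +0000. Datasource DataSourceEc2.  Up 13.50 seconds
"""


def validate_user_data(script):
    """Reasons cloud-init would not run this text as a shell script at first boot."""
    problems = []
    if not script.startswith("#!"):
        problems.append("no #! line: cloud-init only executes user data that starts with an interpreter line")
    if "\r" in script:
        problems.append("CRLF line endings: the interpreter path becomes '/bin/bash\\r' and the script cannot start")
    if len(script.encode()) > 16 * 1024:
        problems.append("raw user data is over the 16 KB limit")
    return problems


def encode_user_data(script):
    """The form `describe-instance-attribute --attribute userData` hands back."""
    return base64.b64encode(script.encode()).decode()


def decode_user_data_attribute(value):
    """Decode that attribute to confirm the instance received the script you meant to send."""
    return base64.b64decode(value).decode()


def inspect_cloud_init_log(log_text, marker=MARKER):
    """Did the final stage run, did our script leave its marker, and did anything error out?"""
    lines = log_text.splitlines()
    return {
        "final_stage_ran": any("running 'modules:final'" in line for line in lines),
        "finished": any(line.startswith("Cloud-init") and " finished at " in line for line in lines),
        "marker_seen": any(line.strip() == marker for line in lines),
        "errors": [line for line in lines if "error" in line.lower() or "Traceback" in line],
    }


if __name__ == "__main__":
    print(validate_user_data(HTTPD_USER_DATA) or "user data looks runnable")
    print(inspect_cloud_init_log(LOG_SCRIPT_MISSING))
```

In practice the workflow is: run `validate_user_data` on the script before launching, pull the attribute with `aws ec2 describe-instance-attribute --instance-id <id> --attribute userData` and decode it to confirm what the instance actually got, then `sudo cat /var/log/cloud-init-output.log` on the instance and look for the marker; "final_stage_ran" true with "marker_seen" false is exactly the "my script did not run" case from the thread.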
