By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

EC2 instance can’t access the internet

0

Apparently, my EC2 instance can’t access the internet properly. Here is what happens when I try to install a Python module:
[ec2-user@ip-172-31-90-31 ~]$ pip3 install flask
Defaulting to user installation because normal site-packages is not writeable
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7fab198cbe10>: Failed to establish a new connection: [Errno 101] Network is unreachable')': /simple/flask/ etc.

Besides, inbound ping requests to instances the Elastic IP fail (Request Timed Out).

However, the website that is hosted on the same EC2 instance can be accessed using both http and https.

The security group is configured as follows: the inbound rules are

Port rangeProtocolSource
80TCP0.0.0.0/0
22TCP0.0.0.0/0
80TCP::/0
22TCP::/0
443TCP0.0.0.0/0
443TCP::/0

the outbound rules are

IP VersionTypeProtocolPort rangeSource
IPv4All trafficAllAll0.0.0.0/0

The ACL inbound rules are:

TypeProtocolPort rangeSourceAllow/Deny
HTTP (80)TCP (6)800.0.0.0/0Allow
SSH (22)TCP (6)220.0.0.0/0Allow
HTTPS (443)TCP (6)4430.0.0.0/0Allow
All ICMP - IPv4ICMP (1)All0.0.0.0/0Allow
All traficAllAll0.0.0.0/0Deny

and the outbound rules are:

TypeProtocolPort rangeSourceAllow/Deny
Custom TCPTCP (6)1024 - 655350.0.0.0/0Allow
HTTP (80)TCP (6)800.0.0.0/0Allow
SSH (22)TCP (6)220.0.0.0/0Allow
HTTPS (443)TCP (6)4430.0.0.0/0Allow
All ICMP - IPv4ICMP (1)All0.0.0.0/0Allow
All traficAllAll0.0.0.0/0Deny

This is what the route table associated with the subnet looks like:

DestinationTargetStatusPropagated
172.31.0.0/16localActiveNo
0.0.0.0/0igw-09b554e4da387238cActiveNo

(no explicit or edge associations).

As for the firewall, executing sudo iptables –L results in

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and sudo iptables -L -t nat gives

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

What am I missing here? Any suggestions or ideas on this would be greatly appreciated.

Thanks

Topics
Developer ToolsComputeNetworking & Content DeliveryAWS Well-Architected Framework
Tags
Developer ToolsAmazon EC2Networking & Content DeliveryElastic Load BalancingSecurity
Language
English
AWS-User-9646998
asked 2 years ago1356 views
2 Answers
1

Ping uses ICMP; not TCP or UDP. You will need to add to allow ICMP traffic in both directions in your NACLs and ICMP from CIDRs you approve in your security group. ICMP doesn't specify ports.

profile pictureAWS
CameronTod-aws
answered 2 years ago
  • AWS-User-9646998
    2 years ago

    Hi Cameron, I've allowed ICMP traffic, and now outbound pings work fine. There are (at least) two problems though: inbound ping requests fail (the message is Request Timed Out) and, more importantly, functionality like installing Python modules is unavailable (please see the details I added at the beginning of the question). If you could advise me on this, I'd be most grateful. Thank you.

0

Where you say "The security group is configured as follows", that's your ingress rules I guess? What are your egress rules?

EXPERT
skinsman
answered 2 years ago
  • AWS-User-9646998
    2 years ago

    Thank you for your question, skinsman. I've just added the SG outbound rules to my original text.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content