EC2 created by CloudFormation cannot be accessed via port 22

0

I had a strange issue. Within the same VPC, same subnet, and same security group, if I create an EC2 instance with CloudFormation, I cannot access the instance via port 22 from the internet, but when it is created by hand in the management console, the EC2 instance can be accessed via port 22 from the internet.

Internet gateway, route table, network ACL, and inbound rule are all set up well.

Here is the configuration; I don't know what's wrong with it:

Resources:
  WebServerInstance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !FindInMap 
        - AWSRegionArch2AMI
        - !Ref 'AWS::Region'
        - !FindInMap 
          - AWSInstanceType2Arch
          - !Ref InstanceType
          - Arch
      InstanceType: !Ref InstanceType
      NetworkInterfaces: 
      - AssociatePublicIpAddress: "true"
        DeviceIndex: "0"
        GroupSet: 
          - sg-016102e48c9c5d87a
        SubnetId: subnet-0bd9f4938efe103ae
      UserData:
        ...

Network ACL:

# inbound
Rule number	Type	Protocol	Port range	Source	Allow/Deny
100	All traffic	All	All	0.0.0.0/0	Allow
*	All traffic	All	All	0.0.0.0/0	Deny

# outbound
Rule number	Type	Protocol	Port range	Destination	Allow/Deny
100	All traffic	All	All	0.0.0.0/0	Allow
*	All traffic	All	All	0.0.0.0/0	Deny

Route table:

Destination	Target	Status	Propagated
0.0.0.0/0	igw-0b07204024ee2bbba	Active	No
10.0.0.0/16	local	Active	No

Security group:

# inbound
Rule ID	IP version	Type	Protocol	Port range	Source	Description
sgr-0636ee1627eda8469	IPv4	HTTP	TCP	80	0.0.0.0/0	–
sgr-051f1753b5437d9a9	IPv4	SSH	TCP	22	0.0.0.0/0	–
sgr-0f3a871d7ff1861fc	IPv4	HTTPS	TCP	443	0.0.0.0/0	–

# outbound
Rule ID	IP version	Type	Protocol	Port range	Destination	Description
sgr-0470caa332d46e96c	IPv4	All traffic	All	All	0.0.0.0/0	–
asked a year ago, 259 views
3 Answers
1
Accepted Answer

Can you check that you have met all the prerequisites for EC2 Instance Connect? AMI? Region? Instance Connect installed?

kentrad (AWS, EXPERT)
answered a year ago
  • This is really helpful. EC2 Instance Connect is not preinstalled on my originally selected AMI. After updating to the latest AMI, SSH works well. Thanks, Kentrad

  • Confused - how come you got it to work for the EC2 that you created in the Console? Did you use a different AMI for that?

  • When I created the EC2 instance from the console, I selected the default AMI, which is the latest AMI. But my CloudFormation template used an old AMI that has no EC2 Instance Connect pre-installed.
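The thread ends with a checklist in prose: public IP, route to an internet gateway, security group, network ACL, and an AMI that actually ships EC2 Instance Connect. The following is an added example, not code from the question or the answers, that encodes those checks as a small offline diagnostic over constructed data mirroring the tables in the question. The `INSTANCE` facts (a sample public IP and an `eic_installed` flag for whether the AMI carries the ec2-instance-connect package) are assumptions, and the client CIDR defaults to 0.0.0.0/0 so the caller can substitute the regional EC2_INSTANCE_CONNECT range when checking a console-initiated session.

```python
from ipaddress import ip_network

# Constructed sample mirroring the question's tables and the thread's outcome
# (not real AWS API output). SG rules: (protocol, from_port, to_port, cidr);
# NACL rules: (rule_number, protocol, from_port, to_port, cidr, action).
# Protocol "-1" is "All"; the console's "*" row is the implicit final deny.
SG_INBOUND = [("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 22, 22, "0.0.0.0/0"),
              ("tcp", 443, 443, "0.0.0.0/0")]
NACL_INBOUND = [(100, "-1", 0, 65535, "0.0.0.0/0", "allow")]
NACL_OUTBOUND = [(100, "-1", 0, 65535, "0.0.0.0/0", "allow")]
ROUTES = [("0.0.0.0/0", "igw-0b07204024ee2bbba"), ("10.0.0.0/16", "local")]
# Hypothetical instance facts; eic_installed stands for whether the AMI ships
# the ec2-instance-connect package, which was the root cause in the thread.
INSTANCE = {"public_ip": "203.0.113.10", "eic_installed": False}

def sg_allows(rules, port, client_cidr):
    """Security groups are stateful: one matching allow rule is enough."""
    client = ip_network(client_cidr)
    return any(proto in ("tcp", "-1") and lo <= port <= hi
               and client.subnet_of(ip_network(cidr))
               for proto, lo, hi, cidr in rules)

def nacl_allows(rules, port, client_cidr):
    """NACLs are stateless and ordered: the lowest-numbered match decides,
    anything unmatched falls through to the implicit '*' deny."""
    client = ip_network(client_cidr)
    for _n, proto, lo, hi, cidr, action in sorted(rules):
        if proto in ("-1", "6") and lo <= port <= hi and client.subnet_of(ip_network(cidr)):
            return action == "allow"
    return False

def diagnose(sg_in, nacl_in, nacl_out, routes, instance, client_cidr="0.0.0.0/0"):
    """List the prerequisites that fail for SSH on 22 from client_cidr; for
    console Instance Connect that is the regional EC2_INSTANCE_CONNECT range."""
    problems = []
    if not instance.get("public_ip"):
        problems.append("instance has no public IP")
    if not any(d == "0.0.0.0/0" and t.startswith("igw-") for d, t in routes):
        problems.append("subnet route table has no 0.0.0.0/0 route to an internet gateway")
    if not sg_allows(sg_in, 22, client_cidr):
        problems.append("security group does not allow TCP 22 from the client")
    if not nacl_allows(nacl_in, 22, client_cidr):
        problems.append("network ACL does not allow inbound TCP 22")
    # Replies go back to the client's ephemeral port; stateless NACLs need an
    # explicit outbound allow for 1024-65535, stateful SGs do not.
    if not all(nacl_allows(nacl_out, p, client_cidr) for p in (1024, 65535)):
        problems.append("network ACL does not allow outbound ephemeral ports")
    if not instance.get("eic_installed"):
        problems.append("AMI lacks EC2 Instance Connect: use a newer AMI or install the package")
    return problems
```

Run against the question's configuration, the only finding is the missing Instance Connect package, which is exactly what the accepted answer and the follow-up comment concluded.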

0

Hello.
There is no key pair set up for this template, are you doing SSH without a key pair?
https://docs.aws.amazon.com/ja_jp/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-instance.html#cfn-ec2-instance-keyname

Also, would it be possible for you to share what errors you are seeing when you do SSH?
In the case of a timeout error, I would need to check the subnet's network ACL settings, security group settings, etc.

EXPERT
answered a year ago
  • Yes, I am proceeding without a key pair as this is only a trial and the stack will be removed after the test. I am utilizing EC2 Instance Connect from the AWS management console, but encountering an error that states: "Failed to connect to your instance. Error establishing SSH connection to your instance. Please try again later."

0

Hi

It's very hard to give a good answer with only this short information. But my best guess is that the specified SG sg-016102e48c9c5d87a doesn't allow incoming traffic on port 22. Another guess is that subnet-0bd9f4938efe103ae is not routed to an Internet Gateway.

EXPERT
answered a year ago
  • I added the route table, ACL, and security group configurations to the post, please check it.
