Does your network ACL have all outbound ports open or at least the ephemeral ports 1024-65535? NACLs, unlike Security Groups, are stateless.
A few things you can check to make sure you have the correct networking logic running.
- Check your subnet route table to see if you have 0.0.0.0/0 with the target (next hop) pointing to the IGW (Internet Gateway). You have to create one if you don't have an IGW.
- Check that the route table containing the 0.0.0.0/0 route is associated with your subnet. This will make sure your instance can return traffic to the internet.
- You can check whether you can access the internet by pinging (the default should allow any outbound traffic) any host that is accessible from the internet.
The above steps help you verify the outbound (return) traffic for the request/response. Then you can further check your inbound access control (NACL, SG, firewall, etc.).
One thing to keep in mind: if your subnet is private and uses a NAT gateway to access the internet, then your EC2 instance cannot publish the "public IP" even if you associated one with it. You have to use a public subnet with an IGW.
If you are new to AWS networking, there is a workshop you can take a look at and play around with to get more experience. https://networking.workshop.aws/
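The route-table and NACL checks from the two answers above, as an added example that is not part of any re:Post answer: an offline checker that takes dicts in the shape of the EC2 DescribeRouteTables / DescribeNetworkAcls responses (so real output from boto3 could be fed in), and emulates the NACL's ordered, first-match, default-deny egress evaluation over the whole ephemeral range. All ids and rules in the sample data are constructed placeholders.

```python
EPHEMERAL = (1024, 65535)  # return traffic arrives on these; NACLs are stateless


def route_table_has_igw_default(rt):
    """True if 0.0.0.0/0 routes to an Internet Gateway (target id 'igw-...')."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])


def nacl_allows_tcp_egress(nacl, lo=EPHEMERAL[0], hi=EPHEMERAL[1]):
    """Emulate NACL egress evaluation for TCP to any internet host on ports lo..hi:
    rules are tried in ascending RuleNumber, first match wins, default deny.
    Only 0.0.0.0/0 rules are considered because the destination is arbitrary.
    True only if every port in the range hits an allow rule first."""
    pending = [(lo, hi)]  # port intervals no rule has decided yet
    for e in sorted((e for e in nacl["Entries"] if e["Egress"]), key=lambda e: e["RuleNumber"]):
        if e.get("CidrBlock") != "0.0.0.0/0" or e["Protocol"] not in ("-1", "6"):
            continue  # cannot match outbound TCP to an arbitrary internet host
        rl, rh = (0, 65535) if e["Protocol"] == "-1" else (e["PortRange"]["From"], e["PortRange"]["To"])
        remaining = []
        for a, b in pending:
            ia, ib = max(a, rl), min(b, rh)
            if ia > ib:
                remaining.append((a, b))
                continue
            if e["RuleAction"] == "deny":
                return False  # a deny is the first match for some port in range
            remaining += [(a, ia - 1)] * (a < ia) + [(ib + 1, b)] * (ib < b)  # undecided leftovers
        pending = remaining
        if not pending:
            return True
    return False


def check_public_subnet(subnet_id, route_tables, nacl):
    """Pass/fail findings for the checks in the answers above."""
    rt = next((t for t in route_tables
               if any(a.get("SubnetId") == subnet_id for a in t["Associations"])), None)
    return {"route_table_associated": rt is not None,
            "default_route_to_igw": rt is not None and route_table_has_igw_default(rt),
            "nacl_egress_ephemeral": nacl_allows_tcp_egress(nacl)}


# Constructed sample data with placeholder ids (same shape as the EC2 API output)
RT_OK = {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}],
         "Associations": [{"SubnetId": "subnet-EXAMPLE"}]}
DENY_ALL = {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
            "CidrBlock": "0.0.0.0/0"}  # the default rule as the API reports it
NACL_OK = {"Entries": [{"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
                        "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}}, DENY_ALL]}
NACL_BAD = {"Entries": [{"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
                         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}}, DENY_ALL]}
```

`check_public_subnet("subnet-EXAMPLE", [RT_OK], NACL_BAD)` reports the NACL failure: outbound 443 is open but the ephemeral return ports hit the deny rule first, which is exactly the stateless-NACL symptom the first answer asks about.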
Here is an example that creates a publicly reachable EC2 instance. You can set this up and then:
- Verify you can reach it. If you cannot, then there is likely something outside of AWS that is blocking you
- If you can reach it, then compare it to your own configuration to spot the problem