By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

EC2 Instance ENI_SG_RULES_MISMATCH but I can not see a mismatch

0

Hi there,

I am configuring my first EC2 Instance and I run into problems. I ran the reachability analyzer and saw that it will display the error ENI_SG_RULES_MISMATCH. My instance ist not available if i test it from igw to instance. My Network ACL has two lines for outgoing and ingoing traffic that i did not touch. Rule Number 100 allows everything. Rules Number * Deny everything.

My Security Groups are the default one that allow all inbound/outbound traffic on all ports.

Why can I not reach my instance over ssh and why do i get the ENI_SG_RULES_MISMATCH error. I followed this tutorial: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance_linux

I run nmap on my laptop with nmap PUBLICIPOFINSTANCE and it says that port 22 is open and many more ports are also open. The instance is running.

Topics
Networking & Content DeliveryCompute
Tags
Amazon VPCAmazon EC2Security Group
Language
English
rePost-User-5097470
asked a year ago594 views
3 Answers
1

it worked with a security group with tighter restrictions. Idk why.

rePost-User-5097470
answered 10 months ago
0

Hi, this link shows an example on how to understand and analyze an ENI_SG_RULES_MISMATCH error: https://docs.aws.amazon.com/vpc/latest/reachability/getting-started-cli.html#view-results-cli

It may help you in the error diagnosis.

As a starting point of your diagnosis, you may change your sec groups definition by removing all denies and allow any kind of trafic of any protocol to see if your error disappear. Then you tighten up again incrementally by restricting the allowed protocols until the error message appears again.

profile pictureAWS
EXPERT
Didier_Durand
answered a year ago
  • rePost-User-5097470
    a year ago

    Hi and thanks for the answer. My security group rule allow every traffic and there is no entry that disallows traffic. My network ACL has an Entry that allows traffic and an * entry that denies traffic. I can not delete the * entry. I dont know why it is not working. the rules are already loose.

0

It pains me to say it, but changing it from all access across all ports to only 6379 worked for me also. This seems like a bug Amazon should address

xmcp
answered 8 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content