By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

EC2 Instance ENI_SG_RULES_MISMATCH but I can not see a mismatch

0

Hi there,

I am configuring my first EC2 Instance and I run into problems. I ran the reachability analyzer and saw that it will display the error ENI_SG_RULES_MISMATCH. My instance ist not available if i test it from igw to instance. My Network ACL has two lines for outgoing and ingoing traffic that i did not touch. Rule Number 100 allows everything. Rules Number * Deny everything.

My Security Groups are the default one that allow all inbound/outbound traffic on all ports.

Why can I not reach my instance over ssh and why do i get the ENI_SG_RULES_MISMATCH error. I followed this tutorial: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance_linux

I run nmap on my laptop with nmap PUBLICIPOFINSTANCE and it says that port 22 is open and many more ports are also open. The instance is running.

Topics
Networking & Content DeliveryCompute
Tags
Amazon VPCAmazon EC2Security Group
Language
English
rePost-User-5097470
asked 2 years ago1.1K views
4 Answers
2

it worked with a security group with tighter restrictions. Idk why.

rePost-User-5097470
answered 2 years ago
  • jsoneaday
    8 months ago

    Can you please share your complete settings for your sg

1

It pains me to say it, but changing it from all access across all ports to only 6379 worked for me also. This seems like a bug Amazon should address

xmcp
answered 2 years ago
  • jsoneaday
    8 months ago

    I'm having this issue on fargate. You're referring to the sg right. What type and protocol did you use? Could you provide the entire set of values please

1

it sounds to me like this is working as expected: traffic is blocked by default until you add an explicit rule to allow that traffic.

AWS
randy_weinstein
answered 8 months ago
0

Hi, this link shows an example on how to understand and analyze an ENI_SG_RULES_MISMATCH error: https://docs.aws.amazon.com/vpc/latest/reachability/getting-started-cli.html#view-results-cli

It may help you in the error diagnosis.

As a starting point of your diagnosis, you may change your sec groups definition by removing all denies and allow any kind of trafic of any protocol to see if your error disappear. Then you tighten up again incrementally by restricting the allowed protocols until the error message appears again.

profile pictureAWS
EXPERT
Didier_Durand
answered 2 years ago
  • rePost-User-5097470
    2 years ago

    Hi and thanks for the answer. My security group rule allow every traffic and there is no entry that disallows traffic. My network ACL has an Entry that allows traffic and an * entry that denies traffic. I can not delete the * entry. I dont know why it is not working. the rules are already loose.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content