
Can't access Instance using custom network acl * security group rules

I have just moved from GCP to AWS to test out CodePipeline / CodeDeploy / and S3. I was following this documentation: "Tutorial: Create a simple pipeline (S3 bucket)" and I have encountered some issues with this step [1]. Apparently the pipeline I have created failed because it couldn't access my EC2 instance.

Taking the above information into consideration, I deleted the pipeline to start fresh and I explored the EC2 service more. To sum up, I have observed that when I configure the security group to use my IP instead of allow all, or if I try to use any custom rule, any attempt to access that instance will fail: SSH, ping, anything.

I tried to add the same rules to Network ACLs and I have also created an Internet Gateway, but nothing changed.

Key Information:

  • EC2 instance: second VM test
  • Zone: eu-west-3c
  • Security Group Name: launch-wizard-2

[1]: Step where issue was encountered

  • When you use the same security group (launch-wizard-2), but with an allow all IP addresses (for SSH port), you're able to connect to the instance?

  • Hi Joahna,

    Yes, I am able to. This is the reason why I find this behaviour strange

1 Answer

Can you set the Security Inbound rule to open to the internet, then ssh into the EC2 machine and type "who am i" on the EC2 terminal? It should give you the IP address of the ssh client. Now modify the Security Group to use that IP instead of the IP address that you get from a website like whatsmyip. I just tested it and it worked.

answered a month ago
  • Thank you for your response. It works now, but can you explain why this is the case? What is this IP? Is it a proxy of some sort in the middle? Is this IP the same for all instances, or do I need to manually find out the IP every time I create a new instance?

  • Unless you have a static IP address, the IP could change. I connect over VPN and my IP changed between yesterday and today from a.b.c.d to a.b.c.d+1, so if I had specified a.b.c.0/24 instead of a.b.c.d/32, I would be good. If I disconnect from the VPN then the IP matches what is shown on whatsmyip, which is my ISP assigned IP address, which is assigned using DHCP and also can change. So if you want to be very secure, you should get a static IP or connect from your corporate network.

    The IP that you put in the security group is the IP of the client machine from where you are connecting and will be the same for multiple EC2 machines.
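As an added illustration (not code from the answer or from AWS), the following Python script parses the client address out of `who am i` output, derives the /32 and /24 source CIDRs the answer and its follow-up describe, and checks whether a given inbound rule would admit that client on port 22. The `who am i` line and the rule lists are constructed samples; the helper names are my own.

```python
import ipaddress
import re

# Constructed sample of what `who am i` prints inside an SSH session on the
# instance. The address in parentheses is the client's public IP as the
# instance sees it (after any VPN/NAT), which is what the rule must match.
SAMPLE_WHO_AM_I = "ec2-user pts/0        2024-05-01 10:12 (203.0.113.45)\n"


def client_ip_from_who_am_i(output):
    """Extract the SSH client address from `who am i` output.

    Raises if no dotted address is present (local console session, or the
    system resolved the address to a hostname instead).
    """
    match = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", output)
    if not match:
        raise ValueError("no client IP in output; not a remote SSH session?")
    return ipaddress.ip_address(match.group(1))


def ingress_cidr(ip, prefix=32):
    """Build the source CIDR for a security-group inbound rule.

    /32 pins exactly one address; a shorter prefix such as /24 tolerates a
    VPN or ISP pool that rotates the last octet, at the cost of admitting
    every other host in that range too.
    """
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def rule_admits(cidr, ip):
    """Would an inbound rule with this source CIDR accept a packet from ip?"""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def rules_admitting(rules, ip, port=22):
    """Return the rules (dicts with 'port' and 'cidr') that let ip reach port.

    An empty result is the situation from the question: the SSH (or ping)
    attempt is silently dropped because no rule matches the real source.
    """
    return [r for r in rules if r["port"] == port and rule_admits(r["cidr"], ip)]


if __name__ == "__main__":
    seen = client_ip_from_who_am_i(SAMPLE_WHO_AM_I)
    print("client as seen by instance:", seen)
    print("pinned rule:", ingress_cidr(seen), " tolerant rule:", ingress_cidr(seen, 24))
    wrong = [{"port": 22, "cidr": "198.51.100.7/32"}]  # IP from a whatsmyip site
    print("rules admitting client:", rules_admitting(wrong, seen))
```
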
