EC2 Connectivity problem on port 443


Hello to everyone, I have two EC2 instances set up in a bastion host (public, on a public subnet) - bastion guest (private, on a private subnet) configuration, and I have a connectivity problem on the latter, specifically on port 443, that I cannot resolve by myself: I can connect to it, no worries, via the CLI, but then I cannot perform any operation because the session just hangs; it does that with any command.

This is what i had been able to ascertain:

  • the public instance is not the problem, since I can connect to it and perform any kind of operation
  • I completely opened the gates from the ACL down to the security groups on all protocols and ports, also specifically on ports 80 and 443 just to stay on the safe side, but nothing changed
  • the security group rules do not seem to conflict
  • I can SSH into the private instance through port 22 without a hitch, both from the AWS website and from any of my devices
  • I can telnet to the bastion guest via port 22, but any connection through any other port gets refused
  • the Reachability Analyzer did not find any problem inbound/outbound between the two instances or inbound to the bastion host, even when tested specifically on ports 80 and 443
  • the only operation that I can successfully perform is the creation of an IAM profile with the "aws configure" command
  • it can definitely read the config file containing the IAM profile mentioned above, since the CLI prompts me whenever I do not specify a profile name ("You can configure credentials by running "aws configure"") or I insert a dummy one ("The config profile (Admin-IAM1) could not be found")
  • the execution of the commands I type works when I insert the right profile, and the CLI tries to establish a connection on port 443 until it times out; I checked the debug printout and it all looks fine until it tries to connect

Honestly, I am out of options and I do not know what else I can do to solve the issue; if any of you would be able to give me some insight, that would be great; otherwise I fear that the only solution would be to upgrade my subscription and get someone from technical support to have a look at it.

Please let me know if you need me to upload the debug printout from the CLI and I will do so. Thank you in advance for all your support, and have a great day.

Stefano

asked a month ago, 149 views
3 Answers

Confirm that Network ACLs associated with the private subnet allow outbound traffic on port 443.

Are you using a NAT Gateway or NAT Instance for internet access?

AWS
EXPERT
Deeksha
answered a month ago
  • Hello Deekshitha, I can confirm that the Network ACL allows all traffic from all IP addresses on all protocols, both inbound and outbound, leaving the protection of the system to be handled by the security groups. No, I do not use any NAT Gateway or NAT Instance in my architecture.


AWS service endpoints are on the public internet. To connect to the internet from a private subnet over IPv4, you'll first need to create a NAT gateway with a public IP address in a public subnet in the same VPC. In the route table attached to the private subnet, change the route towards 0.0.0.0/0 to use the NAT gateway as its next hop. Then your connections will work.

There's a simple block diagram of the design in documentation: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-example-private-subnets-nat.html. You don't need the Application Load Balancer for your bastion hosts, but you do need at least one NAT gateway.

To save on costs, you should additionally create VPC endpoints of the gateway type for S3 and DynamoDB and associate them with all the route tables of your VPC. This will provide systems in your VPC with a shortcut to S3 and DynamoDB which is completely free to use. If you connect to S3 through a NAT gateway, it'll technically work, but the difference is that the NAT gateway charges you for every byte of traffic passing through it, while running it through a VPC gateway endpoint is free of charge. Note specifically to use the "gateway" type of endpoint; interface endpoints incur similar costs as NAT gateways. The diagram in the documentation also shows the "S3 gateway" symbol to the left.

EXPERT
Leo K
answered a month ago
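A worked check for the route-table point made in this answer, added here as an illustration rather than code from the thread or from AWS: it takes the JSON shape returned by `aws ec2 describe-route-tables` and reports, for a given subnet, whether its default route points at an internet gateway, a NAT gateway, a NAT instance, nothing at all, or a blackhole, and whether an S3 gateway endpoint route is present. The embedded route tables and every resource ID in them (`rtb-`, `igw-`, `nat-`, `vpce-`, `pl-`, the subnet names) are constructed sample data, not output from the asker's VPC; the "subnet-private" table with only the local route is the state the question describes, and "subnet-private-fixed" is the state this answer recommends.

```python
"""Classify a subnet's egress path from `aws ec2 describe-route-tables` JSON.

Added illustration for the thread above, not code from the thread or from AWS.
SAMPLE_DOC is constructed; every ID in it is made up.
"""
import json
import sys

# Constructed sample: a public subnet, a private subnet with no default route
# (the situation in the question) and a private subnet fixed as the answer
# suggests (default route -> NAT gateway, plus an S3 gateway endpoint route).
SAMPLE_DOC = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-0aaa",
            "Associations": [{"SubnetId": "subnet-public"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0bbb", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-0ccc",
            "Associations": [{"SubnetId": "subnet-private"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-0ddd",
            "Associations": [{"SubnetId": "subnet-private-fixed"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0eee", "State": "active"},
                {"DestinationPrefixListId": "pl-0123", "GatewayId": "vpce-0fff", "State": "active"},
            ],
        },
    ]
}


def route_table_for_subnet(doc, subnet_id):
    """Explicit association wins; otherwise the VPC's main table applies."""
    tables = doc["RouteTables"]
    for rt in tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    for rt in tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return rt
    return None


def default_route(rt):
    """Return (target_kind, target_id) for the 0.0.0.0/0 route, or ("none", None)."""
    for r in rt.get("Routes", []):
        if r.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if r.get("State") == "blackhole":
            return ("blackhole", None)  # target was deleted; the route no longer forwards
        if "NatGatewayId" in r:
            return ("nat", r["NatGatewayId"])
        if "InstanceId" in r or "NetworkInterfaceId" in r:
            return ("nat-instance", r.get("InstanceId") or r["NetworkInterfaceId"])
        if r.get("GatewayId", "").startswith("igw-"):
            return ("igw", r["GatewayId"])
        return ("other", r.get("GatewayId") or r.get("TransitGatewayId"))
    return ("none", None)


def has_s3_gateway_endpoint(rt):
    """A gateway endpoint shows up as a prefix-list route whose target is a vpce-."""
    return any(
        "DestinationPrefixListId" in r and r.get("GatewayId", "").startswith("vpce-")
        for r in rt.get("Routes", [])
    )


VERDICTS = {
    "igw": "public",
    "nat": "private-egress-via-nat",
    "nat-instance": "private-egress-via-nat-instance",
    "none": "isolated-no-internet-egress",
    "blackhole": "default-route-blackhole",
}


def diagnose(doc, subnet_id):
    rt = route_table_for_subnet(doc, subnet_id)
    if rt is None:
        return "no-route-table"
    kind, _ = default_route(rt)
    return VERDICTS.get(kind, "unknown-default-target")


if __name__ == "__main__":
    # Real use: aws ec2 describe-route-tables --output json | python3 this.py subnet-xxxx
    doc = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_DOC
    subnets = sys.argv[1:] or ["subnet-public", "subnet-private", "subnet-private-fixed"]
    for s in subnets:
        rt = route_table_for_subnet(doc, s)
        endpoint = "yes" if rt and has_s3_gateway_endpoint(rt) else "no"
        print(f"{s}: {diagnose(doc, s)} (S3 gateway endpoint route: {endpoint})")
```

An "isolated-no-internet-egress" verdict for the private subnet is consistent with what the question reports: SSH through the bastion works because that traffic stays inside the VPC and uses the local route, while anything bound for a public AWS endpoint has nowhere to go and the CLI waits until it times out.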

1. Check Security Groups and NACLs Again

Security Groups: Ensure the security group attached to the private instance allows outbound traffic on port 443 and that the bastion host's security group allows inbound traffic on port 443.

**Network ACLs:** Verify that the Network ACLs for both the public and private subnets allow both inbound and outbound traffic on port 443. Remember that NACLs are stateless, so both inbound and outbound rules need to be explicitly allowed.

2. Check Route Tables

Private Subnet Route Table: Ensure that the private subnet's route table is correctly configured to route traffic to the Internet Gateway via the NAT Gateway or the NAT instance. Without this, your private instance won’t be able to access the internet on port 443.

3. NAT Gateway/Instance Configuration

If you’re using a NAT Gateway or NAT Instance for internet access, ensure it’s properly configured and associated with the private subnet.

NAT Instance Security Group: If using a NAT instance, check its security group to ensure it allows outbound traffic on port 443.

NAT Gateway Health: If using a NAT Gateway, ensure it’s healthy and functioning correctly.

4. Check VPC Flow Logs

Enable VPC Flow Logs on your VPC or on the specific subnets. These logs can help you see whether traffic is being allowed or denied, and where the traffic is getting dropped. Check if there are any DENY entries for traffic on port 443.

5. Test Connectivity from the Private Instance

Curl/Wget Test: SSH into your private instance and use curl or wget to test connectivity to external services on port 443:

curl -v https://www.example.com
wget https://www.example.com

6. Check Instance Configuration

Instance Metadata Service (IMDS) Configuration: Ensure that the EC2 instance has access to the IMDS if IAM roles are being used for access. Incorrect IAM role attachment or metadata access issues could cause the CLI to hang when trying to access services.

Network Interface: Check the network interface of the private instance to ensure it’s attached to the correct subnet and that it’s healthy.

7. Application-Level Issues

**SSL/TLS Issues:** If the issue is specifically related to SSL/TLS connections, there might be an SSL/TLS issue or configuration problem at the application level. Consider testing with different SSL/TLS versions or ciphers.

Firewall/Anti-Virus: Ensure there’s no software firewall or anti-virus on the private instance that could be blocking outbound connections on port 443.

8. Reachability Analyzer

Although you mentioned using the Reachability Analyzer, try running it again with a focus on outbound traffic from the private instance to the internet on port 443. This can help identify any overlooked issues.

9. Proxy Settings

Check if there are any proxy settings that might be misconfigured, either on the instance itself or within the VPC.

10. Check System Logs

Review the system logs (/var/log/messages, /var/log/syslog, /var/log/awslogs.log, etc.) on the private instance for any errors or warnings related to networking or SSL/TLS connections.

11. DNS Resolution

Ensure that DNS resolution is working correctly on the private instance. Try pinging a well-known domain or using nslookup or dig to confirm DNS resolution.

12. Consider Technical Support

If the issue persists after trying all the above steps, and considering the complexity, it may be worth escalating to AWS Technical Support for more in-depth analysis.

EXPERT
answered a month ago
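As an added example for the VPC Flow Logs step in this answer (not code from the answer or from AWS), the following script parses flow log records in the default version 2 format and sorts outbound TCP flows from one instance to port 443 into three buckets: REJECT (the security group or NACL dropped the packet), ACCEPT with a matching return flow on the same interface (working), and ACCEPT with no return flow at all (the SYNs left the ENI and nothing came back, which is what a hung CLI call produces and what points past the security group and NACL toward routing and NAT). The log lines, account ID, ENI ID and addresses are constructed for the example; the instance and bastion IPs are placeholders.

```python
"""Triage outbound HTTPS flows from VPC Flow Log records (default v2 format).

Added example for the thread above, not code from the answer or from AWS.
SAMPLE_LOG is constructed; IDs and addresses are made up.
"""
import sys
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "iface src dst sport dport proto action")

# Default v2 fields: version account-id interface-id srcaddr dstaddr srcport
# dstport protocol packets bytes start end action log-status.
# Constructed records for a private instance 10.0.2.15 and a bastion 10.0.1.10:
#   - SSH from the bastion, both directions present (works, as in the question)
#   - two HTTPS attempts to a public address: 6 tiny packets out, nothing back
#     (SYN retransmits with no reply: a hang, not a refusal)
#   - an HTTP attempt REJECTed (what a security group / NACL block looks like)
#   - HTTPS to the bastion with both directions present
SAMPLE_LOG = """\
2 111122223333 eni-0ab1 10.0.1.10 10.0.2.15 51234 22 6 40 5200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0ab1 10.0.2.15 10.0.1.10 22 51234 6 38 6100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0ab1 10.0.2.15 198.51.100.10 43210 443 6 6 360 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0ab1 10.0.2.15 198.51.100.10 43211 443 6 6 360 1700000060 1700000120 ACCEPT OK
2 111122223333 eni-0ab1 10.0.2.15 198.51.100.20 43212 80 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0ab1 10.0.2.15 10.0.1.10 43213 443 6 10 900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0ab1 10.0.1.10 10.0.2.15 443 43213 6 9 4800 1700000000 1700000060 ACCEPT OK
"""


def parse_v2(text):
    """Parse default-format v2 records; skip NODATA/SKIPDATA and anything else."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[0] != "2" or f[13] != "OK":
            continue
        flows.append(Flow(f[2], f[3], f[4], int(f[5]), int(f[6]), int(f[7]), f[12]))
    return flows


def triage_egress(flows, instance_ip, dport=443):
    """Map (dst, sport) of each outbound TCP flow to dport -> verdict."""
    # 5-tuple index so the reverse direction can be looked up regardless of
    # which aggregation window the reply landed in
    seen = {(f.src, f.dst, f.sport, f.dport, f.proto) for f in flows}
    verdicts = {}
    for f in flows:
        if f.src != instance_ip or f.dport != dport or f.proto != 6:
            continue
        if f.action == "REJECT":
            verdict = "rejected-locally"      # security group or NACL
        elif (f.dst, f.src, f.dport, f.sport, f.proto) in seen:
            verdict = "ok"                    # reply flow recorded on the same ENI
        else:
            verdict = "no-return-traffic"     # left the ENI, nothing came back: check routing/NAT
        verdicts[(f.dst, f.sport)] = verdict
    return verdicts


def summarize(verdicts):
    """Count verdicts, e.g. {'no-return-traffic': 2, 'ok': 1}."""
    return dict(Counter(verdicts.values()))


if __name__ == "__main__":
    # Real use: python3 this.py flowlog.txt 10.0.2.15
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    ip = sys.argv[2] if len(sys.argv) > 2 else "10.0.2.15"
    res = triage_egress(parse_v2(text), ip)
    for (dst, sport), verdict in sorted(res.items()):
        print(f"{ip}:{sport} -> {dst}:443  {verdict}")
    print(summarize(res))
```

If your flow logs use a custom format, the field positions differ and the parser has to be adjusted to match the fields you selected; the triage logic itself only needs the 5-tuple and the action. A run dominated by "no-return-traffic" with no REJECT entries means the search for a DENY rule suggested above will come up empty, and the route table is the next thing to look at.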
