Unable to ping EC2 instance from local and remote both


My EC2 instance is running Win2019 OS. There is a Security Group inbound rule allowing IPv4 all protocols on all ports from all sources. There is a NetworkID inbound rule #100 allowing IPv4 all protocols on all ports from all sources. I have the same public IPv4 address and elastic IPv4 address X.XXX.XX.XXX. I ran 4 tests as listed below:

Test#1) I can ping from localhost CMD prompt typing "ping ec2-X-XXX-XX-XXX.us-east-2.compute.amazonaws.com".
Test#2) I cannot ping from localhost CMD prompt typing "ping X.XXX.XX.XXX". Getting error "request timed out".
Test#3) I cannot ping from remote host CMD prompt typing "ping ec2-X-XXX-XX-XXX.us-east-2.compute.amazonaws.com". Getting error "request timed out".
Test#4) I cannot ping from remote host CMD prompt typing "ping X.XXX.XX.XXX". Getting error "request timed out".

Please help. Thank you.

asked 2 years ago, 1202 views
2 Answers

When you say "NetworkID inbound rule #100", are you talking about the Network ACL for the instance's subnet?

If so, note that Network ACLs are "stateless". Unlike security groups, they don't keep track of incoming requests, then automatically allow the response traffic back out to the client. You need to add an egress rule to your Network ACL to allow the "echo reply" (ICMP type 0) to go back to the client.

For Test #2, is "X.XXX.XX.XXX" a private IP address (within the instance's subnet CIDR), or a public IP address?

answered 2 years ago
  • I already have a Security Group outbound rule allowing all protocols on all ports to all destinations. I also have a Network ACL outbound rule #100 allowing all protocols on all ports to all destinations. X.XXX.XX.XXX is a public IPv4 address, the same as the elastic IPv4 address.

  • All 4 tests are working now. I did not make any incremental changes, and it appears my changes to SecurityGroup and Network ACL took effect with a significant lag (3+hrs).
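The stateless-NACL point in the answer above can be checked mechanically rather than by eye. The script below is an added example, not code from the post or from AWS; it assumes the AWS.Tools.EC2 module (AWS Tools for PowerShell) is installed with credentials that can describe and modify network ACLs, and `$SubnetId` and rule number 90 are placeholders. It looks up the NACL associated with the instance's subnet, walks the IPv4 entries in rule-number order the way the NACL does (first match wins, implicit deny at the end), and confirms that both halves of a ping are allowed: the echo request (ICMP type 8) inbound and the echo reply (ICMP type 0) outbound. If either is missing it adds a narrowly scoped ICMP allow entry.

```powershell
# Added example (not from the post). Requires the AWS.Tools.EC2 module and
# credentials with ec2:DescribeNetworkAcls and ec2:CreateNetworkAclEntry.
# $SubnetId and the rule number 90 are placeholders; replace them for your VPC.
Import-Module AWS.Tools.EC2

$SubnetId = 'subnet-0123456789abcdef0'   # placeholder: the instance's subnet

# Does a single NACL entry cover the given ICMP type?
# Protocol "-1" = all traffic, "1" = ICMP; IcmpTypeCode.Type -1 = all ICMP types.
function Test-EntryCoversIcmp {
    param([Amazon.EC2.Model.NetworkAclEntry]$Entry, [int]$IcmpType)
    if ($Entry.Protocol -eq '-1') { return $true }
    if ($Entry.Protocol -ne '1')  { return $false }
    if ($null -eq $Entry.IcmpTypeCode) { return $true }
    return ($Entry.IcmpTypeCode.Type -eq -1 -or $Entry.IcmpTypeCode.Type -eq $IcmpType)
}

# Walk the IPv4 entries for one direction in rule-number order. A NACL applies
# the first matching rule and falls through to the implicit "*" deny.
# Only 0.0.0.0/0 entries are inspected here; entries scoped to a narrower CIDR
# are skipped, so review those by hand if the result looks wrong.
function Test-NaclAllowsIcmp {
    param([Amazon.EC2.Model.NetworkAcl]$Acl, [bool]$Egress, [int]$IcmpType)
    $entries = $Acl.Entries |
        Where-Object { $_.Egress -eq $Egress -and $_.CidrBlock -eq '0.0.0.0/0' } |
        Sort-Object RuleNumber
    foreach ($e in $entries) {
        if (Test-EntryCoversIcmp -Entry $e -IcmpType $IcmpType) {
            return ($e.RuleAction -eq 'allow')   # first match decides
        }
    }
    return $false                                 # implicit deny
}

$acl = Get-EC2NetworkAcl -Filter @{ Name = 'association.subnet-id'; Values = $SubnetId }

# Ping needs both halves because the NACL keeps no connection state:
#   inbound  : echo request, ICMP type 8
#   outbound : echo reply,   ICMP type 0
$checks = @(
    @{ Egress = $false; Type = 8; Label = 'inbound echo request' },
    @{ Egress = $true;  Type = 0; Label = 'outbound echo reply'  }
)
foreach ($c in $checks) {
    $ok = Test-NaclAllowsIcmp -Acl $acl -Egress $c.Egress -IcmpType $c.Type
    '{0,-22} {1}' -f $c.Label, $(if ($ok) { 'allowed' } else { 'MISSING' })
    if (-not $ok) {
        # Rule number 90 is assumed unused and sits below any deny that would
        # otherwise match first. Code -1 means "any code" for this type.
        New-EC2NetworkAclEntry -NetworkAclId $acl.NetworkAclId `
            -RuleNumber 90 -Protocol '1' -RuleAction allow -Egress $c.Egress `
            -CidrBlock '0.0.0.0/0' -IcmpTypeCode_Type $c.Type -IcmpTypeCode_Code -1
    }
}
```

In the asker's case both checks report "allowed" because rule #100 in each direction is an all-traffic allow, which is consistent with the asker's follow-up that the NACL was not the blocker. The script is still useful when the NACL has been tightened: an inbound-only ICMP allow is the classic way a stateless ACL breaks ping.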


Hi,

The issue seems to be due to Windows Firewall. Changing the Windows Defender Firewall Properties to allow All Inbound connections for the Domain, Private and Public profiles ensured an ICMP response. The default setting is Block (default). Changing to this setting is a quick test but would not be recommended on a production setup. I'm not a Windows expert to assist with nailing down the exact settings or rule in the firewall.

The other thing I'm assuming is when you say you have allowed All inbound/outbound in Security group, the Type in the rule is 'All Traffic' and not 'All TCP'

Also, if you noticed, pinging "ec2-X-XXX-XX-XXX.us-east-2.compute.amazonaws.com" from localhost would resolve to Private IP and hence you got a response. The other three ping command were resolving to Public IP which was timing out.

--Syd

Syd
answered 2 years ago
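The answer above correctly notes that setting all three profiles to allow all inbound traffic is only a diagnostic step. The script below is an added example, not code from the post or from Microsoft, showing the production-safe version of the same fix on the Windows Server 2019 instance: it reports which profile the EC2 network interface is actually on and that profile's default inbound action, lists the enabled inbound rules that already match ICMPv4, reverts the all-inbound test setting, and then opens only ICMPv4 echo request (type 8) from a specific source range. `203.0.113.0/24` (a documentation range) and the rule display name are placeholders; replace them with the range you ping from. Run it in an elevated PowerShell session on the instance, for example over RDP or Session Manager.

```powershell
# Added example (not from the post). Run elevated on the Windows Server 2019
# instance. $PingSource is a placeholder: set it to the range you ping from.
$PingSource = '203.0.113.0/24'
$RuleName   = 'Allow ICMPv4 Echo Request from ops range'

# 1. Which profile is the EC2 NIC on, and what is each profile's default
#    inbound action? Instances that are not domain-joined usually land on
#    Public, so a rule bound to Domain or Private would never apply.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction

# 2. Which enabled inbound rules already match ICMPv4? The built-in
#    "File and Printer Sharing (Echo Request - ICMPv4-In)" rules show up here
#    only if they are enabled for some profile; if nothing is listed for the
#    active profile, the default Block action is what times out the ping.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).Protocol -eq 'ICMPv4' } |
    Select-Object DisplayName, Profile, Action

# 3. Undo the "allow all inbound" quick test, if it was applied, so every
#    profile is back to block-by-default.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 4. Allow only what ping needs: ICMPv4 echo request (type 8), from the known
#    source range, on the profile found in step 1 (Public assumed here).
#    Echo replies are matched as part of the inbound request's flow, so no
#    separate outbound rule is needed on the host.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $PingSource -Profile Public -Action Allow

# 5. Confirm the rule landed with the intended scope before testing from the
#    remote host.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

If ping must work from arbitrary Internet sources, widen `-RemoteAddress` to `Any`, but keep the rule limited to ICMPv4 type 8 rather than reopening the profile's default inbound action; the Security Group and NACL can then be narrowed from "All Traffic" to ICMP echo request as well, so that the only path through all three layers is the one the test actually needs.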
