50

I've taken the following steps:

  1. Created a VPC (with a single public subnet)
  2. Added an EC2 instance to the VPC
  3. Allocated an elastic IP
  4. Associated the elastic IP with the instance
  5. Created a security group and assigned it to the instance
  6. Modified the security rules to allow inbound ICMP echo and TCP on port 22

I've done all this and I still can't ping or ssh into the instance. If I follow the same steps minus the VPC bits I am able to set this up without issue. What step am I missing?

5 Answers

81

To communicate outside of the VPC, each non-default subnet needs a routing table and an internet gateway associated to it (the default subnets get an external gateway and a routing table by default).

Depending on the way you created the public subnet in the VPC, you might need to add them explicitly. Your VPC setup sounds like it matches "Scenario 1 - a private cloud (VPC) with a single public subnet, and an Internet gateway to enable communication over the Internet" from the AWS VPC documentation.

You will need to add an internet gateway to your VPC and inside the Public subnet's routing table assign 0.0.0.0/0 (default route) to go to the assigned internet gateway. There is a nice illustration of the exact network topology inside the documentation.

Also, for more information, you can check the VPC Internet Gateway AWS documentation. Unfortunately it's a little messy and a non-obvious gotcha.

For more details about connection issues, see also: Troubleshooting Connecting to Your Instance.

kenorb
  • 7,125
zorlem
  • 1,091
6

Not sure if this is exactly the case, but I just created a VPC with public and private subnets and noticed that there is a default security group that has the source address set to the same security group name. Effectively it has no access. I had to change this source to Anywhere and it started working.

dil
  • 61
  • 1
  • 1
4

I've noticed that (I think) you need to be careful about which availability zone your instance is created in. The subnet, network interface and instance need to be in the same availability zone, otherwise there is no way to connect to a public IP for that instance.

I may be wrong, but I don't think so; this cost me 12 hours of work to figure out.

Hope this helps someone else.

malsmith
  • 141
2

You should allocate an ENI and assign the Elastic IP to this ENI. Also, you should assign this ENI to your VPC. The route table must be correct too, to correctly forward the outside packets to your VPC.

0

Since SSH is a stateful protocol, you need to make sure that you have the following OUTBOUND rule in your network ACL:

Rule #  Type            Protocol        Port Range      Destination     Allow / Deny
100     Custom TCP Rule TCP (6)         49152-65535     0.0.0.0/0       ALLOW
womble
  • 98,245
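The answers above name three independent places a VPC instance can become unreachable: no default route to an attached internet gateway, a security group whose only source is the group itself, and a stateless network ACL with no outbound allow for the reply ports. The following is an added example, not code from the question or any answer: a small offline audit that evaluates all three against dictionaries in the shape of `aws ec2 describe-route-tables`, `describe-internet-gateways`, `describe-security-groups` and `describe-network-acls` output (the same shape boto3's `describe_*` calls return). All IDs, CIDRs and rule data are constructed for the example; the function names are the example's own.

```python
"""Added example: pre-flight audit of why SSH to a VPC instance fails.
Not code from the question or answers. Runs offline against constructed
dictionaries shaped like `aws ec2 describe-*` / boto3 describe_* output."""
import ipaddress

# --- constructed sample (all IDs are made up) --------------------------------
VPC_ID, SUBNET_ID = "vpc-0example", "subnet-0public"

INTERNET_GATEWAYS = {"InternetGateways": [{
    "InternetGatewayId": "igw-0example",
    "Attachments": [{"VpcId": VPC_ID, "State": "available"}]}]}

ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0main", "VpcId": VPC_ID,      # implicit table for unassociated subnets
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-0public", "VpcId": VPC_ID,    # explicitly associated with the subnet
     "Associations": [{"Main": False, "SubnetId": SUBNET_ID}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]}]}

SECURITY_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0default", "VpcId": VPC_ID,         # VPC default SG: source is the group itself
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}]},
    {"GroupId": "sg-0ssh", "VpcId": VPC_ID,             # SSH from an admin CIDR, not from 0.0.0.0/0
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]}]}

NETWORK_ACLS = {"NetworkAcls": [{
    "NetworkAclId": "acl-0custom", "VpcId": VPC_ID, "Associations": [{"SubnetId": SUBNET_ID}],
    "Entries": [  # inbound 22 allowed, but no outbound allow for the reply (ephemeral) ports
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"}]}]}


def route_table_for_subnet(subnet_id, vpc_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(rt, igws):
    """True if the table has an active 0.0.0.0/0 route to an IGW attached to the same VPC."""
    attached = {g["InternetGatewayId"] for g in igws["InternetGateways"]
                if any(a["VpcId"] == rt["VpcId"] and a["State"] == "available" for a in g["Attachments"])}
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State") == "active"
               and r.get("GatewayId") in attached for r in rt["Routes"])


def sg_allows_tcp_from(sg, port, src_ip):
    """True if an ingress rule admits TCP `port` from `src_ip` by CIDR. Rules whose only
    source is another security group match members of that group, never an outside client."""
    ip = ipaddress.ip_address(src_ip)
    for perm in sg["IpPermissions"]:
        proto = perm["IpProtocol"]
        if proto not in ("-1", "tcp"):
            continue
        if proto == "tcp" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_for_subnet(subnet_id, nacls):
    return next((a for a in nacls["NetworkAcls"]
                 if any(x.get("SubnetId") == subnet_id for x in a["Associations"])), None)


def nacl_verdict(acl, egress, protocol, port, peer_ip):
    """Network ACLs are stateless: entries are evaluated in ascending rule-number order,
    the first match wins, and the implicit default is deny."""
    ip = ipaddress.ip_address(peer_ip)
    for e in sorted((e for e in acl["Entries"] if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        if ip in ipaddress.ip_network(e["CidrBlock"]):
            return e["RuleAction"]
    return "deny"


def audit_ssh_reachability(subnet_id, vpc_id, instance_sg_ids, client_ip, route_tables=ROUTE_TABLES,
                           igws=INTERNET_GATEWAYS, security_groups=SECURITY_GROUPS, nacls=NETWORK_ACLS):
    """Return a list of 'tag: reason' findings; an empty list means every layer lets SSH through."""
    findings = []
    rt = route_table_for_subnet(subnet_id, vpc_id, route_tables)
    if rt is None or not has_igw_default_route(rt, igws):
        findings.append("route: no active 0.0.0.0/0 route to an internet gateway attached to the VPC")
    sgs = [g for g in security_groups["SecurityGroups"] if g["GroupId"] in instance_sg_ids]
    if not any(sg_allows_tcp_from(g, 22, client_ip) for g in sgs):
        findings.append("security-group: no ingress rule admits TCP/22 from %s by CIDR" % client_ip)
    acl = nacl_for_subnet(subnet_id, nacls)
    if acl is not None:
        if nacl_verdict(acl, False, "6", 22, client_ip) != "allow":
            findings.append("nacl-ingress: inbound TCP/22 from %s is denied" % client_ip)
        # Replies go back to the client's ephemeral port. Linux clients pick from 32768-60999 by
        # default, so a rule starting at 49152 still drops many replies; test both ends of 32768-65535.
        if any(nacl_verdict(acl, True, "6", p, client_ip) != "allow" for p in (32768, 65535)):
            findings.append("nacl-egress: outbound TCP to ephemeral ports is denied, so SSH replies never leave")
    return findings


if __name__ == "__main__":
    for sg in (["sg-0default"], ["sg-0ssh"]):
        print(sg, audit_ssh_reachability(SUBNET_ID, VPC_ID, sg, "203.0.113.10") or "reachable")
```

With real data the four constants are replaced by the dictionaries `boto3.client("ec2").describe_route_tables()` and its siblings return; the evaluation logic does not change. The subnet's network ACL is checked with a representative Linux ephemeral port as well as the top of the range, which is what catches the gotcha in the last answer: an outbound rule for 49152-65535 alone is not enough for Linux clients.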