I host my website on an Amazon Elastic Compute Cloud (Amazon EC2) instance. I want users to connect to my website on HTTP (port 80) or HTTPS (port 443).
Resolution
To allow traffic on port 80 or port 443, you must configure the associated security group and network access control list (ACL).
Configure the security group rules
For HTTP traffic, add an inbound rule on port 80 from the 0.0.0.0/0 source address.
For HTTPS traffic, add an inbound rule on port 443 from the 0.0.0.0/0 source address.
The previous inbound rules allow traffic from IPv4 addresses. To allow IPv6 traffic, add inbound rules on the same ports from the ::/0 source address.
You don't need to modify the security group's outbound rules. Security groups are stateful, so they automatically allow the return traffic from the instance.
The following example configuration has rules that allow IPv4 and IPv6 traffic on TCP ports 80 and 443.
Inbound rules
| Type | Protocol | Port range | Source |
|---|---|---|---|
| HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 |
| HTTP (80) | TCP (6) | 80 | ::/0 |
| HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 |
| HTTPS (443) | TCP (6) | 443 | ::/0 |
Note: Check whether you must allow other sources of traffic, such as SSH or Remote Desktop Protocol (RDP), to log in to the instance. Then, make sure that your security group has the inbound rules to allow the required traffic.
Configure the network ACL
The default network ACL allows all inbound and outbound IPv4 traffic. If your Amazon Virtual Private Cloud (Amazon VPC) has an associated IPv6 CIDR block, then the default network ACL automatically adds rules to allow inbound and outbound IPv6 traffic. However, if you use a custom network ACL with more restrictive rules, then you must explicitly allow traffic on port 80 and 443.
Network ACLs are stateless, so you must add both inbound and outbound rules to allow the connection to your website.
The following configuration is an example of a custom network ACL that allows traffic on TCP ports 80 and 443. A network ACL applies to all resources in its subnet, not just to a single Amazon EC2 instance. The following configuration blocks all traffic to and from resources in the subnet, except on destination ports 80 and 443.
Inbound rules
| Rule # | Type | Protocol | Port range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | ALLOW |
| 101 | HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 | ALLOW |
| 102 | HTTP (80) | TCP (6) | 80 | ::/0 | ALLOW |
| 103 | HTTPS (443) | TCP (6) | 443 | ::/0 | ALLOW |
| * | ALL Traffic | ALL | ALL | ::/0 | DENY |
| * | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
Outbound rules
| Rule # | Type | Protocol | Port range | Destination | Allow/Deny |
|---|---|---|---|---|---|
| 100 | Custom TCP Rule | TCP (6) | 1024-65535 | 0.0.0.0/0 | ALLOW |
| 101 | Custom TCP Rule | TCP (6) | 1024-65535 | ::/0 | ALLOW |
| * | ALL Traffic | ALL | ALL | ::/0 | DENY |
| * | ALL Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
Note: Check whether you must allow other sources of traffic, such as SSH or RDP, to log in to the instance. Then, make sure that your network ACL has the inbound rules to allow the required traffic.
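To see why the stateless network ACL needs the outbound ephemeral-port rules as well as the inbound rules, here is an added example (not AWS code, and a deliberately simplified model of the real evaluation) that replays a browser's request and the instance's reply through the tables above. The names `Rule`, `evaluate` and `web_flow_allowed` are this example's own.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical model of network ACL evaluation (added example, not AWS code): rules are
# checked in ascending number order, the first match wins, and the "*" catch-all denies
# the rest. The ACL is stateless, so the request and the reply are checked separately.
STAR = 32767  # the "*" rows sort after every numbered rule

@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str  # "tcp" or "all"
    ports: tuple   # inclusive (low, high) port range
    cidr: str      # source (inbound) or destination (outbound)
    action: str    # "ALLOW" or "DENY"

def matches(rule, proto, port, addr):
    net, ip = ipaddress.ip_network(rule.cidr), ipaddress.ip_address(addr)
    return (rule.protocol in ("all", proto)
            and rule.ports[0] <= port <= rule.ports[1]
            and ip.version == net.version and ip in net)

def evaluate(rules, proto, port, addr):
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, port, addr):
            return rule.action
    return "DENY"  # nothing matched: implicit deny

# Rule sets transcribed from the custom network ACL tables above.
INBOUND = [
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    Rule(101, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    Rule(102, "tcp", (80, 80), "::/0", "ALLOW"),
    Rule(103, "tcp", (443, 443), "::/0", "ALLOW"),
    Rule(STAR, "all", (0, 65535), "::/0", "DENY"),
    Rule(STAR, "all", (0, 65535), "0.0.0.0/0", "DENY"),
]
OUTBOUND = [
    Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW"),
    Rule(101, "tcp", (1024, 65535), "::/0", "ALLOW"),
    Rule(STAR, "all", (0, 65535), "::/0", "DENY"),
    Rule(STAR, "all", (0, 65535), "0.0.0.0/0", "DENY"),
]

def web_flow_allowed(client_ip, client_port, server_port, inbound=INBOUND, outbound=OUTBOUND):
    """A browser session succeeds only if both the request and the reply pass the ACL."""
    request = evaluate(inbound, "tcp", server_port, client_ip)  # client -> instance
    reply = evaluate(outbound, "tcp", client_port, client_ip)   # instance -> client
    return request == "ALLOW" and reply == "ALLOW"
```

Dropping the outbound rules 100 and 101, or a client that connects from a port below 1024, makes the reply hit the catch-all deny even though the inbound request was allowed.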
Troubleshoot a "connection refused" error
A "connection refused" error occurs when the connection routes on a port that you didn't specify in your security group or network ACL rules. For example, Host A initiates a TCP connection to Host B. First, Host A sends a TCP SYN packet to Host B. Then, Host B sends a TCP RST packet in response to Host A. If these connection requests don't occur on the specified port, then Host A receives the "connection refused" error.
To troubleshoot this issue, check that the web server service is running on the instance and listening on port 80 or 443.
Troubleshoot a "connection timeout" error
If you receive the "connection timeout" error after you explicitly allow TCP ports 80 and 443, then check your operating system (OS) firewall. Make sure that the firewall doesn't block inbound TCP traffic on the required ports.