
Why can't my Amazon EC2 instance access the internet through an internet gateway?


My Amazon Elastic Compute Cloud (Amazon EC2) instance in a public subnet has a public IP address or an internet gateway, but it can't access the internet.

Resolution

Prerequisites:

  • Associate with your instance's subnet a route table that has a default route (0.0.0.0/0) to an internet gateway.
  • Check that you didn't delete the internet gateway that's associated with the route.
  • Configure the security group that's attached to your instance's elastic network interface with rules that allow outbound internet traffic (0.0.0.0/0) for your ports and protocols.
  • Confirm that the network access control list (ACL) that's associated with your instance's subnet has rules that allow both outbound and inbound traffic to the internet.

If the instance that's in a public subnet doesn't have a public IP address, then the instance isn't accessible outside its virtual private cloud (VPC). This is true even if the instance has an internet gateway.

To allow the instance to connect to the internet, allocate an Elastic IP address, and then associate the Elastic IP address with the instance.

For instances that have a public IP address, check whether there's a firewall rule that blocks internet access, and then remove the rule. Or, deactivate the firewall.

Remove the firewall rule that blocks access

A local firewall that runs in the operating system (OS) might block outbound access to specific ports or IP addresses. To resolve this issue, list your firewall rules and then delete the ones that block access.

Note: Before you delete any rules, back up the rules to a file.

Linux distributions

To list the firewall rules, run one of the following commands, based on the firewall that you configured on your instance:

Uncomplicated firewall

sudo ufw status numbered

firewalld

sudo firewall-cmd --list-all-zones

iptables

sudo iptables -L --line-numbers

To delete a firewall rule, run one of the following commands based on the firewall that you configured on your instance.

Uncomplicated firewall

sudo ufw delete rule_number

Note: Replace rule_number with the firewall rule that you want to delete.

firewalld

sudo firewall-cmd --zone=zone --remove-rich-rule=rule --permanent
sudo firewall-cmd --reload

Note: After you remove --permanent rules, reload the firewall so that the change also takes effect in the runtime configuration.

iptables

sudo iptables-save > iptables_backup.txt
sudo iptables -D chain rule_number
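Before you delete anything by rule number, it helps to know which OUTPUT rules actually block traffic and what the chain's default policy is. The following script is an added example, not part of this article: it reads iptables-save format (for example the iptables_backup.txt file from the previous step) and reports the OUTPUT chain policy plus every DROP or REJECT rule with the rule number that iptables -D OUTPUT expects. The sample rule set is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find outbound-blocking rules in iptables-save output.
# Feed it a real backup with:  blocking_output_rules < iptables_backup.txt

# Constructed sample in iptables-save format (not from a real instance).
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp --dport 443 -j ACCEPT
-A OUTPUT -d 203.0.113.0/24 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -p udp --dport 53 -j ACCEPT
-A OUTPUT -j DROP
COMMIT'

# Print "<rule_number> <rule>" for each filter-table OUTPUT rule whose target
# is DROP or REJECT. Rule numbers count every OUTPUT rule in order, which is
# exactly what `sudo iptables -D OUTPUT <rule_number>` uses.
blocking_output_rules() {
    awk '
        /^\*/             { table = substr($0, 2) }
        table != "filter" { next }
        /^-A OUTPUT /     {
            n++
            for (i = 1; i <= NF; i++)
                if ($i == "-j" && ($(i+1) == "DROP" || $(i+1) == "REJECT"))
                    print n, $0
        }'
}

# Print the OUTPUT chain default policy. A DROP policy blocks everything the
# rules do not explicitly accept; `sudo iptables -P OUTPUT ACCEPT` resets it.
output_policy() {
    awk '/^\*/ { table = substr($0, 2) }
         table == "filter" && /^:OUTPUT / { print $2 }'
}

printf '%s\n' "$SAMPLE" | blocking_output_rules
printf 'OUTPUT policy: %s\n' "$(printf '%s\n' "$SAMPLE" | output_policy)"
```

Delete the reported rules from the highest number down, because removing a rule renumbers everything after it.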

Windows Server

To list the firewall rules for a Windows Server default firewall, run the following command:

netsh advfirewall firewall show rule name=all

If any of the rules from the output of the preceding command show blocked traffic, then run the following command to remove the firewall rule:

netsh advfirewall firewall delete rule name=rule_name

Note: Replace rule_name with the name of the firewall rule that blocks traffic.

For more information, see Windows Firewall tools on the Microsoft Learn website.

Deactivate the firewall

Linux distributions

You can also deactivate the local firewall and use security groups instead.

Note: Firewall deactivation might affect your workload.

To deactivate your firewall, run one of the following commands:

Uncomplicated firewall

sudo ufw disable

firewalld

sudo systemctl disable firewalld --now

iptables

sudo systemctl disable iptables

If you must use a firewall, then run one of the following commands to allow outgoing traffic:

Uncomplicated firewall

sudo ufw default allow outgoing

iptables

sudo iptables -P OUTPUT ACCEPT
sudo iptables -I OUTPUT -j ACCEPT

Note: By default, firewalld allows all outgoing traffic from the system in every zone unless a rich rule blocks it.

Windows Server

To deactivate Windows Firewall for Windows Server default firewall, run the following command:

netsh advfirewall set allprofiles state off

For more information, see Windows Firewall tools on the Microsoft Learn website.

Related information

Enable internet access for a VPC using an internet gateway

Why can't I use NAT to connect my EC2 instance in a private subnet to the internet?

AWS OFFICIAL. Updated 7 months ago.