EC2 Instance ENI_SG_RULES_MISMATCH but I can not see a mismatch

0

Hi there,

I am configuring my first EC2 instance and I ran into problems. I ran the Reachability Analyzer and saw that it displays the error ENI_SG_RULES_MISMATCH. My instance is not reachable if I test it from the IGW to the instance. My network ACL has two lines for outgoing and incoming traffic that I did not touch. Rule number 100 allows everything. Rule number * denies everything.

My Security Groups are the default one that allow all inbound/outbound traffic on all ports.

Why can I not reach my instance over SSH, and why do I get the ENI_SG_RULES_MISMATCH error? I followed this tutorial: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html#ec2-launch-instance_linux

I ran nmap on my laptop with `nmap PUBLICIPOFINSTANCE` and it says that port 22 is open and many more ports are also open. The instance is running.

Asked a year ago, 660 views
3 answers
1

It worked with a security group with tighter restrictions. I don't know why.

Answered a year ago
0

Hi, this link shows an example on how to understand and analyze an ENI_SG_RULES_MISMATCH error: https://docs.aws.amazon.com/vpc/latest/reachability/getting-started-cli.html#view-results-cli

It may help you in the error diagnosis.

As a starting point of your diagnosis, you may change your security group definition by removing all denies and allowing any kind of traffic of any protocol to see if your error disappears. Then you tighten up again incrementally by restricting the allowed protocols until the error message appears again.

AWS
Expert
Answered a year ago
  • Hi and thanks for the answer. My security group rules allow all traffic and there is no entry that disallows traffic. My network ACL has an entry that allows traffic and a * entry that denies traffic. I cannot delete the * entry. I don't know why it is not working; the rules are already loose.
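The incremental check the expert suggests can be done offline against the JSON that `aws ec2 describe-security-groups` returns. The script below is an added example, not code from the thread or from AWS: it evaluates one flow (protocol, port, source IP) against ingress rules in that shape, treating rules whose only source is another security group as not matching an IP-based source. The group ids and the 198.51.100.7 client address are constructed placeholders.

```python
"""Evaluate EC2 security group ingress rules for one flow (added example)."""
import ipaddress

# Constructed samples in the shape of `aws ec2 describe-security-groups` output.
# GROUP_SELF_REF: a single "all traffic" rule whose source is the group itself.
GROUP_SELF_REF = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0"}]},
    ],
}
# GROUP_SSH_ONLY: a tighter group that allows only TCP/22, but from any IPv4 address.
GROUP_SSH_ONLY = {
    "GroupId": "sg-0fedcba9876543210",  # placeholder id
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
}


def rule_matches(rule, protocol, port, source_ip):
    """True if one IpPermissions entry admits protocol/port from source_ip.

    "-1" means all protocols and carries no port range. Group references in
    UserIdGroupPairs only match traffic from members of that group, so they
    are ignored when the source is a plain IP address.
    """
    proto = rule.get("IpProtocol")
    if proto != "-1":
        if proto != protocol:
            return False
        if rule.get("FromPort") is not None and not rule["FromPort"] <= port <= rule["ToPort"]:
            return False
    src = ipaddress.ip_address(source_ip)
    ranges_key, cidr_key = ("IpRanges", "CidrIp") if src.version == 4 else ("Ipv6Ranges", "CidrIpv6")
    return any(src in ipaddress.ip_network(r[cidr_key]) for r in rule.get(ranges_key, []))


def ingress_allowed(groups, protocol, port, source_ip):
    """Security groups are allow-only: return the ids of every attached group
    with at least one rule that admits the flow (empty list means blocked)."""
    return [g["GroupId"] for g in groups
            if any(rule_matches(r, protocol, port, source_ip) for r in g["IpPermissions"])]


if __name__ == "__main__":
    for groups in ([GROUP_SELF_REF], [GROUP_SSH_ONLY]):
        print([g["GroupId"] for g in groups], "->", ingress_allowed(groups, "tcp", 22, "198.51.100.7"))
```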

0

It pains me to say it, but changing it from all access across all ports to only 6379 worked for me also. This seems like a bug Amazon should address.

xmcp
Answered 9 months ago
