
EC2 instance only accessible via SSH (22), HTTP/HTTPS blocked even though SG/NACL allow all


Hi all,

I have an EC2 instance in ap-southeast-1 with Elastic IP 52.74.222.227. It was working fine before, but suddenly only SSH (22) is reachable — HTTP (80) and HTTPS (443) no longer work.

What I’ve checked so far:

Nginx is running and listening on port 80 (ss -lntp shows 0.0.0.0:80).

Security Group: inbound/outbound allow all (0.0.0.0/0).

Network ACL: inbound/outbound allow all.

Route Table: has 0.0.0.0/0 → Internet Gateway and 172.31.0.0/16 → local.

Elastic IP: still attached (since I can SSH).

Test results:

curl http://localhost inside instance → works (301 redirect from nginx).

curl http://172.31.x.x (private IP) inside instance → works (returns 404, as expected).

curl http://52.74.222.227 inside instance → No route to host.

From my laptop: nmap -p 22,80,443 52.74.222.227 →

22/tcp open
80/tcp filtered
443/tcp closed

So far it looks like traffic to port 80/443 is being blocked before reaching the instance, despite open SG/NACL/Routes.

Question:

Could this be an AWS-level port restriction on my account or Elastic IP?

How can I verify and request unblocking if AWS is filtering 80/443 traffic?

Thanks in advance!

asked a month ago, 82 views
1 Answer

Based on your description, this appears to be an issue with your instance's firewall configuration rather than an AWS-level restriction. Since you can SSH into the instance but not access HTTP/HTTPS ports, even though your security groups and NACLs allow all traffic, the problem is likely at the OS level.

Here are the most likely causes and solutions:

  1. Host-level firewall: Your EC2 instance's operating system firewall might be blocking incoming HTTP/HTTPS connections. Depending on your OS:
  • For Ubuntu: Check if UFW is enabled with sudo ufw status and consider disabling it temporarily with sudo ufw disable
  • For RHEL/CentOS/Amazon Linux: Check if firewalld is running with sudo systemctl status firewalld and try stopping it with sudo systemctl stop firewalld

  2. iptables rules: Your iptables configuration might have rules that are blocking incoming connections. Check your current rules with sudo iptables -L. Look for REJECT rules that appear before your ACCEPT rules for HTTP/HTTPS ports. The order of rules matters in iptables: if a REJECT rule appears before an ACCEPT rule, the traffic will be rejected before reaching the ACCEPT rule.

  3. Web server configuration: Nginx might be configured to only listen on localhost or specific IPs rather than all interfaces. Check your Nginx configuration to ensure it's listening on 0.0.0.0:80 (all interfaces).

  4. Routing issue: The fact that you can't curl your public IP from inside the instance with "No route to host" error suggests a routing issue. This is expected behavior as AWS doesn't support hairpin NAT (accessing your public IP from inside the instance).

Since you mentioned that this was working before and suddenly stopped working, it's likely that a system update or configuration change modified your firewall settings. I would recommend checking your system logs to see if there were any recent changes or updates that might have affected your firewall configuration.

If none of these solutions work, you might want to try creating an AMI of your current instance and launching a new instance from it to see if the issue persists, which would help determine if it's an instance-specific problem or something broader.
Sources
Unable to Connect Http ports Even after allowing in Security group. | AWS re:Post
Can't connect to EC2 instance on any port other than SSH | AWS re:Post
EC2 instance with public IP can't access internet (HTTPS 443 timeout) | AWS re:Post

answered a month ago
  • Thanks for the suggestion. I already checked host-level firewalls (iptables empty, no UFW, no firewalld running) and Nginx is listening on 0.0.0.0:80.

    From outside, nmap shows port 22 open, port 80 filtered, and port 443 closed — even though my SG and NACL allow all.

    Given this, it looks more like a network-level restriction rather than an OS firewall issue. Could this be an AWS account-level block on ports 80/443?
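An added diagnostic helper for the host-level checks discussed in the answer (rule order in iptables, and what address nginx is bound to); this is editor-supplied example code, not part of the answer, the comment, or any AWS tooling. The two functions parse the output of `iptables -S INPUT` and `ss -lntp` from stdin and answer, for one port, "what verdict does a fresh inbound SYN get from the INPUT chain" and "which local address is the listener bound to", so rule order does not have to be eyeballed. The rule set and `ss` lines in the block are constructed samples (the rule set mimics a stock RHEL-style ruleset whose final catch-all REJECT precedes the port 80 ACCEPT); the `live` mode runs the same checks against the real host and needs root for iptables. Two general facts worth keeping next to the nmap output in the question: an nmap state of `closed` means a TCP RST came back, so the packet reached a host that had nothing accepting on that port (or an iptables REJECT with tcp-reset), while `filtered` means no reply at all, i.e. something on the path silently dropped it; and an iptables `REJECT --reject-with icmp-host-prohibited` (the default REJECT on RHEL/CentOS) surfaces to a local `curl` as "No route to host", whereas a DROP surfaces as a timeout.

```shell
#!/bin/sh
# Added example (not from the re:Post thread). Parses `iptables -S INPUT` and
# `ss -lntp` so the host-level firewall and listener checks can be applied to a
# port mechanically. All sample input below is constructed for illustration.

# filter_verdict PORT
# Reads `iptables -S INPUT` from stdin and prints the verdict (ACCEPT, DROP or
# REJECT) that a new inbound TCP SYN to PORT, arriving on a non-loopback
# interface, gets from the INPUT chain. Rules are evaluated top to bottom and
# the first terminal match wins; if nothing matches, the chain policy (-P)
# applies. Jumps into user chains (e.g. ufw-user-input), port ranges and
# -s/-d restrictions are not followed, so treat the result as a first pass.
filter_verdict() {
    awk -v port="$1" '
    /^-P INPUT / { policy = $3; next }
    /^-A INPUT / {
        matches = 1; verdict = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-i" && $(i+1) == "lo") matches = 0      # loopback-only rule
            if ($i == "-p" && $(i+1) != "tcp") matches = 0     # other protocol
            if ($i == "--dport" && $(i+1) != port) matches = 0
            if ($i == "--dports") {                             # multiport list
                hit = 0; n = split($(i+1), list, ",")
                for (k = 1; k <= n; k++) if (list[k] == port) hit = 1
                if (!hit) matches = 0
            }
            # conntrack rules limited to RELATED/ESTABLISHED never see a new SYN
            if (($i == "--state" || $i == "--ctstate") && $(i+1) !~ /NEW/) matches = 0
            if ($i == "-j") verdict = $(i+1)
        }
        if (matches && (verdict == "ACCEPT" || verdict == "DROP" || verdict == "REJECT")) {
            print verdict; done = 1; exit
        }
    }
    END { if (!done) { if (policy == "") policy = "ACCEPT"; print policy } }
    '
}

# listen_scope PORT
# Reads `ss -lntp` from stdin and prints the local address(es) a LISTEN socket
# on PORT is bound to (e.g. "0.0.0.0", "127.0.0.1", "[::]"), or "none".
# A listener bound only to 127.0.0.1 explains "works via localhost, fails
# from outside" without any firewall being involved.
listen_scope() {
    awk -v port="$1" '
    $1 == "LISTEN" {
        n = split($4, f, ":"); p = f[n]
        addr = substr($4, 1, length($4) - length(p) - 1)
        if (p == port) addrs = (addrs == "" ? addr : addrs " " addr)
    }
    END { if (addrs == "") addrs = "none"; print addrs }
    '
}

# live_check PORT: run both checks on this host (iptables needs root).
live_check() {
    printf 'iptables INPUT verdict for tcp/%s: %s\n' "$1" "$(iptables -S INPUT | filter_verdict "$1")"
    printf 'listener on tcp/%s bound to: %s\n' "$1" "$(ss -lntp | listen_scope "$1")"
}

# Constructed sample: a stock RHEL-style ruleset where the catch-all REJECT
# sits before the rule that would accept port 80, so 80 never gets accepted.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT'

# Constructed sample of `ss -lntp`: nginx on all interfaces, an app on
# loopback only, sshd on v4 and v6.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*     users:(("nginx",pid=1234,fd=6))
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*     users:(("app",pid=2345,fd=3))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=900,fd=3))
LISTEN 0      128    [::]:22             [::]:*        users:(("sshd",pid=900,fd=4))'

if [ "${1:-}" = "live" ]; then
    live_check "${2:-80}"
else
    for p in 22 80 443; do
        printf 'sample: tcp/%s -> iptables %s, listener %s\n' "$p" \
            "$(printf '%s\n' "$SAMPLE_RULES" | filter_verdict "$p")" \
            "$(printf '%s\n' "$SAMPLE_SS" | listen_scope "$p")"
    done
fi
```

Run it with no arguments to see the constructed sample evaluated (port 22 is accepted, 80 and 443 hit the catch-all REJECT even though an ACCEPT for 80 exists further down), or as `sudo sh check.sh live 80` on the instance. If the live result is ACCEPT with a listener on 0.0.0.0 and the port still shows `filtered` from outside, the drop is not in the INPUT chain or the listener, and the remaining places to look are the security group and NACL actually attached to the ENI (not just the ones the console shows by name), the subnet's route table, and the path between the client and the IGW.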
