1 Answer
Hello.
Do the inbound rules for the security groups configured on each EC2 allow the required communication?
For example, if you are communicating on HTTP port 80, you need to allow port 80 in the security group's inbound rules.
If you want to check communication using ping, you need to allow ICMP in the security group's inbound rules.
https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html
The security group for the internal EC2 is open; all rules are permissive for all traffic.
How do you confirm communication? Also, is the security group attached to the instance correct? Did you edit the wrong security group? From the diagram you shared, it looks like you are using EC2 like a NAT instance. Have you configured "Disable source/destination checks" in the ENI? https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck
I am trying to remove the other network interface to leave the instance with only the internal network interface, and it won't let me; I get that error. The image is in the question.
I don't think you need to remove the network interface. Also, from the error content, you are trying to remove the primary ENI, but the primary ENI cannot be removed.
Thank you for the suggestion. That fixed the problem. We were having multiple interfaces per ec2. We reverted to having the one original.
Have you configured "Disable source/destination checks" in the ENI? We fixed using this.
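One way to script the two checks this thread walks through (an added example, not code from the thread or from AWS): given a security group and an ENI attribute in the JSON shape the AWS CLI returns, report whether the inbound rules admit a given flow and whether source/destination check is still enabled on an interface that forwards traffic. The group id, CIDRs and attribute values below are constructed sample data.

```python
import ipaddress

# Constructed sample data in the shape of `aws ec2 describe-security-groups`
# and `describe-network-interface-attribute` output; not taken from the thread.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder, not a real group
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}]},
    ],
}
SAMPLE_ENI_ATTR = {"SourceDestCheck": {"Value": True}}  # the AWS default

def _cidr_matches(rule, src_ip):
    """True if src_ip falls inside any IPv4/IPv6 CIDR listed on the rule."""
    src = ipaddress.ip_address(src_ip)
    ranges, key = (rule.get("IpRanges", []), "CidrIp") if src.version == 4 \
        else (rule.get("Ipv6Ranges", []), "CidrIpv6")
    return any(src in ipaddress.ip_network(r[key]) for r in ranges)

def inbound_allows(sg, src_ip, protocol, port):
    """True if an inbound rule admits `protocol` from src_ip.
    `port` is the destination port for tcp/udp, or the ICMP type for icmp."""
    for rule in sg["IpPermissions"]:
        if not _cidr_matches(rule, src_ip):
            continue
        if rule["IpProtocol"] == "-1":        # "All traffic" rule, no ports
            return True
        if rule["IpProtocol"] != protocol:
            continue
        lo, hi = rule["FromPort"], rule["ToPort"]
        if protocol == "icmp" and lo == -1:   # -1 means all ICMP types
            return True
        if lo <= port <= hi:
            return True
    return False

def diagnose(sg, eni_attr, src_ip, protocol, port, forwards_traffic):
    """Return the findings the thread raises: a missing inbound rule, and
    source/destination check still on for an interface acting as a NAT."""
    findings = []
    if not inbound_allows(sg, src_ip, protocol, port):
        findings.append(f"SG {sg['GroupId']} has no inbound rule for "
                        f"{protocol}/{port} from {src_ip}")
    if forwards_traffic and eni_attr["SourceDestCheck"]["Value"]:
        findings.append("ENI forwards traffic (NAT-style) but "
                        "source/destination check is still enabled")
    return findings
```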