ssh: connect to host port 22: Operation timed out

0

My instance i-024c38e10d489849f is running, both health checks have passed, I changed my permissions for the .pem file, and I am using the correct username and DNS address. The security group is permitting inbound SSH traffic (port 22) from 0.0.0.0/0. My subnet route table has two routes: 0.0.0.0/0 > my IGW, 172.31.0.0/16 > local. I have tried to ping my instance with no success. Any ideas on this?!

Thanks!

asked 3 months ago, 548 views
4 Answers
0

My inbound and outbound rules for my Security Group.

answered 3 months ago
  • These rules look fine, and should allow an inbound SSH connection (and ping).

    What's the AMI that the EC2 was created with?

  • Amazon Linux

  • I have to admit I'm stumped :-( This is the default VPC, deploying into a default subnet, so it will already have an IGW attached, but you've checked that anyway. The default setting for a default subnet is to allocate a public IP, and it's the public IP that you're using. The correct ports are open in the security group to allow ICMP and SSH. It's a standard Amazon Linux AMI, so nothing weird about it.

    As it's Amazon Linux this means EC2 Instance Connect should be preinstalled. Can you connect with that, and just check that the EC2 is running normally? https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/connect-linux-inst-eic.html

    You could try Reachability Analyzer: https://docs.aws.amazon.com/vpc/latest/reachability/getting-started.html

0

These are my inbound and outbound rules for my NACL.

answered 3 months ago
0

If you have set up the security group correctly to allow your IP address on port 22, you should be able to SSH to your EC2 instance from your local machine. However, there are a few other things that you need to check, and one very common thing is the NACL.

Check your network ACL settings and allow your IP in the inbound rules. For outbound rules, allow port range "1024-65535" to your IP address. Optionally, you can also set the allow to 0.0.0.0/0 and you should be able to communicate.

Please refer to the AWS documentation.

Lastly, you mentioned that ping is not working either, so please make sure you've allowed ICMP IPv4 to your IP address, since ping uses the ICMP protocol.

Comment here if you have additional questions, happy to help.

Abhishek

AWS
EXPERT
answered 3 months ago
  • Hey Abhishek! Thanks, I posted my NACLs and security group rules below.
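
The NACL check from the answer above, as an added example that is not part of any post on this page: NACLs are stateless and evaluated in rule-number order, so SSH needs inbound TCP 22 plus outbound TCP to the client's ephemeral ports. The entries mimic the shape of `aws ec2 describe-network-acls` output; the rule sets, the `rule` helper and the client IP 203.0.113.10 are constructed for illustration.

```python
import ipaddress

def rule(num, egress, action, proto="-1", ports=None, cidr="0.0.0.0/0"):
    """Hypothetical helper: build one entry shaped like describe-network-acls output."""
    e = {"RuleNumber": num, "Egress": egress, "RuleAction": action,
         "Protocol": proto, "CidrBlock": cidr}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e

def first_match(entries, egress, peer_ip, proto, port):
    """Action of the lowest-numbered matching entry; later rules are never consulted."""
    ip = ipaddress.ip_address(peer_ip)
    same_dir = (e for e in entries if e["Egress"] == egress and "CidrBlock" in e)
    for e in sorted(same_dir, key=lambda e: e["RuleNumber"]):  # IPv6 entries skipped
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] not in ("-1", proto):  # "-1" = all protocols, "6" = TCP
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"]
    return "deny"

def ssh_verdict(entries, client_ip):
    """Check inbound TCP 22 and the stateless return path to ephemeral ports."""
    inbound = first_match(entries, False, client_ip, "6", 22)
    # Probe only ports where the verdict can change: range ends and rule boundaries.
    probes = {1024, 65535}
    for e in entries:
        pr = e.get("PortRange")
        if e["Egress"] and pr:
            probes |= {pr["From"] - 1, pr["From"], pr["To"], pr["To"] + 1}
    blocked = sorted(p for p in probes if 1024 <= p <= 65535
                     and first_match(entries, True, client_ip, "6", p) != "allow")
    return {"inbound_22": inbound, "return_blocked": blocked}

# Constructed NACL: outbound mirrors port 22, so SYN-ACKs to the client are dropped.
BROKEN = [rule(100, False, "allow", "6", (22, 22)), rule(32767, False, "deny"),
          rule(100, True, "allow", "6", (22, 22)), rule(32767, True, "deny")]
# Constructed NACL with the outbound ephemeral range the answer recommends.
FIXED = [rule(100, False, "allow", "6", (22, 22)), rule(32767, False, "deny"),
         rule(100, True, "allow", "6", (1024, 65535)), rule(32767, True, "deny")]

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, ssh_verdict(acl, "203.0.113.10"))
```

With the first rule set the inbound check passes yet the connection still times out, because the reply packets never leave the subnet.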

0

When you mention you have a route in the routing table for 172.31.0.0/16 > local it makes me think you are using the default VPC, would that be right? If that's the case then the network settings and routing should more-or-less all be in place to allow you to connect to the EC2 instance, you just need to have a security group rule allowing inbound port 22 (which you have done).

Can you confirm the host has a public IP address, and that it's definitely the public IP address that you're trying to connect to?

Also, note that any time you stop & start the instance (which is a normal thing to do as part of troubleshooting) the public IP will have changed, so make sure that it's the latest, correct public IP you're using.

As @secondabhi_aws says in his answer, for ping to work you need to allow inbound ICMP in the security group https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html#sg-rules-ping

EXPERT
Steve_M
answered 3 months ago
  • Hey Steve, thanks for the response. So yeah, I am connected to the default VPC. I can confirm that I have a public IP and I ping the new IP every time I start up my instance. I have a rule to allow ICMP-IPv4 from 0.0.0.0/0 (all) in both my attached NACL and in my security group. Still 100% packet loss.
