Why can't my EC2 instance connect to the internet using an internet gateway?
Last updated: 2020-11-16
My Amazon Elastic Compute Cloud (Amazon EC2) instance has a public IP address, but can’t access the internet. How can I fix this?
Verify that the instance meets all prerequisites
The instance must meet the following conditions:
- The route table that is associated with your instance's subnet has a default route (0.0.0.0/0) to an internet gateway.
- The internet gateway that is associated with the route isn't deleted.
- The security group that is attached to the instance’s elastic network interface has rules allowing outbound internet traffic (0.0.0.0/0) for your ports and protocols.
- The network access control list (network ACL) that is associated with the instance's subnet has rules allowing both outbound and inbound traffic to the internet.
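The four prerequisites can be checked mechanically from the JSON that the EC2 describe-* API calls return. The following is an added example, not AWS code: the route table, security group and network ACL documents are constructed samples in the shape of `aws ec2 describe-route-tables`, `describe-security-groups` and `describe-network-acls` output, and the checks deliberately ignore protocol and port detail.

```python
# Added example: evaluates the four prerequisites above against the JSON that
# `aws ec2 describe-route-tables`, `describe-security-groups` and
# `describe-network-acls` return. The samples below are constructed; the
# checks ignore protocol/port detail and treat any 0.0.0.0/0 entry as matching.

ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
]}
SECURITY_GROUP = {"IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
NETWORK_ACL = {"Entries": [  # default NACL: allow-all rule 100, catch-all deny 32767
    {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]}

def has_igw_default_route(route_table):
    """Conditions 1 and 2: a 0.0.0.0/0 route targeting an internet gateway that
    is still in state 'active' (a detached/deleted gateway leaves it 'blackhole')."""
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               and r.get("State") == "active"
               for r in route_table["Routes"])

def sg_allows_egress(security_group):
    """Condition 3: some outbound rule reaches 0.0.0.0/0."""
    return any(ip.get("CidrIp") == "0.0.0.0/0"
               for perm in security_group["IpPermissionsEgress"]
               for ip in perm.get("IpRanges", []))

def nacl_allows(network_acl, egress):
    """Condition 4: entries are evaluated in ascending rule number and the
    first matching entry decides, so an explicit deny below 32767 wins."""
    entries = sorted((e for e in network_acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e.get("CidrBlock") == "0.0.0.0/0":
            return e["RuleAction"] == "allow"
    return False

def check_prerequisites(route_table, security_group, network_acl):
    """Return one boolean per prerequisite; any False is the thing to fix first."""
    return {"igw_default_route": has_igw_default_route(route_table),
            "sg_egress": sg_allows_egress(security_group),
            "nacl_outbound": nacl_allows(network_acl, egress=True),
            "nacl_inbound": nacl_allows(network_acl, egress=False)}
```

Feed the real documents in by loading the CLI output with `json.load` and passing the matching top-level element (for example `RouteTables[0]`) to `check_prerequisites`.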
Verify that the instance has a public IP address
If the instance doesn't have a public IP address, but has an internet gateway, the instance isn't accessible outside of the virtual private cloud (VPC) that it resides in.
Or, enable the public IPv4 addressing attribute on the subnet. With this attribute enabled, instances launched in the subnet are assigned a public IP address at launch.
Verify that a firewall isn't blocking access
If the instance meets the preceding conditions and internet connectivity issues persist, then try the following:
1. Test the accessibility of the site or location from a known working instance or device using the ping or curl tools.
2. Verify that any firewall devices or software allow traffic over HTTP or HTTPS. The following commands list the current rules and add inbound firewall rules:
For Windows Server default firewalls, run the following command:
netsh advfirewall firewall show rule name=all
If the preceding command indicates blocked traffic, remove the old rule, or add a new rule allowing traffic for that specific port. In the following example, replace port 80 with your specific port number.
netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
Amazon Linux, CentOS, RHEL 6, and Ubuntu 16.04 and earlier
Run the following command to verify that there aren't rules blocking traffic:
$ sudo iptables -L
$ sudo iptables -L -t nat
If the preceding commands indicate blocked traffic, remove the blocking rule or add a rule allowing traffic for that specific port. In the following example, replace examplerule with the chain and rule specification of the rule to delete, and replace port 80 with your specific port number.
$ sudo iptables -D examplerule
$ sudo iptables -A INPUT -p tcp --destination-port 80 -j ACCEPT
Amazon Linux 2, CentOS 7+, RHEL 7+, and Ubuntu 18.04+
Run the following command to verify that the firewall allows HTTP/HTTPS traffic:
$ sudo firewall-cmd --list-services
If the preceding command indicates blocked traffic, add a rule allowing traffic for your specific port. In the following command, replace port 80 with your specific port.
$ sudo firewall-cmd --zone=public --add-port=80/tcp --permanent
$ sudo firewall-cmd --reload