How do I troubleshoot instance connection timeout errors in Amazon VPC?

Last updated: 2020-10-29

I can’t connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance in my Amazon Virtual Private Cloud (Amazon VPC). When I try to connect, the connection hangs, and then I receive an error similar to "Network error: Connection timed out". How can I fix this?

Short description

AWS provides several layers of security for Amazon EC2 resources, including security groups and network access control lists (ACLs). Be sure to verify that your security settings for Amazon EC2 instances in your VPC allow appropriate access.

Note: For "Permission Denied" or "Connection Refused" errors, see How do I troubleshoot problems connecting to my Amazon EC2 Linux instance using SSH?

Resolution

Review the following settings in your configuration.

Public and Elastic IP addresses

Verify that your instance has an associated public IP address or Elastic IP address. For more information, see Determining your public, private, and Elastic IP addresses. Be sure to use this IP address when connecting to the instance.

System and instance status checks

Verify that your instance is passing system and instance status checks.

Security groups

Add a rule to your security groups to allow access to your instance from your IP address using SSH.

Network ACLs

Verify that network ACLs allow access to your instance over SSH from your IP address as follows. For an example configuration, see Example: Controlling access to instances in a subnet.

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Instances, choose Instances.
  3. Select your instance.
  4. Choose the Description view.
  5. Note the Subnet ID.
  6. Open the Amazon VPC console.
  7. In the navigation pane, under Virtual Private Cloud, choose Subnets.
  8. In the content pane, select the subnet ID you noted in step 5.
  9. Choose the Description view.
  10. Choose the Network ACL value.
    Important: If you have more than one subnet associated with your instance, complete steps 10-15 for each subnet.
  11. Select the network ACL again.
  12. Choose the Inbound Rules view.
  13. Check if the inbound rules differ from the default network ACL configuration. If the rules differ, add a rule to allow inbound traffic for SSH to and from your IP address.
  14. Choose the Outbound Rules view.
  15. Check if the outbound rules differ from the default network ACL configuration. If the rules differ, add a rule to allow outbound traffic for SSH to and from your IP address.
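The inbound and outbound checks in steps 12-15 can also be run offline against exported rules. The following is an added example, not part of the original article or AWS code. The entries are constructed in the shape of `aws ec2 describe-network-acls` output, and the function names are hypothetical. It relies on two network ACL behaviours: rules are evaluated in ascending rule number with the first match deciding, and ACLs are stateless, so the SSH reply to the client's ephemeral port must be allowed outbound.

```python
import ipaddress

# Constructed sample entries (documentation IP ranges), not real account data.
SAMPLE_ENTRIES = [
    {"RuleNumber": 90, "Egress": False, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    # 32767 is the final "*" rule that denies anything not matched earlier.
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1",
     "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1",
     "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]


def nacl_decision(entries, egress, peer_ip, port, protocol="6"):
    """Return (action, rule_number) for the first matching entry.

    peer_ip is the source for inbound rules and the destination for
    outbound rules; port is the destination port of the packet.
    """
    ip = ipaddress.ip_address(peer_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", protocol):
            continue
        cidr = e.get("CidrBlock")
        if cidr is None or ip not in ipaddress.ip_network(cidr):
            continue  # IPv6-only entry, or the CIDR does not cover peer_ip
        pr = e.get("PortRange")  # absent when the rule covers all ports
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"], e["RuleNumber"]
    return "deny", None


def ssh_path_ok(entries, client_ip, client_port=50000):
    """Check inbound tcp/22 from the client and the reply to its source port."""
    inbound = nacl_decision(entries, False, client_ip, 22)
    outbound = nacl_decision(entries, True, client_ip, client_port)
    ok = inbound[0] == "allow" and outbound[0] == "allow"
    return {"inbound": inbound, "outbound": outbound, "ok": ok}
```

A result such as `("deny", 90)` names the rule number that shadows a later allow, which is the entry to review in the Inbound Rules or Outbound Rules view.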

VPC route table

Verify that your VPC route table allows traffic to and from the internet.

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Instances, choose Instances.
  3. Select your instance.
  4. Choose the Description view.
  5. Note the VPC ID.
  6. Open the Amazon VPC console.
  7. In the navigation pane, under Virtual Private Cloud, choose Route Tables.
  8. Select the route table of the VPC ID you noted in step 5.
  9. Choose the Routes view.
  10. Verify that you have a default route (a route whose destination is 0.0.0.0/0) pointing to your internet gateway. If there's no default route to your internet gateway, choose Internet Gateways under Virtual Private Cloud from the navigation pane.
  11. Select your VPC’s internet gateway.
  12. In the Description view, note the ID value of the internet gateway.
  13. Add a new route with a Destination of 0.0.0.0/0 and a Target of your internet gateway ID. Be sure to save your new route table configuration.

Local firewalls and routing tables

If you continue to experience connection problems, check for conflicts with your local firewall rules or local routing tables.

