Why can't I connect to a website that is hosted on my EC2 instance?
Last updated: 2022-05-16
I can't connect to a public website that is hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance. How do I resolve this?
Websites running on an EC2 instance might become unreachable for multiple reasons. To resolve this issue, confirm that the configuration settings on your EC2 instance are correct. For example, if your instance isn't booting correctly or doesn't have the right DNS configurations, then you can't connect to any website hosted on that instance.
Use the steps in this article to check the configuration settings of your EC2 instance and find the root cause of this issue.
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent version of the AWS CLI.
Use the EC2 Serial Console for Linux to troubleshoot Nitro-based instance types
If you enabled EC2 Serial Console for Linux, you can use it to troubleshoot supported Nitro-based instance types. You can access the serial console from the Amazon EC2 console or with the AWS CLI. You don't need a working network connection to the instance to use the EC2 Serial Console.
Before you use the serial console to troubleshoot:
- Grant access to the serial console at the account level
- Create AWS Identity and Access Management (IAM) policies granting access to your IAM users
- Check that your instance includes at least one password-based user
Check that the instance is running and passing both status checks
Make sure that the instance is listed as running in the Amazon EC2 console. If your instance isn't running or you have another status check issue, follow the steps in Why is my EC2 Linux instance unreachable and failing one or both of its status checks?
Check that the instance boots correctly
Check the instance's system logs for boot errors.
- If you see a kernel panic error, see I'm receiving a "Kernel panic" error after I've upgraded the kernel or tried to reboot my EC2 Linux instance. How can I fix this?
- For other operating system errors, see My EC2 Linux instance failed the instance status check due to operating system issues. How do I troubleshoot this?
Check the instance's security group and network ACL configuration
- Make sure that the instance's associated security group and network ACL allow traffic on ports 80 and 443.
- Make sure that the route table in the instance's subnet has a default route to an internet gateway.
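The following POSIX shell script is an added example and is not part of the AWS article. It evaluates the two cloud-side settings just listed from the text rows that the AWS CLI prints with --output text. The two query strings, the placeholder IDs sg-EXAMPLE and subnet-EXAMPLE, and the sample rows embedded in the script are assumptions constructed for the example; the functions read rows on standard input, so they can be fed from the live CLI output instead.

```shell
#!/bin/sh
# Added example, not from the AWS article. The two AWS CLI queries below (assumed
# forms; replace sg-EXAMPLE and subnet-EXAMPLE with your own IDs) print one
# tab-separated row per security-group rule and per route:
#
#   aws ec2 describe-security-groups --group-ids sg-EXAMPLE --output text \
#     --query "SecurityGroups[].IpPermissions[].[IpProtocol,FromPort,ToPort,join(',',IpRanges[].CidrIp)]"
#   aws ec2 describe-route-tables --output text \
#     --filters Name=association.subnet-id,Values=subnet-EXAMPLE \
#     --query "RouteTables[].Routes[].[DestinationCidrBlock,GatewayId,State]"
#
# The functions read such rows on stdin (tabs or spaces), so they work on the
# CLI output or, as here, on constructed samples.

# Constructed sample: SSH from one office range, HTTPS from anywhere, no HTTP rule.
SAMPLE_SG_RULES='tcp 22 22 203.0.113.0/24
tcp 443 443 0.0.0.0/0
tcp 8080 8080 0.0.0.0/0'

# Constructed sample: the subnet's local route plus a default route to an internet gateway.
SAMPLE_ROUTES='10.0.0.0/16 local active
0.0.0.0/0 igw-0123456789abcdef0 active'

# sg_allows_port PORT: prints "open" (TCP PORT allowed from 0.0.0.0/0),
# "restricted" (allowed only from specific IPv4 ranges) or "closed".
# Protocol -1 means "all traffic"; the CLI prints "None" for its ports.
sg_allows_port() {
  awk -v port="$1" '
    NF >= 3 && ($1 == "tcp" || $1 == "-1") {
      from = ($1 == "-1") ? 0 : $2 + 0
      to   = ($1 == "-1") ? 65535 : $3 + 0
      if (port + 0 < from || port + 0 > to) next
      n = split($4, cidrs, ",")
      for (i = 1; i <= n; i++) {
        if (cidrs[i] == "0.0.0.0/0") open = 1
        else if (cidrs[i] != "") restricted = 1
      }
    }
    END { r = open ? "open" : (restricted ? "restricted" : "closed"); print r }'
}

# route_default_via_igw: prints the internet gateway ID that the 0.0.0.0/0 route
# points at, or "none" if the route table has no active default route to an IGW.
route_default_via_igw() {
  awk '
    $1 == "0.0.0.0/0" && $2 ~ /^igw-/ && $3 == "active" { print $2; found = 1; exit }
    END { if (!found) print "none" }'
}

# Demonstration on the constructed samples.
for p in 80 443; do
  printf 'security group, port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_SG_RULES" | sg_allows_port "$p")"
done
printf 'default route via: %s\n' "$(printf '%s\n' "$SAMPLE_ROUTES" | route_default_via_igw)"
```

Two caveats when using this on a real account: the subnet filter only finds a route table that is explicitly associated with the subnet, so a subnet that relies on the VPC's main route table needs the association.main filter instead; and network ACLs are not covered by the security-group check, and because they are stateless their outbound rules must also allow the ephemeral ports that return traffic uses.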
Check that the instance has the correct DNS configuration
- If your website uses Route 53 DNS service, check that you've configured the DNS records correctly.
- Make sure that an Elastic IP address is associated with the instance. An Elastic IP address stays associated with the instance when you stop and start it, whereas an automatically assigned public IPv4 address changes.
- Make sure to map the public IP address or Elastic IP address to an A-record.
Check that the web server is running and that there are no OS-level firewalls blocking access to ports
Network ports are the communication endpoints that various services send requests to. These requests include users' website connection requests. Web servers generally listen on port 80 for HTTP traffic and use port 443 for traffic encrypted with TLS/SSL. If the web server isn't running or firewalls block these ports, then users can't connect to your website.
To check whether the web server is running locally, follow these steps from within the EC2 instance that hosts the website:
1. Connect to your instance.
2. Run the systemctl status httpd command to check the web server's status. The web server must be listening on port 80 or port 443. In this example, the output shows that the web server is inactive.
$ sudo systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
3. To restart the web server, run this command:
$ sudo systemctl restart httpd
4. Run this command to check that the web server is now running:
$ sudo systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2020-11-19 14:40:15 UTC; 42s ago
Note: For older Linux systems running SystemV, run this command to check the web server status:
$ sudo service httpd status
httpd is stopped
To restart a stopped web server on SystemV, run this command:
$ sudo service httpd restart
Stopping httpd:                                            [FAILED]
Starting httpd:                                            [  OK  ]
5. Run this command to confirm that the web server is listening on port 80 or 443 for incoming connection requests from users:
$ sudo netstat -tulpn | grep httpd
tcp        0      0 :::80                   :::*                    LISTEN      2961/httpd
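A web server that is running but bound only to 127.0.0.1 passes the status check above and is still unreachable from the internet, so the address column matters as much as the LISTEN state. The following script is an added example, not part of the AWS article: it classifies what a port's listener is bound to from the output of ss -tulpn or netstat -tulpn. The sample listener table embedded in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the AWS article: classify what a port's listener is
# bound to, reading the output of `ss -tulpn` or `netstat -tulpn` on stdin.

# Constructed sample (netstat -tulpn style): httpd on port 80 is bound only to the
# loopback address, 443 is bound to the IPv6 wildcard, sshd to all IPv4 addresses.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2961/httpd
tcp6       0      0 :::443                  :::*                    LISTEN      2961/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd'

# listen_scope PORT: reads listener lines on stdin and prints
#   "any"   - a LISTEN socket on PORT is bound to a wildcard address (0.0.0.0, :: or *)
#   "local" - LISTEN sockets on PORT exist but only on specific addresses (e.g. 127.0.0.1)
#   "none"  - nothing is listening on PORT
# Works for both tools because only fields of the form address:PORT are inspected;
# the peer/foreign column ends in ":*", so it never matches a numeric port.
listen_scope() {
  awk -v port="$1" '
    /LISTEN/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ (":" port "$")) {
          addr = substr($i, 1, length($i) - length(port) - 1)
          if (addr == "0.0.0.0" || addr == "::" || addr == "*" || addr == "[::]") any = 1
          else specific = 1
        }
      }
    }
    END { r = any ? "any" : (specific ? "local" : "none"); print r }'
}

# check_web_ports: runs the check on the live system (ss first, netstat as fallback).
check_web_ports() {
  listeners=$(ss -tulpn 2>/dev/null || netstat -tulpn 2>/dev/null)
  for p in 80 443; do
    printf 'port %s: %s\n' "$p" "$(printf '%s\n' "$listeners" | listen_scope "$p")"
  done
}

# Demonstration on the constructed sample.
for p in 80 443 8443; do
  printf 'sample, port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_NETSTAT" | listen_scope "$p")"
done
```

A result of "local" for port 80 usually traces back to a Listen directive in httpd.conf that names a specific address (for example Listen 127.0.0.1:80) rather than the port alone. On newer distributions netstat is often not installed by default, which is why the live check tries ss first.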
6. Check the status of OS-level firewalls. If you find an active firewall, make sure that it allows requests on ports 80 and 443.
Note: If the instance has multiple network interfaces, confirm that the web server is listening on all of its IP addresses by running this command:
cat /etc/httpd/conf/httpd.conf | grep Listen
These are examples of successful outputs:
Amazon Linux, CentOS, and RHEL:
1. Run this command to check whether the iptables rules block incoming requests on ports 80 and 443:
$ sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
2. Run this command to allow port 80 to accept incoming HTTP connection requests:
$ sudo iptables -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
3. Run this command to allow port 443 to accept incoming HTTPS connection requests:
$ sudo iptables -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
Amazon Linux 2 and RHEL 7 and above:
1. Run this command to check that firewalld is running:
$ sudo firewall-cmd --state
running
2. If firewalld is running, then run these commands to configure it to allow connections on ports 80 and 443. The last command in this example reloads the service so that the new rules take effect:
$ sudo firewall-cmd --add-service=http --permanent
success
$ sudo firewall-cmd --add-service=https --permanent
success
$ sudo firewall-cmd --reload
success
Debian and Ubuntu servers:
1. Run this command to check for a UFW firewall:
$ sudo ufw status verbose
Status: active
2. If UFW is active, run these commands to allow incoming connection requests on ports 80 and 443:
$ sudo ufw allow in 80/tcp
Rule added
Rule added (v6)
$ sudo ufw allow 443/tcp
Rule added
Rule added (v6)
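iptables evaluates the INPUT chain top to bottom and stops at the first matching rule, so an ACCEPT rule appended with -A lands after any catch-all REJECT that already ends the chain (the default layout on older RHEL and CentOS images) and never fires, even though iptables -nvL lists it. The following script is an added example, not part of the AWS article: it reads the output of sudo iptables -nvL INPUT and reports the verdict for a new TCP connection to a given port. The two sample chains embedded in it are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the AWS article: evaluate what the INPUT chain does with
# a new TCP connection to a port, reading `sudo iptables -nvL INPUT` on stdin.

# Constructed sample: port 80 was opened with -A (appended), so its rule sits
# below the catch-all REJECT and is never reached.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  8000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   10   600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:22
    5   300 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 ctstate NEW'

# Constructed sample: the same chain with the port 80 rule inserted above the REJECT.
SAMPLE_FIXED_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  8000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 flags:0x17/0x02 ctstate NEW
    5   300 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited'

# input_verdict PORT: prints ACCEPT, DROP or REJECT for a new TCP connection to
# PORT arriving on a non-loopback interface, or the chain policy if no rule matches.
# Simplifications: rules that jump to user-defined chains and rules restricted to a
# specific input interface are skipped, as are RELATED,ESTABLISHED conntrack rules,
# which a brand-new connection never matches. Source-address restrictions are ignored.
input_verdict() {
  awk -v port="$1" '
    function range_has(spec, port,   r, n) {
      n = split(spec, r, ":")
      if (n == 1) return (r[1] + 0 == port + 0)
      return (r[1] + 0 <= port + 0 && port + 0 <= r[2] + 0)
    }
    function port_matches(line, port,   spec, parts, n, i) {
      if (match(line, /dpts?:[0-9:]+/)) {            # single port or dpts:low:high range
        spec = substr(line, RSTART, RLENGTH); sub(/^dpts?:/, "", spec)
        return range_has(spec, port)
      }
      if (match(line, /dports [0-9,:]+/)) {           # multiport list, e.g. dports 80,443
        spec = substr(line, RSTART + 7, RLENGTH - 7)
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) if (range_has(parts[i], port)) return 1
        return 0
      }
      return 1   # no destination-port match at all: the rule applies to every port
    }
    /^Chain / { policy = $4; next }                   # "Chain INPUT (policy ACCEPT ...)"
    /^ *pkts/ || NF == 0 { next }
    {
      target = $3; prot = $4; in_if = $6
      if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
      if (prot != "all" && prot != "tcp") next
      if (in_if != "*") next
      if ($0 ~ /ESTABLISHED/) next
      if (port_matches($0, port)) { verdict = target; exit }   # first match wins
    }
    END { print (verdict == "" ? policy : verdict) }'
}

# Demonstration on the constructed samples.
for p in 22 80 443; do
  printf 'appended rule, port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_INPUT_CHAIN" | input_verdict "$p")"
done
printf 'inserted rule, port 80: %s\n' "$(printf '%s\n' "$SAMPLE_FIXED_CHAIN" | input_verdict 80)"
```

If the verdict for port 80 or 443 is REJECT or DROP although an ACCEPT rule is listed, insert the rule above the catch-all instead of appending it (iptables -I INPUT with the rule number shown by sudo iptables -nvL INPUT --line-numbers), and persist the result (for example with iptables-save) so that it survives a reboot.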
Check your web server's access and error logs for issues. Web server logs are generally located under /var/log, although the exact location depends on your server configuration. These are the default web server log locations:
- Amazon Linux and RHEL: /var/log/httpd
- Debian and Ubuntu: /var/log/apache2
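The following script is an added example, not part of the AWS article: a first-pass triage of the two logs named above that counts HTTP status codes in the access log and module:level pairs in the error log. The log lines embedded in it are constructed samples, not real traffic; on a live instance the same functions can read the real files, for example access_status_summary < /var/log/httpd/access_log.

```shell
#!/bin/sh
# Added example, not from the AWS article: first-pass triage of Apache logs.
# Both functions read log lines on stdin and print "key count" lines, sorted.

# Constructed sample lines in the combined log format (not real traffic).
SAMPLE_ACCESS_LOG='203.0.113.5 - - [19/Nov/2020:14:40:15 +0000] "GET / HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [19/Nov/2020:14:40:16 +0000] "GET /assets/app.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2020:14:41:02 +0000] "GET /admin/ HTTP/1.1" 403 199 "-" "curl/7.61.1"
198.51.100.7 - - [19/Nov/2020:14:41:05 +0000] "GET /api/health HTTP/1.1" 503 299 "-" "curl/7.61.1"'

# Constructed sample lines in the Apache 2.4 error log format.
SAMPLE_ERROR_LOG='[Thu Nov 19 14:41:02.104321 2020] [core:error] [pid 2961] (13)Permission denied: [client 198.51.100.7:51234] AH00035: access to /admin/ denied (filesystem path /var/www/html/admin) because search permissions are missing on a component of the path
[Thu Nov 19 14:41:05.220011 2020] [proxy:error] [pid 2961] (111)Connection refused: AH00957: HTTP: attempt to connect to 127.0.0.1:8080 (localhost) failed
[Thu Nov 19 14:41:05.220102 2020] [proxy_http:error] [pid 2961] [client 198.51.100.7:51240] AH01114: HTTP: failed to connect to backend
[Thu Nov 19 14:42:00.000001 2020] [mpm_prefork:notice] [pid 2950] AH00163: Apache/2.4 configured -- resuming normal operations'

# access_status_summary: counts HTTP status codes in a combined-format access log.
# The status is the three-digit field right after the closing quote of the
# request line, which is robust to spaces inside the requested path.
access_status_summary() {
  awk '
    match($0, /" [0-9][0-9][0-9] /) { count[substr($0, RSTART + 2, 3)]++ }
    END { for (s in count) print s, count[s] }' | LC_ALL=C sort
}

# error_log_summary: counts "module:level" pairs from an Apache 2.4 error log,
# taken from the second bracketed field of each line.
error_log_summary() {
  awk '
    match($0, /\] \[[a-z_]+:[a-z]+\]/) { count[substr($0, RSTART + 3, RLENGTH - 4)]++ }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Demonstration on the constructed samples.
echo "access log status codes:"
printf '%s\n' "$SAMPLE_ACCESS_LOG" | access_status_summary
echo "error log entries by module:level:"
printf '%s\n' "$SAMPLE_ERROR_LOG" | error_log_summary
```

Read the two summaries together: 403 responses paired with core:error "Permission denied" entries point at filesystem permissions on the document root, and 503 responses paired with proxy errors point at a backend that the web server cannot reach rather than at the web server itself. The default file names are access_log and error_log under /var/log/httpd on Amazon Linux and RHEL, and access.log and error.log under /var/log/apache2 on Debian and Ubuntu.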