How do I troubleshoot Amazon EC2 instance connection timeout errors from the internet?

Last updated: 2022-05-05

I can't connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance in my Amazon Virtual Private Cloud (Amazon VPC) from the internet. When I try to connect, the connection hangs, and then I receive an error similar to "Network error: Connection timed out". How can I fix this?

Resolution

Verify that your security settings allow appropriate access

Review the following security settings for Amazon EC2 instances in your VPC:

  1. Verify that your instance has an associated public IP address or Elastic IP address. Be sure to use this IP address when connecting to the instance.
    Note: For more troubleshooting guidance, see How can I fix the connection to my Amazon EC2 instance or elastic network interface that has an attached Elastic IP address?
  2. Add a rule to your security groups to allow access to your instance from your IP address using SSH.
  3. Verify that your instance is passing system and instance status checks.

Verify that your network ACLs allow access to your instance

Verify that network ACLs allow access to your instance over SSH from your IP address as follows. For an example configuration, see Example: Control access to instances in a subnet.

First, find the Subnet ID for your instance:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Instances, choose Instances.
  3. Select your instance.
  4. Choose Details.
  5. Note the Subnet ID.

Then, review the inbound and outbound rules for the network ACL:

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Subnets.
  3. In the content pane, select the Subnet ID that you previously noted.
  4. Choose the Network ACL tab.
    Important: If you have more than one subnet associated with your instance, then complete steps 5 and 6 for each subnet.
  5. Check if the inbound rules differ from the default network ACL configuration. If the rules differ, then add a rule that allows inbound SSH traffic from your IP address. For an example configuration for SSH, see Custom network ACL.
  6. Check if the outbound rules differ from the default network ACL configuration. If the rules differ, then add a rule that allows the outbound return traffic of the SSH session back to your IP address.

Verify that your VPC route table allows traffic to and from the internet

First, find the Subnet ID for your instance:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Instances, choose Instances.
  3. Select your instance.
  4. Choose Details.
  5. Note the Subnet ID.

Then, verify that your VPC route table allows traffic to and from the internet:

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual Private Cloud, choose Subnets.
  3. In the content pane, select the Subnet ID that you previously noted.
  4. Choose the Route table tab.
  5. Verify that you have a default route (a route whose destination is 0.0.0.0/0) pointing to your internet gateway. If there's no default route to your internet gateway, then choose Internet Gateways under Virtual Private Cloud from the navigation pane.
  6. Select your VPC's internet gateway.
    Note: You can find the VPC ID on the Details page of the instance.
  7. In the Details view, note the ID value of the internet gateway.
  8. Add a new route with a Destination of 0.0.0.0/0 and a Target of your internet gateway ID. Be sure to save your new route table configuration.
    Note: If you connect through a bastion host, the instance is in a private subnet, so its route table must not have a default route (0.0.0.0/0) to an internet gateway. For more information, see How do I troubleshoot accessing my EC2 instance using an SSH connection through a bastion host?
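The three VPC-side checks above (security group, network ACL in both directions, and the default route to the internet gateway) can be evaluated offline against the JSON that `aws ec2 describe-security-groups`, `describe-network-acls` and `describe-route-tables` return. This is an added example, not AWS code: the client IP, the rules and the `igw-EXAMPLE` ID are constructed sample data, and `diagnose` and the other function names are the example's own.

```python
import ipaddress
from functools import lru_cache

@lru_cache(maxsize=None)
def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def sg_allows_ssh(sg, client_ip):
    """Security groups are stateful: one inbound allow for TCP/22 is enough."""
    for p in sg["IpPermissions"]:
        proto_ok = p["IpProtocol"] == "-1" or (
            p["IpProtocol"] == "tcp" and p["FromPort"] <= 22 <= p["ToPort"])
        if proto_ok and any(in_cidr(client_ip, r["CidrIp"]) for r in p["IpRanges"]):
            return True
    return False

def nacl_verdict(entries, egress, client_ip, port):
    """Stateless, ordered: lowest-numbered matching rule wins; unmatched -> '*' deny."""
    for e in sorted(entries, key=lambda r: r["RuleNumber"]):
        if e["Egress"] != egress or not in_cidr(client_ip, e["CidrBlock"]):
            continue
        rng = e.get("PortRange", {"From": 0, "To": 65535})  # protocol -1 has no range
        if e["Protocol"] in ("-1", "6") and rng["From"] <= port <= rng["To"]:
            return e["RuleAction"]
    return "deny"

def has_igw_default_route(rt):
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and
               r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])

def diagnose(client_ip, sg, nacl, rt):
    """Failed checks, in page order. SSH replies return to the client's ephemeral
    ports (1024-65535), so a stateless NACL needs an outbound allow for them too."""
    checks = [
        (sg_allows_ssh(sg, client_ip), "security group: no inbound TCP/22 rule for client"),
        (nacl_verdict(nacl, False, client_ip, 22) == "allow", "NACL: inbound TCP/22 denied"),
        (all(nacl_verdict(nacl, True, client_ip, p) == "allow" for p in range(1024, 65536)),
         "NACL: outbound ephemeral ports 1024-65535 to client not all allowed"),
        (has_igw_default_route(rt), "route table: no 0.0.0.0/0 route to an internet gateway")]
    return [msg for ok, msg in checks if not ok]

CLIENT_IP = "203.0.113.10"  # constructed sample data (TEST-NET-3), as is everything below
SG = {"IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}]}
NACL = [  # custom NACL: SSH allowed in, but the outbound ephemeral rule was forgotten
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}}]
ROUTES = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]}
```

Running `diagnose(CLIENT_IP, SG, NACL, ROUTES)` on the sample data reports only the missing outbound ephemeral-port rule, the case a custom NACL most often gets wrong.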

Check for conflicts with your local firewalls and routing tables

If you continue to experience connection problems, check for conflicts with your local firewall rules or local routing tables.