
I can’t connect to an Amazon EC2 instance in a virtual private cloud (VPC) using SSH.

The following list of troubleshooting steps will help you identify or resolve most issues about connecting to an instance in a VPC.

  1. Verify that you’re using the correct public IP address or DNS name of your instance, and that you’re using the correct user name and private key to log in to the instance.
  2. Verify that your instance has either a public IP address or an Elastic IP address associated with it:
    1. Open the Amazon EC2 console and navigate to the Instances pane.
    2. Select the instance and note the public IP address from the Public IP field, or the external DNS hostname from the Public DNS field. If an Elastic IP address has been associated with the instance, get the Elastic IP address from the Elastic IP field.
      Note: If both the Public IP field and Public DNS field are blank, ensure that you have associated an Elastic IP address with the instance.
  3. Verify that your desktop machine has access to the Internet, for example by using SSH to connect to another instance. Use the ping tool to verify IP connectivity to a public host or IP address.
    Note: Because Amazon.com and other well-known websites tend to ignore the ICMP packets used by the ping tool, use the tracert (Windows) command or the traceroute (Linux) command to display the hops in the route to the specified end point. If you then ping the IP address of one of the hops in the route, you should receive a reply. For example, although the command “ping amazon.com” will not return a reply, pinging the IP address of one of the hops in the route to amazon.com usually will.
  4. Verify that the instance passes both the System Status and Instance Status checks:
    1. Open the Amazon Elastic Compute Cloud (EC2) console and navigate to the Instances pane.
    2. Select the instance, and then choose the Status Checks tab.
    3. Verify that the instance passes both status checks. If the instance fails both status checks, see Status Checks for Your Instances.
  5. Verify that the security groups associated with the instance allow connections for the required protocols and ports:
    1. Open the Amazon EC2 console and navigate to the Security Groups pane.
    2. Choose the security group associated with your instance and select the Inbound tab. Inbound rules are applied to the traffic coming into the instance. Your security groups should allow SSH access over port 22 and web server access over port 80.
    • For SSH traffic, create a rule with a Type of SSH, Protocol of TCP, Port Range of 22, and Source set to the public IP address of your computer.
    • For web server traffic, create a rule with a Type of HTTP, Protocol of TCP, Port Range of 80, and Source set to the Public IP address of your computer.
  6. Verify that the network ACLs associated with the subnet allow traffic from necessary ports and protocols:
    1. Open the Amazon Virtual Private Cloud (VPC) console and navigate to Network ACLs.
    2. Choose either the Inbound Rules or Outbound Rules tab.
    3. Make sure there is an Allow rule for traffic from your source IP address in both the Inbound and Outbound rules. Network ACLs are stateless, so in addition to the inbound rule for port 22, the outbound rules must allow the SSH reply traffic back to your IP address on the ephemeral port range (1024-65535); without it the connection attempt hangs even though the security group permits it.
  7. Verify that an Internet gateway is attached to your VPC by navigating to the Internet Gateways pane and viewing the VPC column, which displays the ID and the name of the VPC, if there is one. If there is no Internet gateway attached to your VPC, create one by following these steps:
    1. Open the Amazon VPC console.
    2. Navigate to Internet Gateways, choose Create Internet Gateway, and type a name for the Internet gateway.
    3. Select the Internet gateway that you just created, choose Attach to VPC, and select your VPC from the list to attach it to your VPC.
  8. Verify that the route table has appropriate routes entered for the destination 0.0.0.0/0 via the Internet gateway:
    1. Open the Amazon VPC console.
    2. Open the Route Tables pane in the navigation bar on the right side of the screen.
    3. Choose the route table associated with the subnet that contains your instance, and then select the Routes tab. Make sure that there is a default route (0.0.0.0/0) via the Internet gateway, or a more specific route covering your desktop’s IP address, so that instances in the VPC can communicate with the Internet or with your desktop.
      Note: If you are connecting to the instance from your corporate network, in the route table, specify your company’s IP address range instead of the default route.
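Steps 5 through 8 are each a small rule-evaluation problem, and it helps to see the evaluation order written down: security groups are stateful (one inbound rule is enough), network ACLs are stateless and first-match by rule number (so the outbound ephemeral-port rule matters), and the route lookup is a longest-prefix match that must land on an Internet gateway attached to the VPC. The script below is an added example, not code from this article or from AWS: it runs those checks offline against constructed sample data laid out in the same shape as the JSON returned by `aws ec2 describe-security-groups`, `describe-network-acls`, `describe-route-tables` and `describe-internet-gateways`. The resource IDs (`vpc-0000example`, `igw-0000example`, `sg-0000example`) and the 203.0.113.0/24 admin network are placeholders, and the ephemeral-port check is a spot check at the range boundaries rather than a sweep of every port.

```python
"""Offline checker for steps 5-8 of the SSH-to-VPC checklist (added example, not AWS code).

No AWS API calls are made; the sample data below is constructed and uses
placeholder resource IDs, in the same JSON shape the describe-* calls return.
"""
import ipaddress

SSH_PORT = 22
# Spot-check ports: AWS's recommended NACL range (1024-65535) plus the start of
# the Linux (32768) and Windows (49152) client ephemeral ranges.
PROBE_PORTS = (1024, 32768, 49152, 65535)

# ---- constructed sample data (placeholder IDs) ----
VPC_ID = "vpc-0000example"
IGW_ID = "igw-0000example"

SECURITY_GROUPS = [{
    "GroupId": "sg-0000example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},   # SSH only from the admin network
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}]

NACL_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    # The implicit '*' rule AWS shows as RuleNumber 32767: deny everything else.
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]

ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"},
]}

INTERNET_GATEWAYS = [{"InternetGatewayId": IGW_ID,
                      "Attachments": [{"VpcId": VPC_ID, "State": "available"}]}]


def _contains(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows_ssh(security_groups, client_ip):
    """Step 5: security groups are stateful, so one inbound TCP/22 rule covering the client suffices."""
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("tcp", "-1"):
                continue
            if proto == "tcp" and not perm["FromPort"] <= SSH_PORT <= perm["ToPort"]:
                continue
            if any(_contains(r["CidrIp"], client_ip) for r in perm.get("IpRanges", [])):
                return True
    return False


def nacl_decision(entries, egress, remote_ip, port):
    """Step 6: NACLs are stateless; rules are evaluated in ascending RuleNumber, first match wins.

    Returns 'allow' or 'deny'; anything not matched by an explicit rule is denied.
    """
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("6", "-1"):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        if _contains(e["CidrBlock"], remote_ip):
            return e["RuleAction"]
    return "deny"


def igw_attached(internet_gateways, vpc_id):
    """Step 7: IDs of Internet gateways attached (state 'available') to the VPC."""
    return {g["InternetGatewayId"] for g in internet_gateways
            if any(a["VpcId"] == vpc_id and a["State"] == "available" for a in g["Attachments"])}


def matching_route(route_table, client_ip):
    """Step 8: longest-prefix match among active routes for the client's address."""
    best = None
    for r in route_table["Routes"]:
        cidr = r.get("DestinationCidrBlock")
        if not cidr or r.get("State") != "active" or not _contains(cidr, client_ip):
            continue
        if best is None or (ipaddress.ip_network(cidr, strict=False).prefixlen
                            > ipaddress.ip_network(best["DestinationCidrBlock"], strict=False).prefixlen):
            best = r
    return best


def diagnose(client_ip, security_groups=SECURITY_GROUPS, nacl_entries=NACL_ENTRIES,
             route_table=ROUTE_TABLE, internet_gateways=INTERNET_GATEWAYS, vpc_id=VPC_ID):
    """Return a list of findings keyed to the checklist step; an empty list means steps 5-8 pass."""
    findings = []
    if not sg_allows_ssh(security_groups, client_ip):
        findings.append(f"step 5: no security group rule allows TCP/22 from {client_ip}")
    if nacl_decision(nacl_entries, False, client_ip, SSH_PORT) != "allow":
        findings.append(f"step 6: inbound network ACL denies TCP/22 from {client_ip}")
    blocked = [p for p in PROBE_PORTS if nacl_decision(nacl_entries, True, client_ip, p) != "allow"]
    if blocked:
        findings.append(f"step 6: outbound network ACL denies SSH replies to {client_ip} on ephemeral ports {blocked}")
    attached = igw_attached(internet_gateways, vpc_id)
    if not attached:
        findings.append(f"step 7: no Internet gateway is attached to {vpc_id}")
    route = matching_route(route_table, client_ip)
    if route is None or route.get("GatewayId") not in attached:
        findings.append(f"step 8: no active route for {client_ip} via an attached Internet gateway")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, diagnose(ip) or "reachable: steps 5-8 pass")
```

Feeding real output from the describe-* calls into `diagnose` is a matter of loading the JSON and passing the relevant lists; the point of the sample is the evaluation order, in particular that removing the outbound 1024-65535 rule produces a step 6 finding even though the inbound rule and the security group are both correct.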

If you are still experiencing problems, then you should investigate potential conflicts with your local firewall rules or local routing table.



Published: 2016-07-19