Ben helps you troubleshoot issues connecting to your instance


I can’t connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance inside my Amazon Virtual Private Cloud (Amazon VPC). When I try to connect, the connection hangs and I receive an error similar to Network error: Connection timed out.

Note: For Permission Denied or Connection Refused errors, see How do I troubleshoot problems connecting to my Amazon EC2 Linux instance using SSH?

Amazon Web Services (AWS) provides several layers of security for EC2 resources, including security groups and network access control lists (ACLs). Be sure to verify that your security settings for EC2 instances in your VPC allow appropriate access.

Review the following settings in your configuration:

Public and Elastic IP addresses

Verify that your instance has an associated public IP address or Elastic IP address using Determining Your Public, Private, and Elastic IP Addresses. Be sure to use this IP address when connecting to the instance.

System and instance status checks

Verify that your instance is passing system and instance status checks.

Security groups

Add a rule to your security groups to allow access to your instance from your IP address using SSH.

Network ACLs

Verify that network ACLs allow access to your instance over SSH from your IP address as follows. For a sample configuration, see Example: Controlling Access to Instances in a Subnet.

  1. Sign in to the Amazon EC2 console.
  2. In the navigation pane under Instances, choose Instances.
  3. In the content pane, select your instance.
  4. Choose the Description view.
  5. Note the Subnet ID.
  6. Sign in to the Amazon VPC console.
  7. In the navigation pane under Virtual Private Cloud, choose Subnets.
  8. In the content pane, select the subnet ID you noted before.
  9. Choose the Description view.
  10. Choose the Network ACL value.
    Important: If you have more than one subnet associated with your instance, complete steps 10-17 for each subnet.
  11. Select the network ACL again in the content pane.
  12. Choose the Inbound Rules view.
  13. Check if the inbound rules differ from the default network ACL configuration.
  14. If the rules differ, add a rule to allow inbound traffic for SSH to and from your IP address.
  15. Choose the Outbound Rules view.
  16. Check if the outbound rules differ from the default network ACL configuration.
  17. If the rules differ, add a rule to allow outbound traffic for SSH to and from your IP address.
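The inbound and outbound checks in steps 12-17 can also be run offline against an exported rule list. The following is an added example, not part of the original AWS article. It assumes the entry fields follow the shape of `aws ec2 describe-network-acls` output; the sample rules, addresses and client port are constructed. Network ACLs are stateless, so it evaluates the SSH request and the reply separately.

```python
import ipaddress

# Constructed sample shaped like the "Entries" list returned by
# `aws ec2 describe-network-acls`; CIDRs are documentation addresses.
SAMPLE_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

def nacl_verdict(entries, egress, peer_ip, port):
    """Return the action of the first matching rule for a TCP packet.

    Rules are evaluated in ascending rule number and the first match wins.
    For inbound rules `port` is the destination port on the instance; for
    outbound rules it is the destination port on the peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or "CidrBlock" not in e:  # skip IPv6 entries
            continue
        if e["Protocol"] not in ("-1", "6"):  # -1 = all protocols, 6 = TCP
            continue
        if peer not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        rng = e.get("PortRange")  # absent when the rule covers all ports
        if rng and not rng["From"] <= port <= rng["To"]:
            continue
        return e["RuleAction"]
    return "deny"  # nothing matched

def ssh_path(entries, client_ip, client_port):
    """Check both directions of an SSH session from client_ip.

    client_port is the client's ephemeral source port (an assumed value;
    the real range depends on the client operating system).
    """
    return {
        "inbound_22": nacl_verdict(entries, False, client_ip, 22),
        "outbound_reply": nacl_verdict(entries, True, client_ip, client_port),
    }

if __name__ == "__main__":
    print(ssh_path(SAMPLE_ENTRIES, "203.0.113.10", 50000))
```

In the constructed sample the inbound rule admits SSH but the outbound rules only allow port 443, so the reply is dropped and the client sees the hang and timeout described at the top of this article.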

VPC route table

Verify that your VPC route table allows traffic to and from the internet.

  1. Sign in to the Amazon EC2 console.
  2. In the navigation pane under Instances, choose Instances.
  3. In the content pane, select your instance.
  4. Choose the Description view.
  5. Note the VPC ID.
  6. Sign in to the Amazon VPC console.
  7. In the navigation pane under Virtual Private Cloud, choose Route Tables.
  8. In the content pane, select the route table of the VPC ID you noted before.
  9. Choose the Routes view.
  10. Verify that you have a default route (a route whose destination is 0.0.0.0/0) pointing to your internet gateway.
  11. If there is no default route to your internet gateway, in the navigation pane under Virtual Private Cloud, choose Internet Gateways.
  12. In the content pane, select your VPC’s internet gateway.
  13. In the Description view, note the ID value of the internet gateway.
  14. Add a new route with a Destination of 0.0.0.0/0 and a Target of your internet gateway ID that you noted before. Be sure to save your new route table configuration.

Local firewalls and routing tables

If you continue to experience connection problems, check for conflicts with your local firewall rules or local routing tables.



Published: 2016-07-19

Updated: 2019-03-21