
I've taken the following steps:

  1. Created a VPC (with a single public subnet)
  2. Added an EC2 instance to the VPC
  3. Allocated an elastic IP
  4. Associated the elastic IP with the instance
  5. Created a security group and assigned it to the instance
  6. Modified the security rules to allow inbound ICMP echo and TCP on port 22

I've done all this and I still can't ping or ssh into the instance. If I follow the same steps minus the VPC bits I am able to set this up without issue. What step am I missing?

Ryan Lynch

  • Did you assign a gateway and a route to the VPC subnet? – zorlem Apr 06 '13 at 04:48
  • If I go to Internet Gateways, there is a gateway assigned to the VPC. How do I check if a route has been assigned? – Ryan Lynch Apr 06 '13 at 04:52
  • Is route a route table? – Ryan Lynch Apr 06 '13 at 04:55
  • Yes, you need to assign an "internet gateway" to the public routing table. – zorlem Apr 06 '13 at 04:58
  • Excellent, thanks man. If you put it in the form of an answer I'll accept it. In your answer, could you also specify what exactly to put into the routes table? I put in 0.0.0.0/0 and the target as the internet gateway, but that doesn't sound like the right thing to do. – Ryan Lynch Apr 06 '13 at 05:07
  • That's exactly the thing you need to do. Amazon tried to simplify the config recently with some sane(?) defaults, but it is very easy to mess it up. I've had similar issues with VPC and public networks before. – zorlem Apr 06 '13 at 05:33
  • When you create a public subnet and launch an instance in that public subnet, the public subnet needs to have a route table which will route the traffic to the internet gateway back and forth. Did you also add the ACL? If you did, then make sure it is attached to your VPC and that you have allowed all the connections which you need to ssh into your Linux EC2. I am very new to AWS, but according to my knowledge this should help you a bit; if I am wrong, please correct me. – Sep 20 '16 at 14:11

5 Answers


To communicate outside of the VPC, each non-default subnet needs a routing table and an internet gateway associated with it (the default subnets get an external gateway and a routing table by default).

Depending on the way you created the public subnet in the VPC, you might need to add them explicitly. Your VPC setup sounds like it matches Scenario 1 ("a private cloud (VPC) with a single public subnet, and an Internet gateway to enable communication over the Internet") from the AWS VPC documentation.

You will need to add an internet gateway to your VPC and inside the Public subnet's routing table assign 0.0.0.0/0 (default route) to go to the assigned internet gateway. There is a nice illustration of the exact network topology inside the documentation.

Also, for more information, you can check the VPC Internet Gateway AWS documentation. Unfortunately it's a little messy and a non-obvious gotcha.

For more details about connection issues, see also: Troubleshooting Connecting to Your Instance.

kenorb
zorlem

  • In addition to assigning the default route for the internet gateway I also had to associate the subnet with the routing table. But once I had done these two things I was up and running. Thanks. – Sam Kenny Oct 17 '13 at 15:41
  • VPC management > Route Table > [Routes] > Add, 0.0.0.0/0, dropdown to pick your internet gateway – Scott R. Frost Nov 11 '16 at 19:25
  • I will throw this out there for the internet to learn from my mistake. If your route to the Internet Gateway has destination 0.0.0.0/32 then it will not work. The route needs to be changed to 0.0.0.0/0 as specified in Zorlem's answer. – Douglas Held Jul 21 '17 at 15:36
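An added example, not code from this answer or its commenters: a small audit that checks the three things the answer and the comments above call for (an internet gateway attached to the VPC, a 0.0.0.0/0 route to it rather than the /32 mistake, and the subnet actually associated with that route table). It runs over constructed data shaped like the AWS describe-internet-gateways and describe-route-tables API responses, so the field names are an assumption and no AWS account is needed:

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-internet-gateways` and
# `describe-route-tables` output (assumption: AWS API field names; ids and CIDRs
# are made up). The public subnet's IGW route carries the /32 mistake on purpose.
VPC_ID = "vpc-example"
INTERNET_GATEWAYS = [{"InternetGatewayId": "igw-example",
                      "Attachments": [{"VpcId": VPC_ID, "State": "available"}]}]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": VPC_ID,
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public", "VpcId": VPC_ID,
     "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/32", "GatewayId": "igw-example"}]},
]

def audit_subnet(subnet_id, route_tables=ROUTE_TABLES, igws=INTERNET_GATEWAYS,
                 vpc_id=VPC_ID):
    """Return the reasons a subnet cannot reach the internet through an IGW; [] means OK."""
    findings = []
    attached = {g["InternetGatewayId"] for g in igws
                if any(a["VpcId"] == vpc_id and a["State"] == "available"
                       for a in g["Attachments"])}
    if not attached:
        findings.append(f"no internet gateway is attached to {vpc_id}")
    # An explicit subnet association wins; otherwise the VPC's main table applies.
    explicit = [rt for rt in route_tables
                if any(a.get("SubnetId") == subnet_id for a in rt["Associations"])]
    if explicit:
        rt = explicit[0]
    else:
        rt = next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))
        findings.append(f"{subnet_id} is not associated with a route table; "
                        f"main table {rt['RouteTableId']} applies")
    igw_routes = [r for r in rt["Routes"] if r.get("GatewayId", "").startswith("igw-")]
    if not igw_routes:
        findings.append(f"{rt['RouteTableId']} has no route to an internet gateway")
    for r in igw_routes:
        # The default route must be 0.0.0.0/0; a /32 matches no real destination.
        if ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen != 0:
            findings.append(f"route {r['DestinationCidrBlock']} -> {r['GatewayId']} "
                            "is not a default route; use 0.0.0.0/0")
        if r["GatewayId"] not in attached:
            findings.append(f"route targets {r['GatewayId']}, which is not attached to {vpc_id}")
    return findings
```

Against the sample data `audit_subnet("subnet-public")` reports only the /32 route, and a subnet with no explicit association falls through to the main table, which has no IGW route at all.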

Not sure if this is exactly this case, but I just created a VPC with Public and Private Subnets and noticed that there is a default security group that has the source address as the same security group name. Effectively it has no access. Had to change this source to Anywhere and it started working.

dil

  • Hello, I'm testing that Scenario 2 too. Public and private instance in public and private subnet. The point is I don't understand how the private instance could be able to access the Internet and update software. – The One Jul 01 '16 at 06:54
  • Thanks, this was my problem, I was assuming that meant all instances inside the VPC had access – Santthosh Nov 22 '16 at 16:58

I've noticed that (I think) you need to be careful about which availability zone your instance is created in. The subnet, network interface and instance need to be in the same availability zone; otherwise there is no way to connect to a public IP for that instance.

I may be wrong, but I don't think so; this has cost me 12 hours of work to figure out.

Hope this helps someone else.

malsmith

  • That's correct. Scenario 1, as mentioned in the answer, is where you create a `/16` VPC and then create a `/24` in each AZ you want to work in – Machavity Dec 23 '14 at 16:37

You should allocate an ENI and assign the Elastic IP to this ENI. Also, you should assign this ENI to your VPC. The route table must be correct too, to correctly forward the outside packets to your VPC.

  • I believe that adding an ENI is needed when you want additional network interfaces on your instances, by default they come with one NIC. – zorlem Apr 06 '13 at 05:57

Since SSH is a stateful protocol, you need to make sure that you have the following OUTBOUND rule in your network ACL:

Rule #  Type            Protocol        Port Range      Destination     Allow / Deny
100     Custom TCP Rule TCP (6)         49152-65535     0.0.0.0/0       ALLOW
womble
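Added example, not womble's code: a small evaluator for the stateless, first-match-wins network ACL logic, showing why an inbound rule for port 22 alone is not enough and the outbound ephemeral-port rule from the table above is needed for the SSH reply traffic. The entries are constructed in the shape of the describe-network-acls API response (field names assumed), with the two rules the answer describes plus the implicit final deny in each direction:

```python
import ipaddress

# Constructed network ACL entries in the shape of `aws ec2 describe-network-acls`
# output (assumption: AWS API field names; the rules are made up). Rule 32767 is
# the implicit final deny ("*") in each direction.
NACL_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 49152, "To": 65535}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

def nacl_decision(entries, egress, protocol, port, addr):
    """Network ACLs are stateless: each direction is evaluated on its own, rules are
    tried in ascending RuleNumber order and the first match decides."""
    ip = ipaddress.ip_address(addr)
    for e in sorted((e for e in entries if e["Egress"] == egress),
                    key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"]
    return "deny"

def ssh_session_allowed(entries, client_ip, client_port):
    """An SSH session needs the client's SYN to port 22 to pass the inbound rules
    *and* the reply from port 22 to the client's ephemeral port to pass the outbound
    rules; a stateful security group does the second half for you, a NACL does not."""
    inbound = nacl_decision(entries, False, "6", 22, client_ip)           # dst port 22
    outbound = nacl_decision(entries, True, "6", client_port, client_ip)  # dst = client's port
    return inbound == "allow" and outbound == "allow"
```

One caveat the evaluator makes visible: 49152-65535 is the IANA ephemeral range, but a Linux client's default source ports (net.ipv4.ip_local_port_range) start at 32768, so with the rule exactly as quoted a reply to a client that picked port 40000 is denied; AWS's own documentation suggests opening 1024-65535 for that reason.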