I am learning AWS and Terraform, following an Udemy course on the topic.

I set up an instance and added the necessary network rules, but I can't reach the instance through its public IP, either in the browser (port 8080) or by SSH (port 22).

For SSH, the error is:

ssh: connect to host *ip here* port 22: Connection timed out

For HTTP:

Unable to connect
Firefox can't establish a connection to the server at *ip*:8080

main.tf

provider "aws" {
  region = "eu-west-3"
}

variable "vpc_cidr_block" {}
variable "subnet_cidr_block" {}
variable "avail_zone" {}
variable "env_prefix" {}
variable "my_ip" {}
variable "instance_type" {}
variable "public_key_location" {}

resource "aws_vpc" "myapp-vpc" {
  cidr_block = var.vpc_cidr_block
  tags = {
    Name = "${var.env_prefix}-vpc"
  }
}

resource "aws_subnet" "myapp-subnet-1" {
  vpc_id = aws_vpc.myapp-vpc.id
  cidr_block = var.subnet_cidr_block
  availability_zone = var.avail_zone
  tags = {
    Name = "${var.env_prefix}-subnet-1"
  }
}

resource "aws_internet_gateway" "myapp-igw" {
  vpc_id = aws_vpc.myapp-vpc.id
  tags = {
    Name = "${var.env_prefix}-igw"
  }
}

resource "aws_default_route_table" "main-rtb" {
  default_route_table_id = aws_vpc.myapp-vpc.default_route_table_id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.myapp-igw.id
  }
  tags = {
    Name = "${var.env_prefix}-main-rtb"
  }
}

resource "aws_default_security_group" "default-sg" {
  vpc_id = aws_vpc.myapp-vpc.id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.my_ip]
  }

  ingress {
    from_port   = 8080
    to_port     = 8080
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port       = 0
    to_port         = 0
    protocol        = "-1"
    cidr_blocks     = ["0.0.0.0/0"]
    prefix_list_ids = []
  }

  tags = {
    Name = "${var.env_prefix}-default-sg"
  }
}

data "aws_ami" "latest-amazon-linux-image" {
  most_recent = true
  owners = ["amazon"]
  filter {
    name = "name"
    values = ["amzn2-ami-hvm-*-x86_64-gp2"]
  }
  filter {
    name = "virtualization-type"
    values = ["hvm"]
  }
}

output "aws_ami_id" {
  value = data.aws_ami.latest-amazon-linux-image.id
}

output "ec2_public_ip" {
  value = aws_instance.myapp-server.public_ip
}

resource "aws_key_pair" "ssh-key" {
  key_name = "server-key"
  public_key = file(var.public_key_location)
}

resource "aws_instance" "myapp-server" {
  ami                         = data.aws_ami.latest-amazon-linux-image.id
  instance_type               = var.instance_type
  subnet_id                   = aws_subnet.myapp-subnet-1.id
  vpc_security_group_ids      = [aws_default_security_group.default-sg.id]
  availability_zone           = var.avail_zone
  associate_public_ip_address = true
  key_name = aws_key_pair.ssh-key.key_name

  user_data = file("entry-script.sh")

  tags = {
    Name = "${var.env_prefix}-server"
  }
}

entry-script.sh

#!/bin/bash
# Runs once at first boot via cloud-init (user_data): install and start Docker,
# let ec2-user run docker without sudo, then serve nginx on host port 8080.
sudo yum update -y && sudo yum install -y docker
sudo systemctl start docker
sudo usermod -aG docker ec2-user
# -d detaches the container so cloud-init is not blocked waiting on it
docker run -d -p 8080:80 nginx

Security Group’s inbound rules

| Name | Security group rule ID | IP version | Type | Protocol | Port range | Source | Description |
|---|---|---|---|---|---|---|---|
| – | sgr-0bcbda1a7b9d6e6a8 | IPv4 | SSH | TCP | 22 | *myIpHere*/32 | – |
| – | sgr-02ebfb5a794a8bd17 | IPv4 | Custom TCP | TCP | 8080 | 0.0.0.0/0 | – |

Subnet’s Route Table

| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw-0c111019740d3621b |

Network ACL Inbound

| Rule number | Type | Protocol | Port range | Source | Allow/Deny |
|---|---|---|---|---|---|
| 100 | HTTP* (8080) | TCP (6) | 8080 | 0.0.0.0/0 | Allow |
| * | All traffic | All | All | 0.0.0.0/0 | Deny |

What I’ve tried so far:

  1. Re-check main.tf, set-up on AWS, docs
  2. Re-generate SSH keys
  3. Check local firewall settings
  4. Destroy and apply everything (5+ times)
  5. Try from other computer

My suspicion is on the ACL inbound rule with number *, but the AWS UI does not allow me to edit or remove it (I don't know why).

I’ve been stuck on this for 2 days now, so any help or guidance is appreciated.

2 Answers


  1. You didn't state what the error is when you try to ssh.

    • If it is a connection timeout, it has to be a network issue.
    • If it is permission denied, it is an ssh-related issue. You might be connecting with the wrong key or the wrong user: for example, ubuntu for an Ubuntu OS, ec2-user for an Amazon Linux AMI.

    In general, if you are a newbie in AWS, do things by hand first, then automate them. Automating what you don't know is never a good idea. Also try creating it in the default VPC first instead of a new one; for example, enable_dns_hostnames is not enabled by default on new VPCs.

  2. It is probably due to the NACLs: they are stateless, so you need to add the ephemeral port range (1024 – 65535, so not just port 22!) for the other side of the rule. See here for some more information:

    https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-ephemeral-ports

    Also it could help if you post the VPC flow logs for this ENI after connecting through SSH. This can help debug the problem to see if the problem is on the outbound or the inbound connection.

    Security groups are stateful so they automatically allow the other side of the traffic.

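As an added example (not code from the question, the course, or either answer), here is what a custom network ACL for the subnet in main.tf looks like once the stateless nature described in the second answer is accounted for. The inbound table in the question allows only port 8080, so the block also adds the port 22 rule; the inbound 1024–65535 rule and the outbound 80/443 rules are my additions so that the instance's own outbound connections (the yum and docker pull in entry-script.sh) get their replies back. It assumes the resource and variable names from the question's main.tf (aws_vpc.myapp-vpc, aws_subnet.myapp-subnet-1, var.my_ip, var.env_prefix).

```hcl
# Added example, not part of the question's main.tf.
# Unlike the security group, a NACL is stateless: every packet in each
# direction is checked against the rules, so the reply half of a TCP
# connection must be allowed explicitly on the ephemeral port range.
resource "aws_network_acl" "myapp-nacl" {
  vpc_id     = aws_vpc.myapp-vpc.id
  subnet_ids = [aws_subnet.myapp-subnet-1.id] # assumed name from the question

  # Inbound, request side: SSH only from my_ip (must be a CIDR, e.g. x.x.x.x/32)
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = var.my_ip
    from_port  = 22
    to_port    = 22
  }

  # Inbound, request side: the nginx port published by entry-script.sh
  ingress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 8080
    to_port    = 8080
  }

  # Inbound, reply side: responses to connections the instance opened
  # (yum update, docker pull) arrive on the instance's ephemeral ports
  ingress {
    rule_no    = 120
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }

  # Outbound, reply side: SSH and HTTP responses go back to the client's
  # ephemeral port, so the rule is NOT "port 22" or "port 8080" here
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }

  # Outbound, request side: the instance's own HTTP/HTTPS fetches
  egress {
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 80
    to_port    = 80
  }
  egress {
    rule_no    = 120
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }

  # Anything not matched above falls through to the fixed "*" deny rule,
  # which is why that rule cannot be edited or removed in the console.

  tags = {
    Name = "${var.env_prefix}-nacl"
  }
}
```

The security group from the question stays as it is: because it is stateful, its two inbound rules already cover the return traffic, and its egress rule covers the instance's outbound requests. When checking the result, an SSH attempt that still times out after applying this points back at the route table or the public IP association rather than the ACL, and the VPC flow logs mentioned in the second answer will show which direction carries the REJECT.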