Make sure your inbound rules are as you shown and that your outbound rules do allow all traffic to exit.
In the EC2 Dashboard click on the Instances (running) and then click on the Instance ID. Click on the VPC ID for that instance and then on Main network ACL. Click now on the Network ACL ID and confirm your Inbound rules, Outbound rules and Subnet associations. Make sure nothing here is blocking access. By default the Inbound and Outbound rules will allow all traffic and all subnets will be there.
You do not say so, but I imagine you have SSH access to the instance. Make sure HTTP and HTTPS services are running and listening for connections on the interface IP address and not on 127.0.0.1; something like this:
Make sure IPtables is not blocking access. If you have existing rules you may want to clear them so that they look like:
Run tcpdump and look for traffic on ports 80 or 443
If still not working… make sure you are accessing the right IP address; If you’re not using an elastic IP and your restarted the instance it will have a new public IP address.
Is your EC2 on a VPC that permits public IP addresses? This can commonly happen when you have accidentally attached the EC2 to a private VPC.
If this is the case make an AMI of the EC2 and re-create it on the public VPC.
Edit:… I had perhaps assumed the issue was simpler than it might be, Dan M explains how to ensure that the HTTP and HTTPS daemon are running, but you could also confirm that it’s working "correctly" by running curl http://localhost from the EC2 itself… if this returns the HTML you’re expecting then I would recommend going to AWS VPC Network Reachability Analyzer – https://eu-west-2.console.aws.amazon.com/vpc/home?region=eu-west-2#ReachabilityAnalyzer (but you’ll need to select the correct region obvs) and create a "path" to test, when this fails (assuming it fails) the report should tell you everything you need to know, and if you’re unsure about how to interpret this, post it in here.
NB: perhaps create a path from the internet gateway to the network interface on your EC2 webserver, and define the Destination port - optional as 80.
If this is a NAT instance, you must stop source / destination checking. A NAT instance must be able to send and receive traffic when the source or destination is not itself.
3
Answers
I would:
Make sure your inbound rules are as you shown and that your outbound rules do allow all traffic to exit.
In the EC2 Dashboard click on the Instances (running) and then click on the Instance ID. Click on the VPC ID for that instance and then on Main network ACL. Click now on the Network ACL ID and confirm your Inbound rules, Outbound rules and Subnet associations. Make sure nothing here is blocking access. By default the Inbound and Outbound rules will allow all traffic and all subnets will be there.
You do not say so, but I imagine you have SSH access to the instance. Make sure HTTP and HTTPS services are running and listening for connections on the interface IP address and not on 127.0.0.1; something like this:
Make sure IPtables is not blocking access. If you have existing rules you may want to clear them so that they look like:
Run tcpdump and look for traffic on ports 80 or 443
If still not working… make sure you are accessing the right IP address; If you’re not using an elastic IP and your restarted the instance it will have a new public IP address.
Is your EC2 on a VPC that permits public IP addresses? This can commonly happen when you have accidentally attached the EC2 to a private VPC.
If this is the case make an AMI of the EC2 and re-create it on the public VPC.
Edit:… I had perhaps assumed the issue was simpler than it might be, Dan M explains how to ensure that the HTTP and HTTPS daemon are running, but you could also confirm that it’s working "correctly" by running
curl http://localhost
from the EC2 itself… if this returns the HTML you’re expecting then I would recommend going to AWS VPC Network Reachability Analyzer – https://eu-west-2.console.aws.amazon.com/vpc/home?region=eu-west-2#ReachabilityAnalyzer (but you’ll need to select the correct region obvs) and create a "path" to test, when this fails (assuming it fails) the report should tell you everything you need to know, and if you’re unsure about how to interpret this, post it in here.NB: perhaps create a path from the internet gateway to the network interface on your EC2 webserver, and define the
Destination port - optional
as80
.If this is a NAT instance, you must stop source / destination checking. A NAT instance must be able to send and receive traffic when the source or destination is not itself.