
I am unable to access an AWS AMI instance even after setting the inbound rules to allow all traffic:

[screenshot of the security group inbound rules omitted]

I get this error:

This site can’t be reached
X.XX.XXX.XX refused to connect.
Try:

Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

How can I fix this?

3 Answers


  1. I would:

    1. Make sure your inbound rules are as you have shown and that your outbound rules do allow all traffic to exit.

    2. In the EC2 Dashboard click on the Instances (running) and then click on the Instance ID. Click on the VPC ID for that instance and then on Main network ACL. Click now on the Network ACL ID and confirm your Inbound rules, Outbound rules and Subnet associations. Make sure nothing here is blocking access. By default the Inbound and Outbound rules will allow all traffic and all subnets will be there.

    3. You do not say so, but I imagine you have SSH access to the instance. Make sure HTTP and HTTPS services are running and listening for connections on the interface IP address and not on 127.0.0.1; something like this:
      [screenshot omitted]

    4. Make sure IPtables is not blocking access. If you have existing rules you may want to clear them so that they look like:
      [screenshot omitted]

    5. Run tcpdump and look for traffic on ports 80 or 443.
      [screenshot omitted]

    6. If still not working… make sure you are accessing the right IP address. If you’re not using an elastic IP and you restarted the instance, it will have a new public IP address.

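    The bind-address check in step 3 is the one that most often explains a bare ERR_CONNECTION_REFUSED: the daemon is up, but only on loopback. The script below is an added example, not part of the answer; it parses `ss -ltn` output (constructed samples included) and reports whether a port is reachable from outside the host.

    ```sh
    #!/bin/sh
    # Added example for the troubleshooting steps above (not from the thread):
    # decide, from the output of `ss -ltn`, whether a web service is listening
    # on an address that remote clients can reach. A daemon bound only to
    # 127.0.0.1 or [::1] answers on the host itself yet refuses remote connections.

    # check_listener PORT SS_OUTPUT
    # Prints "external" (bound to 0.0.0.0, [::], * or an interface IP),
    # "loopback-only" (only 127.0.0.1/[::1] listeners) or "none" (nothing listening).
    check_listener() {
      printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "LISTEN" {
          # Field 4 is Local Address:Port, e.g. 127.0.0.1:80, [::]:80 or *:80
          n = split($4, parts, ":"); p = parts[n]
          if (p != port) next
          addr = substr($4, 1, length($4) - length(p) - 1)
          if (addr == "127.0.0.1" || addr == "[::1]") {
            if (verdict == "") verdict = "loopback-only"
          } else {
            verdict = "external"
          }
        }
        END { print (verdict == "" ? "none" : verdict) }'
    }

    # Constructed sample: web server bound to loopback only, sshd on all interfaces.
    SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
    LISTEN 0      511        127.0.0.1:80       0.0.0.0:*
    LISTEN 0      128          0.0.0.0:22       0.0.0.0:*'

    # Constructed sample: web server correctly bound to all IPv4 and IPv6 addresses.
    SAMPLE_EXTERNAL='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
    LISTEN 0      511          0.0.0.0:80       0.0.0.0:*
    LISTEN 0      511             [::]:443         [::]:*'

    # Run the same check against the live host when invoked with --live.
    if [ "${1:-}" = "--live" ]; then
      for port in 80 443; do
        echo "port $port: $(check_listener "$port" "$(ss -ltn)")"
      done
    fi
    ```

    A "loopback-only" verdict means the server's listen directive needs to be widened before any security group or NACL change will help; "none" means the service is not running at all.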
  2. Is your EC2 on a VPC that permits public IP addresses? This can commonly happen when you have accidentally attached the EC2 to a private VPC.

    If this is the case, make an AMI of the EC2 and re-create it on the public VPC.

    Edit: I had perhaps assumed the issue was simpler than it might be. Dan M explains how to ensure that the HTTP and HTTPS daemons are running, but you could also confirm that it’s working "correctly" by running curl http://localhost from the EC2 itself. If this returns the HTML you’re expecting, then I would recommend going to the AWS VPC Network Reachability Analyzer – https://eu-west-2.console.aws.amazon.com/vpc/home?region=eu-west-2#ReachabilityAnalyzer (but you’ll need to select the correct region obvs) and creating a "path" to test. When this fails (assuming it fails) the report should tell you everything you need to know, and if you’re unsure about how to interpret it, post it in here.

    [screenshot omitted]

    NB: perhaps create a path from the internet gateway to the network interface on your EC2 webserver, and define the Destination port - optional as 80.

  3. If this is a NAT instance, you must stop source / destination checking. A NAT instance must be able to send and receive traffic when the source or destination is not itself.

    Source / destination check: Stop checking
