You've just launched your shiny new EC2 instance, everything looks good in the AWS console, but when you try to connect via SSH or even ping it - nothing happens. This is a common scenario that frustrates many developers working with AWS for the first time. Let's break down the potential causes and solutions.
Before diving deep, verify these basics:
# Verify instance state
aws ec2 describe-instances --instance-ids i-1234567890abcdef0 --query 'Reservations[].Instances[].State.Name'
# Check system logs
aws ec2 get-console-output --instance-id i-1234567890abcdef0
The most common culprit is the security group. A security group is a stateful allow-list: inbound traffic is dropped unless a rule explicitly permits it, and ping needs its own ICMP rule on top of port 22, so a fresh group with no inbound rules blocks both. Here's how to fix it:
# Create a new security group; the command prints the new GroupId to use below
aws ec2 create-security-group --group-name SSH-access --description "Enable SSH access" --vpc-id vpc-1a2b3c4d
# Add inbound rule for SSH
aws ec2 authorize-security-group-ingress \
--group-id sg-903004f8 \
--protocol tcp \
--port 22 \
--cidr 0.0.0.0/0
# Better: allow only your current public IP; the 0.0.0.0/0 rule above exposes SSH to the entire internet
aws ec2 authorize-security-group-ingress \
--group-id sg-903004f8 \
--protocol tcp \
--port 22 \
--cidr $(curl -s https://checkip.amazonaws.com)/32
If the security group rules are correct (and the group is actually attached to the instance, see aws ec2 modify-instance-attribute --groups), check:
- Network ACLs on the subnet: they are stateless, so both inbound port 22 and the outbound ephemeral ports (1024-65535) used by the replies must be allowed
- Route tables: the subnet's table needs a 0.0.0.0/0 route to an internet gateway that is attached to the VPC
- Subnet configuration (public vs. private), and whether the instance actually has a public IPv4 or Elastic IP assigned
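To make the difference between the two filters concrete, here is an added Python example (not code from the original page) that evaluates a constructed security group and network ACL, in the same JSON shape the AWS CLI returns, for an SSH connection from one client address. The data deliberately contains the classic network ACL mistake: inbound 22 is allowed but the outbound ephemeral-port rule is missing, so the reply is dropped even though the security group is fine. All IDs and addresses are made up; IPv6 ranges, prefix lists and security-group references are ignored.

```python
import ipaddress

# Constructed sample, shaped like
# `aws ec2 describe-security-groups --query 'SecurityGroups[0].IpPermissions'`
SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# Constructed sample, shaped like
# `aws ec2 describe-network-acls --query 'NetworkAcls[0].Entries'`.
# Inbound 22 is allowed, but there is no outbound rule for ephemeral ports,
# so the SSH reply hits the catch-all deny (rule 32767) on the way out.
NACL_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]

PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1"}  # NACL entries use numbers


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows(perms, src_ip, proto, port):
    """Security groups are stateful allow-lists: any one matching rule admits
    the packet, and the reply is admitted automatically."""
    for p in perms:
        if p["IpProtocol"] not in ("-1", proto):
            continue
        if p["IpProtocol"] != "-1" and proto != "icmp":
            if not (p["FromPort"] <= port <= p["ToPort"]):
                continue
        if any(_in_cidr(src_ip, r["CidrIp"]) for r in p.get("IpRanges", [])):
            return True
    return False


def nacl_allows(entries, egress, remote_ip, proto, port):
    """NACLs are stateless and ordered: the lowest-numbered matching rule
    decides, so each direction has to be checked on its own."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress:
            continue
        if e["Protocol"] not in ("-1", PROTO_NUM[proto]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        cidr = e.get("CidrBlock")  # IPv6-only entries are skipped here
        if not cidr or not _in_cidr(remote_ip, cidr):
            continue
        return e["RuleAction"] == "allow"
    return False


def ssh_path(sg_perms, nacl_entries, client_ip, client_port=51000):
    """Report every hop a TCP/22 connection from client_ip has to clear,
    plus whether the group exposes SSH to the whole internet."""
    return {
        "sg_inbound": sg_allows(sg_perms, client_ip, "tcp", 22),
        "nacl_inbound": nacl_allows(nacl_entries, False, client_ip, "tcp", 22),
        # the SYN-ACK goes back to the client's ephemeral port
        "nacl_return": nacl_allows(nacl_entries, True, client_ip, "tcp", client_port),
        "ssh_world_open": any(
            p["IpProtocol"] in ("tcp", "-1")
            and (p["IpProtocol"] == "-1" or p["FromPort"] <= 22 <= p["ToPort"])
            and any(r["CidrIp"] == "0.0.0.0/0" for r in p.get("IpRanges", []))
            for p in sg_perms),
    }


if __name__ == "__main__":
    for hop, ok in ssh_path(SG_INGRESS, NACL_ENTRIES, "203.0.113.10").items():
        print(f"{hop:15} {ok}")
```

Feed it real output from the two describe commands (for example via json.load) and the "nacl_return" entry is the one people forget to check: the flow looks allowed everywhere inbound, yet the client only ever sees a timeout.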
Sometimes the issue lies within the instance itself, for example sshd not running or a host firewall (firewalld, ufw) dropping port 22. If you can get a shell by another route, check the daemon; the unit is called sshd on Amazon Linux/RHEL and ssh on Debian/Ubuntu:
# Check SSH service status
sudo systemctl status sshd    # Amazon Linux, RHEL, Fedora
sudo systemctl status ssh     # Debian, Ubuntu
# Or for older init systems:
sudo service sshd status
When SSH isn't working, AWS Systems Manager Session Manager can be a lifesaver: it gives you a shell over the SSM agent's outbound HTTPS connection, so no inbound port has to be open at all. It needs the agent running, an instance profile with the AmazonSSMManagedInstanceCore managed policy, outbound access to the SSM endpoints (or SSM VPC endpoints in a private subnet), and the Session Manager plugin installed next to your AWS CLI:
# Ensure the SSM agent is installed (Amazon Linux and Ubuntu AMIs ship it; this RPM is for x86_64 RPM-based distros)
sudo yum install -y https://s3.amazonaws.com/ec2-downloads-windows/SSMAgent/latest/linux_amd64/amazon-ssm-agent.rpm
# Start the service now and on every boot
sudo systemctl enable --now amazon-ssm-agent
# Connect via Session Manager
aws ssm start-session --target i-1234567890abcdef0
EC2 Instance Connect lets you log in without the original key pair: it pushes a throwaway public key that the instance accepts for 60 seconds. It does not bypass the network, so port 22 must still be reachable from the machine you run ssh on, and the instance needs the ec2-instance-connect package (preinstalled on Amazon Linux 2, Amazon Linux 2023 and recent Ubuntu AMIs). For an instance in a private subnet, an EC2 Instance Connect Endpoint in the VPC provides the same login without a public IP (aws ec2-instance-connect open-tunnel).
# Push your SSH public key to the instance (valid for 60 seconds)
aws ec2-instance-connect send-ssh-public-key \
--instance-id i-1234567890abcdef0 \
--instance-os-user ec2-user \
--ssh-public-key file://~/.ssh/id_rsa.pub \
--availability-zone us-east-1a
# Then connect with the matching private key within that window
ssh -i ~/.ssh/id_rsa ec2-user@<public-ip>
For persistent issues, enable VPC Flow Logs to see whether traffic reaches the instance's network interface at all and whether it is ACCEPTed or REJECTed. Delivery to CloudWatch Logs requires an IAM role that the flow logs service can assume to write to the log group:
# Create flow log (the role ARN and resource IDs are placeholders)
aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids vpc-1a2b3c4d \
--traffic-type ALL \
--log-destination-type cloud-watch-logs \
--log-group-name "VPCFlowLogs" \
--deliver-logs-permission-arn arn:aws:iam::123456789012:role/flowlogs-role
When setting up a new EC2 instance, the most common connectivity issues stem from security group misconfiguration rather than instance health problems. An instance that shows "running" in the AWS console but times out on ping and SSH is almost always being blocked at the network layer. The error text narrows it down further: a timeout means nothing answered, "Connection refused" means a host answered but nothing is listening on port 22, and "Permission denied (publickey)" means the network path is fine and the key is wrong.
Here's your rapid diagnostic checklist:
- Security Group Rules: Must allow inbound TCP 22 (SSH) from your source IP, plus ICMP if you expect ping to work
- Network ACLs: Evaluated independently of security groups and stateless, so the subnet ACL must allow inbound port 22 and outbound ephemeral ports (1024-65535) for the replies; the default ACL allows both
- Instance Status Checks: Verify both system and instance status
- VPC Configuration: Ensure the subnet's route table sends 0.0.0.0/0 to an internet gateway attached to the VPC, and that the instance has a public IP
Security Group Validation: Run this AWS CLI command to check your security group rules:
aws ec2 describe-security-groups \
--group-ids sg-yourgroupid \
--query 'SecurityGroups[0].IpPermissions'
You should see a rule like the following (this example admits SSH from anywhere; in practice replace 0.0.0.0/0 with your own /32):
[
{
"FromPort": 22,
"IpProtocol": "tcp",
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"ToPort": 22
}
]
Public IP Assignment: Ensure your instance has a public IP if it's in a public subnet. Check with:
aws ec2 describe-instances \
--instance-ids i-yourinstanceid \
--query 'Reservations[0].Instances[0].PublicIpAddress'
Key Pair Association: Verify which key pair the instance was launched with; a mismatch produces "Permission denied (publickey)", not a timeout:
aws ec2 describe-instances \
--instance-ids i-yourinstanceid \
--query 'Reservations[0].Instances[0].KeyName'
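Putting the public IP, route table and key pair checks together, here is an added Python example (not from the original page) that runs them over constructed describe-instances and describe-route-tables output. It also spells out the route table lookup the checklist depends on: a subnet with no explicit association uses the VPC main route table, and a subnet is public only if its table sends 0.0.0.0/0 to an internet gateway. All IDs are made up.

```python
# Constructed sample, shaped like the relevant parts of
# `aws ec2 describe-instances` output (real output has many more keys).
INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",
    "State": {"Name": "running"},
    "VpcId": "vpc-0abc",
    "SubnetId": "subnet-0private",
    "KeyName": "ops-key",
    # "PublicIpAddress" is simply absent when the instance has none, as here.
}

# Constructed sample, shaped like `aws ec2 describe-route-tables` output.
ROUTE_TABLES = [
    {   # VPC main route table: local route only, so any subnet that falls
        # back to it is private
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # explicitly associated public subnet with a default route to an IGW
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-0public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
]


def route_table_for_subnet(route_tables, subnet_id):
    """A subnet uses its explicitly associated table, else the VPC main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(rt):
    """True if 0.0.0.0/0 points at an internet gateway (igw-...). A NAT
    gateway on that route gives outbound access only; no such route means
    the subnet is private."""
    if not rt:
        return False
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and str(r.get("GatewayId", "")).startswith("igw-")
        for r in rt.get("Routes", [])
    )


def triage(instance, route_tables, local_key_name):
    """Return the reasons an SSH attempt from the internet would fail or be
    misdiagnosed, in the order you should fix them."""
    findings = []
    state = instance["State"]["Name"]
    if state != "running":
        findings.append(f"instance is {state}, not running")
    if not instance.get("PublicIpAddress"):
        findings.append("no public IPv4 address: associate an Elastic IP, or "
                        "use Session Manager / an EC2 Instance Connect Endpoint")
    rt = route_table_for_subnet(route_tables, instance["SubnetId"])
    if not has_igw_default_route(rt):
        findings.append("subnet route table has no 0.0.0.0/0 -> igw- route "
                        "(private subnet)")
    if instance.get("KeyName") != local_key_name:
        findings.append(f"launched with key pair {instance.get('KeyName')!r}, "
                        f"not {local_key_name!r}: expect 'Permission denied "
                        "(publickey)', not a timeout")
    return findings


if __name__ == "__main__":
    for finding in triage(INSTANCE, ROUTE_TABLES, "laptop-key"):
        print("-", finding)
```

The sample instance is in a subnet that falls back to the main route table and has no public address, so the first two findings fire; passing a key name other than ops-key adds the third, which is the one case where the network is not your problem.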
When basic checks don't resolve the issue, try these steps:
- Launch a throwaway instance in a known-good public subnet (or another availability zone) to see whether the problem follows the subnet
- Create a new security group with only the rules you need and attach it, to rule out a rule you overlooked
- Use VPC Flow Logs to see whether your packets reach the instance's network interface and whether they are ACCEPTed or REJECTed
To enable VPC Flow Logs (the IAM role must allow the flow logs service to write to the log group):
aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids vpc-yourvpcid \
--traffic-type ALL \
--log-group-name VPCFlowLogs \
--deliver-logs-permission-arn arn:aws:iam::your-account-id:role/flowlogs-role
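Both create-flow-logs commands on this page deliver records in the default flow log format. Here is an added Python example (not from the original page) that parses a few constructed records and answers the question you enabled flow logs for: did my SYNs reach the instance's interface, and were they ACCEPTed or REJECTed? A REJECT on port 22 means the packet arrived and a security group or network ACL dropped it; no record at all means it never reached the ENI (no public IP, wrong address, or routing). The account, ENI and addresses are made up.

```python
from collections import Counter

# Constructed records in the default VPC Flow Logs format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_RECORDS = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51000 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51001 22 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 44321 22 6 12 2600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.99 10.0.1.25 40001 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000120 1700000180 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


def parse_flow_records(text):
    """Parse default-format records. NODATA/SKIPDATA lines carry no
    addresses or ports (they are '-'), so they are dropped before the
    integer conversion."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def ssh_verdict(records, client_ip, dst_port=22):
    """Classify what the interface saw from client_ip on dst_port (TCP=6):
    all REJECT -> a security group or NACL dropped it at the ENI;
    nothing    -> the packets never reached the ENI."""
    hits = [r for r in records
            if r["srcaddr"] == client_ip and r["dstport"] == dst_port
            and r["protocol"] == 6]
    if not hits:
        return "no-traffic-seen"
    if all(r["action"] == "REJECT" for r in hits):
        return "rejected-by-sg-or-nacl"
    return "accepted"


def reject_summary(records, dst_port=22):
    """Count rejected TCP connections to dst_port per source address; useful
    both for spotting your own blocked attempts and for seeing who else is
    knocking on port 22."""
    return Counter(r["srcaddr"] for r in records
                   if r["action"] == "REJECT" and r["dstport"] == dst_port
                   and r["protocol"] == 6)


if __name__ == "__main__":
    recs = parse_flow_records(SAMPLE_RECORDS)
    print(ssh_verdict(recs, "203.0.113.10"))
    print(reject_summary(recs))
```

Pipe the raw record lines from the log group into parse_flow_records (for example the message field of aws logs filter-log-events) and call ssh_verdict with the address you found via checkip.amazonaws.com; "no-traffic-seen" sends you back to the public IP and route table checks, "rejected-by-sg-or-nacl" to the security group and ACL rules.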
Use AWS's built-in connectivity analysis, VPC Reachability Analyzer, which evaluates your security groups, network ACLs, route tables and gateways for a given path without sending any packets (it is billed per analysis):
aws ec2 create-network-insights-path \
--source igw-yourigwid \
--destination i-yourinstanceid \
--protocol tcp \
--destination-port 22
aws ec2 start-network-insights-analysis \
--network-insights-path-id nip-yourpathid
aws ec2 describe-network-insights-analyses \
--network-insights-analysis-ids nia-youranalysisid \
--query 'NetworkInsightsAnalyses[0].[Status,NetworkPathFound,Explanations]'
The result tells you whether a path from the internet gateway to port 22 on the instance exists and, if not, which component (security group, network ACL, route table) blocks it, so you can separate an AWS configuration problem from a problem on your own network.