Troubleshooting AWS EC2 SSH Connection Timeouts: Comprehensive Guide for Developers


4 views

When your SSH client reports "Connection timed out" to an EC2 instance, this typically indicates a network-level connectivity issue before any authentication occurs. The verbose output showing the timeout at the connection stage suggests the client can't even reach the EC2 instance's SSH port (22).

First, double-check your Security Group inbound rules. The screenshots show SSH access from your IP, but we should verify several aspects:

# Example of proper Security Group JSON for SSH access
{
  "IpProtocol": "tcp",
  "FromPort": 22,
  "ToPort": 22,
  "IpRanges": [
    {
      "CidrIp": "123.45.67.89/32",
      "Description": "Home/Office SSH access"
    }
  ]
}

Common pitfalls include:

  • Incorrect IP address (ensure you're not using a VPN that changes your public IP)
  • Missing port 22 rule
  • Restrictive outbound rules (though your screenshot shows all traffic allowed)

While Security Groups are the primary firewall, Network ACLs can also block traffic. Run these AWS CLI commands to verify:

aws ec2 describe-instances --instance-ids i-1234567890abcdef0
aws ec2 describe-network-acls --filters "Name=vpc-id,Values=vpc-12345678"

Before troubleshooting SSH, verify basic network reachability:

# Try pinging the instance (note: EC2 instances block ICMP by default)
ping ec2-xx-xx-xx-xx.sa-east-1.compute.amazonaws.com

# Test TCP connectivity to port 22
telnet ec2-xx-xx-xx-xx.sa-east-1.compute.amazonaws.com 22
# Or using netcat:
nc -zv ec2-xx-xx-xx-xx.sa-east-1.compute.amazonaws.com 22

If network connectivity is confirmed but SSH still fails:

  • Verify the instance has a public IP (check the EC2 console)
  • Ensure the instance is running (not stopped or terminated)
  • Check system logs via AWS Console > EC2 > Instances > Select instance > Actions > Monitor and troubleshoot > Get system log

When basic checks pass but SSH still fails, try these advanced techniques:

# Force IPv4 if your network has IPv6 issues
ssh -4 -i key.pem user@host

# Specify exact SSH configuration
ssh -v -o ConnectTimeout=30 -o ConnectionAttempts=3 -i key.pem user@host

# Check for MTU issues
ping -s 1472 -M do hostname  # If this fails, try lowering MTU

AWS provides an alternative connection method:

  1. Navigate to EC2 Console
  2. Select your instance
  3. Choose "Connect" > "EC2 Instance Connect"
  4. Try connecting through the browser-based SSH client

If this works but your local SSH doesn't, the issue is definitely network-related between your machine and AWS.

When all else fails, enable VPC Flow Logs to see packet-level traffic:

aws ec2 create-flow-logs \
    --resource-type VPC \
    --resource-ids vpc-12345678 \
    --traffic-type ALL \
    --log-destination-type cloud-watch-logs \
    --log-group-name "VPCFlowLogs"

Analyze the logs in CloudWatch to see if your SSH packets are reaching the VPC and how they're being handled.

When attempting to SSH into your EC2 instance, seeing a timeout error like this typically indicates one of three fundamental issues:

debug1: connect to address [REDACTED] port 22: Connection timed out
ssh: connect to host [REDACTED] port 22: Connection timed out

Before diving deep, perform these basic verifications:

# Verify instance status
aws ec2 describe-instance-status --instance-id i-1234567890abcdef0

# Check security group rules (replace sg-xxxx with your group ID)
aws ec2 describe-security-groups --group-ids sg-xxxx --query 'SecurityGroups[0].IpPermissions'

Your inbound rules should look similar to this JSON structure when properly configured:

{
    "FromPort": 22,
    "IpProtocol": "tcp",
    "IpRanges": [
        {
            "CidrIp": "YOUR_PUBLIC_IP/32",
            "Description": "SSH access from home"
        }
    ],
    "ToPort": 22,
    "UserIdGroupPairs": []
}

Often overlooked, Network Access Control Lists can override Security Group rules. Verify with:

# Get the subnet ID first
aws ec2 describe-instances --instance-id i-1234567890abcdef0 --query 'Reservations[0].Instances[0].SubnetId'

# Then check NACL rules
aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=subnet-xxxx

Even if AWS networking is correct, the instance's local firewall might block access. For Ubuntu instances:

# Check ufw status (should show inactive or allow port 22)
sudo ufw status

# Verify iptables rules
sudo iptables -L -n -v | grep 22

Improper route tables can prevent traffic from reaching your instance:

# First get the VPC ID
aws ec2 describe-instances --instance-id i-1234567890abcdef0 --query 'Reservations[0].Instances[0].VpcId'

# Then check route tables
aws ec2 describe-route-tables --filters Name=vpc-id,Values=vpc-xxxx

While your error shows timeout (not authentication failure), key issues can manifest similarly:

# Ensure proper permissions on the key file
chmod 400 ~/.ssh/aws-general.pem

# Test key validity
ssh-keygen -y -f ~/.ssh/aws-general.pem

When basic checks don't reveal the issue, try these diagnostic commands:

# Test basic TCP connectivity
telnet ec2-xx-xx-xx-xx.compute-1.amazonaws.com 22

# Or using netcat
nc -zv ec2-xx-xx-xx-xx.compute-1.amazonaws.com 22

# For Windows users:
Test-NetConnection ec2-xx-xx-xx-xx.compute-1.amazonaws.com -Port 22

If you can't SSH but suspect the instance is running:

# From another instance in the same VPC (if available)
aws ec2 get-console-output --instance-id i-1234567890abcdef0 --output text

# Check system logs for SSH service status
aws ec2 get-console-output --instance-id i-1234567890abcdef0 | grep -i sshd