When your EC2 instance's public DNS isn't accessible, there are typically three main components to investigate:
- Security Group configurations
- Operating system firewall settings
- Service/listener configuration on the instance
Your current security group configuration includes:
Inbound rules:
- HTTP (port 80)
- RDP (port 3389)
- SMTPS (port 465)
- ICMP (ping)
To verify this programmatically using AWS CLI:
aws ec2 describe-security-groups \
--group-ids your-security-group-id \
--query 'SecurityGroups[0].IpPermissions' \
--output json
For a WebMatrix hosting server, two sets of Windows Firewall rules matter: the rule that admits visitors to the site on TCP 80 (the IIS role installs it as "World Wide Web Services (HTTP Traffic-In)") and the Web Deploy rules that WebMatrix publishing uses. They are separate rules, so check both:
# PowerShell command to check firewall rules (DisplayName accepts wildcards)
Get-NetFirewallRule -DisplayName "World Wide Web Services (HTTP Traffic-In)", "Web Deployment Agent Service*" |
Format-Table -Property DisplayName,Enabled,Profile,Direction,Action
Example output should show Enabled True and Action Allow for the Public profile as well as Domain and Private: a non-domain-joined EC2 instance usually classifies its NIC as Public, so a rule enabled only for Domain/Private never applies.
Before diving deeper, perform these basic checks:
# From your local machine: check whether port 80 is reachable (this also resolves the public DNS name)
Test-NetConnection -ComputerName your-public-dns -Port 80
# On the instance (over RDP): verify the web server is running. W3SVC is full IIS; IIS Express (what WebMatrix itself runs) is a per-user process, not a service, and listens on localhost only by default
Get-Service -Name W3SVC
For WebMatrix specifically, these configuration files often need adjustment:
# applicationHost.config locations (the .NET Framework Config folder holds machine.config and web.config, not this file)
C:\Windows\System32\inetsrv\config\applicationHost.config             (full IIS)
%USERPROFILE%\Documents\IISExpress\config\applicationhost.config       (IIS Express, used by WebMatrix; its site bindings default to localhost only)
# web.config IP restrictions. allowUnlisted="true" admits every client and the 127.0.0.1 entry is then redundant; if it reads allowUnlisted="false", only the listed addresses (here, localhost) can reach the site, which produces exactly this symptom. The ipSecurity section is locked at server level by default, so a web.config override only takes effect once it is unlocked in applicationHost.config
<system.webServer>
<security>
<ipSecurity allowUnlisted="true">
<add ipAddress="127.0.0.1" allowed="true"/>
</ipSecurity>
</security>
</system.webServer>
When basic checks pass but the issue persists:
# Check listening ports on the instance: 0.0.0.0:80 or [::]:80 LISTENING means all interfaces; 127.0.0.1:80 means localhost only (the IIS Express default) and will never answer external clients
netstat -ano | findstr :80
# CloudWatch Logs Insights query against the VPC flow log group (if flow logs are enabled). A REJECT here means the security group or NACL dropped the packet before it reached Windows
fields @timestamp, srcAddr, dstAddr, srcPort, dstPort, action
| filter dstPort = 80
| sort @timestamp desc
| limit 20
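The Logs Insights query above only lists rows; what you actually want from flow logs is whether port-80 traffic is dropped by AWS (REJECT, so the security group or NACL) or delivered (ACCEPT, so the problem is on the instance). The script below makes that split offline. It is an added example, not code from the original page; the four records are constructed in the default flow log format (the field list follows AWS's default format), so real records exported from CloudWatch Logs or S3 parse the same way.

```python
"""Parse VPC flow log records and separate "dropped in AWS" from "reached the
instance" for one destination port.

Added example, not from the original page. The records below are constructed
in the default flow log format; feed real records the same way.
"""

# AWS default flow log format, in order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: a web probe and an RDP session from one client, a web
# probe from another address, and a NODATA record, which carries no addresses.
SAMPLE_LOG = """
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51234 80 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.10 10.0.1.25 51235 3389 6 10 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 40001 80 6 1 60 1700000001 1700000061 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000002 1700000062 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per usable record; NODATA/SKIPDATA lines are dropped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                      # custom format or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                      # no addresses/ports to convert
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def summarize_port(records, dst_port, protocol=6):
    """Count flows per (source address, action) for one destination port and
    IP protocol number (6 = TCP), the same grouping as the Logs Insights query."""
    counts = {}
    for rec in records:
        if rec["dstport"] != dst_port or rec["protocol"] != protocol:
            continue
        key = (rec["srcaddr"], rec["action"])
        counts[key] = counts.get(key, 0) + 1
    return counts


def diagnose(records, dst_port=80):
    """Flow logs record the security group / NACL decision at the ENI, so:
      only REJECT  -> the drop happens in AWS (security group or NACL)
      any ACCEPT   -> packets reach the instance; suspect the OS firewall or listener
      no records   -> traffic never arrives at this ENI (DNS, routing, no public IP)
    """
    actions = {rec["action"] for rec in records if rec["dstport"] == dst_port}
    if not actions:
        return "no-traffic"
    if actions == {"REJECT"}:
        return "blocked-in-aws"
    return "reaches-instance"


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(summarize_port(recs, 80))
    print("port 80:", diagnose(recs, 80), "| port 3389:", diagnose(recs, 3389))
```

Run as-is to see the constructed case: both port-80 probes are REJECTed while RDP from the same client is ACCEPTed, which points at the security group or NACL rather than at Windows. Note that ACCEPT only proves the packet passed AWS filtering; a reset from a closed port on the instance is not distinguished in the default format.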
Here's a comprehensive PowerShell script to diagnose common issues (run it on the instance over RDP; step 1 is only meaningful when run from outside the instance):
# EC2 Public DNS Access Diagnostic Tool
$dnsName = "your-public-dns"
$port = 80
# 1. Network connectivity check
Write-Host "Testing basic connectivity..."
Test-NetConnection -ComputerName $dnsName -Port $port -InformationLevel Detailed
# 2. Local service verification (W3SVC is full IIS; IIS Express has no service)
Write-Host "Checking local services..."
Get-Service -Name W3SVC -ErrorAction SilentlyContinue | Format-List Name,Status,StartType
# 3. Firewall rule verification: rule names vary, so match on the port filter rather than on "*HTTP*" in the name
Write-Host "Checking firewall rules..."
Get-NetFirewallPortFilter -Protocol TCP | Where-Object { $_.LocalPort -eq $port } |
Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
Format-Table DisplayName,Profile,Action -AutoSize
# 4. IIS binding check: expect bindingInformation *:80: (all addresses), not 127.0.0.1:80:
if (Get-Module -ListAvailable -Name WebAdministration) {
Import-Module WebAdministration
Get-WebBinding | Where-Object { $_.Protocol -eq "http" } | Format-List protocol,bindingInformation
} else {
Write-Warning "WebAdministration module not available (IIS Express / WebMatrix: check the bindings in its applicationhost.config instead)"
}
Summary checklist:
- Security group allows 0.0.0.0/0 on port 80 (for testing; tighten to the real client ranges afterwards)
- Windows Firewall has an inbound rule allowing port 80 TCP on the profile the NIC is actually assigned to
- IIS or your web server is bound to all addresses (0.0.0.0 / *), not only 127.0.0.1
- No network ACLs are blocking traffic in your VPC (inbound TCP 80 and, because NACLs are stateless, outbound replies to the client's ephemeral ports)
- The instance has a public IPv4 or Elastic IP and its subnet routes 0.0.0.0/0 to an internet gateway (a NAT gateway gives outbound access only; it does not make the instance reachable from the internet)
When your EC2 instance's Public DNS isn't responding in a web browser despite correct security group settings, we need to examine multiple layers of configuration. The issue typically stems from interactions between AWS security groups and the Windows Firewall.
First, confirm your security group configuration matches these requirements:
aws ec2 describe-security-groups --group-ids sg-xxxxxxxx --query 'SecurityGroups[0].IpPermissions'
Your inbound rules should include:
- HTTP (port 80) from 0.0.0.0/0
- RDP (port 3389) from your IP
- ICMP (for ping tests)
For a WebMatrix server, you'll need these PowerShell commands to configure the Windows Firewall:
# Allow HTTP traffic
New-NetFirewallRule -DisplayName "HTTP Inbound" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow
# Verify rule creation
Get-NetFirewallRule -DisplayName "HTTP Inbound" | Select-Object DisplayName,Enabled,Action,Direction
# Check current listening ports
netstat -ano | findstr :80
Perform these diagnostic steps:
- From your local machine (the telnet client is not installed by default on Windows; Test-NetConnection -Port 80 does the same job):
telnet your-public-dns 80
- From another EC2 instance in the same VPC (this skips the public IP and internet gateway but still passes the security group, and the NACL if the instances are in different subnets, so success here narrows the problem to the public address or routing):
curl http://private-ip
- Check for firewall drops on the instance: enable logging of dropped packets (Set-NetFirewallProfile -LogBlocked True) and read %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log, or enable the "Audit Filtering Platform Packet Drop" policy and look for event ID 5152 in the Security log in Event Viewer; without one of these, blocked packets leave no trace
Verify IIS or your web server is properly configured:
# For IIS
Import-Module WebAdministration
Get-Website | Select-Object Name, State, PhysicalPath
# Bindings are a nested object, so list them directly; expect *:80: (all addresses), not 127.0.0.1:80:
Get-WebBinding | Select-Object protocol, bindingInformation
# Check application pool status (should be Started)
Get-WebAppPoolState -Name "DefaultAppPool"
Don't forget to check the VPC's Network ACLs:
aws ec2 describe-network-acls --filters "Name=vpc-id,Values=vpc-xxxxxx" --query 'NetworkAcls[].Entries[]'
Network ACLs are stateless, so an inbound entry allowing TCP 80 is not enough: an outbound entry must also allow the replies to the client's ephemeral source ports (AWS recommends allowing 1024-65535). Entries are evaluated in ascending rule-number order and the first match wins, so a low-numbered deny overrides a later allow. The query above flattens every ACL in the VPC into one list; make sure you are reading the ACL associated with the instance's subnet.
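Because the security group is a stateful allow-list while the NACL is stateless and ordered, the two CLI outputs are easy to misread by eye. The script below applies both rule sets the way EC2 does to a candidate client address, including the return path through the NACL, and covers both the security-group rules and the NACL entries discussed above. It is an added example, not from the original page or from AWS tooling; the two JSON documents are constructed to mirror `describe-security-groups` IpPermissions and one ACL's Entries, and `client_port` is an assumed ephemeral source port for the test connection.

```python
"""Decide offline whether a client address can reach TCP/80 on the instance
through the security group and the subnet's network ACL.

Added example, not from the original page or from AWS. The JSON below is
constructed in the shape of the CLI output; paste real output in its place.
"""
import ipaddress
import json

# Constructed: the inbound rules the text asks for (HTTP from anywhere, RDP
# from one address, ICMP). ICMP type/code matching is not modeled here.
SG_IP_PERMISSIONS = json.loads("""
[
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
  {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
]""")

# Constructed: one ACL with a low-numbered deny for a /24, an allow for TCP 80
# in, an allow for the ephemeral reply range out, and the default catch-all denies.
NACL_ENTRIES = json.loads("""
[
  {"RuleNumber": 90, "Protocol": "-1", "RuleAction": "deny", "Egress": false, "CidrBlock": "198.51.100.0/24"},
  {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": false, "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
  {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": true, "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
  {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": false, "CidrBlock": "0.0.0.0/0"},
  {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": true, "CidrBlock": "0.0.0.0/0"}
]""")

PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1"}   # ACL entries use IANA protocol numbers


def _in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows(permissions, src_ip, port, proto="tcp"):
    """Security groups are stateful allow-lists with no deny rules: one
    matching inbound permission admits the flow and the reply is tracked."""
    for perm in permissions:
        ip_proto = perm["IpProtocol"]
        if ip_proto not in ("-1", proto):
            continue
        if ip_proto != "-1" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(_in_cidr(r["CidrIp"], src_ip) for r in perm.get("IpRanges", [])):
            return True
    return False


def nacl_verdict(entries, egress, ip, port, proto="tcp"):
    """Network ACLs are stateless and evaluated in ascending RuleNumber order;
    the first matching entry decides. Returns (action, rule_number)."""
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress or "CidrBlock" not in entry:   # skip IPv6-only entries
            continue
        if entry["Protocol"] not in ("-1", PROTO_NUM[proto]):
            continue
        port_range = entry.get("PortRange")            # absent for protocol -1
        if port_range and not port_range["From"] <= port <= port_range["To"]:
            continue
        if _in_cidr(entry["CidrBlock"], ip):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None   # nothing matched: AWS denies


def reachable(src_ip, port=80, client_port=54321,
              permissions=SG_IP_PERMISSIONS, entries=NACL_ENTRIES):
    """Inbound path: ACL inbound -> security group inbound; then the reply must
    pass the ACL outbound to the client's ephemeral port (client_port is the
    assumed source port of the test connection). The security group needs no
    outbound check because it tracks state."""
    checks = {
        "nacl_inbound": nacl_verdict(entries, False, src_ip, port),
        "sg_inbound": sg_allows(permissions, src_ip, port),
        "nacl_outbound_reply": nacl_verdict(entries, True, src_ip, client_port),
    }
    ok = (checks["nacl_inbound"][0] == "allow"
          and checks["sg_inbound"]
          and checks["nacl_outbound_reply"][0] == "allow")
    return ok, checks


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        ok, detail = reachable(ip)
        print(ip, "reachable" if ok else "BLOCKED", detail)
```

In the constructed data, 203.0.113.10 passes all three checks, while 198.51.100.7 is stopped by NACL rule 90 even though the security group admits it. An outbound ACL entry that only allowed port 80, rather than the ephemeral range, would fail the third check for every client, which is the classic "inbound looks fine but nothing connects" NACL mistake.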
Sometimes instance metadata can reveal configuration issues: no public-ipv4 item (HTTP 404) means the instance has no public address to reach, and no public-hostname item means DNS hostnames are disabled for the VPC, so the "Public DNS" name was never assigned:
# From the EC2 instance itself. Instances enforcing IMDSv2 require a session token first. Use curl.exe (shipped with Windows Server 2019 and later), because in PowerShell plain curl is an alias for Invoke-WebRequest
$token = curl.exe -s -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 60"
curl.exe -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/public-ipv4
curl.exe -s -H "X-aws-ec2-metadata-token: $token" http://169.254.169.254/latest/meta-data/public-hostname