When your AWS console shows all green checks but you still can't SSH/RDP into your instance, it's time for some systematic debugging. Here's how I approach this common yet frustrating scenario:
The most frequent culprit is misconfigured security groups. Verify your inbound rules with:
aws ec2 describe-security-groups --group-ids sg-xxxxxxxx --query 'SecurityGroups[0].IpPermissions'
Sample configuration that permits SSH (0.0.0.0/0 is for testing only; narrow it to your own source CIDR in production):
[
    {
        "FromPort": 22,
        "IpProtocol": "tcp",
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0",
                "Description": "SSH access from anywhere"
            }
        ],
        "ToPort": 22
    }
]
Unlike security groups, Network ACLs are stateless and often overlooked. Check them with:
aws ec2 describe-network-acls --filters Name=vpc-id,Values=vpc-xxxxxxxx
Even with proper SG rules, instance firewalls can block traffic. For Linux instances:
# Check iptables rules
sudo iptables -L -n -v
# Temporarily disable firewalld (for testing only; re-enable it afterwards)
sudo systemctl stop firewalld
Incorrect route tables can prevent external traffic from reaching your instance:
aws ec2 describe-route-tables --filters Name=vpc-id,Values=vpc-xxxxxxxx
If using Elastic IPs, verify proper allocation and association:
aws ec2 describe-addresses --public-ips x.x.x.x
Sometimes the SSH service itself isn't running or is misconfigured:
# Check SSH service status
sudo systemctl status sshd
# Show the effective (non-comment, non-blank) lines of the SSH config
sudo grep -v -e '^#' -e '^$' /etc/ssh/sshd_config
AWS provides two different checks:
- Instance status checks: Monitor the instance's software/hardware
- Reachability checks: Verify the instance network path
When all else fails, enable VPC Flow Logs so you can see whether packets are reaching the ENI and whether they are accepted or rejected (with a CloudWatch Logs destination you must also name the log group; the group name below is a placeholder):
aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids vpc-xxxxxxxx \
--traffic-type ALL \
--log-destination-type cloud-watch-logs \
--log-group-name your-flow-logs-group \
--deliver-logs-permission-arn arn:aws:iam::xxxxxxxxxxxx:role/FlowLogsRole
As a last resort, use EC2 Instance Connect, which pushes a one-time public key to the instance (valid for 60 seconds) so you can then SSH in with the matching private key:
aws ec2-instance-connect send-ssh-public-key \
--instance-id i-xxxxxxxxxxxxx \
--availability-zone us-west-2a \
--instance-os-user ec2-user \
--ssh-public-key file://~/.ssh/id_rsa.pub
When your EC2 instance shows "reachability check passed" but remains inaccessible, you're facing one of the most common yet frustrating AWS scenarios. Let's systematically diagnose this.
The most frequent culprit is missing or incorrect security group rules. If the inbound rule is absent, add it:
# Add an inbound rule allowing SSH (TCP/22)
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxxxxxx \
--protocol tcp \
--port 22 \
--cidr 0.0.0.0/0 # For testing only! Narrow this down in production
Common mistakes include:
- Allowing ICMP only for IPv6 (ping uses ICMPv4)
- Restricting SSH access to wrong IP ranges
- Opening the wrong protocol (for example allowing ICMP but not TCP/22, or vice versa)
Unlike security groups, Network ACLs are stateless and often overlooked. Check both inbound and outbound rules:
aws ec2 describe-network-acls --filters Name=association.subnet-id,Values=subnet-xxxxxxxx
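Both sections above make the same point: a security group is allow-only and stateful, while a NACL is an ordered, stateless rule list that must also permit the reply traffic. The following added example (not from the original article; the function names and the NACL entries are constructed) evaluates the IpPermissions JSON shown earlier together with a sample NACL, in the shapes returned by describe-security-groups and describe-network-acls, to show which layer drops an inbound SSH session.

```python
import ipaddress

# Protocol numbers as they appear in describe-network-acls entries
PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1"}

def _cidr_has(cidr, ip):
    return cidr is not None and ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def sg_allows(permissions, proto, port, src_ip):
    """Security groups are allow-only: any matching rule permits the traffic."""
    for p in permissions:
        if p["IpProtocol"] not in ("-1", proto):
            continue
        if p["IpProtocol"] != "-1" and not (p["FromPort"] <= port <= p["ToPort"]):
            continue
        if any(_cidr_has(r["CidrIp"], src_ip) for r in p.get("IpRanges", [])):
            return True
    return False

def nacl_decision(entries, proto, port, ip, egress):
    """NACLs are evaluated lowest RuleNumber first; the first match decides."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or not _cidr_has(e.get("CidrBlock"), ip):
            continue
        if e["Protocol"] not in ("-1", PROTO_NUM[proto]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False  # nothing matched: implicit deny

def diagnose_ssh(sg_perms, nacl_entries, src_ip, port=22):
    """Report, per layer, whether an SSH session from src_ip can complete."""
    return {
        "sg_inbound": sg_allows(sg_perms, "tcp", port, src_ip),
        "nacl_inbound": nacl_decision(nacl_entries, "tcp", port, src_ip, False),
        # Stateless: the reply leaves on the client's ephemeral port, so every
        # port in 1024-65535 must be allowed outbound or the handshake dies.
        "nacl_outbound_reply": all(nacl_decision(nacl_entries, "tcp", p, src_ip, True)
                                   for p in range(1024, 65536)),
    }

# Constructed sample: the SG rule from this page plus a NACL whose egress rules
# only allow 443, a classic "all green but no SSH" misconfiguration.
SG_PERMS = [{"FromPort": 22, "IpProtocol": "tcp", "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "SSH access from anywhere"}]}]
NACL_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
]

if __name__ == "__main__":
    print(diagnose_ssh(SG_PERMS, NACL_ENTRIES, "203.0.113.10"))
```

Feed it the output of the describe-security-groups and describe-network-acls commands above (the IpPermissions list and the Entries list respectively) to check a real subnet; the sample data reports the SG and inbound NACL as fine while the outbound NACL blocks the reply.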
Even with proper AWS networking, instance OS firewalls can block access:
# For Linux instances
sudo iptables -L # Check current rules
sudo systemctl status firewalld # Check if firewalld is active
Incorrect route tables can silently drop traffic. Inspect the route table associated with your subnet:
aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=subnet-xxxxxxxx
It should include a route to 0.0.0.0/0 via an internet gateway (for public subnets).
If using Elastic IPs, confirm proper allocation and association:
aws ec2 describe-addresses --filters Name=instance-id,Values=i-xxxxxxxx
AWS's reachability check passing doesn't guarantee your instance is fully operational. Check the detailed instance status, then get verbose output from the SSH client and try an alternative connection path:
aws ec2 describe-instance-status --instance-ids i-xxxxxxxx --include-all-instances
# Verbose SSH client output for debugging
ssh -vvv ec2-user@your-instance-public-dns
# Alternative connection method that does not depend on port 22
aws ssm start-session --target i-xxxxxxxx # Requires the SSM agent installed and an instance role that allows it
If nothing else isolates the problem, launch a new instance with this minimal known-good configuration and compare it against the unreachable one:
aws ec2 run-instances \
--image-id ami-0abcdef1234567890 \
--instance-type t2.micro \
--security-group-ids sg-xxxxxxxx \
--subnet-id subnet-xxxxxxxx \
--key-name YourKeyPair \
--associate-public-ip-address