You've just launched your shiny new EC2 instance, the dashboard shows all green lights, yet when you try to connect, you're met with frustrating timeouts. Here's what might be happening under the hood.
The most common culprit is misconfigured security groups. By default, AWS doesn't allow any inbound traffic unless explicitly permitted. Try this:
# Example security group rules via AWS CLI
aws ec2 authorize-security-group-ingress \
--group-id sg-903004f8 \
--protocol tcp \
--port 22 \
--cidr 0.0.0.0/0 # Warning: This allows SSH from any IP
For production environments, always restrict the CIDR range to your specific IP.
Unlike security groups, network ACLs are stateless and apply to the entire subnet. Check that your VPC's network ACL allows inbound TCP port 22 (SSH) and ICMP (ping) and, because it is stateless, also allows the outbound return traffic to the client's ephemeral ports (1024-65535); the default ACL allows everything, but a custom one often has the inbound rule and no matching outbound rule.
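The two layers above have different semantics (security groups are allow-only and stateful; network ACLs are ordered, first-match, stateless), and that difference is where most "all green but no SSH" cases hide. As an added example that is not part of the original page, the following Python evaluates both layers offline against the JSON shapes that `aws ec2 describe-security-groups` (a group's `IpPermissions`) and `aws ec2 describe-network-acls` (an ACL's `Entries`) return. The sample data and the function names are constructed for the example; the NACL sample deliberately allows inbound 22 but only outbound 443, and the check goes beyond the text by sweeping the whole ephemeral range rather than one port.

```python
import functools
import ipaddress

# Constructed sample data (not from the page): one group's "IpPermissions"
# and one ACL's "Entries" in the shape the AWS CLI returns them.
SG_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
NACL_ENTRIES = [
    {"RuleNumber": 90, "Protocol": "6", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    # Outbound only allows HTTPS: the SSH reply packets have nowhere to go.
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]
PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1"}  # NACL entries use IANA numbers
EPHEMERAL = range(1024, 65536)  # client source ports an SSH reply goes back to


@functools.lru_cache(maxsize=None)
def _cidr_contains(cidr, ip):
    # Different address families never match (IPv4 client against a ::/0 rule).
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows(ingress, src_ip, proto, port):
    """Security groups are allow-only and stateful: one matching inbound
    rule is enough, and the reply is permitted automatically."""
    for perm in ingress:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(_cidr_contains(c, src_ip) for c in cidrs):
            return True
    return False


def world_open_ports(ingress):
    """Defender check: inbound rules reachable from anywhere, the 0.0.0.0/0
    case the CLI example warns about. Returns (protocol, from, to) tuples."""
    found = []
    for perm in ingress:
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            found.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return found


def nacl_decision(entries, egress, remote_ip, proto, port):
    """Network ACLs are evaluated in ascending RuleNumber order; the first
    matching entry decides. Returns (action, rule_number)."""
    direction = sorted((e for e in entries if e["Egress"] == egress),
                       key=lambda e: e["RuleNumber"])
    for e in direction:
        if e["Protocol"] not in ("-1", PROTO_NUM[proto]):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        cidr = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
        if not _cidr_contains(cidr, remote_ip):
            continue
        return e["RuleAction"], e["RuleNumber"]
    return "deny", 32767  # the implicit '*' rule


def ssh_path_findings(sg_ingress, nacl_entries, src_ip):
    """Everything that must hold for an SSH session from src_ip: SG inbound 22,
    NACL inbound 22, and (NACLs being stateless) NACL outbound to every
    ephemeral port the client might have used for the replies."""
    findings = []
    if not sg_allows(sg_ingress, src_ip, "tcp", 22):
        findings.append(f"security group: no inbound tcp/22 rule covers {src_ip}")
    action, rule = nacl_decision(nacl_entries, False, src_ip, "tcp", 22)
    if action != "allow":
        findings.append(f"network ACL inbound: tcp/22 from {src_ip} hits {action} rule {rule}")
    blocked = [p for p in EPHEMERAL
               if nacl_decision(nacl_entries, True, src_ip, "tcp", p)[0] != "allow"]
    if blocked:
        findings.append(f"network ACL outbound: replies to {src_ip} blocked on "
                        f"{len(blocked)} ephemeral ports (first: {blocked[0]})")
    return findings


if __name__ == "__main__":
    for line in ssh_path_findings(SG_INGRESS, NACL_ENTRIES, "203.0.113.10"):
        print(line)
    print("open to the world:", world_open_ports(SG_INGRESS))
```

Run against the sample, the client in 203.0.113.0/24 passes both inbound checks and still cannot connect: every reply is dropped by the outbound ACL, which is exactly the symptom the dashboard cannot show you. Feed real output by loading the `IpPermissions` and `Entries` arrays from the two CLI commands with `json.load`.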
While the dashboard shows "running," the instance might not be fully operational. Run:
aws ec2 describe-instance-status --instance-id i-1234567890abcdef0
Look for both "instance-status" and "system-status" to show "ok".
Ubuntu's default UFW firewall might be active. If you can access the instance via AWS console (EC2 Instance Connect), check:
sudo ufw status
# If enabled, allow SSH:
sudo ufw allow ssh
EC2 instances get a new public IP after a stop/start unless an Elastic IP is associated with them. Verify the IP you're trying to connect to is correct:
aws ec2 describe-instances --instance-ids i-1234567890abcdef0 \
--query 'Reservations[0].Instances[0].PublicIpAddress'
- Check VPC route tables - is there an internet gateway attached?
- Verify the subnet is public (auto-assign public IP enabled)
- Try connecting via AWS Systems Manager Session Manager as an alternative
- Check CloudTrail logs for any API errors during instance creation
Before you tear your hair out, run through this quick verification:
1. Security group allows SSH (port 22) from your IP
2. Instance has a public IP
3. Route table has internet gateway (0.0.0.0/0 -> igw-xxx)
4. Network ACL allows inbound/outbound traffic
5. OS firewall (UFW/iptables) isn't blocking connections
6. Key pair is properly associated with the instance
7. You're using the correct username (ubuntu for Ubuntu, ec2-user for Amazon Linux)
Remember that changes to security groups take effect immediately, while network ACL changes might take a few seconds to propagate.
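Items 2, 3 and 6 of the checklist, plus the two status checks, can all be answered from CLI JSON without touching the instance. As an added example that is not part of the original page, the following Python does that against constructed samples shaped like `describe-instances` (one Instance), `describe-route-tables` (the RouteTables list) and `describe-instance-status`; identifiers, the function names and the sample values are my own. It also covers the route-table trap the checklist only hints at: a subnet with no explicit association silently uses the VPC's main route table, which usually has no internet gateway route.

```python
# Constructed samples (not from the page) in the shape of the AWS CLI JSON.
INSTANCE = {
    "InstanceId": "i-0exampleid", "VpcId": "vpc-0example", "SubnetId": "subnet-0b",
    "PublicIpAddress": "203.0.113.25", "KeyName": "ops-key",
    "State": {"Name": "running"},
}
ROUTE_TABLES = [
    # The VPC's main table: only the local route, no internet gateway.
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0example",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"}]},
    # A "public" table, but it is only associated with subnet-0a.
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0example",
     "Associations": [{"Main": False, "SubnetId": "subnet-0a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
                 "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example",
                 "State": "active"}]},
]
STATUS = {"InstanceId": "i-0exampleid",
          "InstanceStatus": {"Status": "ok"},
          "SystemStatus": {"Status": "initializing"}}


def route_table_for_subnet(route_tables, vpc_id, subnet_id):
    """A subnet uses the table explicitly associated with it; otherwise it
    falls back to the VPC's main route table."""
    for rt in route_tables:
        if rt["VpcId"] == vpc_id and any(a.get("SubnetId") == subnet_id
                                         for a in rt["Associations"]):
            return rt
    for rt in route_tables:
        if rt["VpcId"] == vpc_id and any(a.get("Main") for a in rt["Associations"]):
            return rt
    return None


def internet_gateway_route(rt):
    """Return the IGW id behind an active 0.0.0.0/0 route, or None.
    A blackhole route (gateway deleted) counts as missing."""
    for r in rt.get("Routes", []):
        if (r.get("DestinationCidrBlock") == "0.0.0.0/0"
                and r.get("GatewayId", "").startswith("igw-")
                and r.get("State", "active") != "blackhole"):
            return r["GatewayId"]
    return None


def reachability_checklist(instance, route_tables, status):
    """Checklist items 2, 3 and 6 plus both status checks,
    as a dict of check name -> (passed, detail)."""
    results = {}
    results["public_ip"] = (bool(instance.get("PublicIpAddress")),
                            instance.get("PublicIpAddress") or "none assigned")
    rt = route_table_for_subnet(route_tables, instance["VpcId"], instance["SubnetId"])
    igw = internet_gateway_route(rt) if rt else None
    results["internet_route"] = (
        igw is not None,
        f"{rt['RouteTableId'] if rt else 'no table'} -> {igw or 'no igw route'}")
    results["key_pair"] = (bool(instance.get("KeyName")),
                           instance.get("KeyName") or "no key pair")
    results["status_checks"] = (
        status["InstanceStatus"]["Status"] == "ok"
        and status["SystemStatus"]["Status"] == "ok",
        f"instance={status['InstanceStatus']['Status']} "
        f"system={status['SystemStatus']['Status']}")
    return results


def failed_checks(results):
    """Names of the checks that did not pass, in checklist order."""
    return [name for name, (ok, _) in results.items() if not ok]


if __name__ == "__main__":
    for name, (ok, detail) in reachability_checklist(INSTANCE, ROUTE_TABLES, STATUS).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
```

On the sample the instance has a public IP and a key pair, yet it is unreachable: its subnet resolves to `rtb-main`, which has no `igw-` route, and the system status check is still initializing. Moving the instance to `subnet-0a` (or associating `rtb-public` with `subnet-0b`) clears the routing failure.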
When your newly launched EC2 instance isn't responding to ping or SSH attempts despite showing "running" status, these are the most likely suspects:
- Security group misconfiguration (most common)
- Incorrect network ACL settings
- Instance firewall (iptables/ufw) blocking traffic
- VPC routing problems
- OS-level network configuration issues
1. Verify Security Group Rules
# Example AWS CLI command to check security groups
aws ec2 describe-security-groups --group-ids sg-1234567890abcdef0
Ensure you have these minimum inbound rules:
- SSH (TCP 22) - from your IP or 0.0.0.0/0 (temporary)
- ICMP (Type 8) - for ping tests
2. Check Instance Metadata
# Get instance metadata from within the instance (if accessible)
curl http://169.254.169.254/latest/meta-data/network/interfaces/macs/
Use AWS Reachability Analyzer (create the path, then start an analysis on the path ID it returns):
aws ec2 create-network-insights-path \
--source $INSTANCE_ID \
--destination-port 22 \
--protocol tcp
If you can access the instance via AWS Systems Manager:
# Check ufw status
sudo ufw status
# Temporarily disable firewall (for testing)
sudo ufw disable
# Verify sshd is running
sudo systemctl status ssh
For an Ubuntu 22.04 LTS instance that wasn't responding, here's what worked:
# In AWS Console:
# 1. Added inbound rule for ICMPv4 (All ICMP - IPv4)
# 2. Created temporary SSH rule from MyIP
# On the instance:
sudo apt update
sudo apt install awscli
# In a VPC the Elastic IP is identified by its allocation ID (eipalloc-...), not --public-ip;
# run without sudo so the CLI uses your credentials (or the instance role), not root's
aws ec2 associate-address --instance-id $INSTANCE_ID --allocation-id $EIP_ALLOCATION_ID
When basic checks don't reveal the issue:
aws ec2 create-flow-logs \
--resource-type VPC \
--resource-ids vpc-12345678 \
--traffic-type REJECT \
--log-destination-type cloud-watch-logs \
--log-group-name <your-log-group> \
--deliver-logs-permission-arn <iam-role-arn-flow-logs-can-assume>
# The last two parameters are required for a CloudWatch Logs destination;
# replace the <placeholders> with your log group and the IAM role the service publishes with.
Analyze rejected packets in CloudWatch to identify blocked traffic patterns.
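Reading the REJECT records by hand gets old quickly, and the useful signal is in how they pair up. As an added example that is not part of the original page, the following Python parses default-format flow log records (the fourteen space-separated fields of a version 2 record) and separates rejected inbound attempts from rejected replies leaving the instance's own service port. The log lines are constructed, the account id is a placeholder, and the function names are my own. The diagnostic rule it encodes: security groups are stateful and never drop the reply to a connection they accepted, so a REJECT sourced from the instance's port 22 can only be the network ACL's outbound side.

```python
from collections import Counter

# Default VPC flow log record format (version 2), space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
          "action", "log_status"]
PROTO_NAME = {"6": "tcp", "17": "udp", "1": "icmp"}

# Constructed sample records (not real captures) from a REJECT-only flow log
# for one ENI whose private address is 10.0.1.25. The account id is a placeholder.
SAMPLE_LOG = """\
2 123456789012 eni-0example 10.0.1.25 203.0.113.10 22 51234 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0example 198.51.100.7 10.0.1.25 40210 22 6 2 88 1700000005 1700000065 REJECT OK
2 123456789012 eni-0example 198.51.100.7 10.0.1.25 40211 22 6 1 44 1700000007 1700000067 REJECT OK
2 123456789012 eni-0example 203.0.113.10 10.0.1.25 0 0 1 4 336 1700000010 1700000070 REJECT OK
2 123456789012 eni-0example - - - - - - - - 1700000060 1700000120 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records; NODATA / SKIPDATA lines carry no flow."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["proto"] = PROTO_NAME.get(rec["protocol"], rec["protocol"])
        records.append(rec)
    return records


def classify_rejects(records, instance_ip):
    """Split REJECT records into inbound attempts (client, proto, service port)
    and rejected replies from the instance's own service ports
    (client, proto, service port), both counted in packets."""
    inbound, replies = Counter(), Counter()
    for r in records:
        if r["action"] != "REJECT":
            continue
        if r["dstaddr"] == instance_ip:
            inbound[(r["srcaddr"], r["proto"], r["dstport"])] += r["packets"]
        elif r["srcaddr"] == instance_ip and r["srcport"] < 1024:
            replies[(r["dstaddr"], r["proto"], r["srcport"])] += r["packets"]
    return inbound, replies


def diagnose(text, instance_ip):
    """One human-readable note per (client, port) pattern, busiest first."""
    inbound, replies = classify_rejects(parse_flow_log(text), instance_ip)
    notes = []
    for (client, proto, port), n in inbound.most_common():
        notes.append(f"{n} {proto}/{port} packets from {client} rejected inbound: "
                     "check the security group inbound rule and NACL inbound entries")
    for (client, proto, port), n in replies.most_common():
        notes.append(f"{n} reply packets from {proto}/{port} to {client} rejected outbound: "
                     "NACL outbound is missing the ephemeral port range (not a security group issue)")
    return notes


if __name__ == "__main__":
    for note in diagnose(SAMPLE_LOG, "10.0.1.25"):
        print(note)
```

Export the records from the CloudWatch log group (for example with `aws logs filter-log-events`) and pass the message text to `diagnose` with the instance's private IP. For ICMP records the port fields are 0, so a rejected ping shows up as `icmp/0` from the client.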