I have ec2 instance with public subnet and vpc associate with it.and igw attach to the vpc
I did enable auto assign ip
Also I have security group with following inbound rules
the route table look like
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "ec2-XX-XXX.ap-southeast-2.compute.amazonaws.com" port 22
debug2: ssh_connect_direct
debug1: Connecting to ec2-XX-XXX.ap-southeast-2.compute.amazonaws.com [XX.XX] port 22.
debug1: connect to address ec2-XX-XXX port 22: Connection timed out
ssh: connect to host ec2-XX-XXX.ap-southeast-2.compute.amazonaws.com port 22: Connection timed out
you can check the following things
you have mentioned that you have attached the IG to the vpc, verify that you have made the route table changes of routing default traffic to IG so that your instance is reachable through IG.
check for iptable rules which might deny ssh
Related
OS: Ubuntu
public IP from where I try the ssh: 153.5.57.2
Security rule:
Inbound:
Name
Security group rule ID
IP version
Type
Protocol
Port range
Source
Description
– sgr-01a63df5e26bc8e9a IPv4 HTTP TCP 80 0.0.0.0/0 –
– sgr-0cafa26a9ca34ccbe IPv4 SSH TCP 22 153.5.57.2/32 –
– sgr-047038a9c030dd52b IPv4 HTTPS TCP 443 0.0.0.0/0 –
Outbound:
Name
Security group rule ID
IP version
Type
Protocol
Port range
Destination
Description
– sgr-0812dc9c3b21745e1 IPv4 All traffic All All 0.0.0.0/0 –
ACL rule: (Inbound and Outbound)
Rule number
Type
Protocol
Port range
Source
Allow/Deny
22 SSH (22) TCP (6) 22 153.5.57.2/32 Allow
100 All traffic All All 0.0.0.0/0 Allow
\* All traffic All All 0.0.0.0/0 Deny
Route table:
Destination
Target
Status
Propagated
10.0.0.0/24 local Active No
Internet Gateway is attached to my VPC.
Subnet is attached to my VPC.
Route table is associated with subnet.
ACL rule is associated with subnet.
ssh -vvv -i "my-private-key.pem" ec2-user#10.0.0.206
OpenSSH_8.2p1 Ubuntu-4ubuntu0.2, OpenSSL 1.1.1f 31 Mar 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 10.0.0.206 is address
debug2: ssh_connect_direct
debug1: Connecting to 10.0.0.206 [10.0.0.206] port 22.
debug1: connect to address 10.0.0.206 port 22: Connection timed out
ssh: connect to host 10.0.0.206 port 22: Connection timed out
Your security group is permitting access from:
SSH TCP 22 153.5.57.2/32
Therefore, it appears that you are wanting to connect from a computer on the Internet to the Amazon EC2 instance.
However, the command you are using to connect is:
ssh -vvv -i "my-private-key.pem" ec2-user#10.0.0.206
The IP address of 10.0.0.206 is a private IP address that is only reachable within the VPC. It is not accessible from the Internet.
To access the EC2 instance from the Internet:
The instance requires a Public IP address
The instance needs to be in a Public Subnet (defined as a subnet that has a Route Table entry to an Internet Gateway)
You need to specify the public IP address when connecting to the instance
I am trying to connect to an EC2 machine with the following command line on my terminal:
ssh -i id_rsa_aws <ec2_ip_address> -l ec2-user -vvv
Here is the result:
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname <ec2_ip_address> is address
debug2: ssh_connect_direct
debug1: Connecting to <ec2_ip_address> [<ec2_ip_address>] port 22.
debug1: Connection established.
debug1: identity file id_rsa_aws type 0
debug1: identity file id_rsa_aws-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
ssh_exchange_identification: read: Operation timed out
My ssh_config file:
Host *
SendEnv LANG LC_*
I know the problem must come from my computer. I have tried using the .pem file and I am getting the same error.
Any help would be appreciated.
Thank you
Things to check:
The instance is running Linux
The instance is launched in a public subnet, which is defined as having a Route Table entry to points to an Internet Gateway
The instance has a public IP address, which you are using for the connection
The Network Access Control Lists (NACLs) are set to their default "Allow All" values
A Security Group associated with the instance that permits inbound access on port 22 (SSH) either from your IP address, or from the Internet (0.0.0.0/0)
Your network permits an outbound SSH connection (try alternate networks, eg home vs work vs tethered to your phone)
See also: Troubleshooting connecting to your instance - Amazon Elastic Compute Cloud
Although my issue looks very generic and common, it doesn't seem to be identical to anything discussed here in stackoverflow. SecurityGroup has been set up with "MyIP" for ssh connection and I have been using correct pub IP to connect. Yet, I'm still getting timeout error as below. Is there something that I need to change in my Mac?
MacBook-Pro ~ % ssh -vvv -i ~/Documents/awsdemo/aws-livelessons.pem ec2-user#18.181.146.195
OpenSSH_7.9p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 48: Applying options for *
debug2: resolve_canonicalize: hostname 18.181.146.195 is address
debug2: ssh_connect_direct
debug1: Connecting to 18.181.146.195 [18.181.146.195] port 22.
debug1: connect to address 18.181.146.195 port 22: Operation timed out
ssh: connect to host 18.181.146.195 port 22: Operation timed out
Here's my Security Group. You can see that it does have correct protocol and entered with my public IP.
Security Group Screenshot
And I can confirm that it does match when I look up via terminal.
MacBook-Pro ~ % dig TXT +short o-o.myaddr.l.google.com #ns1.google.com
"58.12.38.113"
And the EC2 instance does have this security group attached.
EC2 Instance Screenshot
If there are any other ways to troubleshoot this, I'd really appreciate it.
Based on the comments, the issue was due to use of non-default NACLs. The solution was to allow SSH in the NACLs.
$ ssh -vvv -i "AMSKeyPair.pem" ec2-user#ec2-52-43-0-65.us-west-2.compute.amazonaws.com
OpenSSH_7.4p1, LibreSSL 2.5.0 debug1: Reading configuration data
/etc/ssh/ssh_config debug2: resolving
"ec2-52-43-0-65.us-west-2.compute.amazonaws.com" port 22 debug2:
ssh_connect_direct: needpriv 0 debug1: Connecting to
ec2-52-43-0-65.us-west-2.compute.amazonaws.com [52.43.0.65] port 22.
debug1: connect to address 52.43.0.65 port 22: Operation timed out
ssh: connect to host ec2-52-43-0-65.us-west-2.compute.amazonaws.com
port 22: Operation timed out
Corresponding Security Group allos all inbound traffic on all ports.
I tried on different internet connections, so I don't think NAT is there.
PS: I am not a first time ec2 user, used it before.
Changed Security Group's source from sg-57710f2a to 0.0.0.0/0
Now it works. As #john-hanley pointed out sg-57710f2a allows only connection from within host under that Security Group not outside
Try to learn AWS services I setup my own VPC with ipV4/v6.
Subnet and Security groups setup too (HTTP/S + SSH open on v4/v6)
When I try to ssh -vvv -i myKey.pem ubuntu#xxx.eu-central-1.compute.amazonaws.com
I got :
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug2: resolving "ec2-35-157-94-119.eu-central-1.compute.amazonaws.com" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to ec2-35-157-94-119.eu-central-1.compute.amazonaws.com [35.157.94.119] port 22.
debug1: connect to address 35.157.94.119 port 22: Operation timed out
ssh: connect to host ec2-35-157-94-119.eu-central-1.compute.amazonaws.com port 22: Operation timed out
If try to aws ec2 describe-instances --instance-ids i-09e2830xxxxxx or with the dashboard I can see my instance up and running with Private and Public IPv4/v6 present and a Public DNS
Any idea why ?
Make sure you did the following:
Create an IGW (Internet Gateway) and associate it with your VPC;
Add a route for 0.0.0.0/0 to go through the IGW;
Associate the subnet (the one you launched your EC2) with the correct routing table (the one containing 0.0.0.0/0 -> IGW);