Reputation: 3
Apparently, my EC2 instance can’t access the internet properly. Here is what happens when I try to install a Python module:
```text
[ec2-user@ip-172-31-90-31 ~]$ pip3 install flask
Defaulting to user installation because normal site-packages is not writeable
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7fab198cbe10>: Failed to establish a new connection: [Errno 101] Network is unreachable')': /simple/flask/
```
etc.
However, the website that is hosted on the same EC2 instance can be accessed using both http and https.
The security group is configured as follows:
| Port range | Protocol | Source |
|---|---|---|
| 80 | TCP | 0.0.0.0/0 |
| 22 | TCP | 0.0.0.0/0 |
| 80 | TCP | ::/0 |
| 22 | TCP | ::/0 |
| 443 | TCP | 0.0.0.0/0 |
| 443 | TCP | ::/0 |
The ACL inbound rules are:
| Type | Protocol | Port range | Source | Allow/Deny |
|---|---|---|---|---|
| HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | Allow |
| SSH (22) | TCP (6) | 22 | 0.0.0.0/0 | Allow |
| HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 | Allow |
| All ICMP - IPv4 | ICMP (1) | All | 0.0.0.0/0 | Allow |
| All traffic | All | All | 0.0.0.0/0 | Deny |
and the outbound rules are:
| Type | Protocol | Port range | Source | Allow/Deny |
|---|---|---|---|---|
| Custom TCP | TCP (6) | 1024 - 65535 | 0.0.0.0/0 | Allow |
| HTTP (80) | TCP (6) | 80 | 0.0.0.0/0 | Allow |
| SSH (22) | TCP (6) | 22 | 0.0.0.0/0 | Allow |
| HTTPS (443) | TCP (6) | 443 | 0.0.0.0/0 | Allow |
| All ICMP - IPv4 | ICMP (1) | All | 0.0.0.0/0 | Allow |
| All traffic | All | All | 0.0.0.0/0 | Deny |
This is what the route table associated with the subnet looks like:
| Destination | Target | Status | Propagated |
|---|---|---|---|
| 172.31.0.0/16 | local | Active | No |
| 0.0.0.0/0 | igw-09b554e4da387238c | Active | No |
(no explicit or edge associations).
As for the firewall, executing `sudo iptables -L` results in

```text
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```
and `sudo iptables -L -t nat` gives

```text
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
```
What am I missing here? Any suggestions or ideas on this would be greatly appreciated.
Thanks
Upvotes: 0
Views: 3804
Reputation: 269881
You did not list your settings for the Outbound rules of the security group(s) attached to the instance. You should keep the "Allow All" outbound rules to allow the instance to access the Internet.
In general, you should not modify the ACL rules away from their default "Allow All" setting unless you have a very specific need (e.g. creating a DMZ). I recommend that you start by removing all custom rules from the ACLs and set the 'All traffic' option to "Allow". At least try this temporarily to try and identify the problem.
For example, when establishing a connection to the Internet, traffic will come from a randomly-assigned port. Your ACL is currently blocking all such ports. (To clarify: You might be connecting to port 80 on a remote computer, but that request is not coming from port 80 on your own computer. It is coming from a randomly-assigned port.)
Upvotes: 3
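The answer's point about ephemeral ports follows from network ACLs being stateless: each direction of a TCP connection is checked separately, and the reply packet of an outbound connection arrives with a random high destination port. The script below is an added illustration, not code from the question or the answer; it models the inbound and outbound ACL tables from the question (assuming the listed order is the rule-number order, with AWS's implicit final deny) and traces both halves of a connection through them. The remote address `203.0.113.10` and the ephemeral port `49152` are constructed sample values.

```python
"""Stateless network-ACL evaluation, modelled on the rule tables in the question."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclRule:
    protocol: str                     # "tcp", "icmp" or "all"
    ports: Optional[Tuple[int, int]]  # destination-port range; None means all ports
    cidr: str                         # remote address range the rule applies to
    action: str                       # "allow" or "deny"

    def matches(self, protocol: str, dst_port: Optional[int], remote_ip: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if self.ports is not None:
            if dst_port is None:
                return False
            lo, hi = self.ports
            if not lo <= dst_port <= hi:
                return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)


def evaluate(rules: List[AclRule], protocol: str, dst_port: Optional[int], remote_ip: str) -> str:
    """First matching rule wins (AWS walks NACL rules in rule-number order).
    Anything no rule matches falls through to the implicit final '*' deny."""
    for rule in rules:
        if rule.matches(protocol, dst_port, remote_ip):
            return rule.action
    return "deny"


ANY = "0.0.0.0/0"

# Inbound ACL rules as listed in the question (order assumed to be rule-number order).
QUESTION_INBOUND = [
    AclRule("tcp", (80, 80), ANY, "allow"),
    AclRule("tcp", (22, 22), ANY, "allow"),
    AclRule("tcp", (443, 443), ANY, "allow"),
    AclRule("icmp", None, ANY, "allow"),
    AclRule("all", None, ANY, "deny"),
]

# Outbound ACL rules as listed in the question.
QUESTION_OUTBOUND = [
    AclRule("tcp", (1024, 65535), ANY, "allow"),
    AclRule("tcp", (80, 80), ANY, "allow"),
    AclRule("tcp", (22, 22), ANY, "allow"),
    AclRule("tcp", (443, 443), ANY, "allow"),
    AclRule("icmp", None, ANY, "allow"),
    AclRule("all", None, ANY, "deny"),
]

# A corrected inbound set: the question's rules plus an ephemeral-port allow so that
# replies to connections the instance opens can get back in.
FIXED_INBOUND = [AclRule("tcp", (1024, 65535), ANY, "allow")] + QUESTION_INBOUND


def simulate_tcp_connection(inbound: List[AclRule], outbound: List[AclRule], *,
                            initiated_by: str, service_port: int,
                            ephemeral_port: int, remote_ip: str) -> Dict[str, object]:
    """Trace the first packet and its reply through a stateless NACL.

    initiated_by="instance": the instance connects out to remote_ip:service_port
                             from ephemeral_port (the pip case in the question).
    initiated_by="client":   remote_ip connects in to the instance's service_port
                             from ephemeral_port (the hosted-website case).
    """
    if initiated_by == "instance":
        first = evaluate(outbound, "tcp", service_port, remote_ip)    # SYN leaving
        reply = evaluate(inbound, "tcp", ephemeral_port, remote_ip)   # SYN-ACK returning
    elif initiated_by == "client":
        first = evaluate(inbound, "tcp", service_port, remote_ip)     # SYN arriving
        reply = evaluate(outbound, "tcp", ephemeral_port, remote_ip)  # SYN-ACK leaving
    else:
        raise ValueError(f"unknown initiator {initiated_by!r}")
    return {
        "first_packet": first,
        "reply_packet": reply,
        "connection_succeeds": first == "allow" and reply == "allow",
    }


if __name__ == "__main__":
    remote = "203.0.113.10"  # constructed sample address (TEST-NET-3)
    for label, inb in (("question's ACL", QUESTION_INBOUND), ("with ephemeral allow", FIXED_INBOUND)):
        out = simulate_tcp_connection(inb, QUESTION_OUTBOUND, initiated_by="instance",
                                      service_port=443, ephemeral_port=49152, remote_ip=remote)
        inc = simulate_tcp_connection(inb, QUESTION_OUTBOUND, initiated_by="client",
                                      service_port=443, ephemeral_port=49152, remote_ip=remote)
        print(f"{label}: instance -> internet:443 {out}")
        print(f"{label}: internet -> instance:443 {inc}")
```

Running it shows the asymmetry the question describes: a client reaching the hosted website succeeds under the question's rules (inbound 443 allowed, reply on an ephemeral port allowed outbound), while the instance's own connection to a package index is dropped on the reply because no inbound rule covers the ephemeral port. Adding the ephemeral-port allow, or restoring the default "Allow All" as the answer suggests, makes both directions pass.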