cannot ssh vanilla aws instance

0
votes

I've spend my whole evening on this. guess it is just I missed a stupid step. Here is the procedure I followed:

  1. create an aws vpc 10.0.0.0/24;
  2. create an aws internet gateway and associate it with the VPC;
  3. create a subnet in the VPC 10.0.0.0/26;
  4. Add inbound rule to VPC ACL to allow SSH, HTTP, HTTPS from all IPV4 sources;
  5. Launch aws ec2 instance with Amazon Linux 2 AMI in region us-west-2, t2.micro, instance details: Number of instances: 1 network: VPC created above subnet: subnet created above auto-assign Public IP: use subnet setting(Disable) Capacity reservation: Open everything else as default storage details add on data volume, delete on termination check security group: new security group with inbound rules ssh/http/https opened for all ipv4 sources use existing key pair I created earlier;
  6. create an elastic IP;
  7. associate the elastic IP to the instance created above.
  8. reboot the instance

Then I can see the instance is running well with elastic IP attached. I tried to connect to the ip address with ssh ssh -vvv -i ./aws_private.pem ec2-user@ipaddress and got below failure

OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug2: resolve_canonicalize: hostname <elastic ipaddress> is address
debug2: ssh_connect_direct
debug1: Connecting to <elastic ipaddress> [<elastic ipaddress>] port 22.
debug1: connect to address <elastic ipaddress> port 22: Operation timed out
ssh: connect to host <elastic ipaddress> port 22: Operation timed out

I verified the ACL and Security group. Those are my only ACL and Security Group. I'm using a Mac. And also tried with a windows OS as well as aws cloud shell in the same region. All of them have the same error. telnet <elastic ip> 22 fails as well. what did I do wrong?

3
amazon-web-servicesssh
if you also cannot telnet port 22, please check whether the target computer allows inbound connection thru port 22 (check its firewall)Ken Lee
What about a route table to the internet gateway?Marcin
@KenLee, do you mean computer firewall or VPC ACL or security group? If it's computer firewall, I can't login that VM and couldn't check it. If it is VPC ACL, as I mentioned, it was already allowed. If it is security group, it's already allowed.Dongkai Yu
@Marcin, that's a good catch. I forgot to update the route table in above steps. Actually, I attached the route table with two rules: destination 10.0.0.0/24, target local; destination 0.0.0.0/0, target internet gateway. The problem persist.Dongkai Yu
Can you revert back the NACLs to its default state? Otherwise you have to show exactly how you modified them.Marcin

3 Answers

0
votes

You forgot one thing .

Security Groups

You need to allow SSH connection to your instance port 22. to do this add below rule to your Ec2 instance's security group.

Protocol - TCP, type- SSH , port -22, source - 0.0.0.0/0

Actually , you dont need to edit ACL , as those by default allow access to everything .

but you need to add rules to Security Groups as by default it Not allows any connection

0
votes

In general, NACL rules should not be changed from default unless you have a very specific requirement (eg creating a DMZ).

NACLs are stateless, which means that they need to be specified in both directions. I recommend that you reset the NACLs back to their default setting of "Allow All" for both Inbound and Outbound, and then only use Security Groups for controlling access.

The flow of the connection will be:

  • Elastic IP address points to Internet Gateway
  • Internet Gateway does a reverse NAT to convert it to a private IP address
  • Route Table on Subnet is consulted to confirm that the subnet is "public" (Route Table entry pointing to Internet Gateway)
  • NACL checks traffic on entry to subnet (recommendation is to leave it as default Allow All)
  • Security Group checks traffic coming into the instance
  • Instance processes incoming request
0
votes

turned out it was zscaler on my Mac somehow changes my ip address and messed up the communication between my Mac and aws.