aws network_error ai_generated true

Connection to EC2 instance timed out while using Instance Connect

ID: aws/ec2-instance-connect-timeout

Fix Rate: 80%
Confidence: 85%
Evidence: 1
First Seen: 2023-06-15

Version Compatibility

Version                   Status   Introduced   Deprecated   Notes
ec2-instance-connect-1.0  active
aws-cli-2.15.0            active
amazon-ec2-2024           active

Root Cause

The timeout means the SSH connection to TCP port 22 on the instance never completes; pushing the one-time public key through the EC2 Instance Connect API is a separate step and is not what times out. The network path is blocked in one of three places: the security group does not allow inbound TCP/22 from the connection's actual source (the AWS EC2_INSTANCE_CONNECT address range for the browser-based client, or your own public IP when you use your own SSH client), the instance has no public IP or no route from outside the VPC, or a network ACL drops the inbound SYN or, because NACLs are stateless, the ephemeral-port return traffic.



Official Documentation

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-connect-set-up.html

Workarounds

  1. 80% success Verify that the security group attached to the instance allows inbound TCP/22 from the source the connection actually comes from. For the browser-based Instance Connect client that is the EC2_INSTANCE_CONNECT range for the instance's region, published in https://ip-ranges.amazonaws.com/ip-ranges.json (18.206.107.24/29 is the us-east-1 range only; other regions use different prefixes). If you connect with your own SSH client after aws ec2-instance-connect send-ssh-public-key, the source is your client's public IP instead. Inspect the group with: aws ec2 describe-security-groups --group-ids sg-xxx, then add the rule: aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr 18.206.107.24/29. Do not open port 22 to 0.0.0.0/0 just to make the timeout go away.
  2. 75% success Ensure the instance has a public IP (or an Elastic IP) and that its subnet routes to an internet gateway if you connect from outside the VPC, or go through a bastion host. For an instance with no public IP, create an EC2 Instance Connect Endpoint in the subnet (aws ec2 create-instance-connect-endpoint --subnet-id subnet-xxx) and connect through it; the endpoint's security group must then allow outbound TCP/22 to the instance, and the instance's security group must allow inbound TCP/22 from the endpoint's security group.
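The checks behind steps 1 and 2 on the network side, as an added example and not code from this page or from AWS: it consumes the JSON that aws ec2 describe-security-groups and aws ec2 describe-network-acls return, plus the EC2_INSTANCE_CONNECT prefixes from ip-ranges.json, and reports which Instance Connect prefix is not admitted on port 22, the authorize command that would admit it, whether the group is world-open instead, and whether the subnet's network ACL allows both the inbound SYN and the stateless ephemeral-port return path. Every sample document, the group ID sg-0123456789abcdef0 and the us-east-2 prefix are constructed for the example; the us-east-1 prefix 18.206.107.24/29 is the one the page quotes.

```python
"""Check whether an instance's network path admits EC2 Instance Connect on TCP/22.

Added example, not code from the page or from AWS. Input shapes follow the JSON
output of `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls`
and the prefixes list in ip-ranges.json. All sample documents are constructed.
"""
import ipaddress

# Constructed excerpt of https://ip-ranges.amazonaws.com/ip-ranges.json. The
# us-east-1 prefix is the one the page quotes; the other two are placeholders.
SAMPLE_IP_RANGES = {"prefixes": [
    {"ip_prefix": "18.206.107.24/29", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT"},
    {"ip_prefix": "198.51.100.0/29", "region": "us-east-2", "service": "EC2_INSTANCE_CONNECT"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
]}

# Constructed describe-security-groups output: port 22 is open only to an
# office range, so the browser-based Instance Connect client times out.
SAMPLE_SG = {"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",  # hypothetical group ID
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}]}

# Constructed `Entries` list from describe-network-acls: inbound 22 is allowed,
# but egress only allows 443, so the SYN-ACK never leaves the subnet.
SAMPLE_NACL_ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]

def instance_connect_prefixes(ip_ranges, region):
    """IPv4 prefixes the browser-based Instance Connect client connects from in `region`."""
    return [ipaddress.ip_network(p["ip_prefix"]) for p in ip_ranges["prefixes"]
            if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region]

def rule_covers_port(perm, port):
    """True if a security group permission admits TCP `port` (IpProtocol -1 = all traffic)."""
    if perm["IpProtocol"] == "-1":
        return True
    return perm["IpProtocol"] == "tcp" and perm["FromPort"] <= port <= perm["ToPort"]

def check_ssh_ingress(sg_doc, ip_ranges, region, port=22):
    """Per security group: Instance Connect prefixes not admitted on `port`, the
    authorize command for each, and whether the port is world-open (0.0.0.0/0),
    which also stops the timeout but is the wrong fix."""
    prefixes = instance_connect_prefixes(ip_ranges, region)
    results = {}
    for sg in sg_doc["SecurityGroups"]:
        allowed = [ipaddress.ip_network(r["CidrIp"])
                   for perm in sg["IpPermissions"] if rule_covers_port(perm, port)
                   for r in perm.get("IpRanges", [])]
        missing = [str(p) for p in prefixes if not any(p.subnet_of(c) for c in allowed)]
        results[sg["GroupId"]] = {
            "missing": missing,
            "world_open": any(c.prefixlen == 0 for c in allowed),
            "fix": [f"aws ec2 authorize-security-group-ingress --group-id {sg['GroupId']}"
                    f" --protocol tcp --port {port} --cidr {p}" for p in missing],
        }
    return results

def nacl_verdict(entries, egress, port, peer):
    """First-match evaluation of one direction of a network ACL (lowest RuleNumber
    wins) for TCP `port` and the peer network; unmatched traffic hits the implicit
    deny. A rule whose CIDR covers only part of `peer` is treated as no match."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or "CidrBlock" not in e:
            continue
        if not peer.subnet_of(ipaddress.ip_network(e["CidrBlock"])):
            continue
        if e["Protocol"] == "6":  # TCP
            pr = e.get("PortRange", {"From": 0, "To": 65535})
            if not pr["From"] <= port <= pr["To"]:
                continue
        elif e["Protocol"] != "-1":
            continue
        return e["RuleAction"]
    return "deny"

def nacl_allows_instance_connect(entries, prefix, port=22):
    """Security groups are stateful, NACLs are not: the subnet needs an inbound allow
    to `port` and an outbound allow for the ephemeral return ports (1024-65535) back
    to the Instance Connect prefix. The outbound side is spot-checked at three ports."""
    inbound = nacl_verdict(entries, False, port, prefix) == "allow"
    outbound = all(nacl_verdict(entries, True, p, prefix) == "allow" for p in (1024, 32768, 65535))
    return inbound and outbound

if __name__ == "__main__":
    prefix = instance_connect_prefixes(SAMPLE_IP_RANGES, "us-east-1")[0]
    for gid, r in check_ssh_ingress(SAMPLE_SG, SAMPLE_IP_RANGES, "us-east-1").items():
        print(gid, "missing:", r["missing"], "world-open:", r["world_open"])
        print("\n".join(r["fix"]))
    print("NACL admits Instance Connect:", nacl_allows_instance_connect(SAMPLE_NACL_ENTRIES, prefix))
```

To run it against a real account, replace the constants with json.load of the CLI output (aws ec2 describe-security-groups --group-ids sg-xxx --output json, the Entries array of the subnet's ACL from aws ec2 describe-network-acls, and the downloaded ip-ranges.json) and pass the instance's region. The partial-overlap rule in nacl_verdict is deliberately conservative: a /29 service prefix will almost always be either fully inside or fully outside an ACL entry's CIDR, and a partial match would otherwise hide a deny.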


Dead Ends

Common approaches that don't work:

  1. 90% fail Tuning SSH client settings (timeouts, retries, keepalives). The timeout is a network-layer problem, and client-side settings cannot bypass AWS network policy.
  2. 85% fail Rebooting the instance. A reboot does not fix misconfigured security group rules or IAM permission errors.