cloud
network_error
ai_generated: true
Connection timed out when connecting to EC2 instance via SSH
ID: cloud/aws-ec2-instance-connect-timeout
88% Fix Rate
89% Confidence
1 Evidence
2023-04-12 First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS EC2 | active | — | — | — |
| Amazon Linux 2023 | active | — | — | — |
| Ubuntu 22.04 | active | — | — | — |
| OpenSSH 9.0 | active | — | — | — |
Root Cause
The EC2 instance is not reachable over SSH because of missing or misconfigured security group rules, incorrect subnet routing, or the instance not having a public IP (or not being behind a NAT gateway).
Official Documentation
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/TroubleshootingInstancesConnecting.html
Workarounds
- 90% success: Verify that the security group attached to the EC2 instance allows inbound SSH (port 22) from your IP. To add the rule with the AWS CLI: `aws ec2 authorize-security-group-ingress --group-id sg-xxxxxxxx --protocol tcp --port 22 --cidr <YOUR_IP>/32`. Replace `<YOUR_IP>` with your public IP (check via `curl ifconfig.me`).
- 85% success: If the instance is in a private subnet, set up an SSH bastion host or use AWS Systems Manager Session Manager: `aws ssm start-session --target <instance-id>`. Ensure the instance has an IAM role with `ssm:StartSession` permission and the SSM Agent is installed.
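To check the first workaround before changing any rule, the following added example (not part of the original entry) evaluates security group ingress rules, in the JSON shape returned by `aws ec2 describe-security-groups`, against a client IP, and also reports whether SSH is open to every address. The sample data and the function names are constructed for illustration; rules that reference other security groups or prefix lists, and network ACLs and route tables, are not evaluated.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output (placeholder values).
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-xxxxxxxx",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.7/32"}]}
  ]}]}
""")


def covers_ssh(perm, port=22):
    """True if the rule's protocol and port range include TCP/22."""
    proto = perm.get("IpProtocol")
    if proto == "-1":          # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def ssh_sources(groups):
    """Collect every CIDR (IPv4 and IPv6) allowed to reach TCP/22."""
    cidrs = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if covers_ssh(perm):
                cidrs += [r["CidrIp"] for r in perm.get("IpRanges", [])]
                cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return cidrs


def check_ssh(groups, client_ip):
    """Return (reachable, world_open) for client_ip against the ingress rules."""
    ip = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(c, strict=False) for c in ssh_sources(groups)]
    reachable = any(ip.version == n.version and ip in n for n in nets)
    world_open = any(n.prefixlen == 0 for n in nets)
    return reachable, world_open


if __name__ == "__main__":
    for addr in ("203.0.113.7", "198.51.100.20"):
        print(addr, check_ssh(SAMPLE, addr))
```

A result of `(False, False)` for your address matches the timeout described here; `world_open` being `True` means port 22 is exposed to every source and the rule should be narrowed to a `/32` as in the workaround.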
Dead Ends
Common approaches that don't work:
- 80% fail: The OS firewall may allow SSH, but the security group acts as a network-level firewall outside the instance; traffic is dropped before reaching the OS.
- 95% fail: Rebooting only restarts the OS; security group and VPC routing remain unchanged.