
EC2 instance can’t access the internet

Apparently, my EC2 instance can't access the internet properly. Here is what happens when I try to install a Python module:
[ec2-user@ip-172-31-90-31 ~]$ pip3 install flask
Defaulting to user installation because normal site-packages is not writeable
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'NewConnectionError('<pip._vendor.urllib3.connection.HTTPSConnection object at 0x7fab198cbe10>: Failed to establish a new connection: [Errno 101] Network is unreachable')': /simple/flask/ etc.

However, the website that is hosted on the same EC2 instance can be accessed using both http and https.

The security group is configured as follows:

Port range   Protocol   Source
80           TCP        0.0.0.0/0
22           TCP        0.0.0.0/0
80           TCP        ::/0
22           TCP        ::/0
443          TCP        0.0.0.0/0
443          TCP        ::/0

The ACL inbound rules are:

Type               Protocol   Port range   Source      Allow/Deny
HTTP (80)          TCP (6)    80           0.0.0.0/0   Allow
SSH (22)           TCP (6)    22           0.0.0.0/0   Allow
HTTPS (443)        TCP (6)    443          0.0.0.0/0   Allow
All ICMP - IPv4    ICMP (1)   All          0.0.0.0/0   Allow
All traffic        All        All          0.0.0.0/0   Deny

and the outbound rules are:

Type               Protocol   Port range     Source      Allow/Deny
Custom TCP         TCP (6)    1024 - 65535   0.0.0.0/0   Allow
HTTP (80)          TCP (6)    80             0.0.0.0/0   Allow
SSH (22)           TCP (6)    22             0.0.0.0/0   Allow
HTTPS (443)        TCP (6)    443            0.0.0.0/0   Allow
All ICMP - IPv4    ICMP (1)   All            0.0.0.0/0   Allow
All traffic        All        All            0.0.0.0/0   Deny

This is what the route table associated with the subnet looks like:

Destination     Target                  Status   Propagated
172.31.0.0/16   local                   Active   No
0.0.0.0/0       igw-09b554e4da387238c   Active   No

(no explicit or edge associations).

As for the firewall, executing sudo iptables -L results in

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

and sudo iptables -L -t nat gives

Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

What am I missing here? Any suggestions or ideas on this would be greatly appreciated.

Thanks

You did not list your settings for the Outbound rules of the security group(s) attached to the instance. You should keep the "Allow All" outbound rules to allow the instance to access the Internet.

In general, you should not modify the ACL rules away from their default "Allow All" setting unless you have a very specific need (eg creating a DMZ). I recommend that you start by removing all custom rules from the ACLs and set the 'All traffic' option to "Allow". At least try this temporarily to try and identify the problem.

For example, when establishing a connection to the Internet, traffic will come from a randomly-assigned port. Your ACL is currently blocking all such ports. (To clarify: You might be connecting to port 80 on a remote computer, but that request is not coming from port 80 on your own computer. It is coming from a randomly-assigned port.)
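To make the answer's point concrete, here is a small Python model of the stateless NACL evaluation from the question (added illustration, not part of the original thread). It assumes the rules are numbered in the order listed, ignores the security group entirely, and uses constructed ephemeral port numbers; it shows why the hosted website still works while an outbound pip connection is denied on its return leg.

```python
# Stateless network ACL check: rules are evaluated in order, first match wins,
# and because a NACL keeps no connection state, the return packet of an outbound
# connection must be allowed by the INBOUND rule set on its own.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "icmp" or "all"
    ports: tuple    # (low, high) destination-port range; (0, 65535) means all
    action: str     # "allow" or "deny"

def evaluate(rules, proto, dst_port):
    """Action of the first rule matching this packet; implicit deny otherwise."""
    for r in rules:
        if r.proto in ("all", proto) and r.ports[0] <= dst_port <= r.ports[1]:
            return r.action
    return "deny"

ANY = (0, 65535)
# Rule sets transcribed from the question; listed order is assumed to be rule-number order.
INBOUND = [Rule("tcp", (80, 80), "allow"), Rule("tcp", (22, 22), "allow"),
           Rule("tcp", (443, 443), "allow"), Rule("icmp", ANY, "allow"),
           Rule("all", ANY, "deny")]
OUTBOUND = [Rule("tcp", (1024, 65535), "allow"), Rule("tcp", (80, 80), "allow"),
            Rule("tcp", (22, 22), "allow"), Rule("tcp", (443, 443), "allow"),
            Rule("icmp", ANY, "allow"), Rule("all", ANY, "deny")]
# The answer's fix: inbound must also admit replies to the instance's ephemeral ports.
FIXED_INBOUND = [Rule("tcp", (1024, 65535), "allow")] + INBOUND

def outbound_connection_ok(inbound, outbound, remote_port, ephemeral_port):
    """Instance -> remote: the SYN leaves via OUTBOUND (dst = remote_port) and the
    SYN-ACK comes back via INBOUND (dst = our randomly chosen ephemeral_port)."""
    return (evaluate(outbound, "tcp", remote_port) == "allow"
            and evaluate(inbound, "tcp", ephemeral_port) == "allow")

def inbound_connection_ok(inbound, outbound, local_port, client_port):
    """Remote client -> instance: the SYN arrives via INBOUND (dst = local_port) and
    the SYN-ACK leaves via OUTBOUND (dst = the client's ephemeral client_port)."""
    return (evaluate(inbound, "tcp", local_port) == "allow"
            and evaluate(outbound, "tcp", client_port) == "allow")

if __name__ == "__main__":
    # pip reaching a package index on 443 from a constructed ephemeral port 40123
    print("pip -> index:443, current ACL:", outbound_connection_ok(INBOUND, OUTBOUND, 443, 40123))
    print("pip -> index:443, fixed ACL:  ", outbound_connection_ok(FIXED_INBOUND, OUTBOUND, 443, 40123))
    # a browser reaching the hosted site on 80, which is why the website still works
    print("client -> site:80, current ACL:", inbound_connection_ok(INBOUND, OUTBOUND, 80, 51000))
```

Security groups are stateful and track return traffic automatically, which is why the answer recommends leaving the NACL at its default "Allow All" and doing the filtering in the security group.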
