How To Fix EC2 Network Unreachable Error [Solved]

Symptoms & Diagnosis

The “Network Unreachable” error on an AWS EC2 instance is a common hurdle for cloud engineers. It typically manifests when you attempt to connect via SSH or RDP and receive a “Connection Timed Out” or “No route to host” message.

You can diagnose this by checking the instance's status checks in the EC2 console. If the Instance Status check fails, the underlying hardware or OS network stack may be the issue. If the System Status check passes but you still can't connect, the problem likely lies in your network configuration.

Use these commands from your local machine to confirm the diagnosis:

# Test basic connectivity
ping [your-instance-ip]

# Check specific port connectivity (e.g., SSH port 22)
nc -zv [your-instance-ip] 22

# Trace the network path
traceroute [your-instance-ip]


Troubleshooting Guide

To fix the network unreachable error, you must verify multiple layers of the AWS networking stack. The following table summarizes the primary checkpoints:

Component      | Requirement                                   | Common Issue
---------------|-----------------------------------------------|---------------------------------------------------
Security Group | Inbound rule for port 22 (SSH) or 3389 (RDP)  | Rule missing or restricted to the wrong IP
Network ACLs   | Inbound AND outbound rules allowed            | Stateless filtering blocking return traffic
Route Table    | Route to 0.0.0.0/0 via Internet Gateway (IGW) | Missing IGW or NAT Gateway attachment
Public IP      | Elastic IP or public IPv4 assigned            | Instance has only a private IP in a public subnet

Step 1: Verify Security Groups

Ensure that the Security Group associated with your EC2 instance allows inbound traffic from your specific IP address. AWS Security Groups are stateful, so you only need to define the inbound rule.

Step 2: Check Subnet Route Tables

For a public instance, your subnet’s route table must have a route pointing `0.0.0.0/0` to an Internet Gateway. If the instance is in a private subnet, it requires a NAT Gateway to reach the internet.

Step 3: Inspect Network ACLs

Unlike Security Groups, Network ACLs (NACLs) are stateless. You must ensure that both inbound and outbound rules allow traffic on the ephemeral port range (1024-65535) and the specific service port.

# Check the OS-level firewall (if you have console access)
sudo ufw status
sudo iptables -L

Prevention

Preventing network reachability issues requires a proactive approach to infrastructure management. Use AWS Reachability Analyzer to simulate connectivity paths between your source and the EC2 instance before deployment.

Implement Infrastructure as Code (IaC) using Terraform or AWS CloudFormation. This ensures your Security Groups and Route Tables are version-controlled and consistent, reducing manual configuration errors.

Finally, enable VPC Flow Logs. This allows you to monitor the IP traffic going to and from network interfaces in your VPC, providing immediate insight into whether traffic is being “REJECTED” by a security group or NACL.
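As an added example (not code from the original article), the following script reads default-format VPC Flow Log records and separates rejected inbound SSH attempts from rejected SSH replies: an inbound REJECT points at a Security Group or NACL inbound rule, while an ACCEPTed inbound flow whose reply is REJECTed can only be the stateless NACL outbound rule described in Step 3. The interface ID, account ID, addresses and timestamps in the sample records are constructed; pass `port=3389` to apply the same classification to RDP.

```python
from collections import Counter

# Field order of the default VPC Flow Log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()


def parse_flow_log(text):
    """Parse default-format flow log lines; NODATA/SKIPDATA rows are skipped."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # not a default-format v2 record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # no flow data was captured in this window
        for key in ("srcport", "dstport", "protocol"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def classify_ssh_flows(records, instance_ip, port=22):
    """Count TCP flows on the service port by direction and action.

    inbound_reject: client -> instance:port dropped (SG or NACL inbound rule).
    reply_reject: instance:port -> client ephemeral port dropped; Security
    Groups are stateful, so this points at a stateless NACL outbound rule.
    """
    counts = Counter()
    for rec in records:
        if rec["protocol"] != 6:  # TCP only
            continue
        if rec["dstaddr"] == instance_ip and rec["dstport"] == port:
            counts["inbound_" + rec["action"].lower()] += 1
        elif rec["srcaddr"] == instance_ip and rec["srcport"] == port:
            counts["reply_" + rec["action"].lower()] += 1
    return counts


# Constructed sample records, not real traffic; 10.0.1.5 is the instance.
SAMPLE_LOG = """
2 123456789012 eni-0abc12345 203.0.113.10 10.0.1.5 51234 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 203.0.113.10 10.0.1.5 51235 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345 10.0.1.5 203.0.113.10 22 51235 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    print(dict(classify_ssh_flows(parse_flow_log(SAMPLE_LOG), "10.0.1.5")))
```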