How To Fix Ec2 Security Group Blocking Connection [Solved]

Issue                | Primary Cause                                     | Resolution
Connection Timeout   | Missing Inbound Rule                              | Add a rule for the specific port (e.g., 22, 80, 443) and Source IP.
Connection Refused   | Service not running or port mismatch              | Verify the service status and ensure the Security Group matches the application port.
Unreachable Instance | Misconfigured Source IP (0.0.0.0/0 vs specific IP) | Update the rule to allow "My IP" or a specific CIDR block.

Troubleshooting AWS EC2 security group connection issues diagram.

What is an EC2 Security Group Blocking Connection?

An EC2 Security Group acts as a virtual firewall for your instance to control incoming and outgoing traffic. Security Groups only contain allow rules, so they are "deny-all" by default: any inbound traffic that does not match an explicit allow rule is dropped.

When you encounter a “Connection Timed Out” error, it usually indicates that the Security Group is silently dropping the packets. Unlike a “Connection Refused” error, which often happens at the OS level, a timeout is a classic sign of a network-level block by AWS infrastructure.

Security groups are stateful. This means if you allow an inbound request, the outbound response is automatically allowed, regardless of outbound rules. Understanding this helps narrow down the troubleshooting process to the inbound configuration.

Step-by-Step Solutions

1. Identify the Correct Security Group

First, ensure you are editing the right group. Log into the AWS Management Console, navigate to the EC2 Dashboard, and select your instance. Look at the “Security” tab to find the Security Group ID associated with the interface.

2. Verify Inbound Rules

Check the inbound rules to ensure the port your application uses is open. For example, if you are trying to SSH, you must have an entry for Port 22. If it’s a web server, you need Port 80 or 443.

# Example: Checking Security Group rules via AWS CLI (replace the ID with your group's ID)
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0
# Show only the inbound rules of the group:
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0 --query 'SecurityGroups[].IpPermissions'

3. Check the Source IP Address

Many users set their source to “My IP.” If your local ISP has changed your public IP address, the Security Group will block you. Update the rule to your current public IP address using a CIDR suffix (e.g., /32).

4. Validate Network ACLs (NACLs)

While Security Groups are stateful, Network ACLs are stateless. If your Security Group is configured correctly but traffic is still blocked, check the Subnet’s NACL. Ensure both Inbound and Outbound rules allow the traffic, as NACLs require explicit rules for the return traffic on ephemeral ports.

5. Use AWS Reachability Analyzer

AWS provides a tool called "VPC Reachability Analyzer." It analyzes the network configuration along the path between your source (e.g., an Internet Gateway) and the destination (your EC2 instance) without sending any packets, and it will explicitly tell you if a Security Group is the blocking component.

# Test connectivity from your local machine (replace <instance-public-ip> with the instance's public IP or DNS name)
nc -zv <instance-public-ip> 22
# A hang ending in a timeout points to a Security Group or NACL drop; an immediate "Connection refused" means the packet reached the host.
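To see why a Security Group produces a timeout for one client but not another, the following added example (not part of the original article) takes JSON shaped like the output of the describe-security-groups command above and checks which inbound rules admit a given source IP and port. The group ID and addresses are constructed placeholders; only IPv4 CIDR rules (IpRanges) are evaluated, not IPv6 ranges, prefix lists or referenced security groups.

```python
import ipaddress
import json

# Constructed sample shaped like the JSON printed by
# `aws ec2 describe-security-groups --group-ids <sg-id>` (IDs and addresses are placeholders).
SAMPLE = json.loads("""
{"SecurityGroups": [{"GroupId": "sg-0123456789abcdef0", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.10/32", "Description": "My IP (old)"}]},
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
]}]}
""")


def matching_cidrs(describe_output, port, src_ip, proto="tcp"):
    """Return the inbound CIDRs that admit `proto`/`port` from `src_ip`.

    An empty list means no allow rule matches, so the packet is silently
    dropped: the 'Connection Timed Out' case described in the article.
    """
    src = ipaddress.ip_address(src_ip)
    hits = []
    for group in describe_output["SecurityGroups"]:
        for rule in group["IpPermissions"]:
            if rule["IpProtocol"] not in (proto, "-1"):   # "-1" means all protocols
                continue
            # All-protocol rules carry no port range; any other rule must span the port.
            if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
                continue
            for r in rule.get("IpRanges", []):            # IPv4 CIDR entries only
                if src in ipaddress.ip_network(r["CidrIp"]):
                    hits.append(r["CidrIp"])
    return hits


def wide_open_admin_ports(describe_output, admin_ports=(22, 3389)):
    """Admin ports reachable from 0.0.0.0/0: this 'fixes' a timeout but exposes the
    host to the whole internet; the article's /32 rule for your own IP is the safer fix."""
    return sorted(p for p in admin_ports
                  if "0.0.0.0/0" in matching_cidrs(describe_output, p, "192.0.2.1"))


if __name__ == "__main__":
    # The ISP moved the user's public IP from 203.0.113.10 to 198.51.100.7:
    print(matching_cidrs(SAMPLE, 22, "203.0.113.10"))  # ['203.0.113.10/32']
    print(matching_cidrs(SAMPLE, 22, "198.51.100.7"))  # [] -> SSH times out
    print(matching_cidrs(SAMPLE, 80, "198.51.100.7"))  # ['0.0.0.0/0'] -> web still reachable
    print(wide_open_admin_ports(SAMPLE))               # []
```

Feed the real CLI output in with `json.load()` and your current public IP to confirm whether the rule set, rather than the OS or a NACL, is what drops your connection.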

By systematically checking the inbound rules, verifying your current IP, and utilizing AWS diagnostic tools, you can quickly resolve connectivity issues and restore access to your EC2 instances.