EC2 instance with EIP in Public subnet not connecting to Internet


I have a strange problem wherein I am able to connect to an EC2 instance in a public subnet in AWS VPC using RDP and HTTP. However, after successfully connecting to the instance through RDP, I am not able to connect to the Internet (from the instance).

a) I created a non-default AWS VPC and associated an IGW to it. The address range of VPC is 10.0.0.0/16. A subnet with the address space 10.0.5.0/24 was created

c) In order to make the subnet public, I decided to retain the Main Route Table as it is and created an additional Route table with the following entries

10.0.0.0/16 -> local
0.0.0.0/0 -> igw

d) This route table was associated with the subnet 10.0.5.0/24. This makes it a public subnet

e) The NACL is set to allow INBOUND traffic HTTP (80), HTTPS (80), SSH (22), RDP (3389) for IPv4, and NACL OUTBOUND traffic ALL TRAFFIC, ALL PROTOCOL, ALL PORT Range, Destination 0.0.0.0/0

f) The security group settings are:

Inbound: All traffic, All, All, 0.0.0.0/0
Outbound: All traffic, All, All, 0.0.0.0/0

g) I created a single EC2 instance in the public subnet and assigned an Elastic IP (EIP) to it. I am able to connect to this using RDP and able to access the IIS Welcome page by typing the public DNS name of the EC2 instance in my local browser. However, from the instance, when I open IE and try accessing any popular websites, I am not able to access the Internet. I always get a 'Can't reach this page' error.

h) I disabled Windows Firewall and tried accessing the Internet. But still it didn't work.

i) The tracert output just shows "Request timed out" in all the lines.

Any help would be appreciated.

Thanks and Regards, Govind

2 votes

There are 2 best solutions below

0 votes

Finally I was able to fix this issue. I added

ALL TCP TCP (6) 0 - 65535 0.0.0.0/0 ALLOW

as an INBOUND rule in the NACL. Immediately I was able to access the Internet from the browser in the EC2 instance.

However, I am not convinced that all the ports should be opened to use a browser on an EC2 instance in the public subnet. Is there a better way to do this?

Can I consider setting up a Forward Proxy server as a solution for browser-based outgoing traffic as in this case? Please suggest.

4 votes

First, verify that the following conditions are met:

1. The route table in the instance's subnet has a default route to an internet gateway.

2. The security group attached to the instance's elastic network interface must allow outbound traffic on the following ports:
   - Port 80 for HTTP traffic
   - Port 443 for HTTPS traffic

3. Identify the network access control lists (ACLs) that are associated with the subnet that the instance is located on. These network ACLs must have rules to allow inbound and outbound traffic on ports 80 and 443.

You don't need to open all the ports to enable outgoing web traffic.

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-connect-internet-gateway/
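Neither answer spells out why the extra inbound rule was needed: network ACLs are stateless, so the reply half of a browser connection arrives at an ephemeral destination port on the instance and must be allowed inbound separately, which is why the question's inbound list (80/443/22/3389 only) blocked browsing. The model below is an added example, not code from either answer or from AWS; it evaluates constructed rule sets with NACL semantics (ascending rule number, first match wins, implicit deny) and compares the all-TCP fix with a narrower rule covering only the 1024-65535 ephemeral range that AWS documents for return traffic. The IP addresses, rule numbers and the client port 49700 are constructed sample values.

```python
"""Stateless NACL evaluation: why the question's inbound rules broke outbound
browsing, and how an ephemeral-port rule fixes it with less exposure."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending order; first match wins
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # destination port range on the instance (inbound rules)
    port_to: int
    cidr: str        # remote source CIDR for inbound rules
    action: str      # "allow" or "deny"


def evaluate(rules, protocol, dst_port, remote_ip):
    """True if a packet is allowed; no match falls through to the implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if not (r.port_from <= dst_port <= r.port_to):
            continue
        if ip_address(remote_ip) not in ip_network(r.cidr):
            continue
        return r.action == "allow"
    return False


# Constructed inbound rule sets (rule numbers are assumptions).
# The question's ACL: only the service ports, so replies to outbound flows
# (arriving at an ephemeral port) hit the implicit deny.
QUESTION_INBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(120, "tcp", 22, 22, "0.0.0.0/0", "allow"),
    Rule(130, "tcp", 3389, 3389, "0.0.0.0/0", "allow"),
]
# The accepted fix from the first answer: every TCP port from anywhere.
ALL_TCP_INBOUND = QUESTION_INBOUND + [Rule(140, "tcp", 0, 65535, "0.0.0.0/0", "allow")]
# Narrower alternative: only the ephemeral range used by return traffic.
EPHEMERAL_INBOUND = QUESTION_INBOUND + [Rule(140, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]


def return_traffic_allowed(inbound, client_port=49700, web_server="203.0.113.10"):
    """Does the reply from a web server reach the instance's ephemeral client port?"""
    return evaluate(inbound, "tcp", client_port, web_server)


def service_port_exposed(inbound, port, remote="198.51.100.7"):
    """Can an unsolicited Internet connection reach this port at the NACL layer?"""
    return evaluate(inbound, "tcp", port, remote)
```

With the question's rules the reply is denied; the all-TCP rule allows it but also lets unsolicited traffic to low ports such as 445 through the NACL, while the ephemeral-range rule allows the reply and still rejects those ports.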