Troubleshooting "Network is unreachable" from within an Amazon VPC

networking amazon-ec2 firewall amazon-web-services nat
6,809

The EC2 Instance in question had no public IPv4 address ergo could not participate in The Internet.

Simply assign a public IP address to the instance, and:

[ec2-user@nat1 ~]$ curl -v wikipedia.org/
*   Trying 208.80.154.224...
* Connected to wikipedia.org (208.80.154.224) port 80 (#0)
Share:
6,809

Related videos on Youtube

Charney Kaye
Author by

Charney Kaye

I’m a lifelong artist, musician, and hacker— the beneficial type, building machines passionately to solve problems, connecting software with media. Media is a portal to comedy, adventure, enlightenment, or propaganda, transmitting an entire ideology, or compelling the audience to take action. As technology integrates with each new surface of our lives, we’re impacted by the quality of its development. At once, I’m obsessional about technical detail and tenacious about capturing value, seeking always to understand software and media in the context of our society, focusing efforts where our impact is greatest. Professionally, I’ve built an arsenal of skills ranging from typography to Java and honed my design thinking over hundreds of projects. I’m both a seasoned veteran and a contemporary student of human-machine interaction, from R&D to implementation. Most excitingly, I invented this entirely new medium for collaborative composition of ambient music. Here’s my resume.

Updated on September 18, 2022

Comments

  • Charney Kaye
    Charney Kaye over 1 year

    An EC2 instance is running Amazon Linux in a public subnet in a VPC.

    Here are the outbound rules for its security group:

    ALLOW TCP on port 80 to 0.0.0.0/0
ALLOW TCP on port 443 to 0.0.0.0/0
ALLOW ICMP to 0.0.0.0/0

    First I SSH into the instance. Then, I attempt to make a simple request to the outside internet: 

    [ec2-user@nat1 ~]$ curl -v wikipedia.org/
*   Trying 208.80.154.224...
*   Trying 2620:0:861:ed1a::1...
* Immediate connect fail for 2620:0:861:ed1a::1: Network is unreachable

    Note that DNS is being resolved by my own AWS Route 53 dns server within the VPC, so that does not prove outside connectivity.

    I see Trying 208.80.154.224... followed by no details about failure- any way to get more info right there?

    The next step looks like a malformed attempt to translate that address to IPv6. Is this a clue? Or just the automatic recourse when IPv4 fails?

    The ultimate error "Network is unreachable" seems likely to be referring to overall failure of the IPv6 network- which is fine for my purposes now. So that still leaves me looking for more details about the first failure to try the correct IPv4 address.

    And now here's the entry in the subnet flow log for the network interface of this EC2 instance, filtered to only the IP address 208.80.154.224. All the lines I see end in ACCEPT OK like this:

    Event Data
2 027141088039 eni-66c1933c 10.0.17.220 208.80.154.224 60761 80 6 2 120 1436199193 1436199253 ACCEPT OK
    • Charney Kaye
      Charney Kaye about 4 years
      Curious why the community believes this question doesn't belong here.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

FTP - 500 I won't open a connection to xx.xx.xx.xx
How do I keep my Amazon Linux EC2 instance /var/log/messages from being filled with dhclient and ec2net messages?
Finding my network's public IP address range
FileZilla FTP to AWS EC2 Windows Server 2012 Instance: Failed to retrieve directory listing
How can I do DNAT and SNAT on Windows 7?
Complete masquerading NAT example using nftables on Linux?
Unable to mount Elastic File System on EC2 (mount.nfs4: Connection timed out)
NAT and NGINX on the same server
Cisco ASA Implicit rule dropping traffic
can't connect aws VPC private instance to internet through NAT