Here are some of the most common reasons you cannot ping your AWS EC2 instance, and how to fix them.
Quick Fix: The most common reason you cannot ping your EC2 instance is that you haven’t opened ICMP inbound in your security group. Continue reading below for more reasons you can’t ping your AWS EC2 instance and how to fix them.
Before we get into the issue it’s important to understand what ping is. Ping does not use any port; it uses a separate layer 3 protocol called ICMP, which sits alongside IP rather than at the transport layer with TCP and UDP. The big things to look for when troubleshooting why you can’t ping your EC2 instance are Security Groups, Firewalls, and NACLs not letting ICMP through.
1: ICMP Isn’t Open Inbound in the Security Group
This is the most likely issue. You must go to the AWS security group and open up ICMP inbound to the EC2 instance’s security group.
How to tell if you can’t ping your AWS EC2 instance because of the security group
- Go to the EC2 console and select the instance
- Click on the security tab
- Click on the security group or read the summary displayed on this tab
- Check the inbound rules to see if ICMP is allowed
The Image below shows only 443 inbound allowed. In this case, I can’t ping my EC2 instance.
How to fix not being able to ping your EC2 instance because of the security group
It’s a very simple fix. You just need to allow ICMP inbound.
- In the console, go to the security group
- Click the Edit inbound rules button
- Click Add rule
- Select the drop down which says Custom TCP and change it to All ICMP – IPv4
- Select the drop down for source, which says Custom, and change it to Anywhere-IPv4
- Click Save rules
2: The EC2 Instance Doesn’t Have a Public IP
Another reason you are not able to ping your EC2 instance could be the public IP: you may have created your EC2 instance with only a private IP. If this is the case, the IP you have found is probably the private IP, and that won’t work from outside the VPC. Verify you are using the public IP of the instance with the steps and image below:
- Select the instance you are trying to ping in the console
- Check the Details tab and make sure there is a Public IPv4 address and that is the one you are using.
- You will not be able to ping the Private IPv4 address from your local machine
How to fix when you cannot ping ec2 instance due to no public IP
As long as the EC2 instance is in a public subnet this will be possible. You must create an Elastic IP and assign it to the instance. If your instance is in a private subnet then you won’t be able to straight away add an Elastic IP; first you will need an internet gateway attached to the VPC and a route to it in the subnet’s route table.
Follow this guide from AWS to add an elastic IP to your instance: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#working-with-eips
3: The NACL (Network ACL) Doesn’t Allow ICMP
The default network ACL allows everything in and out. This is likely not the problem, but it is worth checking, since it will only take a second.
- In the EC2 console click through to the subnet the EC2 instance is in
- Select the Subnet and go to the Network ACL tab
- Verify that all traffic is allowed through as shown in the image below
- If all traffic is not allowed through, you must add a rule explicitly allowing ICMP. Network ACLs are stateless, so the echo reply needs an outbound allow as well as the inbound one.
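Sections 1 and 3 both come down to reading rule sets by hand. The script below is an added example, not code from the original post: it evaluates ICMP echo against a security group and a network ACL the way AWS does, using input dictionaries constructed here to mirror the shape of `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` output (the group and ACL IDs are placeholders). It shows the two differences that trip people up: security groups are stateful and only need the inbound rule, while NACLs are stateless, evaluated lowest rule number first, and need the echo reply (type 0) allowed outbound too. Restricting the source CIDR to your own address instead of 0.0.0.0/0 is the tighter choice; the check works either way.

```python
"""Offline check: would an ICMP echo from source_ip reach an EC2 instance?

Added example (not from the original post). The dictionaries below are
constructed samples shaped like describe-security-groups /
describe-network-acls output; IDs are placeholders.
"""
import ipaddress

# Constructed: the section-1 situation, only TCP/443 inbound.
SG_HTTPS_ONLY = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed: same group after adding "All ICMP - IPv4" from Anywhere-IPv4.
SG_WITH_ICMP = {
    "GroupId": "sg-PLACEHOLDER",
    "IpPermissions": SG_HTTPS_ONLY["IpPermissions"] + [
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed: a custom NACL allowing TCP/443 in and everything out,
# plus the implicit deny-all entries (rule 32767) every NACL carries.
NACL_HTTPS_ONLY = {
    "NetworkAclId": "acl-PLACEHOLDER",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow",
         "Egress": False, "CidrBlock": "0.0.0.0/0",
         "PortRange": {"From": 443, "To": 443}},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
         "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
         "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
         "Egress": True, "CidrBlock": "0.0.0.0/0"},
    ],
}

# Constructed: same NACL with an explicit inbound ICMP allow (rule 110).
NACL_WITH_ICMP = {
    "NetworkAclId": "acl-PLACEHOLDER",
    "Entries": NACL_HTTPS_ONLY["Entries"] + [
        {"RuleNumber": 110, "Protocol": "1", "RuleAction": "allow",
         "Egress": False, "CidrBlock": "0.0.0.0/0",
         "IcmpTypeCode": {"Type": -1, "Code": -1}},
    ],
}


def sg_allows_icmp_echo(group, source_ip):
    """True if any inbound rule admits an ICMP echo request (type 8).
    AWS stores the ICMP type in FromPort (-1 = all types); IpProtocol "-1"
    is all traffic. Security groups are stateful: no outbound rule needed."""
    src = ipaddress.ip_address(source_ip)
    for rule in group["IpPermissions"]:
        proto = rule["IpProtocol"]
        if proto not in ("icmp", "-1"):
            continue
        if proto == "icmp" and rule.get("FromPort", -1) not in (-1, 8):
            continue  # ICMP is open, but not for echo requests
        if any(src in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", [])):
            return True
    return False


def nacl_decision(acl, egress, remote_ip, proto_num, icmp_type=None):
    """First matching entry in rule-number order decides ("allow"/"deny").
    proto_num uses IANA numbers (1 = ICMP, 6 = TCP); entry Protocol "-1"
    matches everything. Port ranges are not evaluated (ICMP has none)."""
    remote = ipaddress.ip_address(remote_ip)
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if "CidrBlock" not in e:  # IPv6-only entry, not relevant here
            continue
        if remote not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] not in ("-1", str(proto_num)):
            continue
        if e["Protocol"] == "1" and icmp_type is not None:
            if e.get("IcmpTypeCode", {}).get("Type", -1) not in (-1, icmp_type):
                continue
        return e["RuleAction"]
    return "deny"


def nacl_allows_ping(acl, source_ip):
    """NACLs are stateless: echo request (8) must pass inbound and the
    echo reply (0) back to the same address must pass outbound."""
    return (nacl_decision(acl, False, source_ip, 1, 8) == "allow"
            and nacl_decision(acl, True, source_ip, 1, 0) == "allow")


def can_ping(group, acl, source_ip):
    """Combined verdict for sections 1 and 3 of the troubleshooting list."""
    return sg_allows_icmp_echo(group, source_ip) and nacl_allows_ping(acl, source_ip)


if __name__ == "__main__":
    pinger = "203.0.113.10"  # constructed source address
    for sg_name, sg in (("443-only SG", SG_HTTPS_ONLY), ("SG + ICMP", SG_WITH_ICMP)):
        for acl_name, acl in (("443-only NACL", NACL_HTTPS_ONLY), ("NACL + ICMP", NACL_WITH_ICMP)):
            print(f"{sg_name:12} / {acl_name:14}: ping {'works' if can_ping(sg, acl, pinger) else 'blocked'}")
```

To run it against a real account, replace the constructed dictionaries with the parsed JSON of `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` for the instance's group and subnet; the evaluation functions take the same field names.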
4: The OS Firewall isn’t allowing ICMP Through
How to resolve this, and so fix being unable to ping your AWS EC2 instance, will depend on your OS. Here is an article I wrote on how to allow ping through Windows firewall.
There is a plethora of firewalls you may be using on Linux, so if this is the issue it will take a bit of troubleshooting. UFW is the most common firewall you may have enabled. Here is a YouTube video guide going over the details. You can use this to check if you have UFW configured and learn how to open up ICMP.
Did this article help you? If so please leave a nice comment. 🙂
Think of any other reasons why you might not be able to ping an EC2 instance?
If so, please leave a comment below.