Why can't I connect to a website that is hosted on my EC2 instance?


I can't connect to a public website that is hosted on my Amazon Elastic Compute Cloud (Amazon EC2) instance.

Short description

Websites running on an EC2 instance might become unreachable for multiple reasons. To resolve this issue, confirm that the configuration settings on your EC2 instance are correct. For example, if your instance isn't booting correctly or doesn't have the right DNS configurations, you can't connect to any website hosted on that instance.

Use the following steps to check the configuration settings of your EC2 instance and find the root cause of this issue.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use the EC2 Serial Console for Linux to troubleshoot Nitro-based instance types

If you turned on EC2 Serial Console for Linux, you can use it to troubleshoot supported Nitro-based instance types. You can access the serial console using the Amazon EC2 console or the AWS CLI. You don't need a working network connection to connect to your instance when you use the EC2 Serial Console.

Before you use the serial console to troubleshoot, complete the following steps:

  • Grant access to the serial console at the account level
  • Create AWS Identity and Access Management (IAM) policies granting access to your IAM users
  • Check that your instance includes at least one password-based user

Check that the instance is running and passing both status checks

Make sure that the instance is listed as running in the Amazon EC2 console. If your instance isn't running or you have another status check issue, follow the steps in Why is my EC2 Linux instance unreachable and failing its status checks?

Check that the instance boots correctly

Check the instance's system logs for boot errors.

Check the instance's security group and network ACL configuration

Check that the instance has the correct DNS configuration

Check that the web server is running and that there are no OS-level firewalls blocking access to ports

Network ports are the communication endpoints that various services send requests to. These requests include users' website connection requests. Web servers listen on port 80 for HTTP traffic and use port 443 for traffic encrypted with TLS/SSL. If the web server isn't running or firewalls block these ports, then users can't connect to your website.

To check if the website is running locally, run one of the following commands from within the EC2 instance hosting the website:

curl https://localhost

-or-

curl http://localhost:80

  1. Remotely connect to the instance through SSH.

  2. Check the web server status.
    For RHEL or CentOS systems, use the command systemctl status httpd to check the web server's status. The command returns information that the web server is inactive:

    $ sudo systemctl status httpd
    httpd.service - The Apache HTTP Server
    Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
    Active: inactive (dead)

    For Debian or Ubuntu systems, use the command systemctl status apache2 to check the web server's status. The web server must be listening on port 80 or 443. The command returns information that the web server is inactive:

    $ sudo systemctl status apache2
    apache2.service - The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
    Active: inactive (dead)
  3. To restart the web server, run the following command.
    For RHEL or CentOS systems:

    $ sudo systemctl restart httpd

    For Debian or Ubuntu systems, run the following command:

    $ sudo systemctl restart apache2
  4. Verify that the web server is now running:
    For RHEL or CentOS systems, run the following command:

    $ sudo systemctl status httpd
    httpd.service - The Apache HTTP Server
    Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
    Active: active (running) since Thu 2020-11-19 14:40:15 UTC; 42s ago

    For Debian or Ubuntu systems, run the following command:

    $ sudo systemctl status apache2
    apache2.service - The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
    Active: active (running)

    Note: For older Linux systems running SystemV, run the following command to check the web server status.
    For Debian or Ubuntu systems, you must replace httpd with apache2:

    $ sudo service httpd status
    httpd is stopped

    To restart a stopped web server on SystemV, run the following command:

    $ sudo service httpd restart
    Stopping httpd:                                            [FAILED]
    Starting httpd:                                            [  OK  ]
  5. Run the following command to confirm that the web server is listening on port 80 or 443 for incoming connection requests from users:
    For RHEL or CentOS systems, run the following command:

    $ sudo netstat -tulpn | grep httpd
    tcp        0      0 :::80                       :::*                        LISTEN      2961/httpd

    For Debian or Ubuntu systems, run the following command:

    $ sudo netstat -tulpn | grep apache2
    tcp6       0      0 :::80                   :::*                    LISTEN      2741/apache2
  6. Verify the status of OS-level firewalls. If you find an active firewall, make sure that it allows requests on ports 80 and 443.
    Note: If there are multiple interfaces running, confirm that the web server is listening on all IPs by running the following command:

    cat /etc/httpd/conf/httpd.conf  | grep Listen

    The following are examples of successful outputs:

    Listen *:80

    -or-

    Listen *:443
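
The listener check in step 5 and the note about multiple interfaces can be combined into one test: a web server bound only to a loopback address answers curl on localhost but is unreachable from outside. The following is an added example, not part of the original article; the function name listener_scope and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# listener_scope PORT: read `netstat -tulpn` (or `ss -tln`) output on stdin and
# report which addresses a listener on PORT is bound to.
# Prints one of: all | loopback-only | specific:<addr> | none
listener_scope() {
    awk -v port="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++) {
                # The local address is the first field that ends in :PORT
                if ($i !~ (":" port "$")) continue
                addr = $i
                sub(":" port "$", "", addr)      # strip the port
                gsub(/^\[|\]$/, "", addr)        # strip [ ] around IPv6
                if (addr == "*" || addr == "0.0.0.0" || addr == "::") wild = 1
                else if (addr ~ /^127\./ || addr == "::1") loop = 1
                else spec = addr
                break
            }
        }
        END {
            if (wild) print "all"
            else if (spec != "") print "specific:" spec
            else if (loop) print "loopback-only"
            else print "none"
        }
    '
}

# Constructed sample lines in netstat -tulpn format.
SAMPLE_OK='tcp6       0      0 :::80                   :::*                    LISTEN      2741/apache2'
SAMPLE_LOCAL='tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2741/apache2'

printf '%s\n' "$SAMPLE_OK"    | listener_scope 80   # reachable on every interface
printf '%s\n' "$SAMPLE_LOCAL" | listener_scope 80   # local curl works, remote clients fail
```

On a live instance, run sudo netstat -tulpn | listener_scope 80. A result of loopback-only or specific:<addr> points at the Listen directive rather than at a firewall or security group.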

Amazon Linux, CentOS, and RHEL

  1. Run the following command to check whether the iptables rules block incoming requests on ports 80 and 443:

    $ sudo iptables -nvL
    Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination         
    
    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
  2. Run the following command to allow port 80 to accept incoming HTTP connection requests:

    $ sudo iptables -A INPUT -p tcp --dport 80 --syn -m conntrack --ctstate NEW -j ACCEPT
  3. Run the following command to allow port 443 to accept incoming HTTPS connection requests:

    $ sudo iptables -A INPUT -p tcp --dport 443 --syn -m conntrack --ctstate NEW -j ACCEPT
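
iptables evaluates rules in order, and -A appends to the end of the chain, so an ACCEPT rule added after an existing catch-all REJECT or DROP rule is never reached. The following added example (not part of the original article) walks iptables -S INPUT output in order to show which rule decides; the function name port_verdict, its simplified matching model, and both rulesets are constructed for illustration.

```shell
#!/bin/sh
# port_verdict PORT: read `iptables -S INPUT` output on stdin and print the first
# terminal verdict that a new TCP connection to PORT reaches.
# Simplified model (assumption): a rule is evaluated only if it names --dport PORT
# or has no match options at all; jumps to other chains are not followed.
port_verdict() {
    awk -v port="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3; next }
        $1 != "-A" || $2 != "INPUT" { next }
        {
            n++; target = ""; dport = ""; restricted = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i ~ /^-[isdpm]$/) restricted = 1
            }
            if (target != "ACCEPT" && target != "DROP" && target != "REJECT") next
            if (dport != "" && dport != port) next    # rule is for another port
            if (dport == "" && restricted) next       # narrower rule, not evaluated
            if (!done) { printf "%s (rule %d)\n", target, n; done = 1 }
        }
        END { if (!done) printf "%s (policy)\n", (policy == "" ? "unknown" : policy) }
    '
}

# Constructed ruleset: the port 80 ACCEPT was appended after a catch-all REJECT.
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT'

# Constructed ruleset: the same ACCEPT placed ahead of the REJECT.
RULES_INSERTED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

printf '%s\n' "$RULES_APPENDED" | port_verdict 80   # the REJECT wins
printf '%s\n' "$RULES_INSERTED" | port_verdict 80   # the ACCEPT wins
```

On a live instance, run sudo iptables -S INPUT | port_verdict 80. If an earlier REJECT or DROP rule decides, add the ACCEPT rule ahead of it with iptables -I INPUT and a rule position instead of appending it with -A.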

Amazon Linux 2023, Amazon Linux 2 and RHEL 7 and above

  1. Run the following command to check that firewalld is running:

    $ sudo firewall-cmd --state
    running
  2. If firewalld is running, then run the following commands to configure it to allow connections on ports 80 and 443. The last command in the following example reloads the service so that the new rules take effect:

    $ sudo firewall-cmd --add-service=http --permanent
    success
    $ sudo firewall-cmd --add-service=https --permanent
    success
    $ sudo firewall-cmd --reload
    success

Debian and Ubuntu servers

  1. Run the following command to check for a UFW firewall:

    $ sudo ufw status verbose
    Status: active
  2. If UFW is running, use the following commands to allow incoming connection requests on ports 80 and 443:

    $ sudo ufw allow in 80/tcp
    Rule added
    Rule added (v6)
    $ sudo ufw allow 443/tcp
    Rule added
    Rule added (v6)

Check your web server access and error logs for issues. Web server logs are located under /var/log. This location might change, depending on your server configuration. The following are the default web server log locations:

  • Amazon Linux and RHEL: /var/log/httpd
  • Debian and Ubuntu: /var/log/apache2

Related information

How do I troubleshoot slow connections to a website hosted on my EC2 instance?

AWS OFFICIAL
Updated 2 years ago
2 Comments

I have tried everything mentioned in this article. My server stopped responding to web server requests on port 80 by itself.

My web server responds to curl from within the server but not from external servers. I am able to connect to the SSH port and also ping the server. There is no firewall on my Ubuntu. It is inactive. My Security Groups are configured correctly and unchanged from the time when it was working. There is no Network ACL or firewall configured on the AWS side.

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 10 months ago