The EC2 instance can't access the internet in a public subnet without an Elastic IP address?

3

30

I'm working on AWS. I created a public subnet that has a network ACL allowing all traffic and is associated with an internet gateway in the route table.

Then I created an EC2 instance without an Elastic IP and an EC2 instance with an Elastic IP in it; the security group also allows all traffic.

I SSH to the instance that has the Elastic IP. It works well when I run yum update, curl www.baidu.com and so on. But I can't access the internet when I SSH to the EC2 instance that has no Elastic IP. Does anyone know why?

Winnifredwinning answered 13/1, 2016 at 3:18 Comment(7)
Elastic IP is irrelevant in this case. Check the security group settings and VPC ACLs that apply to the public subnet. – Radicle
If the network ACLs or security group are not correct, the instance is not able to access the internet no matter whether I associate an Elastic IP or not. Right? – Winnifredwinning
For outbound internet access, these things matter: internet gateway, NAT instance (in the case of a private subnet only), security groups, network ACL and the local operating system firewall on the instance. Elastic IPs are not involved in this mix. Elastic IPs are only helpful when you want to access your instance from the internet (inbound access). – Radicle
Does the instance have a public IP? – Poppycock
No, no public IP. Is it necessary when we want to access the internet from an instance that is in a public subnet? – Winnifredwinning
@FrederickCheung you mean that it needs a public IP if the instance wants to access the internet? – Winnifredwinning
I am having the same problem. What is strange is that when I associate an EIP with the instance in the public subnet I can access the internet from the instance. – Tanning
37

For accessing the internet from an EC2 instance in a public subnet using an Internet Gateway, the instance needs to have a public IP address. Either you can configure the instance to have a public IP address or attach an EIP.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html

If you do not want to attach a public IP address to instances that need Internet access (consider private subnets), a NAT instance or NAT gateway can help.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat.html

Magnolia answered 14/1, 2016 at 18:56 Comment(1)
This is a perfect answer and it helped me diagnose my issue that was making me go crazy! I had 2 subnets for my ASG and one of them was using NAT while the other was using the Internet gateway. Whenever the Internet gateway was getting used, the instance wouldn't be able to connect to the Internet! Shifting my instances to use only the subnet that connects via NAT solved it! – Eyrie
9

The problem lies with the gateway connected to the subnet you are using. To check the gateway you are using:

  • Go to the subnet you are using
  • Click on the Route table
  • Under Routes -> Destination look for 0.0.0.0/0 and check the gateway you have for it under Target

Here's how the gateways behave:

  • Internet Gateway (IGW) allows instances with public IPs to access the internet.
  • NAT Gateway (NGW) allows instances with no public IPs to access the internet.

This is a good article to help you understand and solve your problem: https://medium.com/awesome-cloud/aws-vpc-difference-between-internet-gateway-and-nat-gateway-c9177e710af6

Eyrie answered 8/1, 2022 at 6:58 Comment(0)
5

As well as being in a subnet that has a route to an Internet gateway, an instance must have a public IP address to communicate with the outside world (this is distinct from an elastic IP).

You can specify this when launching an instance; if not, there is a per-subnet setting that controls this. The per-subnet setting defaults to false, other than for default subnets in your default VPC. There are more details in the AWS docs.

Poppycock answered 14/1, 2016 at 8:45 Comment(0)
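Putting the rules from Magnolia's, Eyrie's and Poppycock's answers into a small checker, as an added example that is not part of the thread: it reads instance and route-table records shaped like `aws ec2 describe-instances` / `aws ec2 describe-route-tables` output and reports whether the instance can reach the internet. All IDs and addresses below are constructed placeholders, not values from the thread.

```python
# Added example (not from the thread): apply the rules the answers give to
# describe-instances / describe-route-tables style data to tell whether an
# instance can reach the internet. All IDs and addresses below are constructed.

def default_route_target(route_table: dict):
    """Return the target of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":  # blackhole routes do not count
            continue
        for key in ("GatewayId", "NatGatewayId", "InstanceId", "NetworkInterfaceId"):
            if key in route:
                return route[key]
    return None

def diagnose(instance: dict, route_table: dict) -> str:
    """Classify outbound internet reachability for one instance in one subnet."""
    has_public_ip = bool(instance.get("PublicIpAddress"))
    target = default_route_target(route_table)
    if target is None:
        return "no default route: subnet is isolated"
    if target.startswith("igw-"):
        # An internet gateway only translates for instances that carry a public
        # (auto-assigned) or Elastic IP; a private-only instance gets no reply.
        if has_public_ip:
            return "ok: internet gateway with public IP"
        return "blocked: internet gateway but no public/Elastic IP"
    if target.startswith("nat-") or target.startswith("i-"):
        # NAT gateway (nat-...) or NAT instance (i-...) translates private addresses itself.
        return "ok: NAT with private IP only"
    return f"unknown target {target}"

# Constructed sample data shaped like the AWS CLI output.
PUBLIC_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
]}
NAT_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
]}
WITH_EIP = {"InstanceId": "i-EXAMPLE1", "PrivateIpAddress": "10.0.1.10",
            "PublicIpAddress": "203.0.113.10"}
WITHOUT_PUBLIC_IP = {"InstanceId": "i-EXAMPLE2", "PrivateIpAddress": "10.0.1.11"}

if __name__ == "__main__":
    for inst in (WITH_EIP, WITHOUT_PUBLIC_IP):
        print(inst["InstanceId"], "->", diagnose(inst, PUBLIC_ROUTE_TABLE))
```

Run against real data by feeding it the `Instances[]` entry and the subnet's route table from the two CLI commands named in the lead-in; the second instance reproduces the questioner's situation.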

© 2022 - 2024 — McMap. All rights reserved.