
I have a strange problem wherein I am able to connect to an EC2 instance in a public subnet in AWS VPC using RDP and HTTP. However, after successfully connecting to the instance through RDP, I am not able to connect to the Internet (from the instance).

a) I created a non-default AWS VPC and associated an IGW to it. The address range of the VPC is 10.0.0.0/16. A subnet with the address space 10.0.5.0/24 was created.

c) In order to make the subnet public, I decided to retain the Main Route Table as it is and created an additional route table with the following entries:

10.0.0.0/16 local
0.0.0.0/0 igw

d) This route table was associated with the subnet 10.0.5.0/24. This makes it a public subnet.

e) The NACL is set to allow INBOUND traffic HTTP(80), HTTPS(80), SSH(22), RDP(3389) for IPv4, and NACL OUTBOUND traffic ALL TRAFFIC, ALL PROTOCOL, ALL PORT Range, Destination 0.0.0.0/0.

f) The security group settings are:

Inbound: All traffic All All 0.0.0.0/0
Outbound: All traffic All All 0.0.0.0/0

g) I created a single EC2 instance in the public subnet and assigned an Elastic IP to it. I am able to connect to this using RDP and able to access the IIS Welcome page by typing the public DNS name of the EC2 instance in my local browser. However, from the instance, when I open IE and try accessing any popular websites, I am not able to access the Internet. I always get a 'Can't reach this page'.

h) I disabled Windows Firewall and tried accessing the Internet. But it still didn't work.

i) The tracert output just shows "Request timed out" on all the lines.

Any help would be appreciated.

Thanks and Regards Govind

2 Answers

First, verify that the following conditions are met:

  • The route table in the instance’s subnet has a default route to an internet gateway.
  • The security group attached to the instance’s elastic network interface must allow outbound traffic on the following ports:
      • Port 80 for HTTP traffic
      • Port 443 for HTTPS traffic
  • Identify the network access control lists (ACLs) that are associated with the subnet that the instance is located on. These network ACLs must have rules to allow inbound and outbound traffic on ports 80 and 443.

You don't need to open all the ports to enable outgoing web traffic.

https://aws.amazon.com/premiumsupport/knowledge-center/ec2-connect-internet-gateway/

Arun Kamalanathan
  • Thanks for following up. What I am seeing here is the difference between where the request is originating. Please correct me if my understanding is wrong. – Govindarajan Dec 25 '19 at 17:55
  • My understanding is that the browser is making use of ephemeral ports to send requests to the remote server listening on port 80/443. So these ephemeral ports used by the browser in EC2 should also be opened in the NACL and SG. – Govindarajan Dec 25 '19 at 18:13
  • Arun K, I tried out those steps. Thanks. However, it did not work. As mentioned earlier, the firewall was not an issue. As I mentioned in this thread, I suspect the ephemeral ports used by the browser are getting blocked by the NACL. – Govindarajan Dec 25 '19 at 18:16
  • Glad that you got this sorted. – Arun Kamalanathan Dec 25 '19 at 18:53

Finally, I was able to fix this issue. I added

ALL TCP TCP (6) 0 - 65535 0.0.0.0/0 ALLOW

as an INBOUND rule in the NACL. Immediately, I was able to access the Internet from the browser in the EC2 instance.

However, I am not convinced that all the ports should be opened to use a browser on an EC2 instance in the public subnet. Is there a better way to do this?

Can I consider setting up a forward proxy server as a solution for browser-based outgoing traffic as in this case? Please suggest.
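The ephemeral-port explanation in the comments, and the question of whether "ALL TCP 0 - 65535" is really needed, can be checked with a small stateless rule evaluator. This is an added example, not code from the original post or from AWS: the rule numbers, the remote address 203.0.113.10 and the ephemeral port 49500 are constructed, and the 1024-65535 inbound range is one common narrower choice than opening every port.

```python
"""Stateless NACL evaluation (constructed example).

A network ACL, unlike a security group, keeps no connection state: each
direction is evaluated on its own, rules are checked in ascending number
order, the first match wins, and the implicit final '*' rule denies.
So the SYN-ACK coming back to the instance's ephemeral port must be
admitted by an INBOUND rule, or an outbound HTTP request never completes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order
    protocol: str    # 'tcp', 'udp' or 'all'
    port_from: int
    port_to: int
    cidr: str
    action: str      # 'allow' or 'deny'

    def matches(self, proto: str, port: int, addr: str) -> bool:
        proto_ok = self.protocol in ("all", proto)
        port_ok = self.protocol == "all" or self.port_from <= port <= self.port_to
        cidr_ok = ip_address(addr) in ip_network(self.cidr)
        return proto_ok and port_ok and cidr_ok


def evaluate(rules, proto: str, port: int, addr: str) -> str:
    """Decide one packet against one direction's rule list.
    Inbound: port = destination port on the instance, addr = remote source.
    Outbound: port = destination port on the remote host, addr = remote destination."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, addr):
            return rule.action
    return "deny"  # implicit '*' rule


def web_request_allowed(inbound, outbound, remote_ip="203.0.113.10", ephemeral_port=49500) -> bool:
    """An HTTP GET from the instance needs BOTH the outbound SYN to port 80
    and the inbound reply to the instance's ephemeral port to be allowed."""
    out_ok = evaluate(outbound, "tcp", 80, remote_ip) == "allow"
    back_ok = evaluate(inbound, "tcp", ephemeral_port, remote_ip) == "allow"
    return out_ok and back_ok


# Constructed rule sets modelled on the question: outbound wide open,
# inbound only the service ports 80/443/22/3389.
OUTBOUND = [Rule(100, "all", 0, 65535, "0.0.0.0/0", "allow")]
INBOUND_ORIGINAL = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(120, "tcp", 22, 22, "0.0.0.0/0", "allow"),
    Rule(130, "tcp", 3389, 3389, "0.0.0.0/0", "allow"),
]
# Narrower than 'ALL TCP 0 - 65535': admit replies to the ephemeral range only,
# so unsolicited traffic to low-numbered service ports such as 445 stays denied.
INBOUND_FIXED = INBOUND_ORIGINAL + [Rule(140, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
```

With the original inbound list the request fails because nothing matches the reply to port 49500; with the extra rule it succeeds while port 445 is still denied.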