I have an aws ec2 machine (172.18.18.133) on a subnetwork with CidrBlock 172.18.18.0/23.
I have SSH ingress open for 10.0.0.0/8 and 172.23.0.0/18 (ignore "0.0.0.0/0" in the firewall; I'm playing with it because the specific source CidrBlock did not work):
aws ec2 describe-security-groups --group-ids sg-659fd31p --profile aws-federated --region us-west-2
{
"SecurityGroups": [
{
"IpPermissionsEgress": [
{
"IpProtocol": "-1",
"PrefixListIds": [],
"IpRanges": [
{
"CidrIp": "0.0.0.0/0"
}
],
"UserIdGroupPairs": [],
"Ipv6Ranges": []
}
],
"Description": "VPC Security Group",
"Tags": [
{
"Value": "restapi-dev",
"Key": "elasticbeanstalk:environment-name"
},
{
"Value": "awseb-e-8gx8kmq9dj-stack",
"Key": "aws:cloudformation:stack-name"
},
{
"Value": "AWSEBSecurityGroup",
"Key": "aws:cloudformation:logical-id"
},
{
"Value": "restapi-dev",
"Key": "Name"
},
{
"Value": "arn:aws:cloudformation:us-west-2:033814027302:stack/awseb-e-8gx8kmq9dj-stack/605642e0-3eb8-11e7-a388-503ac9ec2499",
"Key": "aws:cloudformation:stack-id"
},
{
"Value": "e-8gx8kmq9dj",
"Key": "elasticbeanstalk:environment-id"
}
],
"IpPermissions": [
{
"PrefixListIds": [],
"FromPort": 80,
"IpRanges": [],
"ToPort": 80,
"IpProtocol": "tcp",
"UserIdGroupPairs": [
{
"UserId": "033814027302",
"GroupId": "sg-ee81cd95"
}
],
"Ipv6Ranges": []
},
{
"PrefixListIds": [],
"FromPort": 22,
"IpRanges": [
{
"CidrIp": "10.0.0.0/8"
},
{
"CidrIp": "0.0.0.0/0"
},
{
"CidrIp": "172.23.0.0/18"
}
],
"ToPort": 22,
"IpProtocol": "tcp",
"UserIdGroupPairs": [],
"Ipv6Ranges": []
}
],
"GroupName": "awseb-e-8gx8kmq9dj-stack-AWSEBSecurityGroup-4J0FPNXL840U",
"VpcId": "vpc-5374e434",
"OwnerId": "033814027302",
"GroupId": "sg-659fd31p"
}
]
}
I want to SSH into the above machine from another machine which is on a different VPC with CidrBlock 172.23.0.0/18.
But I can not connect from the ec2 machine with IP address 172.23.38.167 to the above target machine.
[ec2-user@ip-172-23-38-167 ~]$ ssh -v -i /home/ec2-user/.ssh/staging-api.pem ec2-user@172.18.18.133
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to 172.18.18.133 [172.18.18.133] port 22.
debug1: connect to address 172.18.18.133 port 22: Connection timed out
ssh: connect to host 172.18.18.133 port 22: Connection timed out
I do have the .pem file in ~/.ssh:
[ec2-user@ip-172-23-38-167 ~]$ ll ~/.ssh/
total 20
-rw-------. 1 ec2-user ec2-user 1675 May 24 02:45 staging-api.pem
-rw-------. 1 ec2-user ec2-user 398 Apr 8 21:29 authorized_keys
-rw-------. 1 root root 1766 Apr 23 20:06 gitkey_rsa
-rw-r--r--. 1 root root 386 Apr 23 20:06 gitkey_rsa.pub
-rw-r--r--. 1 ec2-user ec2-user 413 May 20 21:02 known_hosts
Note: I have a few ec2 VMs in the same subnet and I can SSH between them.
Target/Source VPC config
Not sure, but the problem could be with the routing table on the VPC.
The routing table config of the VPC with the target machine which I want to SSH into is below. I don't know the purpose of all these 6/7 routes, but I understand a NAT gateway enables VMs in a private subnet to connect to the Internet or other AWS services.
$ aws ec2 describe-route-tables --route-table-ids rtb-9e0337f9 --profile aws-federated --region us-west-2
{
"RouteTables": [
{
"Associations": [
{
"SubnetId": "subnet-a1ec23e8",
"RouteTableAssociationId": "rtbassoc-d8ffbbbe",
"Main": false,
"RouteTableId": "rtb-9e0337f9"
}
],
"RouteTableId": "rtb-9e0337f9",
"VpcId": "vpc-5374e434",
"PropagatingVgws": [],
"Tags": [
{
"Value": "fff000",
"Key": "Permissions"
},
{
"Value": "us-west-2b",
"Key": "PhysicalLocation"
},
{
"Value": "InternalSubnet01AZ1RouteTable",
"Key": "aws:cloudformation:logical-id"
},
{
"Value": "fff000-vpc-nonprod-prayagupd-vpc-01-VPCTeamNestedStackTemplate-1EH2K9THBASPW",
"Key": "aws:cloudformation:stack-name"
},
{
"Value": "rtb_nonprod-prayagupd-vpc-01_internal_az1",
"Key": "Name"
},
{
"Value": "arn:aws:cloudformation:us-west-2:033814027302:stack/fff000-vpc-nonprod-prayagupd-vpc-01-VPCTeamNestedStackTemplate-1EH2K9THBASPW/f7e06c10-ee60-11e6-92e6-503a90a9c435",
"Key": "aws:cloudformation:stack-id"
},
{
"Value": "internal",
"Key": "Designation"
}
],
"Routes": [
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "172.16.2.0/23",
"State": "active",
"VpcPeeringConnectionId": "pcx-c67fffaf"
},
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "172.16.4.0/23",
"State": "active",
"VpcPeeringConnectionId": "pcx-c67fffaf"
},
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "172.16.122.0/23",
"State": "active",
"VpcPeeringConnectionId": "pcx-f0f76299"
},
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "172.16.104.0/21",
"State": "active",
"VpcPeeringConnectionId": "pcx-7483081d"
},
{
"GatewayId": "local",
"DestinationCidrBlock": "172.18.16.0/21",
"State": "active",
"Origin": "CreateRouteTable"
},
{
"GatewayId": "vgw-cb23fbd5",
"DestinationCidrBlock": "192.168.0.0/16",
"State": "active",
"Origin": "CreateRoute"
},
{
"GatewayId": "vgw-cb23fbd5",
"DestinationCidrBlock": "10.0.0.0/8",
"State": "active",
"Origin": "CreateRoute"
},
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": "nat-0dbd1eca0fe1fcb8e",
"State": "active"
}
]
}
]
}
The source VPC has a similar route config to the target VPC:
{
"Origin": "CreateRoute",
"DestinationCidrBlock": "0.0.0.0/0",
"NatGatewayId": "nat-0b6d136887df6f792",
"State": "active"
}
The NAT config for the source VPC is:
$ aws ec2 describe-nat-gateways --nat-gateway-id nat-0b6d136887df6f792 --profile aws-federated --region us-west-2
{
"NatGateways": [
{
"NatGatewayAddresses": [
{
"PublicIp": "34.208.30.85",
"NetworkInterfaceId": "eni-43d8c630",
"AllocationId": "eipalloc-d47488b2",
"PrivateIp": "172.23.248.220"
}
],
"VpcId": "vpc-a77a82c2",
"State": "available",
"NatGatewayId": "nat-0b6d136887df6f792",
"SubnetId": "subnet-b267b2d7",
"CreateTime": "2017-03-30T18:16:05.767Z"
}
]
}
Resource
Possible reasons for timeout when trying to access EC2 instance
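A quick way to check the two things that decide whether this SSH connection can work is to replay the security-group rule and the route-table lookup offline. The script below is an added example, not part of the question; it uses the TCP/22 ingress CIDRs and the `rtb-9e0337f9` routes copied from the output above and performs the same longest-prefix match the VPC router does, so you can see which route the target VPC would use to send return traffic to 172.23.38.167 (the `diagnose` helper and its output format are my own).

```python
import ipaddress

# Routes of the target VPC route table rtb-9e0337f9, copied from the question.
TARGET_ROUTES = [
    ("172.16.2.0/23", "pcx-c67fffaf"),
    ("172.16.4.0/23", "pcx-c67fffaf"),
    ("172.16.122.0/23", "pcx-f0f76299"),
    ("172.16.104.0/21", "pcx-7483081d"),
    ("172.18.16.0/21", "local"),
    ("192.168.0.0/16", "vgw-cb23fbd5"),
    ("10.0.0.0/8", "vgw-cb23fbd5"),
    ("0.0.0.0/0", "nat-0dbd1eca0fe1fcb8e"),
]

# Security-group ingress CIDRs for TCP/22 on sg-659fd31p, also from the question.
SSH_INGRESS = ["10.0.0.0/8", "0.0.0.0/0", "172.23.0.0/18"]


def sg_allows(ingress_cidrs, src_ip):
    """Return the ingress CIDRs that cover src_ip (empty list means the SG blocks it)."""
    addr = ipaddress.ip_address(src_ip)
    return [c for c in ingress_cidrs if addr in ipaddress.ip_network(c)]


def lookup_route(routes, dst_ip):
    """Longest-prefix match, as the VPC router does; returns (cidr, target) or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return (str(best[0]), best[1]) if best else None


def describe_target(target):
    """Explain what kind of next hop a route target is and whether it can reach a peer VPC."""
    if target == "local":
        return "same VPC"
    if target.startswith("pcx-"):
        return "VPC peering connection"
    if target.startswith("vgw-"):
        return "virtual private gateway (VPN / Direct Connect)"
    if target.startswith("nat-"):
        return "NAT gateway: outbound to the Internet only, cannot carry traffic to a peer VPC"
    return "unknown"


def diagnose(src_ip, routes=TARGET_ROUTES, ingress=SSH_INGRESS):
    """Combine the SG check and the return-path route lookup for a given source address."""
    cidr, target = lookup_route(routes, src_ip)
    return {"sg_matches": sg_allows(ingress, src_ip),
            "return_route": cidr, "next_hop": target,
            "next_hop_kind": describe_target(target)}


if __name__ == "__main__":
    print(diagnose("172.23.38.167"))
```

The security group does admit the source (both 172.23.0.0/18 and 0.0.0.0/0 match), but the only route covering 172.23.38.167 is the 0.0.0.0/0 default via the NAT gateway, so the target VPC has no peering or VPN path back to the source VPC's private range.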