
I cannot ping my EC2 instance, which has a public IP associated with it. Before posting here, I read Cannot ping AWS EC2 instance. It didn't help.

Here's how I have things set up:

I created a new Amazon Linux t2.micro instance using all the defaults.

After creation, it didn't have an IPv4 Public IP in the EC2 | INSTANCES | Instances.

So I went to EC2 | NETWORK & SECURITY | Elastic IPs, and clicked the Allocate Elastic IP address button. After the Public IPv4 address column showed an address, I clicked Actions | Associate Elastic IP address.

I went back to EC2 | INSTANCES | Instances, and the IPv4 Public IP column shows the address I just created.

Still cannot ping.

So I went to EC2 | NETWORK & SECURITY | Security Groups, clicked the link for the security group associated with the instance and added an inbound and outbound rule like so:

All traffic          All        All       0.0.0.0/0 
All ICMP - IPv4      ICMP       All       0.0.0.0/0

Still cannot ping.

So I went to VPC | Internet Gateways, clicked the Create internet gateway button, selected the defaults, and then attached the internet gateway to the VPC which is associated with the instance.

Still cannot ping.

So I went to VPC | SECURITY | Network ACLs, Edit Inbound and Edit Outbound rules. This is what I have for both:

Rule #   Type              Protocol       Port Range      Source       Allow / Deny
100      ALL Traffic       ALL            ALL             0.0.0.0/0    ALLOW
101      All ICMP - IPv4   ICMP (1)       ALL             0.0.0.0/0    ALLOW

Still cannot ping.

What else is missing to be able to ping? Yes, I can ping other hosts on my network... just not to AWS and the public IP address listed for that EC2 instance.

John Rotenstein
MGoBlue93

2 Answers

5

First, it is worth mentioning that there should generally be no need to ever modify the Network ACLs. They can be used for special purposes (e.g. creating a network DMZ), but otherwise just leave them at their default values.

I should also mention that using PING generally isn't worthwhile because it can be blocked by many network configurations. Rather than trying to get Ping to work, you should try to get whatever it is that you actually want to work, to work. For example, if you wish to SSH into the instance or use it as a web server, try to get them working rather than Ping.

Here are the things that would be necessary to get PING to work:

  • The EC2 instance is launched in a public subnet. This is defined as:
    • A subnet that has a Route Table entry that directs 0.0.0.0/0 to an Internet Gateway (You did not mention the Route Table in your Question.)
  • A public IP address associated with the instance (either at launch, or by adding an Elastic IP address afterwards, as you did)
  • A security group that permits inbound ICMP traffic from your address (or wider, such as 0.0.0.0/0)
  • An operating system on the instance that is configured to respond to PINGs (this will typically be on by default, but it is the OS that responds to the request)
  • A network from which you request the Ping that also permits such traffic to flow. (Some corporate networks block such traffic, so you could try it from an alternate network such as home, work or via a tethered phone.)

So, based on the information you have provided, you should confirm that the subnet has a Route Table that points to the Internet Gateway.

John Rotenstein
  • 1
    That was it... thanks!!! The subnet does have a route table which does have an internet gateway... But, when I clicked Edit Routes to see what was in there, the route table only had the local traffic in it (10.10.0.0/24). I had to add a public route. – MGoBlue93 Mar 29 '20 at 16:43
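
The AWS-side items of the checklist in the answer above, as an added example that is not part of the original answer or comment: a Python check over records shaped like the JSON from `aws ec2 describe-instances`, `describe-route-tables` and `describe-security-groups`. The function names are hypothetical, and the sample records, IDs and addresses are constructed to mirror the question (Elastic IP attached, ICMP allowed, route table with only the local route).

```python
import ipaddress

def route_to_igw(route_tables, subnet_id):
    """True if the subnet's effective route table sends 0.0.0.0/0 to an internet gateway."""
    def assoc(rt, pred):
        return any(pred(a) for a in rt.get("Associations", []))
    explicit = [rt for rt in route_tables if assoc(rt, lambda a: a.get("SubnetId") == subnet_id)]
    main = [rt for rt in route_tables if assoc(rt, lambda a: a.get("Main"))]
    effective = explicit or main  # an explicit association overrides the VPC main table
    return any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
               and str(r.get("GatewayId", "")).startswith("igw-")
               for rt in effective for r in rt.get("Routes", []))

def allows_echo_request(security_groups, source_ip):
    """True if an inbound rule admits ICMP echo request (type 8) from source_ip."""
    src = ipaddress.ip_address(source_ip)
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            if proto not in ("icmp", "-1"):
                continue
            # In ICMP rules FromPort carries the ICMP type; -1 means all types.
            if proto == "icmp" and perm.get("FromPort", -1) not in (-1, 8):
                continue
            if any(src in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                return True
    return False

def ping_prerequisites(instance, route_tables, security_groups, source_ip):
    attached = {g["GroupId"] for g in instance.get("SecurityGroups", [])}
    groups = [sg for sg in security_groups if sg["GroupId"] in attached]
    return {
        "public_ip": bool(instance.get("PublicIpAddress")),
        "default_route_to_igw": route_to_igw(route_tables, instance["SubnetId"]),
        "sg_allows_icmp": allows_echo_request(groups, source_ip),
    }

# Constructed sample data (all IDs and addresses are made up), modelled on the question.
INSTANCE = {"SubnetId": "subnet-0aaa", "PublicIpAddress": "203.0.113.10",
            "SecurityGroups": [{"GroupId": "sg-0bbb"}]}
GROUPS = [{"GroupId": "sg-0bbb", "IpPermissions": [
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]
LOCAL_ONLY = [{"Associations": [{"SubnetId": "subnet-0aaa", "Main": False}],
               "Routes": [{"DestinationCidrBlock": "10.10.0.0/24", "GatewayId": "local"}]}]
FIXED = [{**LOCAL_ONLY[0], "Routes": LOCAL_ONLY[0]["Routes"] + [
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ccc"}]}]

print(ping_prerequisites(INSTANCE, LOCAL_ONLY, GROUPS, "198.51.100.7"))
```

With `LOCAL_ONLY` only `default_route_to_igw` is false; passing `FIXED` instead makes all three checks true. The instance OS and the network you ping from are outside what these API records can show.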
0
  • Go to Network ACL, add inbound rule for ICMP IPv4 - allow 0.0.0.0
  • Go to Security Group. Pick the SG name you created for your EC2 instance (mine is launch-wizard-1). Add inbound rule for ICMP IPv4 - allow 0.0.0.0

Voilà, I can ping.

Note: I'm using Amazon Linux (free tier t2.micro)

mofaloks