2

All my ec2 instances are in us-east-1. All are managed by the system manager, except one (a pfsense machine).

When I try to give a "curl" command from any machine to "https://ec2.us-east-1.amazonaws.com" I get a "connection refused - timeout".

If I curl to "https://ec2.us-west-2.amazonaws.com" (or any other region) it works.

When I do the same operation from my pfsense machine curl works correctly.

I've already created new instances in the same subnet as my pfsense machine, same security group too and it still doesn't work.

As the connection to ec2.us-east-1.amazonaws.com doesn't work, I'm having problems with my EKS. As a palliative I had to change the /etc/hosts of the machines; with this it works, but this is horrible.

Has anyone had this kind of problem?

FixSyntax
  • You are literally running `curl https://ec2.us-east-1.amazonaws.com`? I'd expect that to yield a 301 redirect. – jarmod Mar 10 '22 at 14:57
  • Yes, for any region other than "us-east-1" I get a 301, for us-east-1 I get time out. curl -v https://ec2.us-east-1.amazonaws.com * Trying 172.26.1.74:443... * connect to 172.26.1.74 port 443 failed: Connection timed out -------- curl -v https://ec2.us-west-2.amazonaws.com * Trying 52.94.214.88:443... * Connected to ec2.us-west-2.amazonaws.com (52.94.214.88) port 443 (#0) – FixSyntax Mar 10 '22 at 15:02
  • Ah, it looks like you have some local DNS override that resolves ec2.us-east-1.amazonaws.com to 172.26.1.74. – jarmod Mar 10 '22 at 15:09
  • Thanks @jarmod, actually I had a DNS endpoint that pointed to this IP that was returned in the curl command. When taking the subnet from this endpoint, I now get a * Closing connection 0 curl: (6) Could not resolve host: ec2.us-east-1.amazonaws.com – FixSyntax Mar 10 '22 at 15:48
  • OK, sounds like you're using a VPC Endpoint to the EC2 service? That would resolve EC2 API endpoints to an in-VPC IP address. So maybe your [Endpoint policy](https://docs.aws.amazon.com/vpc/latest/privatelink/vpc-endpoints-access.html#vpc-endpoint-policies) is wrong? – jarmod Mar 10 '22 at 16:04
  • @jarmod You were right! I made a new endpoint, with a new configuration of policy, subnets and security groups and now it is working correctly through the endpoint. Thank you so much for the help, really I was lost in the situation. – FixSyntax Mar 10 '22 at 16:52

1 Answer

2

It looks like the EC2 endpoint for us-east-1 is being DNS-resolved to an IP address (172.26.1.74) that is inside your VPC. The other regional EC2 endpoints are resolving to their usual public IPs (e.g. us-west-2 resolving to 52.94.214.8).

That suggests that you are using VPC Endpoints, specifically for access to the EC2 service. That is what causes DNS to resolve ec2.us-east-1.amazonaws.com to a 172 address inside your VPC (it's actually the IP address associated with the VPC Endpoint).

So, review and correct your VPC Endpoint policy to allow the relevant traffic.

jarmod
  • For me, the VPC endpoint was the issue, but in my case, the security group attached to that endpoint needed to be adjusted (with an additional inbound rule) and not the endpoint policy. – neuquen Apr 14 '23 at 14:37
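The answer and the last comment together describe the triage path for this symptom: an AWS service hostname that resolves to a private address means an interface VPC endpoint with Private DNS is steering the traffic, and the two things that then decide whether the TCP connection succeeds are the endpoint policy and the security group attached to the endpoint. The script below is an added example, not code from the question or the answer; it classifies where a hostname resolved to (using the addresses quoted in the thread as sample input) and prints the AWS CLI checks to run next. It assumes a Linux host with `getent` and the AWS CLI; `vpce-EXAMPLE` and `<endpoint SG>` are placeholders to fill in from `describe-vpc-endpoints`.

```shell
#!/bin/sh
# Added diagnostic for the symptom in the thread (example code, not from the post).
# A private address for an AWS API hostname is expected when an interface VPC
# endpoint with Private DNS exists; the connection then depends on the endpoint
# policy and the endpoint's security group, not on the instance's own network path.

# Return 0 if a dotted-quad IPv4 address is in an RFC 1918 range.
ip_is_private() {
  ip="$1"
  case "$ip" in
    10.*)      return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$ip" | cut -d. -f2)
      [ "$second" -ge 16 ] && [ "$second" -le 31 ] && return 0
      return 1 ;;
  esac
  return 1
}

# Classify a resolution result. Prints one of:
#   vpc-endpoint - private address, an interface endpoint's ENI answers for this host
#   public       - public address, the normal regional endpoint
#   unresolved   - no address (e.g. the endpoint was just removed and the cache is stale)
classify_resolution() {
  host="$1"; ip="$2"
  if [ -z "$ip" ]; then
    echo unresolved
  elif ip_is_private "$ip"; then
    echo vpc-endpoint
  else
    echo public
  fi
}

# Resolve a host with the same resolver curl uses, classify it, and print next checks.
check_host() {
  host="$1"
  ip=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}')
  verdict=$(classify_resolution "$host" "$ip")
  printf '%-36s %-16s %s\n' "$host" "${ip:-<none>}" "$verdict"
  case "$verdict" in
    vpc-endpoint)
      cat <<EOF
  -> $host is served by an interface VPC endpoint. Check, in this order:
     aws ec2 describe-vpc-endpoints --filters Name=service-name,Values=com.amazonaws.us-east-1.ec2 \\
         --query 'VpcEndpoints[].[VpcEndpointId,State,PrivateDnsEnabled,Groups[].GroupId,SubnetIds]'
     aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-EXAMPLE --query 'VpcEndpoints[0].PolicyDocument'
     aws ec2 describe-security-group-rules --filters Name=group-id,Values=<endpoint SG>
     The endpoint SG must allow inbound TCP 443 from the caller's subnet or SG;
     the policy must allow the principal and actions the caller (here, EKS) needs.
EOF
      ;;
    unresolved)
      echo "  -> no record: if the endpoint was just deleted, Private DNS is gone; flush the resolver cache and retry"
      ;;
  esac
}

main() {
  for h in ec2.us-east-1.amazonaws.com ec2.us-west-2.amazonaws.com; do
    check_host "$h"
  done
}

# Only do live resolution when invoked with --run, so the pure functions can be sourced.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it as `sh check-endpoint.sh --run` from an affected instance. A `vpc-endpoint` verdict is not itself the fault: it is the normal result of Private DNS on an interface endpoint, and the timeout in the thread came from the endpoint's security group or policy dropping the request after DNS had already steered it inside the VPC.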