Arjun just joined a fast-growing fintech startup as a Cloud Security Engineer. One of his first tasks:
“Launch an EC2 instance and make sure only his IP can SSH into it. No exceptions.”
He spun up an EC2 instance (Amazon Linux 2023), created a security group, and added this inbound rule:
Type: SSH
Port: 22
Source: My IP (e.g., 103.240.207.210/32)
Perfect, right?
To test access, he clicked “Connect” → “EC2 Instance Connect” on the AWS Console.
❌ “Connection Error. Try again later.”
😤 But Terminal SSH Works!
When Arjun used the .pem key and ran:
ssh -i arjun-key.pem ec2-user@<public-ip>
💥 Boom! He got access. So clearly, the EC2 was healthy and his IP was correct.
What gives?
🕵️♂️ The Investigation Begins
Frustrated but curious, Arjun tried a hack:
He temporarily changed the security group rule to:
Type: SSH
Port: 22
Source: 0.0.0.0/0 (Allow from anywhere)
Tried EC2 Instance Connect again…
✅ It worked.
🤯 Wait… it worked when the firewall was open to the world but not when it was restricted to his IP?
💡 The Aha Moment: EC2 Instance Connect Uses AWS IPs, Not Yours
That’s when Arjun dug into AWS documentation and found the key truth:
“EC2 Instance Connect doesn’t use your personal IP. It uses AWS-managed backend IPs to connect to the instance.”
So when you restrict SSH to your IP only, AWS’s internal systems get blocked — hence EC2 Instance Connect fails.
🔐 Why This Matters (and How to Fix It)
🚫 Problem:
- You restricted port 22 to your IP (great for security)
- EC2 Instance Connect fails because AWS connects from its own IP ranges
✅ Solution Options:
1. Temporarily Allow 0.0.0.0/0
- For testing or temporary access
- Easy, but not secure long-term
2. Allow AWS EC2 Instance Connect IP Ranges
- Find the IP ranges used by EC2 Instance Connect in your region from the AWS IP Ranges JSON (https://ip-ranges.amazonaws.com/ip-ranges.json)
- Filter by service: EC2_INSTANCE_CONNECT and region: your region (e.g., ap-south-1)
- Add those IPs to your security group
3. Stick with PEM + SSH Terminal
- Your current .pem SSH method works perfectly
- Best for production and tight security setups
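Solution option 2 above is the one that keeps port 22 closed to the world while still letting the console's EC2 Instance Connect reach the instance. The script below is an added example (not code from the original post): it filters the published AWS IP ranges file by service and region and turns the result into the IpPermissions structure that boto3's authorize_security_group_ingress (or the matching aws ec2 authorize-security-group-ingress CLI call) accepts. The real file lives at https://ip-ranges.amazonaws.com/ip-ranges.json and uses the keys shown (prefixes, ip_prefix, ipv6_prefix, region, service); SAMPLE_IP_RANGES is a constructed, abbreviated stand-in with placeholder prefixes so the code runs offline. Only fetch_live_ip_ranges touches the network.

```python
"""
Added example (not from the original post): pick the EC2_INSTANCE_CONNECT
prefixes for one region out of AWS's ip-ranges.json and build a port-22
ingress rule for them, instead of opening SSH to 0.0.0.0/0.
"""
import ipaddress
import json

# Constructed sample in the same shape as the real ip-ranges.json.
# The CIDRs are documentation ranges, NOT AWS's actual EC2 Instance Connect prefixes.
SAMPLE_IP_RANGES = json.loads("""
{
  "syncToken": "0000000000",
  "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    {"ip_prefix": "198.51.100.8/29", "region": "ap-south-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-south-1"},
    {"ip_prefix": "198.51.100.0/29", "region": "ap-south-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-south-1"},
    {"ip_prefix": "203.0.113.0/29",  "region": "us-east-1",  "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
    {"ip_prefix": "192.0.2.0/24",    "region": "ap-south-1", "service": "AMAZON",               "network_border_group": "ap-south-1"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8:1::/48", "region": "ap-south-1", "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-south-1"}
  ]
}
""")


def instance_connect_prefixes(ip_ranges, region, service="EC2_INSTANCE_CONNECT"):
    """Return (ipv4_cidrs, ipv6_cidrs) published for `service` in `region`.

    Entries are validated with ipaddress so a malformed prefix fails here
    rather than inside the AWS API call, and sorted numerically.
    """
    v4 = [p["ip_prefix"] for p in ip_ranges.get("prefixes", [])
          if p["service"] == service and p["region"] == region]
    v6 = [p["ipv6_prefix"] for p in ip_ranges.get("ipv6_prefixes", [])
          if p["service"] == service and p["region"] == region]
    v4.sort(key=ipaddress.ip_network)
    v6.sort(key=ipaddress.ip_network)
    return v4, v6


def ssh_ingress_permission(v4, v6, description="EC2 Instance Connect"):
    """Build one IpPermissions entry (TCP/22) covering the given CIDRs.

    This is the dict shape boto3's ec2.authorize_security_group_ingress
    expects in its IpPermissions list; a Description per range makes the
    rule's purpose visible later in the console and in audits.
    """
    return {
        "IpProtocol": "tcp",
        "FromPort": 22,
        "ToPort": 22,
        "IpRanges": [{"CidrIp": c, "Description": description} for c in v4],
        "Ipv6Ranges": [{"CidrIpv6": c, "Description": description} for c in v6],
    }


def fetch_live_ip_ranges():
    """Download the current ip-ranges.json (requires network access)."""
    from urllib.request import urlopen
    with urlopen("https://ip-ranges.amazonaws.com/ip-ranges.json") as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Swap SAMPLE_IP_RANGES for fetch_live_ip_ranges() to use AWS's real data.
    v4, v6 = instance_connect_prefixes(SAMPLE_IP_RANGES, "ap-south-1")
    print(json.dumps(ssh_ingress_permission(v4, v6), indent=2))
```

Keep the rule for your own /32 as a separate entry so the two purposes stay distinguishable, and re-run the script whenever AWS updates the file (the syncToken changes), because the prefixes are not guaranteed to stay fixed.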
✅ Bonus Learnings from Arjun’s Debugging
| 🔍 What He Tried | ✅ Result | 🧠 Takeaway |
|---|---|---|
| SSH from terminal using .pem | ✅ Worked | .pem method only needs your IP allowed |
| EC2 Instance Connect (My IP only) | ❌ Failed | AWS uses backend IPs, not your device IP |
| EC2 Instance Connect (0.0.0.0/0) | ✅ Worked | Inbound SSH open to AWS IPs worked |
| Checked OS (Amazon Linux 2023) | ✅ Compatible | EC2 Instance Connect works on AL2023 — no issue here |
🛡️ Final Thoughts from Arjun
Security is about control. But as Arjun learned, you must know who’s knocking on your EC2’s SSH port.
“You don’t just allow or block IPs — you understand the source, the behavior, and the risks.”
So next time EC2 Instance Connect fails — don’t panic. Just ask:
- Is port 22 open?
- To the right source IPs?
Now you’re thinking like a Cloud Security Engineer.
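The two checklist questions can be answered from the security group's rules before anyone clicks "Connect". The function below is an added example (not from the original post) that takes inbound rules in the shape boto3's describe_security_groups returns under IpPermissions and reports which CIDRs would admit a given source on port 22, plus whether any of them is the world. The two rule sets mirror the post's "My IP only" and "0.0.0.0/0" experiments; the EC2 Instance Connect range used as a source is a constructed placeholder, not AWS's real prefix.

```python
"""
Added example (not from the original post): check a security group's inbound
rules for "is port 22 open?" and "to the right source IPs?".
"""
import ipaddress

# Constructed: the restrictive rule Arjun started with.
SG_MY_IP_ONLY = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "103.240.207.210/32"}], "Ipv6Ranges": []},
]
# Constructed: the temporary "allow from anywhere" rule.
SG_OPEN_TO_WORLD = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]
# Constructed placeholder for an EC2 Instance Connect prefix in the region.
EC2IC_SAMPLE_PREFIX = "198.51.100.0/29"


def _rule_matches_port(rule, port):
    """True if the rule's protocol/port span includes TCP `port`."""
    proto = rule.get("IpProtocol")
    if proto == "-1":            # all traffic: FromPort/ToPort are absent
        return True
    if proto != "tcp":
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def cidrs_admitting(ip_permissions, source, port=22):
    """Return the CIDRs in `ip_permissions` that would admit `source` on `port`.

    `source` may be a single address or a CIDR; it is admitted by a rule when
    it lies entirely inside one of that rule's ranges. Managed prefix lists
    and security-group references (PrefixListIds, UserIdGroupPairs) are not
    expanded here, so they are reported separately by the caller if needed.
    """
    src = ipaddress.ip_network(source, strict=False)
    matches = []
    for rule in ip_permissions:
        if not _rule_matches_port(rule, port):
            continue
        ranges = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in ranges:
            net = ipaddress.ip_network(cidr)
            if net.version == src.version and src.subnet_of(net):
                matches.append(cidr)
    return matches


def world_open_cidrs(ip_permissions, port=22):
    """CIDRs that open `port` to every address (the finding to flag in review)."""
    found = []
    for rule in ip_permissions:
        if not _rule_matches_port(rule, port):
            continue
        for r in rule.get("IpRanges", []):
            if r["CidrIp"] == "0.0.0.0/0":
                found.append(r["CidrIp"])
        for r in rule.get("Ipv6Ranges", []):
            if r["CidrIpv6"] == "::/0":
                found.append(r["CidrIpv6"])
    return found


def explain(ip_permissions, source, port=22):
    """One-line verdict for the checklist, for a given connecting source."""
    admitted = cidrs_admitting(ip_permissions, source, port)
    broad = world_open_cidrs(ip_permissions, port)
    if not admitted:
        return f"port {port} is NOT reachable from {source}"
    note = " (via a world-open rule; tighten it)" if broad else ""
    return f"port {port} reachable from {source} via {admitted}{note}"


if __name__ == "__main__":
    for name, sg in (("my-ip-only", SG_MY_IP_ONLY), ("open", SG_OPEN_TO_WORLD)):
        print(name, "| laptop:", explain(sg, "103.240.207.210"))
        print(name, "| EC2IC :", explain(sg, EC2IC_SAMPLE_PREFIX))
```

Run against the real rules by feeding it the IpPermissions list from describe-security-groups and the region's EC2 Instance Connect prefixes: an empty result for those prefixes with a non-empty result for your own address is exactly the "terminal works, console doesn't" state in the story.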
Read More About AWS VPC
- AWS VPC Explained: Build Your First Private Cloud
- Avoid Mistakes with AWS Reserved IP Addresses
- Secure Your Network with AWS VPC Route Table
- Discover AWS Hyperplane: Smart AWS Traffic Manager
- Why EC2 Instance Connect Fails Despite IP Whitelist
- Why AWS Bastion Hosts Are Essential for Secure SSH Access
- 7 Proven Steps to Secure Private EC2 in AWS VPC
- Mastering AWS Security Groups vs NACLs the Right Way
I do believe all the ideas you have offered on your post.
They are very convincing and will certainly work.
Still, the posts are too quick for starters.
Could you please prolong them a little from next time?
Thank you for the post. http://Boyarka-inform.com/
Sure Odette. Will add an amazing and in-depth article on this soon. Thanks for your feedback.