Arjun just joined a fast-growing fintech startup as a Cloud Security Engineer. One of his first tasks:
“Launch an EC2 instance and make sure only his IP can SSH into it. No exceptions.”
He spun up an EC2 instance (Amazon Linux 2023), created a security group, and added this inbound rule:
Type: SSH
Port: 22
Source: My IP (e.g., 103.240.207.210/32)
Perfect, right?
To test access, he clicked “Connect” → “EC2 Instance Connect” on the AWS Console.
❌ “Connection Error. Try again later.”
😤 But Terminal SSH Works!
When Arjun used the .pem key and ran:
ssh -i arjun-key.pem ec2-user@<public-ip>
💥 Boom! He got access. So clearly, the EC2 was healthy and his IP was correct.
What gives?
🕵️♂️ The Investigation Begins
Frustrated but curious, Arjun tried a hack:
He temporarily changed the security group rule to:
Type: SSH
Port: 22
Source: 0.0.0.0/0 (Allow from anywhere)
Tried EC2 Instance Connect again…
✅ It worked.
🤯 Wait… it worked when the firewall was open to the world but not when it was restricted to his IP?
💡 The Aha Moment: EC2 Instance Connect Uses AWS IPs, Not Yours
That’s when Arjun dug into AWS documentation and found the key truth:
“EC2 Instance Connect doesn’t use your personal IP. It uses AWS-managed backend IPs to connect to the instance.”
So when you restrict SSH to your IP only, the source addresses of the Instance Connect service are blocked by the security group — hence the browser-based EC2 Instance Connect session fails, even though the instance itself is healthy.
🔐 Why This Matters (and How to Fix It)
🚫 Problem:
- You restricted port 22 to your IP (great for security)
- EC2 Instance Connect fails because AWS connects from its own IP ranges
✅ Solution Options:
1. Temporarily Allow 0.0.0.0/0
- For testing or temporary access
- Easy, but not secure long-term
2. Allow AWS EC2 Instance Connect IP Ranges
- Find the IP ranges used by EC2 Instance Connect in your region in the AWS IP Ranges JSON (https://ip-ranges.amazonaws.com/ip-ranges.json)
- Filter by:
  service: EC2_INSTANCE_CONNECT
  region: your region (e.g., ap-south-1)
- Add those IPs to your security group
3. Stick with PEM + SSH Terminal
- Your current .pem SSH method works perfectly
- Best for production and tight security setups
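As an added example (not code from the original post), the script below does the filtering from option 2 against a constructed copy of the ip-ranges.json schema and then builds the security-group rule that allows TCP/22 only from your own /32 plus the Instance Connect ranges for one region. The CIDRs in the sample are documentation ranges, not AWS's real prefixes, and `<sg-id>` is a placeholder; in real use, feed the function the downloaded ip-ranges.json text instead of the sample.

```python
import json

# Constructed sample in the schema of ip-ranges.json (the real file is far larger);
# the CIDRs are RFC 5737/3849 documentation ranges, NOT AWS's actual prefixes.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0", "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/29", "region": "ap-south-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-south-1"},
        {"ip_prefix": "198.51.100.0/29", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "ap-south-1",
         "service": "EC2", "network_border_group": "ap-south-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/48", "region": "ap-south-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-south-1"},
    ],
})


def instance_connect_cidrs(ip_ranges_json: str, region: str) -> dict:
    """Return the IPv4/IPv6 prefixes the Instance Connect service uses in `region`.
    Only service == EC2_INSTANCE_CONNECT counts; the broad 'EC2' entries are skipped."""
    doc = json.loads(ip_ranges_json)
    v4 = sorted(p["ip_prefix"] for p in doc.get("prefixes", [])
                if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region)
    v6 = sorted(p["ipv6_prefix"] for p in doc.get("ipv6_prefixes", [])
                if p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region)
    return {"ipv4": v4, "ipv6": v6}


def ssh_ingress_permissions(my_ip: str, cidrs: dict) -> list:
    """Build the IpPermissions structure for `aws ec2 authorize-security-group-ingress`:
    TCP/22 from the operator's own /32 plus the Instance Connect ranges, nothing else."""
    v4 = [{"CidrIp": my_ip, "Description": "operator workstation"}]
    v4 += [{"CidrIp": c, "Description": "EC2 Instance Connect"} for c in cidrs["ipv4"]]
    v6 = [{"CidrIpv6": c, "Description": "EC2 Instance Connect"} for c in cidrs["ipv6"]]
    perm = {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": v4}
    if v6:
        perm["Ipv6Ranges"] = v6
    return [perm]


if __name__ == "__main__":
    # Real use: replace SAMPLE_IP_RANGES with the downloaded ip-ranges.json text.
    ranges = instance_connect_cidrs(SAMPLE_IP_RANGES, "ap-south-1")
    perms = ssh_ingress_permissions("103.240.207.210/32", ranges)
    print("aws ec2 authorize-security-group-ingress --group-id <sg-id> "
          "--ip-permissions '%s'" % json.dumps(perms))
```

The published ranges change over time, so re-run the filter against a fresh ip-ranges.json (its syncToken changes when AWS updates it) before trusting an old rule set.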
✅ Bonus Learnings from Arjun’s Debugging
| 🔍 What He Tried | ✅ Result | 🧠 Takeaway |
| --- | --- | --- |
| SSH from terminal using .pem | ✅ Worked | .pem method only needs your IP allowed |
| EC2 Instance Connect (My IP only) | ❌ Failed | AWS uses backend IPs, not your device IP |
| EC2 Instance Connect (0.0.0.0/0) | ✅ Worked | Inbound SSH open to AWS IPs worked |
| Checked OS (Amazon Linux 2023) | ✅ Compatible | EC2 Instance Connect works on AL2023 — no issue here |
🛡️ Final Thoughts from Arjun
Security is about control. But as Arjun learned, you must know who’s knocking on your EC2’s SSH port.
“You don’t just allow or block IPs — you understand the source, the behavior, and the risks.”
So next time EC2 Instance Connect fails — don’t panic. Just ask:
- Is port 22 open?
- To the right source IPs?
Now you’re thinking like a Cloud Security Engineer.