One specific EC2 instance not receiving inbound connections from the Internet

  • Launching an Amazon Linux or Windows Server instance with multiple network interfaces automatically configures the interfaces, private IPv4 addresses, and route tables on the instance's operating system (other Linux distributions may need the secondary interface and its routing configured by hand).

  • You can specify multiple private IPv4 and IPv6 addresses for your instances.

  • The number of network interfaces and private IPv4 and IPv6 addresses that you can specify for an instance depends on the instance type.

  • You associate security groups with network interfaces, not individual IP addresses.

    • Therefore, each IP address you specify in a network interface is subject to the security group of its network interface.

  • You can use the primary network interface (eth0) for public traffic and a secondary network interface (eth1) for backend management traffic, connecting eth1 to a separate subnet in your VPC that has more restrictive access controls.

  • The public interface (which may or may not sit behind an ELB) has a security group that allows access to the server from the Internet, for example TCP ports 80 and 443 from 0.0.0.0/0, or from the load balancer's security group.

  • The private-facing interface has a security group that allows SSH only from an allowed range of IP addresses: within the VPC, from the Internet, from a private subnet within the VPC, or via a virtual private gateway.

  • Hence, when one specific EC2 instance in a subnet is not receiving inbound connections from the Internet while its neighbours are, check the instance-specific configuration:

    • Check that the security group permitting the inbound traffic is attached to the ENI that actually receives it (the public-facing eth0), not to the management ENI. Security groups bind to interfaces, so a rule on eth1's group does nothing for traffic arriving on eth0.

    • If the instance sits behind an Application Load Balancer, check that it is registered as a target in the target group and reports healthy; an unregistered or unhealthy target receives no traffic from the load balancer.

    • You would not need to check a NAT gateway: a NAT gateway only serves outbound connections from instances in private subnets, and a subnet-level component (NAT gateway, route table, network ACL) would affect every instance in the subnet, not just one.
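The checklist above, and the two-interface design it rests on, as an added offline worked example that is not part of the original notes. The script walks the instance's network interfaces, identifies the one that holds the public IPv4 address (the interface Internet traffic actually reaches), and tests whether a security group on that interface admits a given client; if not, it reports any other interface of the same instance that carries a group which would have admitted it, which is exactly the "right group on the wrong ENI" case. All instance, ENI, security group IDs and addresses are constructed, and the data structures only mirror the JSON shape of `aws ec2 describe-network-interfaces`, `aws ec2 describe-security-groups` and `aws elbv2 describe-target-health`; in practice you would feed those commands' real output in. Rules that reference another security group (the load-balancer case) are deliberately not evaluated here, since that needs the client's group ID rather than an address.

```python
"""Offline check for 'one instance in the subnet gets no inbound traffic'.

Mirrors the shape of these AWS CLI responses (all data below is constructed):
  aws ec2 describe-network-interfaces --filters Name=attachment.instance-id,Values=<id>
  aws ec2 describe-security-groups --group-ids <ids>
  aws elbv2 describe-target-health --target-group-arn <arn>
"""
import ipaddress

INSTANCE_ID = "i-0123456789abcdef0"  # constructed

# Constructed: eth0 carries the public IP, eth1 is the management interface.
# The web security group was attached to the WRONG interface (eth1).
NETWORK_INTERFACES = [
    {
        "NetworkInterfaceId": "eni-0aaa111122223333a",
        "Attachment": {"InstanceId": INSTANCE_ID, "DeviceIndex": 0},
        "Association": {"PublicIp": "198.51.100.25"},
        "Groups": [{"GroupId": "sg-0a1b2c3d4e5f60001"}],
    },
    {
        "NetworkInterfaceId": "eni-0bbb111122223333b",
        "Attachment": {"InstanceId": INSTANCE_ID, "DeviceIndex": 1},
        "Groups": [{"GroupId": "sg-0a1b2c3d4e5f60002"}],
    },
]

# Constructed: management group admits SSH from an internal range only,
# web group admits 80/443 from anywhere.
SECURITY_GROUPS = {
    "sg-0a1b2c3d4e5f60001": {
        "GroupName": "mgmt-ssh",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
        ],
    },
    "sg-0a1b2c3d4e5f60002": {
        "GroupName": "web-public",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
}

# Constructed: the target group holds a different instance, not ours.
TARGET_HEALTH = {
    "TargetHealthDescriptions": [
        {"Target": {"Id": "i-0fedcba9876543210", "Port": 443},
         "TargetHealth": {"State": "healthy"}},
    ]
}


def permission_admits(perm, protocol, port, client_ip):
    """True if one IpPermissions entry lets client_ip reach protocol/port.

    Only CIDR-based rules (IpRanges) are evaluated; UserIdGroupPairs, i.e.
    rules that reference another security group, are ignored here.
    """
    proto = perm["IpProtocol"]
    if proto != "-1":  # "-1" means all protocols and all ports
        if proto != protocol:
            return False
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return False
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", []))


def group_admits(group, protocol, port, client_ip):
    """True if any rule of the security group admits the client."""
    return any(permission_admits(p, protocol, port, client_ip) for p in group["IpPermissions"])


def public_interface(enis):
    """The ENI holding the public IPv4 address, i.e. where Internet traffic arrives."""
    for eni in enis:
        if eni.get("Association", {}).get("PublicIp"):
            return eni
    return None


def diagnose_inbound(enis, groups, protocol, port, client_ip):
    """Checklist step 1: is the admitting security group on the public-facing ENI?

    Returns the public ENI, whether its groups admit the client, and a list of
    (eni_id, group_id) pairs on OTHER interfaces that would have admitted it.
    """
    pub = public_interface(enis)
    if pub is None:
        return {"public_eni": None, "admitted": False, "misattached": []}
    pub_group_ids = [g["GroupId"] for g in pub["Groups"]]
    admitted = any(group_admits(groups[g], protocol, port, client_ip) for g in pub_group_ids)
    misattached = []
    if not admitted:
        for eni in enis:
            if eni is pub:
                continue
            for g in eni["Groups"]:
                if group_admits(groups[g["GroupId"]], protocol, port, client_ip):
                    misattached.append((eni["NetworkInterfaceId"], g["GroupId"]))
    return {"public_eni": pub["NetworkInterfaceId"], "admitted": admitted, "misattached": misattached}


def target_registration(target_health, instance_id):
    """Checklist step 2: the instance's state in the target group, or 'unregistered'."""
    for desc in target_health["TargetHealthDescriptions"]:
        if desc["Target"]["Id"] == instance_id:
            return desc["TargetHealth"]["State"]
    return "unregistered"


if __name__ == "__main__":
    # Constructed client address from the TEST-NET-3 range.
    print(diagnose_inbound(NETWORK_INTERFACES, SECURITY_GROUPS, "tcp", 443, "203.0.113.10"))
    print(target_registration(TARGET_HEALTH, INSTANCE_ID))
```

With the constructed data the first call reports that the public ENI admits nothing on TCP 443 and that the group which would admit it sits on the management ENI, while the second reports the instance as unregistered in the target group; both are instance-level findings, which is why a NAT gateway or other subnet-wide component never enters the picture.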
