Why am I seeing a "Connection refused" or "Connection timed out" error when connecting to my EC2 instance?
These errors occur when your SSH client cannot establish a connection with your Amazon EC2 instance. The issue is usually caused by incorrect security group settings, a stopped SSH service, or networking misconfigurations.
What are the possible reasons for this error?
- Security group rules are blocking SSH traffic
- Ensure your EC2 instance’s security group allows inbound SSH connections on port
22from your IP address.
- Ensure your EC2 instance’s security group allows inbound SSH connections on port
- The EC2 instance is unreachable
- If your instance is in a private subnet or does not have a public IP, you need a VPN, bastion host, or AWS Systems Manager Session Manager to access it.
- The SSH service is not running
- The SSH daemon (
sshd) might not be running on your instance. You can check this by connecting via EC2 Instance Connect or the AWS Systems Manager.
- The SSH daemon (
- Incorrect key pair or permissions
- Ensure you are using the correct private key (
.pemfile) and that it has the right permissions (chmod 400 key.pem).
- Ensure you are using the correct private key (
- Networking issues or VPC misconfigurations
- Your instance's subnet, route table, or internet gateway might not be set up correctly, preventing external access.
How can I fix the "Connection refused" or "Connection timed out" error?
Step 1: Check Security Group Rules
- Go to the AWS EC2 console.
- Select your instance and navigate to the Security tab.
- Click on the Security group linked to your instance.
- Ensure there is an inbound rule allowing SSH (
port 22) from your IP (0.0.0.0/0is not recommended for security reasons).
Step 2: Verify the EC2 Instance State
- In the AWS EC2 console, check that your instance is in a running state.
- If it is stopped, start it and try reconnecting.
Step 3: Restart the SSH Service
- Use EC2 Instance Connect (for Amazon Linux 2 or Ubuntu) or AWS Systems Manager Session Manager to log in.
- Run the following command to restart the SSH service:
sudo systemctl restart sshd
- If you are using an older system, try:
sudo service ssh restart
Step 4: Check Networking and Subnet Settings
- Ensure that your instance is in a public subnet with a public IPv4 address assigned.
- Go to VPC Dashboard > Route Tables and check that your route table includes a route to an Internet Gateway (
0.0.0.0/0 → igw-xxxxxxx).
Step 5: Verify the Key Pair and File Permissions
- Confirm that you are using the correct private key (
.pemfile) associated with the instance. - Ensure that the key has the correct permissions:
chmod 400 key.pem
What if I still cannot connect?
- Check EC2 system logs
- Open the AWS EC2 console, select your instance, and go to Monitor and Troubleshoot > Get system log.
- Look for any errors related to SSH.
- Use a Bastion Host or Systems Manager
- If your instance is in a private subnet, connect using a bastion host or AWS Systems Manager Session Manager instead of SSH.
- Check AWS Status Page
- If AWS is experiencing network issues, it may temporarily affect connectivity to your instances.
Final Thoughts
If you are facing "Connection refused" or "Connection timed out" errors when connecting to an EC2 instance via SSH, the issue is likely due to security groups, networking settings, or SSH service issues. By following the troubleshooting steps above, you should be able to restore connectivity.
For more details, refer to AWS documentation on troubleshooting SSH connections.
