I receive the following error when I use Amazon Elastic Compute Cloud (Amazon EC2) Instance Connect to connect to my Amazon EC2 instance: "There was a problem setting up the instance connection Log in failed. If this instance has just started up, try again in a minute or two."
Short description
The following are common reasons why you might receive an error when you use EC2 Instance Connect to connect to your instance:
- EC2 Instance Connect doesn't support the operating system (OS) distribution.
- The EC2 Instance Connect package isn't installed on the instance.
- There are missing or incorrect AWS Identity and Access Management (IAM) policies or permissions.
- Security groups that are associated with the instance don't list EC2 Instance Connect service IP addresses.
- The network access or configuration is incorrect.
If your instance doesn't have a public IP address, then you must establish private network connectivity to your virtual private cloud (VPC). To establish private network connectivity to your VPC, use AWS Direct Connect, AWS Site-to-Site VPN, or VPC peering.
If your instance doesn't have a public IPv4 address, and your VPC doesn't have a private network connectivity configuration, then use EC2 Instance Connect Endpoint.
Note: If you turned on the EC2 serial console for Linux instances, then use the serial console to troubleshoot Nitro-based instance types. To access the serial console, use either the Amazon EC2 console or the AWS Command Line Interface (AWS CLI).
If you can't reach your instance and you didn't configure access to the serial console, then see Configure access to the EC2 serial console.
Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Resolution
To troubleshoot issues when you connect to your EC2 instance, confirm the following configurations:
- EC2 Instance Connect supports your instance's Linux distribution.
- Your supported instance has the EC2 Instance Connect package installed.
- The IAM user that wants to use EC2 Instance Connect has permission to push the public key to the instance.
- The instance's security group rules list the EC2 Instance Connect IP addresses.
- You have network access to your instance.
Use browser-based SSH connections
Browser-based SSH connections require that your instance's security group inbound rules allow EC2 Instance Connect access to SSH on TCP port 22.
EC2 Instance Connect uses specific IP address ranges for browser-based SSH connections to your instance. These AWS IP address ranges differ between AWS Regions. To find the IP address range for EC2 Instance Connect in a specific Region, run the following commands.
Note: In the following commands, replace us-east-1 with the Region that your instance is in. Be sure your instance is in a Region that EC2 Instance Connect supports.
The following Windows command requires Windows PowerShell for AWS:
PS C:\> Get-AWSPublicIpAddressRange -Region us-east-1 -ServiceKey EC2_INSTANCE_CONNECT | select IpPrefix
The following Linux command requires curl and jq:
$ curl -s https://ip-ranges.amazonaws.com/ip-ranges.json | jq -r '.prefixes[] | select(.region=="us-east-1") | select(.service=="EC2_INSTANCE_CONNECT") | .ip_prefix'
Update your security group inbound rules to allow TCP port 22 access from the IP address range that the preceding commands return.
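The following Python check is an added example, not part of the original article or any AWS tool. It applies the same filter as the jq command and then tests whether a security group's inbound rules allow TCP port 22 from the resulting prefix. The function names and both sample inputs are assumptions constructed for illustration; the input shapes follow ip-ranges.json and the IpPermissions list from `aws ec2 describe-security-groups`.

```python
import ipaddress

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (documentation-range prefixes, not real AWS ranges).
SAMPLE_IP_RANGES = {"prefixes": [
    {"ip_prefix": "198.51.100.0/29", "region": "us-east-1", "service": "EC2_INSTANCE_CONNECT"},
    {"ip_prefix": "203.0.113.0/29", "region": "eu-west-1", "service": "EC2_INSTANCE_CONNECT"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
]}

# Constructed sample in the shape of the IpPermissions list returned by
# `aws ec2 describe-security-groups` for one security group.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.0/29"}]},
]

def eic_prefixes(ip_ranges, region):
    """Same filter as the jq command: region plus the EC2_INSTANCE_CONNECT service."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in ip_ranges["prefixes"]
            if p["region"] == region and p["service"] == "EC2_INSTANCE_CONNECT"]

def ssh_sources(permissions):
    """IPv4 CIDRs allowed to reach TCP 22 (IpProtocol "-1" means all traffic)."""
    sources = []
    for perm in permissions:
        proto = perm.get("IpProtocol")
        if proto == "-1":
            covers_22 = True
        else:
            covers_22 = proto == "tcp" and perm.get("FromPort", 0) <= 22 <= perm.get("ToPort", 65535)
        if covers_22:
            sources += [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]
    return sources

def check_sg(ip_ranges, permissions, region):
    """Map each EIC prefix to the SSH rule CIDR that covers it, or None if uncovered."""
    sources = ssh_sources(permissions)
    result = {}
    for prefix in eic_prefixes(ip_ranges, region):
        cover = next((s for s in sources if prefix.subnet_of(s)), None)
        result[str(prefix)] = str(cover) if cover else None
    return result

if __name__ == "__main__":
    for prefix, cover in check_sg(SAMPLE_IP_RANGES, SAMPLE_PERMISSIONS, "us-east-1").items():
        print(prefix, "allowed by" if cover else "NOT allowed", cover or "")
```

A result of None for a prefix means browser-based connections from that range are blocked by the security group. A covering CIDR that is wider than the prefix, such as 0.0.0.0/0, means the connection works but the rule admits more than the EC2 Instance Connect range.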
Use EC2 Instance Connect CLI connection
Update your security group inbound rules to allow TCP port 22 access from your IP address.
Related information
Connect to your Linux instance with EC2 Instance Connect
How can I connect to my Amazon EC2 instance if I lost my SSH key pair after its initial launch?
How can I troubleshoot connecting to my Amazon EC2 Linux instance using SSH?