Troubleshooting EC2 Instance Connect: Why SSH Access Fails Even with IP Whitelist

Jay Tillu
3 min read

Arjun just joined a fast-growing fintech startup as a Cloud Security Engineer. One of his first tasks:

“Launch an EC2 instance and make sure only his IP can SSH into it. No exceptions.”

He spun up an EC2 instance (Amazon Linux 2023), created a security group, and added this inbound rule:

Type: SSH
Port: 22
Source: My IP (e.g., 103.240.207.210/32)

Perfect, right?

To test access, he clicked “Connect” → “EC2 Instance Connect” on the AWS Console.

❌ “Connection Error. Try again later.”


😤 But Terminal SSH Works!

When Arjun used the .pem key and ran:

ssh -i arjun-key.pem ec2-user@<public-ip>

💥 Boom! He got access. So clearly, the EC2 was healthy and his IP was correct.

What gives?


🕵️‍♂️ The Investigation Begins

Frustrated but curious, Arjun tried a hack:

He temporarily changed the security group rule to:

Type: SSH
Port: 22
Source: 0.0.0.0/0 (Allow from anywhere)

Tried EC2 Instance Connect again...

✅ It worked.

🤯 Wait… it worked when the firewall was open to the world but not when it was restricted to his IP?


💡 The Aha Moment: EC2 Instance Connect Uses AWS IPs, Not Yours

That’s when Arjun dug into AWS documentation and found the key truth:

“EC2 Instance Connect doesn't use your personal IP. It uses AWS-managed backend IPs to connect to the instance.”

So when you restrict SSH to your IP only, AWS’s internal systems get blocked — hence EC2 Instance Connect fails.


🔐 Why This Matters (and How to Fix It)

🚫 Problem:

  • You restricted port 22 to your IP (great for security)

  • EC2 Instance Connect fails because AWS connects from its own IP ranges

✅ Solution Options:

1. Temporarily Allow 0.0.0.0/0

  • For testing or temporary access

  • Easy, but not secure long-term

2. Allow AWS EC2 Connect IP Ranges

  • Find the IP ranges used by EC2 Connect in your region:

    • AWS IP Ranges JSON

    • Filter by:

      • service: EC2_INSTANCE_CONNECT

      • region: your region (e.g., ap-south-1)

  • Add those IPs to your security group

3. Stick with PEM + SSH Terminal

  • Your current .pem SSH method works perfectly

  • Best for production and tight security setups
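For option 2, this added example (not the post's own code) filters a copy of the AWS ip-ranges.json feed down to the EC2_INSTANCE_CONNECT prefixes for one region and turns them into the IpPermissions document that `aws ec2 authorize-security-group-ingress --ip-permissions` accepts, so port 22 is opened to the operator's /32 plus those prefixes rather than to 0.0.0.0/0. The embedded JSON is a constructed stand-in with documentation-range prefixes, not real AWS ranges; the field names match the real feed.

```python
# Added example (not from the original post): filter the AWS ip-ranges.json feed
# for EC2_INSTANCE_CONNECT in one region and build the port-22 ingress permission
# that allows only those prefixes plus the operator's own IP, not 0.0.0.0/0.
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json. The
# prefixes are documentation ranges, not real AWS ones; they only let this run offline.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000", "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/29", "region": "ap-south-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-south-1"},
        {"ip_prefix": "198.51.100.0/29", "region": "us-east-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "ap-south-1",
         "service": "EC2", "network_border_group": "ap-south-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:1::/48", "region": "ap-south-1",
         "service": "EC2_INSTANCE_CONNECT", "network_border_group": "ap-south-1"},
    ],
})

def instance_connect_prefixes(ip_ranges_json, region):
    """Return sorted (ipv4, ipv6) prefix lists for EC2_INSTANCE_CONNECT in `region`."""
    data = json.loads(ip_ranges_json)
    def wanted(p):
        return p["service"] == "EC2_INSTANCE_CONNECT" and p["region"] == region
    v4 = sorted(p["ip_prefix"] for p in data["prefixes"] if wanted(p))
    v6 = sorted(p["ipv6_prefix"] for p in data.get("ipv6_prefixes", []) if wanted(p))
    return v4, v6

def ssh_ingress_permission(v4, v6, my_ip_cidr):
    """IpPermissions entry for `aws ec2 authorize-security-group-ingress`:
    TCP/22 from the operator's /32 and the Instance Connect prefixes only."""
    tag = "EC2 Instance Connect"
    return {
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": my_ip_cidr, "Description": "operator IP"}]
                    + [{"CidrIp": c, "Description": tag} for c in v4],
        "Ipv6Ranges": [{"CidrIpv6": c, "Description": tag} for c in v6],
    }

if __name__ == "__main__":
    v4, v6 = instance_connect_prefixes(SAMPLE_IP_RANGES, "ap-south-1")
    perm = ssh_ingress_permission(v4, v6, "103.240.207.210/32")
    # Save the output as ssh-ingress.json, then run:
    # aws ec2 authorize-security-group-ingress --group-id <sg-id> --ip-permissions file://ssh-ingress.json
    print(json.dumps([perm], indent=2))
```

Because the published ranges change over time, re-run the filter against a fresh download whenever EC2 Instance Connect starts failing again with the restricted rule in place.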


✅ Bonus Learnings from Arjun’s Debugging

| 🔍 What He Tried | Result | 🧠 Takeaway |
| --- | --- | --- |
| SSH from terminal using .pem | ✅ Worked | .pem method only needs your IP allowed |
| EC2 Instance Connect (My IP only) | ❌ Failed | AWS uses backend IPs, not your device IP |
| EC2 Instance Connect (0.0.0.0/0) | ✅ Worked | Inbound SSH open to AWS IPs worked |
| Checked OS (Amazon Linux 2023) | ✅ Compatible | EC2 Instance Connect works on AL2023 — no issue here |

🛡️ Final Thoughts from Arjun

Security is about control. But as Arjun learned, you must know who’s knocking on your EC2’s SSH port.

“You don’t just allow or block IPs — you understand the source, the behavior, and the risks.”

So next time EC2 Instance Connect fails — don’t panic. Just ask:

  • Is port 22 open?

  • To the right source IPs?

Now you're thinking like a Cloud Security Engineer.


Written by

Jay Tillu

Hello! I'm Jay Tillu, an Information Security Engineer at Simple2Call. I have expertise in security frameworks and compliance, including NIST, ISO 27001, and ISO 27701. My specialities include Vulnerability Management, Threat Analysis, and Incident Response. I have also earned certifications in Google Cybersecurity and Microsoft Azure. I’m always eager to connect and discuss cybersecurity—let's get in touch!