What could prevent one Amazon EC2 instance from pinging another instance's Private IP?

Solution 1:

It turns out the problem was the Security Group settings after all.

I had been IP-restricting traffic, so only my external IP could communicate with the instances. I assumed the Security Groups didn't apply to communication between instances, but they do.

The solution was to also allow traffic from 10.0.0.0/8, which covers all possible EC2 private IPs. It would be more secure to only allow traffic from specific private IPs, but that's a hassle since they can change.

This solves my problem for now. Probably the best solution would be to utilize Amazon's API to automatically tweak the Security Group IP-restrictions when instances are stopped and started.

Solution 2:

According to the AWS FAQs, as long as you don't stop your instance... your private IP will stay the same.

Q: Do I need one Elastic IP address for every instance that I have running? No. You do not need an Elastic IP address for all your instances. By default, every instance comes with a private IP address and an internet routable public IP address. The private address is associated exclusively with the instance and is only returned to Amazon EC2 when the instance is stopped or terminated. The public address is associated exclusively with the instance until it is stopped, terminated or replaced with an Elastic IP address. These IP addresses should be adequate for many applications where you do not need a long lived internet routable end point. Compute clusters, web crawling, and backend services are all examples of applications that typically do not require Elastic IP addresses.

Solution 3:

The statement "Security Group settings do not affect internal IPs" is incorrect. You have to add the inbound traffic to the security group for the private IP, just like an external IP.

I had to add entries from a specific private IP so that I could allow one instance to connect to another using subversion, CouchDB, map a network drive, etc.

However, ping is different... Check that the security settings are set to ICMP, or just to "All Traffic". Not just TCP, because PING is an ICMP message. Don't think that because you turned on "All TCP" that it will work.

Hope that helps.
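As an added example (not code from any of the answers above), the following Python evaluates constructed security-group rule sets, shaped like the IpPermissions list that describe-security-groups returns, against a probe. It shows the two points made in Solutions 1 and 3: a rule that only admits the admin's external IP blocks a peer's private IP, and an "All TCP" rule still blocks ping because echo requests are ICMP. The rule sets and addresses are constructed; only CidrIp sources are modelled (no security-group or prefix-list sources).

```python
import ipaddress

# Constructed samples in the shape of describe-security-groups IpPermissions.
ONLY_ADMIN_TCP = [  # Solution 1's starting point: one external IP, TCP only
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}]},
]
ALL_TCP_FROM_VPC = [  # "All TCP" from the private range: still no ICMP
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
]
ICMP_ECHO_FROM_PEER = [  # ICMP echo request (type 8) from one peer only
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.0.1.20/32"}]},
]


def ingress_allowed(rules, src_ip, protocol, port_or_type):
    """Return True if any rule admits the probe.

    protocol is "tcp", "udp" or "icmp"; port_or_type is a TCP/UDP port or
    an ICMP type. IpProtocol "-1" is the console's "All traffic". For icmp
    rules FromPort is the ICMP type and -1 means any type.
    """
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        proto = rule["IpProtocol"]
        if proto != "-1":
            if proto != protocol:
                continue  # e.g. a tcp rule never matches an ICMP probe
            lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
            if protocol == "icmp":
                if lo != -1 and lo != port_or_type:
                    continue
            elif not (lo <= port_or_type <= hi):
                continue
        # Protocol/port matched; the source must also fall in a listed CIDR.
        if any(src in ipaddress.ip_network(r["CidrIp"])
               for r in rule.get("IpRanges", [])):
            return True
    return False


def ping_allowed(rules, src_ip):
    """Would an ICMP echo request (type 8) from src_ip be accepted?"""
    return ingress_allowed(rules, src_ip, "icmp", 8)
```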