Got a noob question about security settings on AWS ec2 instance. I've set up an instance with Tomcat7 ( ami-95da17fc ) and I have a little issue.

If I ssh into the instance and do ping -c 2 -p 80 localhost I get 0 packet loss if I ping my elastic ip I get 100% pocket loss, same thing with the long.winded.aws.dns.name

if I simply try to ping the site from terminal (not logged into the instance) I also get 100% pocket loss.

My default security group has the following settings:

0 - 65535 sg-07787e6e (default)

80 (HTTP) 0.0.0.0/0

8080 (HTTP*) 0.0.0.0/0

22 (SSH) 70.126.98.72/32

I'd be most grateful if anyone can shed some light on what I'm missing.


... hm, I get 404 with curl, sudo netstat -lp gives me:

Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 *:ssh : LISTEN 841/sshd
tcp 0 0 localhost:smtp : LISTEN 868/sendmail: accep tcp 0 0 *:webcache : LISTEN 981/java
tcp 0 0 *:http : LISTEN 948/httpd
tcp 0 0 *:ssh : LISTEN 841/sshd
tcp 0 0 localhost:8005 : LISTEN 981/java
tcp 0 0 *:8009 : LISTEN 981/java
udp 0 0 *:bootpc : 734/dhclient
udp 0 0 domU-12-31-39-09-A6:ntp : 852/ntpd
udp 0 0 localhost:ntp : 852/ntpd
udp 0 0 *:ntp : 852/ntpd
udp 0 0 fe80::1031:39ff:fe0:ntp : 852/ntpd
udp 0 0 localhost:ntp : 852/ntpd
udp 0 0 *:ntp : 852/ntpd
Active UNIX domain sockets (only servers) Proto RefCnt Flags Type State I-Node PID/Program name Path unix 2 [ ACC ] STREAM LISTENING 1954 922/gam_server @/tmp/fam-root- unix 2 [ ACC ] STREAM LISTENING 1967 927/bluepilld: host /var/bluepill/socks/hostmanager.sock

... and I've not changed anything in iptables


Ping uses the ICMP protocol - the security groups in AWS Console default to the TCP protocol. If you wish to be able to ping your instance from 'the outside', you need change the security group settings to permit the ICMP protocol (Echo), using, for instance, something like the following:

ec2-authorize default -P icmp -t -1:-1 -s 0.0.0.0/0

You can also use the AWS Console to accomplish this:

  • Create a 'Custom ICMP Rule' for your security group
  • Type: Echo Request and Type: Echo Reply (both are required)
  • Source: 0.0.0.0/0

Alternatively, for the same effect as the ec2-authorize command above, you can allow 'All ICMP'

See the AWS EC2 Docs for more information, and the AWS FAQ.