One of the more surprising EC2 issues I recently helped troubleshoot turned out to be a local firewall misconfiguration: not memory pressure, not a crashed instance, and not an AWS limit.
At first, it seemed like the usual “can’t SSH into EC2” situation. However, what made this different was that everything else appeared fine: the security groups, key file, IP address, and even the instance’s health status. Let’s look at how I figured it out — and how you can fix it too.
The Situation: EC2 Instance Running, but SSH Failing
A friend reached out after suddenly losing SSH access to their previously working EC2 instance. They tried:
ssh -i my-key.pem ec2-user@ec2-xx-xx-xx-xx.compute-1.amazonaws.com
There was no response at all.
They had:
The correct key
The right public IP
Port 22 open in the security group
An instance marked as running
Everything should’ve worked, right?
First Checks (That Didn’t Solve It)
Naturally, we worked through the standard checklist:
Inbound port 22 open in the EC2 security group
Correct key and username
Correct IP address
We even tried EC2 Instance Connect, and it failed too. That is a clue in itself: Instance Connect pushes a short-lived key to the instance and then opens an ordinary SSH session to port 22, so anything that blocks sshd from the network blocks Instance Connect as well. The AWS Console still showed the instance as healthy, but the instance status checks only verify that the instance is reachable at the network and hypervisor level; they say nothing about whether sshd is accepting connections. So what was wrong?
The Discovery: It Was UFW (Uncomplicated Firewall)
Digging deeper, I asked, “Have you configured any firewall or security software inside the instance?”
That’s when it clicked. The user had enabled UFW (the Uncomplicated Firewall front end for iptables/nftables, popular on Ubuntu) during recent security hardening, but had not added a rule allowing SSH before running ufw enable. UFW's default policy is to deny all incoming traffic, and it drops the packets rather than rejecting them, which is exactly why the ssh client hung with no response instead of printing "Connection refused". Port 22 was open in the security group and blocked inside the server.
The Fix: Reset the Firewall Rules
A security group can only permit traffic to reach the instance; it cannot override a host firewall that drops the packets once they arrive, so the instance was unreachable over the network. With no way in, we repaired the root volume offline from a second instance:
1️⃣ Stop the EC2 Instance
Stop it via the AWS Console (don’t terminate!). Note that a stop/start cycle changes the instance's public IPv4 address unless an Elastic IP is attached, and anything on instance store volumes is lost.
2️⃣ Detach the Root Volume
In the EC2 console, write down the root volume's device name (for example /dev/sda1 on Ubuntu AMIs or /dev/xvda on Amazon Linux) and then detach the volume from the stopped instance. You will need that exact name to reattach it later.
3️⃣ Attach to Another Instance
Attach the volume to a working EC2 instance in the same Availability Zone (an EBS volume can only be attached within its own AZ) as a secondary disk, e.g., /dev/xvdf. On Nitro-based instances the kernel exposes it under an NVMe name such as /dev/nvme1n1 regardless of the name you chose, so check with lsblk.
4️⃣ Mount the Volume
lsblk -f # find the root partition: /dev/xvdf1 on Xen instances, /dev/nvme1n1p1 on Nitro
sudo mkdir -p /mnt/recovery
sudo mount /dev/xvdf1 /mnt/recovery
5️⃣ Edit UFW Rules
sudo chroot /mnt/recovery
ufw allow ssh # writes the rule into /etc/ufw/user.rules on the mounted volume
ufw disable # only if you also want the firewall off at next boot; the allow rule alone restores access
exit
A chroot shares the helper instance's kernel, so any iptables calls ufw makes here run against the helper's firewall, not the broken instance's; what matters is the configuration written to the mounted volume. If ufw errors out inside the chroot, the equivalent manual edit is setting ENABLED=no in /etc/ufw/ufw.conf on the mounted volume, then fixing the rules properly once you are logged in again.
6️⃣ Unmount & Reattach
sudo umount /mnt/recovery
Detach the volume from the temporary instance and reattach it to the original instance using the root device name you noted in step 2; with a different name the instance will not boot.
7️⃣ Start the Instance
Boot it up (remember the public IP may have changed) and SSH access should work. Once in, run sudo ufw status verbose to confirm the firewall is in the state you expect.
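The offline repair in steps 4 to 6, as an added example script that is not from the original post. It takes the safer route mentioned above: instead of running ufw inside a chroot (which would run iptables against the helper's kernel), it edits /etc/ufw/ufw.conf on the mounted volume so UFW stays off at the next boot, then you fix the rules over a working SSH session. The function names, the /mnt/recovery mount point, and the assumption that the root filesystem is the first ext4 or xfs partition on the attached disk are mine; run it as root on the helper instance.

```shell
#!/bin/sh
# Offline UFW recovery helper (added example, not code from the original post).
# Run as root on the helper instance after attaching the broken instance's
# root volume. It edits /etc/ufw/ufw.conf on the mounted volume instead of
# running `ufw` in a chroot, so nothing touches the helper's own netfilter.
set -eu

# Print the first ext4/xfs partition on the given disk. Nitro instances expose
# an attached volume as /dev/nvme1n1 whatever device name was chosen in the
# console, so the partition is discovered with lsblk rather than hard-coded.
find_root_partition() {
  disk="$1"
  lsblk -prno NAME,FSTYPE "$disk" | awk '$2=="ext4" || $2=="xfs" {print $1; exit}'
}

# Report the ENABLED= value from the offline root's ufw.conf:
# "yes", "no", or an empty string when UFW is not installed on that volume.
ufw_state_in_root() {
  conf="$1/etc/ufw/ufw.conf"
  [ -f "$conf" ] || { echo ""; return 0; }
  sed -n 's/^ENABLED=//p' "$conf" | tail -n1
}

# Flip ENABLED=yes to ENABLED=no in the offline ufw.conf, keeping a backup.
# At the next boot UFW loads no rules, sshd is reachable again, and the rules
# can be corrected (ufw allow ssh; ufw enable) over a working session.
# Fails if the file is missing, which usually means the wrong volume was mounted.
disable_ufw_in_root() {
  root="$1"
  conf="$root/etc/ufw/ufw.conf"
  if [ ! -f "$conf" ]; then
    echo "no $conf found; is this really the broken instance's root volume?" >&2
    return 1
  fi
  cp -p "$conf" "$conf.bak"
  sed -i 's/^ENABLED=yes$/ENABLED=no/' "$conf"
  # Verify the edit actually took; a file with no ENABLED= line is not fixed.
  [ "$(ufw_state_in_root "$root")" = "no" ]
}

# Whole procedure: mount the offline root, disable UFW there, unmount.
# Usage (as root on the helper): recover_root_volume /dev/nvme1n1 [/mnt/recovery]
recover_root_volume() {
  disk="$1"
  mnt="${2:-/mnt/recovery}"
  part="$(find_root_partition "$disk")"
  if [ -z "$part" ]; then
    echo "no ext4/xfs partition found on $disk" >&2
    return 1
  fi
  mkdir -p "$mnt"
  mount "$part" "$mnt"
  echo "UFW on $part before: ENABLED=$(ufw_state_in_root "$mnt")"
  disable_ufw_in_root "$mnt"
  echo "UFW on $part after:  ENABLED=$(ufw_state_in_root "$mnt")"
  umount "$mnt"
}

# Only run the procedure when a disk is given on the command line, so the file
# can also be sourced to reuse the functions.
if [ $# -ge 1 ]; then
  recover_root_volume "$@"
fi
```

After the instance boots and you are back in over SSH, restore the backup's intent properly: sudo ufw allow ssh, then sudo ufw enable, and confirm with sudo ufw status verbose before closing the session.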
Lessons Learned
AWS security groups control what can reach the instance, but a host firewall like UFW can still drop that traffic from the inside; both layers have to allow port 22.
Always add the SSH rule (port 22/tcp) before enabling a firewall on a remote server, and test a fresh connection from a second terminal before closing the session you enabled it from.
Back up the instance or create an AMI snapshot before making security changes.
On Nitro-based instances the EC2 Serial Console gives you an out-of-band login that does not depend on the network (it needs an OS user with a password set), which avoids the volume-swap dance entirely.
Preventive Tip: Configure UFW Properly First
sudo ufw allow ssh # or: sudo ufw allow 22/tcp
sudo ufw enable
sudo ufw status verbose # confirm 22/tcp ALLOW IN appears before you log out
Conclusion
SSH issues on EC2 aren’t always about AWS; sometimes the block is your own host firewall, and the console will look perfectly healthy while it drops your packets.