
Elastic Compute Service:Troubleshoot the issue that security group rules applying to an ECS instance do not take effect

Last Updated:Dec 18, 2024

You have added security group rules for a certain port to a security group of your Elastic Compute Service (ECS) instance in the ECS console, but the rules do not seem to take effect, and access to the application or service running on the instance fails. This topic provides methods for troubleshooting the issue. Keep in mind that a security group only controls which traffic is allowed to reach the instance; whether the instance then accepts and answers that traffic depends on the service, its listen address, and the system firewall of the guest operating system.

Causes

The issue may arise due to the following reasons:

  • The security group is not specified for your ECS instance.

  • The application or service deployed on your ECS instance is not running properly.

  • The port listener is not working properly.

  • The listener is bound to only one specific IP address of the instance.

  • The security group rules that are configured do not match your expectations.

  • The system firewall of the guest operating system on your ECS instance blocks the port.

Solutions

To troubleshoot this issue, try the following solutions:

Check whether the security group is specified for your ECS instance

If the security group is not specified for your ECS instance, the rules in the security group do not apply to the ECS instance.

Go to the Instance Details page and check whether the desired security group is specified for your ECS instance. For more information, see View instance information.

Note

You can specify multiple security groups for an ECS instance. For details, see Manage ECS instances in security groups.

Check the service status and port listening status

If the service deployed on your ECS instance is not running, or no process is listening on the port, connection requests that the security group allows through still reach the instance but are not answered, leading to connection failures. For information about checking the service status and port listening status, see Check the status of the service and the listening status of the port of the service.

Check whether the port listener is configured to listen to an appropriate IP address

The IP address that the port listener is bound to determines which requests your service receives:

  • If the port listener is bound to 0.0.0.0 (the IPv4 wildcard address; [::] is the IPv6 equivalent), your service receives requests sent to any IPv4 address of any network interface on your ECS instance.

  • If the port listener is bound to a specific IP address, your service receives only requests sent to that address.

In neither case does the listen address restrict the source IP address of requests; controlling sources is the job of security group rules and the system firewall.

For example, if your ECS instance has two IP addresses, 192.168.XX.XX and 10.0.XX.XX, and the port listener is bound to 192.168.XX.XX, your service receives only requests sent to 192.168.XX.XX. Requests sent to 10.0.XX.XX or any other address are refused by the operating system (for TCP, with a RST segment, which clients report as "connection refused"), even if the security group rules allow them.

Check whether the security group rules are properly configured

Review the security group rules you configured. For details, see Check the security group rules of the ECS instance.

  • Ensure that the direction (inbound), protocol, port range, and source CIDR block of the rules match your expectations and that the rules allow requests to your service as intended. A rule for TCP does not cover a UDP service, and a rule whose source is a single address or an internal CIDR block does not admit requests from the Internet.

  • If your ECS instance is associated with multiple security groups, check whether the desired rules are overridden by rules with a higher priority in this or another security group. Priority 1 is the highest; when an allow rule and a deny rule have the same priority, the deny rule takes precedence.

Note

Refer to Security groups for different use cases for example configurations of security group rules in common service scenarios, such as providing web-based services on a website and connecting to a remote ECS instance.

For more information about security group rules, see Security group rules.

Check whether the system firewalls of your ECS instance are blocking the port

Check the configurations of the system firewalls on your ECS instance and ensure they do not conflict with the security group rules and block the port. For details, see Check the firewall settings of the ECS instance.

Note

You may choose to disable the system firewall and rely completely on security groups. If you do so, make sure the security group rules alone express the intended access policy, because the host-level filtering layer is then gone. For instructions, see Enable or disable the system firewall on a Linux ECS instance.
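The two checks that live on the instance itself, the listen address of the port and the system firewall, can be scripted. The following is an added example written for this page, not a tool provided by Alibaba Cloud or taken from the linked topics. It parses the output formats of `ss -tlnp` and `iptables -S INPUT` on a Linux instance; the function names `listen_scope` and `firewall_verdict`, and the sample outputs in `SAMPLE_SS` and `SAMPLE_FW`, are constructed for the illustration. Both functions run against the live system when called with only a port, or against captured output when it is passed as the second argument.

```shell
#!/bin/sh
# Added example (not part of the original page): host-side checks for a port
# on a Linux ECS instance. Parsing live output needs root for process names
# (ss) and for reading rules (iptables).

# listen_scope PORT [SS_OUTPUT]
# Prints "wildcard <addr>" when the first listener on PORT is bound to
# 0.0.0.0, * or [::], "specific <addr>" when it is bound to one address, and
# "none" when nothing listens on PORT at all. Only the first matching
# socket is reported.
listen_scope() {
    port="$1"
    input="${2:-$(ss -tlnp 2>/dev/null)}"
    printf '%s\n' "$input" | awk -v port="$port" '
        $1 == "LISTEN" {
            laddr = $4
            n = split(laddr, parts, ":")
            p = parts[n]
            if (p != port) next
            # drop the trailing ":<port>"; [::] keeps its brackets
            addr = substr(laddr, 1, length(laddr) - length(p) - 1)
            if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
                print "wildcard " addr
            else
                print "specific " addr
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# firewall_verdict PORT [IPTABLES_OUTPUT]
# Prints the target (ACCEPT, DROP, REJECT, ...) of the first INPUT rule that
# matches --dport PORT, or "policy <chain policy>" when no rule names the
# port, since the chain policy is then what the packet gets. Simplified:
# it ignores the protocol and does not expand multiport --dports lists.
firewall_verdict() {
    port="$1"
    input="${2:-$(iptables -S INPUT 2>/dev/null)}"
    printf '%s\n' "$input" | awk -v port="$port" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            matched = 0; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "--dport" && $(i + 1) == port) matched = 1
                if ($i == "-j") target = $(i + 1)
            }
            if (matched) { print target; found = 1; exit }
        }
        END { if (!found) print "policy " (policy == "" ? "unknown" : policy) }'
}

# Constructed sample output in the format of `ss -tlnp`: a service bound to a
# single private address on 8080, sshd on the IPv4 wildcard, nginx on [::].
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    192.168.1.10:8080   0.0.0.0:*         users:(("python3",pid=1234,fd=3))
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=800,fd=3))
LISTEN 0      511    [::]:80             [::]:*            users:(("nginx",pid=900,fd=6))'

# Constructed sample output in the format of `iptables -S INPUT`: default
# DROP policy, SSH allowed, 8080 explicitly rejected.
SAMPLE_FW='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j REJECT --reject-with icmp-port-unreachable'

# Demo against the samples; omit the second argument to inspect the live host.
printf 'port 8080 listener: %s\n' "$(listen_scope 8080 "$SAMPLE_SS")"
printf 'port 8080 firewall: %s\n' "$(firewall_verdict 8080 "$SAMPLE_FW")"
printf 'port 443  firewall: %s\n' "$(firewall_verdict 443 "$SAMPLE_FW")"
```

In the sample, port 8080 fails for two independent reasons that a correct security group rule cannot fix: the service is bound only to 192.168.1.10, so requests to any other address of the instance are refused, and the firewall rejects the port outright. A result of `specific <addr>` means the service must be reconfigured to bind to 0.0.0.0 (or to the address that clients actually use), and anything other than `ACCEPT` from the firewall check means a host rule or the chain policy is discarding the traffic that the security group let through.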

Reference

What do I do if I cannot access a service deployed on an instance?