Can’t connect to Elastic Beanstalk instance using SSH? We can help you.

Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.

Today, let us see how we can troubleshoot this issue.

Can’t connect to Elastic Beanstalk instance using SSH

In order to troubleshoot, our Support Techs recommend confirming the following before we connect to the instance using SSH.

1. The Amazon EC2 instance is in a public subnet and has a public IP address.
2. We have an inbound rule on port 22 on the security group that allows the IP addresses to connect to the instance.

In addition, we need to verify that we meet the following general prerequisites.

• Get information about your instance

a) Initially, we need to get the ID of the instance.

b) Get the public DNS name of the instance.

c) (IPv6 only) Get the IPv6 address of the instance.

d) Get the user name for the instance.

We can use the user name for the user account or the default user name for the AMI that we used to launch your instance.

e) Get the user name for the user account.

f) Get the default user name for the AMI that we used to launch the instance:

Amazon Linux 2 or the Amazon Linux AMI - ec2-user.
CentOS AMI - centos or ec2-user.
Debian AMI - admin.
Fedora AMI - fedora or ec2-user.
RHEL AMI - ec2-user or root.
SUSE AMI - ec2-user or root.
Ubuntu AMI - ubuntu.
Oracle AMI - ec2-user.
Bitnami AMI - bitnami.

Otherwise, our Support Techs recommend checking with the AMI provider.

• Enable inbound traffic to your instance

We need to make sure that the associating security group of the instance allows incoming SSH traffic from our IP address.

The default security group for the VPC does not allow incoming SSH traffic by default.

However, the security group created by the launch instance wizard enables SSH traffic by default.

• Locate the private key and set the permissions

We need the fully qualified path to the location of the .pem file for the key pair that we specify.

In case we use an SSH client on a macOS or Linux computer to connect to the instance, we use the below command.

chmod 400 my-key-pair.pem

This will set the permissions of the private key file so that only we can read it.

If we don’t set them, we cannot connect to the instance using this key pair.

• (Optional) Get the instance fingerprint

Our Support Techs recommend this a good practice to protect ourselves from man-in-the-middle attacks.

We can verify the RSA key fingerprint when we connect to the instance.

Generally, it is useful if we launch the instance from a public AMI from a third party.

To obtain the fingerprint, on the local computer, we use the following AWS CLI command:

aws ec2 get-console-output --instance-id instance_id --output text

For example, our output will be similar to the following.

However, it can vary depending on the operating system, AMI version, and whether we created the AWS key.

ec2: #############################################################
ec2: -----BEGIN SSH HOST KEY FINGERPRINTS-----
ec2: 1024 SHA256:7HItIgTONZ/b0CH9c5Dq1ijgqQ6kFn86uQhQ5E/F9pU root@ip-10-0-2-182 (DSA)
ec2: 256 SHA256:l4UB/neBad9tvkgJf1QZWxheQmR59WgrgzEimCG6kZY root@ip-10-0-2-182 (ECDSA)
ec2: 256 SHA256:kpEa+rw/Uq3zxaYZN8KT501iBtJOIdHG52dFi66EEfQ no comment (ED25519)
ec2: 2048 SHA256:L8l6pepcA7iqW/jBecQjVZClUrKY+o2cHLI0iHerbVc root@ip-10-0-2-182 (RSA)
ec2: -----END SSH HOST KEY FINGERPRINTS-----
ec2: #############################################################

In addition, timeout issues or connection failures may continue due to high memory utilization.

Conclusion

In short, we saw how our Support Techs troubleshoot the Elastic Beanstalk error.