We come across the EC2 yum error: Connection timed out XXXX milliseconds when we use yum on Amazon EC2 instance running Amazon Linux 1 or Amazon Linux 2.
Here, at Bobcares, we assist our customers with several AWS queries as part of our AWS Support Services.
Today, let us see how to fix this error.
EC2 yum error: Connection timed out XXXX milliseconds
1. First and foremost, we verify that the security group allows outbound http/https traffic.
2. Then we verify the network ACLs associated with the EC2 instance’s subnet allows outbound http/https traffic through NACLs.
For example, here, we can see a custom network ACL that allows outbound traffic on ports 80 and 443:
Inbound rules Rule# Type Protocol Port Range Source Allow/Deny 100 Custom TCP Rule TCP (6) 1024-65535 0.0.0.0/0 ALLOW 101 Custom TCP Rule TCP (6) 1024-65535 ::/0 ALLOW * ALL Traffic ALL ALL ::/0 DENY * ALL Traffic ALL ALL 0.0.0.0/0 DENY
Outbound rules Rule # Type Protocol Port Range Source Allow/Deny 100 HTTP (80) TCP (6) 80 0.0.0.0/0 ALLOW 101 HTTPS (443) TCP (6) 443 0.0.0.0/0 ALLOW 102 HTTP (80) TCP (6) 80 ::/0 ALLOW 103 HTTPS (443) TCP (6) 443 ::/0 ALLOW * ALL Traffic ALL ALL ::/0 DENY * ALL Traffic ALL ALL 0.0.0.0/0 DENY
3. After that, we verify that the EC2 instance has access to Amazon Linux repositories.
To check that, our Support Techs recommend either of the following methods.
1. Instance in a public subnet with an Internet Gateway
To enable access to or from the internet for instances in a subnet in a VPC, we:
- Create an internet gateway and attach it to the VPC.
- Add a route to the subnet’s route table that directs internet-bound traffic to the internet gateway.
- Make sure instances in the subnet have a globally unique IP address.
- Ensure that the network access control lists and security group rules allow the relevant traffic.
2. Instance in a private subnet with a NAT Gateway.
To connect to services outside the VPC we use a NAT gateway for instances in a private subnet. However, external services cannot initiate a connection with those instances.
To do so, we follow the steps below.
- Initially, we open the Amazon VPC console.
- In the navigation pane, we select NAT Gateways.
- Then we select Create NAT Gateway and perform the below tasks:
- We specify a name for the NAT gateway if necessary.
- Select the subnet in which to create the NAT gateway.
- To create a private NAT gateway, we select Private or Public to create a public NAT gateway for Connectivity type.
- In the case of Public, for Elastic IP allocation ID, select an Elastic IP address.
- Finally, we select Create a NAT Gateway.
- Once the status of the NAT gateway change from Pending to Available, it is ready to use.
3. Instance in a private subnet with a NAT Instance
To set up the VPC and NAT instance using the console, our Support Techs recommend these steps:
1. Initially, we create a VPC with two subnets.
- After creating, we attach an Internet gateway to the VPC
- Then we create a custom route table to send traffic destined outside the VPC to the internet gateway, and then associate it with one subnet, making it a public subnet.
2. Next, we create the NATSG security group.
3. To run as a NAT instance, we launch an instance into the public subnet from an AMI.
- Open the Amazon EC2 console.
- On the dashboard, we select the Launch Instance button, and complete the wizard as follows:
- On the Choose an Amazon Machine Image (AMI) page, we set the filter to Owned by me, then select the AMI.
- Then on the Choose an Instance Type page > select instance type > Configure Instance Details.
- On the Configure Instance Details page, select the VPC and select the public subnet.
- We can also add storage to the instance, and add tags. Once done, we select Next: Configure Security Group.
- Here, we select the Select an existing security group option, and select the NATSG security group > Review and Launch.
- Once done, review and make changes, and then select Launch.
4. Then we go ahead and disable the SrcDestCheck attribute for the NAT instance
5. Suppose we didn’t assign a public IP address to the NAT instance during launch. In that case, we associate an Elastic IP address with it.
- To do so, we open the Amazon VPC console.
- In the navigation pane > Elastic IPs > Allocate new address.
- After that, select the Elastic IP address from the list > Actions > Associate address.
- We select the network interface resource, then select the network interface for the NAT instance. Select the address to associate the Elastic IP with from the Private IP list > Associate.
- Then we update the main route table to send traffic to the NAT instance.
4. Instance in a private subnet with a proxy
We modify the /etc/yum.conf file to configure yum to use a proxy:
proxy=http://proxy-server-IP-address:proxy_port proxy_username=proxy-user-name proxy_password=proxy-password
4. Once we configure the instance using one of the preceding options, to confirm that the instance can access the repository we run:
Amazon Linux 1:
telnet repo.us-east-1.amazonaws.com 80
Amazon Linux 2:
telnet amazonlinux.us-east-1.amazonaws.com 80
Here, ensure to replace us-east-1 with the instance’s region.
[Need help with the fix? We’d be happy to assist you]
In short, we saw how our Support Techs fix the EC2 yum error for our customers.