Problem scenario: You have two AWS instances in the same security group. The Security Group has rules for "All TCP" associated with both the public IP address (visible in the EC2 portion of the AWS Console) and the private IP address (found when you issue an "ifconfig" at the OS level of the server). You find that the servers cannot ping each other. You cannot SSH from one to the other either.
How do you get AWS instances to be able to ping each other?
Root cause: The AWS Security Group rules are not properly configured for the servers to communicate with each other. There is a difference between "All traffic" and "All TCP." The "Type" options "All TCP" and/or "TCP" will not allow pings to work. Pings are ICMP echo requests.
Solution
Do the following:
- Find the IP address of each server at the OS level (e.g., with an "ifconfig" command).
- Go to "Security Groups" in the AWS Console.
- Click on the radio button for the security group that governs the instances (this step will not apply if you only have one security group).
- Go to the "Inbound" tab near the bottom then click the "Edit" button.
- Create a rule with Type "All traffic", and for the field with the IP address, use one of the IP addresses above with a "/32" at the end. The result should be like this: x.x.x.x/32
- Create a rule with Type "All traffic", and for the field with the IP address, use the other IP address from above with a "/32" at the end. The result should be like this: x.x.x.x/32
- Click save.
Relevant parting tips:
To have a more secure Security Group and have pings work without other communication working, for "Type" use "All ICMP - IPv4" (instead of "All Traffic"). Remember that SSH will not work when you have hardened your Security Group with such a configuration.
The Public IP address is usually not relevant for configuring AWS Security Groups for the purposes of allowing TCP/IP networking between instances.
Optional reading: You may want to view this article on troubleshooting network problems.