What causes AWS EC2 Instance Unreachable — SSH/RDP Connection Refused?

Security Group inbound rule missing for SSH (22) or RDP (3389) from source IP • Network ACL denying inbound or outbound on the port • Instance in private subnet with no NAT, VPN or bastion route • OS firewall (iptables/Windows Firewall) blocking connection • Wrong key pair used or instance launched without key pair • Instance CPU/memory exhausted — OS unresponsive but running

How do I resolve AWS EC2 Instance Unreachable — SSH/RDP Connection Refused?

Add/fix Security Group inbound rule for your source IP — most common fix • Fix NACL to allow both inbound port AND outbound ephemeral return traffic • Use Session Manager (no port 22) for OS-level diagnosis without network changes • Detach and reattach OS volume to a recovery instance if OS is unresponsive • Migrate to Session Manager long-term to remove public SSH/RDP exposure

How do I prevent AWS EC2 Instance Unreachable — SSH/RDP Connection Refused?

Use AWS Systems Manager Session Manager instead of open SSH/RDP ports • Never open 0.0.0.0/0 on port 22 or 3389 in production Security Groups • Enable VPC Flow Logs to diagnose future connectivity issues with packet-level evidence

P2 · Cloud & Hybrid Infrastructure

AWS EC2 Instance Unreachable — SSH/RDP Connection Refused

An EC2 instance is unreachable via SSH or RDP. Common causes include Security Group or NACL rules blocking the port, instance in stopped/terminated state, OS-level firewall, wrong key pair or password, or the instance being in a private subnet with no routing to the bastion/VPN.

Indicators

ssh: connect to host <ip> port 22: Connection timed out
EC2 Instance Connect or Session Manager also fails
Instance shows 'running' in console but no response
Status checks passing (2/2) but port unreachable
RDP returns 'Remote Desktop can't connect' or times out

Likely causes

Security Group inbound rule missing for SSH (22) or RDP (3389) from source IP
Network ACL denying inbound or outbound on the port
Instance in private subnet with no NAT, VPN or bastion route
OS firewall (iptables/Windows Firewall) blocking connection
Wrong key pair used or instance launched without key pair
Instance CPU/memory exhausted — OS unresponsive but running

Diagnostic steps

EC2 Console > Instance > Security tab — verify inbound Security Group rule allows port 22/3389 from your IP or 0.0.0.0/0 for testing
Check Network ACLs on the subnet: VPC > Subnets > select subnet > Network ACL tab — verify inbound and outbound rules allow the port and ephemeral return traffic (1024-65535)
Verify route table: does the subnet have a route to an IGW (public) or is it private requiring VPN/bastion access?
Use EC2 Serial Console or EC2 Instance Connect (browser-based) to get OS-level access without SSH — diagnose firewall rules and sshd status
Check system log: EC2 Console > Actions > Monitor and troubleshoot > Get system log — verify OS booted cleanly
If CPU credit exhausted (T-series): check CloudWatch CPUCreditBalance metric — burst credit depletion causes severe throttling

Resolution path

Add/fix Security Group inbound rule for your source IP — most common fix
Fix NACL to allow both inbound port AND outbound ephemeral return traffic
Use Session Manager (no port 22) for OS-level diagnosis without network changes
Detach and reattach OS volume to a recovery instance if OS is unresponsive
Migrate to Session Manager long-term to remove public SSH/RDP exposure

Prevention

Use AWS Systems Manager Session Manager instead of open SSH/RDP ports
Never open 0.0.0.0/0 on port 22 or 3389 in production Security Groups
Enable VPC Flow Logs to diagnose future connectivity issues with packet-level evidence

Tools

EC2 Console — Security Groups, Network ACLs, Instance Connect
EC2 Serial Console
AWS VPC Reachability Analyzer
CloudWatch — CPU, network metrics
AWS Systems Manager Session Manager (no port 22 needed)

awsec2sshrdpsecurity-groupnaclvpccloud