I have a single VPC with one internet gateway and some subnets that are shared across multiple AWS Organization accounts using RAM. The VPC is protected with a Security Group that is managed by Firewall Manager to ensure it is replicated to all of the accounts that are granted access to the shared subnets. And, the subnets are protected by NACLs. The NACLs and SGs are configured to allow bi-directional communication on ports 80, 443, 22, and some ICMP ports. This all appears to be working normally.
But, when I go into an account that the subnets are shared with and launch an ec2 instance into a shared subnet that has a route to the internet gateway (public subnet), I simply can't ssh into the ec2 instance and I'm looking for some suggestions as to what I may be doing wrong.
So far I've:
- confirmed that the NACLs permit bi-directional TCP connections on port 22
- confirmed that security group permits TCP connections on port 22
- confirmed that the public subnet the instance is attached to has a route to the internet gateway
- confirmed that the instance has a public IP address associated with a network interface
- confirmed that the OS of the instance isn't the cause of the problem. I launched the exact same image and configuration into another VPC and subnet that aren't shared, and was able to SSH into it.
- run network analyzer to confirm that a path exists between the internet gateway and the network interface of the instance
- pinged the instance on its public IP from outside of the network
- run nmap on the port and public IP, from outside the network - which shows it as filtered
Does anyone have experience with subnet sharing in AWS and have some suggestions as to why ec2 instances on shared subnets might not accept ssh connections? Thanks in advance.
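The checklist in this post tests the NACL and security group rules by inspection. As an added example (not code from the original post or from AWS), here is a small offline evaluator that applies the documented AWS semantics to constructed rule sets shaped like `describe-network-acls` entries and `describe-security-groups` IP permissions: NACL rules are stateless and evaluated in ascending RuleNumber order with first match deciding, so an SSH session needs an inbound match on destination port 22 *and* an outbound match for the reply to the client's ephemeral port; security groups are stateful, so one inbound rule suffices. The rule sets, client address and ephemeral port below are constructed for illustration.

```python
"""Offline model of AWS NACL and security-group evaluation (added example).

NACL semantics modelled: stateless, inbound and outbound checked separately,
rules applied in ascending RuleNumber order, first match wins, anything
unmatched hits the catch-all deny (RuleNumber 32767 in the API output).
Security-group semantics modelled: stateful, so only the inbound rule is needed.
"""
import ipaddress

# Constructed NACL entries in the shape of `aws ec2 describe-network-acls`.
# Protocol "6" is TCP, "-1" is all protocols; PortRange is inclusive.
# For inbound entries CidrBlock is the source, for outbound it is the destination;
# PortRange is always the destination port of the packet being evaluated.
NACL_PORT22_ONLY = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},
]

# Same NACL plus an outbound allow for the ephemeral port range the reply uses.
NACL_WITH_EPHEMERAL = NACL_PORT22_ONLY + [
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
]

# Constructed security-group inbound permissions (shape of IpPermissions).
SG_SSH = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]


def _nacl_entry_matches(entry, proto, remote_ip, dst_port):
    """True if a single NACL entry applies to this packet."""
    if entry["Protocol"] not in ("-1", proto):
        return False
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    pr = entry.get("PortRange")
    if pr is not None and not (pr["From"] <= dst_port <= pr["To"]):
        return False
    return True


def nacl_decision(entries, egress, proto, remote_ip, dst_port):
    """Return (action, rule_number) of the first matching rule in one direction."""
    candidates = sorted((e for e in entries if e["Egress"] == egress),
                        key=lambda e: e["RuleNumber"])
    for entry in candidates:
        if _nacl_entry_matches(entry, proto, remote_ip, dst_port):
            return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None  # nothing matched at all: implicit deny


def ssh_flow_allowed(entries, client_ip, client_port=51234):
    """Evaluate both halves of a TCP/22 session through a stateless NACL.

    Inbound:  client_ip:client_port -> instance:22   (dst port 22)
    Outbound: instance:22 -> client_ip:client_port   (dst port = ephemeral)
    """
    inbound = nacl_decision(entries, False, "6", client_ip, 22)
    outbound = nacl_decision(entries, True, "6", client_ip, client_port)
    return {
        "inbound": inbound,
        "outbound": outbound,
        "allowed": inbound[0] == "allow" and outbound[0] == "allow",
    }


def sg_allows_inbound(ip_permissions, proto, client_ip, dst_port):
    """Stateful check: a matching inbound permission is enough, replies are implied."""
    for perm in ip_permissions:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= dst_port <= perm["ToPort"]):
            continue
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_address(client_ip) in ipaddress.ip_network(rng["CidrIp"]):
                return True
    return False


if __name__ == "__main__":
    client = "203.0.113.10"  # constructed client address
    for name, acl in (("port-22-only", NACL_PORT22_ONLY), ("with-ephemeral", NACL_WITH_EPHEMERAL)):
        print(name, ssh_flow_allowed(acl, client))
    print("sg inbound 22:", sg_allows_inbound(SG_SSH, "tcp", client, 22))
```

Run it as-is to see the two NACL variants side by side; to apply it to a real VPC, replace the constructed lists with the `Entries` and `IpPermissions` arrays from the corresponding `aws ec2 describe-*` output. From outside the VPC, a SYN that reaches the instance but whose SYN-ACK is dropped on the way out produces the same nmap "filtered" result as a SYN dropped on the way in, so the external scan alone cannot tell the two cases apart; VPC Flow Logs on the instance's network interface can.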