I have created a new EC2 instance `api1-new` in the same subnet, same VPC and using the same security groups as an old instance `api1-old`. `api1-new` was created from an Ubuntu Linux AMI that already has several users pre-configured, and additionally, I launched it with an Amazon key pair.

1. I cannot connect by `ssh -vvv -p Y my_alias` nor `ssh -vvv -p Y X.X.X.X` from my bastion server, which is in a different subnet from the api1 instances. The first and only error message in the ssh output is: `debug1: connect to address X.X.X.X port Y: Connection refused`
2. I can connect to `api1-old` from the same bastion server using the same port, logged in as the same user as in 1.
3. I can connect to `api1-new` from my gitlab runner, which is in a third subnet, logged in as the same user as in 1.
4. I can connect from the same bastion server, logged in as the same user, to an instance launched (some time ago, by a colleague) from the same AMI as `api1-new` into the third subnet.
5. I have placed default ACLs (all traffic allowed) on all three subnets involved, but still cannot connect.
6. When I add a ping security group to `api1-new`, I can ping to it from the bastion server, logged in as the same user as in 1.
7. The `$HOME` folder, `$HOME/.ssh` folder and `$HOME/.ssh/authorized-keys` are rigorously the same (permissions and content) on `api1-new`, `api1-old` and on the server mentioned in 4.
8. I cannot connect from the bastion server to `api1-new` using the Amazon key pair I created for launching `api1-new`, whether connecting as ubuntu or as my normal user. The MD5 fingerprint of the private key on the bastion server is identical to what I see in the system log of `api1-new`.
The api1 instances don't have public IP addresses.
I feel I am missing some part of the puzzle in addition to security groups, ACLs and authorized_keys.
I wonder if there is some way to log refused SSH connections on api1-new to get the reason why the connection was refused.
Thanks to wesleywh for the suggestion to look at /etc/ssh/sshd_config!
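A TCP-level `Connection refused` means nothing accepted the connection on that address and port, which is exactly what a `Port` or `ListenAddress` in `/etc/ssh/sshd_config` that does not match the `-p Y` used by the client produces. Added here as an example, not code from the question or its answers: a shell script that parses an sshd_config and lists the ports sshd would bind, so the client's port can be checked against it; the config file path and sample contents are constructed.

```shell
#!/usr/bin/env bash
# Constructed example: derive sshd's listening ports from a config file and
# compare them with the port the client uses.

# Print, one per line, the TCP ports sshd would listen on for $1 (a config
# file). Rules applied: comments and blank lines are skipped; every "Port N"
# counts; "ListenAddress host:port" or "[v6]:port" binds that port only,
# while a ListenAddress without a port uses all Port values; with no Port
# at all the default is 22; directives after the first Match are conditional
# and ignored. The "key=value" spelling is not handled.
sshd_listen_ports() {
    local cfg="$1"
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { key = tolower($1) }
        key == "match" { exit }                 # END still runs after exit
        key == "port" { ports[$2] = 1; np++; next }
        key == "listenaddress" {
            addr = $2
            if (addr ~ /^\[.*\]:[0-9]+$/ || addr ~ /^[^:]+:[0-9]+$/) {
                sub(/.*:/, "", addr); la_ports[addr] = 1; nla++
            } else { la_default = 1 }
            next
        }
        END {
            if (np == 0) ports[22] = 1
            for (p in la_ports) print p
            if (la_default || nla == 0) for (p in ports) print p
        }' "$cfg" | sort -un
}

# Exit 0 if port $2 is one sshd would bind according to config $1, else 1.
port_configured() {
    local cfg="$1" port="$2"
    sshd_listen_ports "$cfg" | grep -qx "$port"
}

# On the instance itself: show the effective values sshd actually applies
# (sshd -T prints the parsed configuration) and whether anything is bound
# on the port right now. Run as: live_check Y
live_check() {
    local port="$1"
    sudo sshd -T 2>/dev/null | awk 'tolower($1) == "port" || tolower($1) == "listenaddress"'
    ss -ltn "( sport = :$port )"
}
```

If `live_check` shows no listener on `Y` while `sshd -T` reports a different `port`, the refusal comes from the host, not from security groups or ACLs.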