AWS · VPC Connectivity

AWS EC2 Instance Has No Internet: How to Fix It

When an EC2 instance can't reach the internet, the cause is one of five things in the VPC path. Work through them in order; the answer is almost always a missing route, a missing public IP, or a NAT gateway problem.

Public subnet checklist

  • Route to the Internet Gateway: the subnet's route table must have 0.0.0.0/0 → igw-xxxx, and the IGW must be attached to the VPC.
  • Public IP / Elastic IP: the instance needs a public IPv4 or an EIP. A private-only instance in a public subnet still can't reach the internet directly.
  • Security group egress: the SG must allow outbound (default allows all; a locked-down SG may not).
  • Network ACL: the subnet NACL must allow outbound and the return traffic (NACLs are stateless — allow ephemeral ports inbound for replies).

Private subnet

An instance in a private subnet reaches the internet through a NAT gateway, not an IGW. Confirm: a NAT gateway exists in a public subnet, and the private subnet's route table points 0.0.0.0/0 → nat-xxxx.

How to diagnose fast

Use VPC Reachability Analyzer (source = instance ENI, destination = an internet IP) — it pinpoints the exact hop that blocks the path. Or check, in order: route table → IGW/NAT → public IP → SG → NACL.
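The same check order as a small offline evaluator, added here as an illustration (it is not Tech Matrix or AWS code). It assumes input dicts shaped like the EC2 DescribeRouteTables, DescribeInstances, DescribeSecurityGroups and DescribeNetworkAcls responses; the function names and all sample values are constructed, and it only covers the instance's own subnet, not the NAT gateway's public subnet.

```python
import ipaddress

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def nacl_allows(entries, egress, peer_ip, port, proto="6"):
    """NACL: the lowest-numbered matching rule decides; no match means deny."""
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress or e["Protocol"] not in ("-1", proto):
            continue
        pr = e.get("PortRange")
        if in_cidr(peer_ip, e["CidrBlock"]) and (pr is None or pr["From"] <= port <= pr["To"]):
            return e["RuleAction"] == "allow"
    return False

def sg_allows_egress(group, dst_ip, port, proto="tcp"):
    """Security group: stateful allow-list, any matching egress rule permits."""
    for p in group["IpPermissionsEgress"]:
        if p["IpProtocol"] == "-1" or (p["IpProtocol"] == proto and p["FromPort"] <= port <= p["ToPort"]):
            if any(in_cidr(dst_ip, r["CidrIp"]) for r in p.get("IpRanges", [])):
                return True
    return False

def first_blocking_hop(routes, instance, group, nacl, dst_ip="203.0.113.10", port=443, reply_port=50000):
    """Check route table, IGW/NAT, public IP, SG, NACL in order; return first blocker or None."""
    # EC2 reports a route whose target is detached or deleted as State "blackhole".
    default = next((r for r in routes if r.get("DestinationCidrBlock") == "0.0.0.0/0"
                    and r.get("State") == "active"), None)
    if default is None:
        return "route table: no active 0.0.0.0/0 route"
    via_igw = default.get("GatewayId", "").startswith("igw-")
    if not via_igw and not default.get("NatGatewayId"):
        return "route table: 0.0.0.0/0 targets neither an IGW nor a NAT gateway"
    if via_igw and not instance.get("PublicIpAddress"):
        return "public IP: instance has no public IPv4 or EIP"
    if not sg_allows_egress(group, dst_ip, port):
        return "security group: egress not allowed"
    if not nacl_allows(nacl, True, dst_ip, port):
        return "NACL: outbound denied"
    if not nacl_allows(nacl, False, dst_ip, reply_port):  # stateless: replies need an inbound rule
        return "NACL: return traffic to ephemeral port denied"
    return None

# Constructed sample: public subnet, open SG, NACL missing the inbound ephemeral-port rule.
ROUTES = [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]
INSTANCE = {"PublicIpAddress": "198.51.100.7"}
SG = {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
NACL = [{"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}}]
print(first_blocking_hop(ROUTES, INSTANCE, SG, NACL))
```

The sample NACL allows inbound 443 only, so the outbound request leaves but the reply to the instance's ephemeral port is dropped, which is the stateless-return case from the checklist.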

The fix

Add the missing 0.0.0.0/0 route (to the IGW for public, NAT for private), assign a public IP/EIP, open SG egress, and fix the NACL (remember the stateless return rule). Re-test from the instance.

How Tech Matrix solves this in ~60 seconds

The VPC path has five places to break and the console makes you click through all of them. Tech Matrix checks the route table, IGW/NAT, public IP, security group and NACL together, names the exact blocking hop, and gives the fix — with your approval on any change.

Frequently asked questions

Why can't my EC2 instance reach the internet?

One of: no 0.0.0.0/0 route to an Internet Gateway, no public IP/EIP, blocked security-group egress, a NACL blocking outbound or return traffic, or (private subnet) no NAT gateway route.

Do private subnet instances need a NAT gateway?

Yes. Private subnets reach the internet through a NAT gateway in a public subnet, with the private route table pointing 0.0.0.0/0 to the NAT gateway.

How do I troubleshoot AWS VPC connectivity?

Use VPC Reachability Analyzer to find the blocking hop, or check route table, IGW/NAT, public IP, security group, and NACL in order.