
ssh: connect to host ec2-xxxxxxxx.compute-1.amazonaws.com port 22: Connection refused


I first list the EMR clusters:

✗ aws emr list-clusters
{
    "Clusters": [
        {
            "Id": "j-MQIKB378OARL",
            "Name": "Spark cluster",
            "Status": {
                "State": "WAITING",
                "StateChangeReason": {
                    "Message": "Cluster ready after last step failed."
                },
                "Timeline": {
                    "CreationDateTime": 1524200251.319,
                    "ReadyDateTime": 1524201100.225
                }
            },
            "NormalizedInstanceHours": 6
        },

Then I try to connect:

✗ aws emr ssh --cluster-id j-MQIKB378OARL --key-pair-file ~/.ssh/keys/key-pair.pem
ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=10 -i /Users/myuser/.ssh/keys/key-pair.pem hadoop@ec2-xxxxxxxxxx.compute-1.amazonaws.com -t
ssh: connect to host ec2-xxxxxxxxxx.compute-1.amazonaws.com port 22: Connection refused

Am I missing something?


Solution

  • It seems that the security group of your instance does not allow incoming ssh traffic.

    From the AWS documentation:

    Security groups enable you to control traffic to your instance, including the kind of traffic that can reach your instance. For example, you can allow computers from only your home network to access your instance using SSH. If your instance is a web server, you can allow all IP addresses to access your instance using HTTP or HTTPS, so that external users can browse the content on your web server.

    To add a rule to a security group for inbound SSH traffic over IPv4 using the console:

    1. In the navigation pane of the Amazon EC2 console, choose Instances. Select your instance and look at the Description tab; Security groups lists the security groups that are associated with the instance. Choose view rules to display a list of the rules that are in effect for the instance.

    2. In the navigation pane, choose Security Groups. Select one of the security groups associated with your instance.

    3. In the details pane, on the Inbound tab, choose Edit. In the dialog, choose Add Rule, and then choose SSH from the Type list.

    4. In the Source field, choose My IP to automatically populate the field with the public IPv4 address of your local computer. Alternatively, choose Custom and specify the public IPv4 address of your computer or network in CIDR notation. For example, if your IPv4 address is 203.0.113.25, specify 203.0.113.25/32 to list this single IPv4 address in CIDR notation. If your company allocates addresses from a range, specify the entire range, such as 203.0.113.0/24.

    5. Choose Save.