We may have faced this issue on connecting to the Amazon repo to download/install packages, like Mysql, Apache, Nginx, etc.
We may get a connection time-out error when we run the sudo apt install mysql-server command. The error can occur for any package, in our example, we are installing a MySQL server.
Error
root@ip-10-9-9-58:/home/ubuntu# sudo apt install mysql-server
Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (52.91.65.63), connection timed out Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (52.207.133.243), connection timed out Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (54.87.19.168), connection timed out Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (54.165.17.230), connection timed out Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (3.87.126.146), connection timed out Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (3.209.10.109), connection timed out Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (18.232.150.247), connection timed out Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (34.201.250.36), connection timed out Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (34.237.137.22), connection timed out Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (52.73.36.184), connection timed outThe issue may occur in private or public instances. The most common solution is to first check the security groups assigned to your instance.
Steps
Login to your AWS console > EC2 > Security Groups,
Click on the Edit Outbound rules tab, then on Edit outbound rules.
Ensure we have HTTP TCP protocol for port 80 opened on outbound rules of the assigned security group.
If the rule for HTTP TCP Port 80 is missing, add the new rules in the similar format specified in the above image and save the changes.
Now, try to install the package, it should connect over the internet and install the package successfully.
Restricted Outbound Access
To solve the issue, above we have allowed all outbound traffic, in some cases due to security restrictions the organization may not allow you to open outbound traffic to all IP ranges.
The best practice says we should have minimum permissions.
To accomplish our security goals, we can restrict the outbound traffic to a certain Amazon repo mirrors IPs.
As we saw in the above error, Amazon tries to hit several of its mirrors to download and install the package. We need to copy any of these mirror IP addresses and use them to restrict outbound traffic in our security group.
root@ip-10-9-9-58:/home/ubuntu# sudo apt install mysql-server
Could not connect to us-east-1.ec2.archive.ubuntu.com:80 (52.91.65.63), connection timed outIn this example, we will open outbound only for IP 52.91.65.63.
Login to your AWS console > EC2 > Security Groups, select the assigned security group, and click on the Edit Outbound rules tab, then on Edit outbound rules.
Select the HTTP TCP port 80 rule and change 0.0.0.0/0 to 52.91.65.63/32. Save the changes, this will restrict the outbound rule for HTTP TCP port 80 to only one IP address, 52.91.65.63.
Note: We need to add a CIDR range even when we have one single IP address, Security Group does not allow us to add just a single IP address without a CIDR range. Even for a single IP address, we are required to add a CIDR block.
In our example for our single IP address, we have added a CIDR range /32.
You can change the CIDR block range based on your IP requirements.