I cannot connect to my Instance using SSH after attaching it to a Private Network with a Public Gateway
Reviewed on 05 May 2025 • Published on 26 May 2021
You are unable to successfully connect to your Instance via SSH, when the Instance is attached to a Private Network which is receiving a default route advertisement from a Public Gateway. You may be experiencing connection timeouts or other error messages.
This troubleshooting guide applies to you if:
- Your Instance is attached to a Private Network which has an attached Public Gateway, AND
- The gateway is set to advertise a default route (true by default), AND
- The Private Network(s) attached to your Instance have DHCP enabled
It may also apply if:
- Your Instance is attached to a Private Network which is set to receive all default route advertisements from the VPC, AND
- There is a Public Gateway in the VPC which is advertising a default route, AND
- The Private Network(s) attached to your Instance have DHCP enabled
If neither of the above scenarios applies, there may be other factors impacting SSH connection to your Instance, like one of your Instances running a DHCP server. Try disconnecting and reconnecting the Instance from the Private Network.
If one of the above scenario applies, not being able to connect to your Instance via SSH is expected behavior. The Public Gateway’s default route advertisement takes priority over the default route through a resource’s public interface. All the traffic towards your Instance now goes through the Public Gateway.
To access your Instance using SSH in this scenario, the recommended solution is to use SSH bastion.
ImportantSSH bastion is the recommended solution. For advanced users only, another manual workaround is to create a static NAT association between a port of your Public Gateway (e.g. 2222) and the private IP assigned to your Instance, on the SSH port (22 by default). Then, SSH to the Public Gateway’s IP on port 2222.