Introduction

An EC2 "instance reachability check failed" status means AWS can still see the hypervisor and the instance host, but it cannot successfully reach the guest operating system over the expected network path. That usually points to a broken network stack inside the instance, a boot problem that leaves the OS unresponsive, or a route or ENI issue that prevents the instance from answering health checks.

Symptoms

  • The EC2 console shows Reachability check failed
  • The instance remains running, but SSH or RDP does not respond
  • System status checks may still pass while instance status checks fail
  • Reboots sometimes help temporarily, then the issue returns

Common Causes

  • The guest OS network stack did not come up correctly after boot
  • A route, firewall rule, or ENI attachment drift blocked normal reachability
  • The instance is stuck during boot, filesystem recovery, or kernel initialization
  • CPU or memory pressure made the OS too unhealthy to answer checks in time

Step-by-Step Fix

  1. Confirm the exact failing status checks
     Separate instance reachability from system reachability before deciding on the recovery path.

```bash
aws ec2 describe-instance-status --instance-ids i-1234567890abcdef0 \
  --include-all-instances
```

  2. Pull the console output and recent system logs
     Reachability failures often leave evidence in boot logs before SSH becomes available.

```bash
aws ec2 get-console-output --instance-id i-1234567890abcdef0 --latest
```

  3. Check networking around the instance
     Validate subnet route tables, security groups, NACLs, and the current ENI attachment.

```bash
aws ec2 describe-instances --instance-ids i-1234567890abcdef0
aws ec2 describe-network-interfaces --filters Name=attachment.instance-id,Values=i-1234567890abcdef0
```

  4. Use reboot or rescue only after confirming the likely layer
     If the instance is not reachable because the guest is stuck, a reboot may help. If disk or boot state is broken, move to a rescue workflow instead of blind retries.

```bash
aws ec2 reboot-instances --instance-ids i-1234567890abcdef0
```
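
The steps above can be combined into one read-only triage script that names the layer to work on before anyone reboots. This is an added example, not part of the original article; the function names, output labels, and the short list of boot-failure markers are assumptions, and the marker list is not exhaustive.

```shell
#!/bin/sh
# Added example (not from the original page): pick the layer to work on.
# Assumption: a small, non-exhaustive sample of Linux boot-failure markers.
BOOT_MARKERS='Kernel panic|VFS: Unable to mount root fs|emergency mode'

# classify SYSTEM_STATUS INSTANCE_STATUS CONSOLE_FILE
classify() {
  case "$1/$2" in
    ok/ok)      echo "healthy" ;;
    impaired/*) echo "system" ;;            # the system status check is failing
    */impaired)
      if [ -s "$3" ] && grep -Eq "$BOOT_MARKERS" "$3"; then
        echo "guest-boot"                   # broken boot or disk state: rescue workflow
      else
        echo "guest-or-network"             # review routes, SGs, NACLs, ENI; then consider reboot
      fi ;;
    *)          echo "inconclusive" ;;      # initializing, insufficient-data, ...
  esac
}

# triage INSTANCE_ID: runs the read-only CLI calls from the steps above
triage() {
  tmp=$(mktemp)
  statuses=$(aws ec2 describe-instance-status --instance-ids "$1" \
    --include-all-instances --output text \
    --query 'InstanceStatuses[0].[SystemStatus.Status,InstanceStatus.Status]')
  aws ec2 get-console-output --instance-id "$1" --latest \
    --output text --query Output > "$tmp"
  # $statuses is "<system> <instance>"; left unquoted on purpose so it splits
  classify $statuses "$tmp"
  rm -f "$tmp"
}

# demo: constructed console excerpt, so the script also runs without AWS access
demo() {
  tmp=$(mktemp)
  echo '[ 1.93] Kernel panic - not syncing: VFS: Unable to mount root fs' > "$tmp"
  classify ok impaired "$tmp"
  rm -f "$tmp"
}

if [ "$#" -gt 0 ]; then triage "$1"; else demo; fi
```

Run it with an instance ID to query AWS, or with no arguments to classify the constructed sample.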

Prevention

  • Alert separately on system status checks and instance reachability checks
  • Keep console log collection and rescue procedures documented for critical EC2 roles
  • Review route, NACL, security group, and ENI changes together during incident windows
  • Bake health and boot validation into AMI and instance rollout checks