Accessing Ignition Gateway On Linux Port 8088 not available

I have an Amazon EC2 instance running Linux/UNIX. I have installed Ignition 8.1.47 on it. I am having trouble accessing the gateway webpage from outside the EC2 instance. I can ping the EC2 instance however navigating to the address http://[ip-address]:8088 never gets resolved.

The Ignition-Gateway.service is running on the EC2 instance.

[ec2-user@ip-address ignition]$ systemctl --type=service --state=running
...
  UNIT                       LOAD   ACTIVE SUB     DESCRIPTION
  Ignition-Gateway.service   loaded active running Ignition-Gateway
...

The path to the gateway appears to respond from inside the EC2 instance.

[ec2-user@ip-address ignition]$ curl -v http://[ip-address]:8088
*   Trying [ip-address]:8088...
* Connected to ip-address (ip-address) port 8088
> GET / HTTP/1.1
> Host: [ip-address]:8088
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Date: Fri, 28 Mar 2025 13:42:20 GMT
< Referrer-Policy: strict-origin-when-cross-origin
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< Location: http://[ip-address]:8088/welcome
< Content-Length: 0
< 
* Connection #0 to host [ip-address] left intact

And externally it appears I can telnet into that specific port...

So any ideas about what I am missing here are appreciated. The firewall rules on the EC2 instance appear to allow traffic from anywhere and I explicitly defined a rule to allow my IP address on the inbound and outbound.

Do you have a security group defined and assigned to this EC2 instance?

What does it look like?

I'm assuming you haven't installed a software firewall on your Linux instance (it wouldn't be activated by default on either Amazon Linux 2 or Ubuntu Server).

If this is deployed to a public subnet of your VPC, you'll have a network ACL (at the VPC level, defaults to allow inbound access) and route table[s] associated with your subnets (likely with a default route pointing to an Internet Gateway (IGW)).

I'd start with inspecting the security group associated with the instance (as @Kevin.Herron mentioned) and then walking back from there.

EDIT: re-reading your initial post, perhaps you do indeed have a software firewall and weren't referring to the security group--in that case hopefully you're now close to a solution :slight_smile:

There are 2 security groups defined for this particular EC2 instance.

Looking at the security group hidden in red I see the following.

Inbound Rules:

Outbound Rules:

Obligatory out of band note that exposing HTTP/port 8088 to the wide open internet is big scary :grimacing:


This looks like you've deployed to a private subnet, not a public subnet...

It is a private subnet; sorry for not clarifying earlier. They do not want this to be public.

I am using a VPN to access their network.

From the VPN I should be able to access port 8088 on this particular EC2 instance. I can ping the EC2 instance while connected to the VPN.

Customer is claiming port 8088 is not listening for requests and no firewall rules are holding me back so I get the honor to prove it one way or another. They sounded convincing so I was hoping I had just installed Ignition wrong.


I think you've already verified that Ignition is listening on port 8088, though perhaps you could verify that it is indeed bound to all interfaces (* or 0.0.0.0), i.e.:

$ sudo lsof -nP -iTCP -sTCP:LISTEN
COMMAND    PID            USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
...
java       895        ignition  165u  IPv6   7913      0t0  TCP *:8088 (LISTEN)
...

If this is a custom image, perhaps it does have a software firewall--you didn't mention whether it was Amazon Linux 2 or Ubuntu Server or ______. On Ubuntu, you'd likely check with sudo ufw status. Amazon Linux 2 I think uses firewalld, maybe firewall-cmd --state?

Past that, you'll likely need to change your inbound security group rule. Specifically, you may need to account for wherever the VPN traffic is originating. You could start with setting your inbound rule for 8088/tcp to allow source 10.0.0.0/8 (presumably your private subnet CIDR)? Also, you shouldn't need to have an outbound rule in your SG.

Actually, it looks like your inbound rules on your SG already permit all traffic, so anything else there is irrelevant. If you don't have a software firewall buggering things up, this is likely to end up further up in your VPC networking configuration.

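A small diagnostic that packages the two host-side checks from the reply above (is the listener bound to every interface, and is a host firewall active), added here as an example and not code posted in the thread. It parses the column layout of `ss -Hlntp` rather than lsof; the sample listener lines are constructed (the java socket mirrors the `*:8088` lsof line above, the loopback socket and the sshd line are made up), and the firewall frontends it probes (firewalld, ufw, nft) are the ones named in the reply, not a claim about what this particular image ships.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a TCP listener on a port
# is reachable from other hosts, and summarise any host firewall that is present.
# Input format is the column layout of `ss -Hlntp`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process

# Constructed sample of `ss -Hlntp` output. The java socket mirrors the lsof
# line in the thread (bound to *, i.e. every interface); the others are made up.
SAMPLE_SS='LISTEN 0 4096 *:8088 *:* users:(("java",pid=895,fd=165))
LISTEN 0 128 127.0.0.1:8043 0.0.0.0:* users:(("java",pid=895,fd=170))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))'

# classify_bind ADDR:PORT -> all | loopback | specific
# "all": accepts connections on every interface (what a gateway reached over a
# VPN needs). "loopback": only local clients can connect, so curl from the box
# works but nothing else does. "specific": bound to one address only.
classify_bind() {
  case "$1" in
    '*:'* | '0.0.0.0:'* | '[::]:'*) echo all ;;
    '127.'* | '[::1]:'*)            echo loopback ;;
    *)                              echo specific ;;
  esac
}

# listeners_on_port PORT: read ss lines on stdin and print one line per socket
# listening on PORT as "<class> <local addr> <process>". Prints nothing if no
# process listens on PORT, which is the "not installed right" case.
listeners_on_port() {
  port="$1"
  while read -r state recvq sendq laddr peer proc; do
    case "$laddr" in
      *":$port") echo "$(classify_bind "$laddr") $laddr ${proc:-unknown}" ;;
    esac
  done
}

# host_firewall_summary: report the state of whichever host firewall frontend is
# installed (firewalld or ufw) and the first lines of the nftables ruleset if
# nft is available. Run as root, otherwise the nft listing is empty.
host_firewall_summary() {
  found=0
  if command -v firewall-cmd >/dev/null 2>&1; then
    found=1
    printf 'firewalld: %s\n' "$(firewall-cmd --state 2>&1)"
  fi
  if command -v ufw >/dev/null 2>&1; then
    found=1
    printf 'ufw: %s\n' "$(ufw status 2>&1 | head -n 1)"
  fi
  if command -v nft >/dev/null 2>&1; then
    found=1
    nft list ruleset 2>/dev/null | head -n 20
  fi
  [ "$found" -eq 1 ] || printf 'no firewalld/ufw/nft frontend found on this host\n'
}

# Demonstration on the constructed sample. On a live instance replace the
# printf with `ss -Hlntp` and then call host_firewall_summary.
printf '%s\n' "$SAMPLE_SS" | listeners_on_port 8088
```

If the listener shows up as `all` and no host firewall is active, the block is not on the instance, and the remaining places to look are the security group (`aws ec2 describe-security-groups --group-ids ...`), the subnet's network ACL, and whatever sits between the VPN concentrator and the VPC, which is where this thread ended up.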

Customer confirmed this morning it was a firewall rule elsewhere holding things up and opened up port 8088. Success!
