Security group rules blocking SSH access to virtual server instances

I deployed a new virtual server instance in our VPC yesterday and I’m unable to SSH into it from my workstation. The instance shows as running in the console, but SSH connections time out after 30 seconds. I’ve verified the floating IP is attached and reachable via ping.

I checked the security group attached to the instance and there’s an inbound rule allowing TCP port 22 from any source (0.0.0.0/0). Here’s what the rule looks like:


ibmcloud is security-group-rule-add sg-default inbound tcp \
  --port-min 22 --port-max 22 --remote 0.0.0.0/0

The SSH service is running on the instance (I can see it in the serial console), and the firewall inside the OS is disabled. Other instances in the same VPC with identical security group configuration work fine. What could be blocking SSH access to this specific instance? I need to troubleshoot application deployment but can’t access the server.

Good catch on the network ACLs! I checked and the subnet has a custom ACL that was created for another project. It has inbound rules for port 22, but the outbound rules only allow ports 80 and 443. That would explain why SSH connections time out - the return traffic can’t get back to my workstation.
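An added example, not part of the original thread: a small model of a stateless subnet ACL that evaluates the SSH request and its reply separately, showing why inbound 22 plus outbound 80/443 produces a timeout. The rule field names, the first-match and implicit-deny behaviour, and the addresses are assumptions made for the illustration, not the `ibmcloud` CLI's output format.

```python
import ipaddress

ANY = "0.0.0.0/0"
# Constructed rules modeled on the ACL described above; field names are
# hypothetical, not the ibmcloud CLI's JSON schema.
ACL_RULES = [
    {"name": "in-ssh", "direction": "inbound", "action": "allow",
     "source": ANY, "destination": ANY, "dst_ports": (22, 22)},
    {"name": "out-http", "direction": "outbound", "action": "allow",
     "source": ANY, "destination": ANY, "dst_ports": (80, 80)},
    {"name": "out-https", "direction": "outbound", "action": "allow",
     "source": ANY, "destination": ANY, "dst_ports": (443, 443)},
]

def in_range(port, bounds):
    return bounds[0] <= port <= bounds[1]

def evaluate(rules, direction, src_ip, dst_ip, src_port, dst_port):
    """Stateless TCP check: first matching rule wins, no match means deny (assumed)."""
    for r in rules:
        if (r["direction"] == direction
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["source"])
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(r["destination"])
                and in_range(src_port, r.get("src_ports", (1, 65535)))
                and in_range(dst_port, r.get("dst_ports", (1, 65535)))):
            return r["action"], r["name"]
    return "deny", "implicit-deny"

def check_tcp_flow(rules, client_ip, server_ip, server_port, client_port=50000):
    """Evaluate the request and the reply separately, as a stateless ACL does."""
    request = evaluate(rules, "inbound", client_ip, server_ip, client_port, server_port)
    reply = evaluate(rules, "outbound", server_ip, client_ip, server_port, client_port)
    return {"request": request, "reply": reply,
            "works": request[0] == "allow" and reply[0] == "allow"}

def with_reply_rule(rules, server_port):
    """Add an outbound rule for replies: source is the service port, destination ephemeral."""
    return rules + [{"name": "out-ssh-replies", "direction": "outbound",
                     "action": "allow", "source": ANY, "destination": ANY,
                     "src_ports": (server_port, server_port),
                     "dst_ports": (1024, 65535)}]

if __name__ == "__main__":
    # Constructed addresses: documentation-range client, private-range server.
    before = check_tcp_flow(ACL_RULES, "203.0.113.10", "10.240.0.4", 22)
    after = check_tcp_flow(with_reply_rule(ACL_RULES, 22), "203.0.113.10", "10.240.0.4", 22)
    print("before:", before)
    print("after: ", after)
```

The reply leaves the instance with source port 22 and an ephemeral destination port, so an outbound rule keyed on destination ports 80 and 443 never matches it.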

I’ve seen this before when there are multiple security groups attached to the instance. IBM Cloud evaluates all security groups as a logical OR, but if one group has an explicit deny or conflicting rule, it can cause unexpected behavior.

Run ibmcloud is instance INSTANCE_ID --output json and look at the network_interfaces[].security_groups[] array. If there’s more than one security group, check the rules in each one. You might have a default security group with restrictive rules that’s also attached.

When you say you can ping the floating IP, are you getting responses? Ping uses ICMP which requires a separate security group rule. If ping works, that confirms network connectivity is fine and the issue is specific to TCP port 22.

Can you share the output of ibmcloud is security-group-rules SECURITY_GROUP_ID? Sometimes multiple rules can conflict or there might be a typo in the port range.

Yes, ping responses are coming back consistently. Here’s the security group rules output - there are three inbound rules: ICMP for ping, TCP 22 for SSH, and TCP 443 for HTTPS. All show 0.0.0.0/0 as the source. The outbound rules allow all traffic. Everything looks correct to me.