AWS ubuntu instance can't reach the world

Question

I created a new ubuntu instance in AWS, I can ssh connect to it successfully. However when I try to install packages using this command, it won't work :

sudo apt-get install apache2  
...
...
0% [Connecting to ap-southeast-2.ec2.archive.ubuntu.com (91.189.91.23)]^Cubuntu@ip-10-1-0-99:/etc$

This never moves forward !

I tried ping google.com.au, also no response.

Here is the VPC config of AWS:

Network ACL : 

Outbound:
Rule #  Type        Protocol    Port Range  Destination Allow / Deny
100 ALL Traffic ALL     ALL     0.0.0.0/0   ALLOW
*   ALL Traffic ALL     ALL     0.0.0.0/0   DENY

Inbound : 
Rule #  Type        Protocol    Port Range  Source  Allow / Deny
10  HTTP (80)   TCP (6) 80  0.0.0.0/0   ALLOW
120 HTTPS (443) TCP (6) 443 0.0.0.0/0   ALLOW
140 SSH (22)    TCP (6) 22  0.0.0.0/0   ALLOW
*   ALL Traffic ALL ALL 0.0.0.0/0   DENY

security Group outbound settings :

Type    Protocol    Port Range  Destination 
ALL     Traffic     ALL     ALL     0.0.0.0/0

Routing table setting:

Destination     Target      Status  Propagated
10.1.0.0/24 local       Active  No
0.0.0.0/0   igw-cfe30caa    Active  No

What could be wrong here ?

EDIT: nslookup & dig command works fine!

Thanks !

Answer 1

Your inbound network ACL is only allowing traffic addressed to inbound TCP ports 22, 80, and 443. It doesn't allow the responses for your outbound requests, on your ephemeral ports.

$ cat /proc/sys/net/ipv4/ip_local_port_range
32768   61000

You need a rule in the network ACL to allow TCP 32768 through 61000... or, better, don't use the inbound network ACL at all -- set it back to the default, to allow all.

You almost certainly don't need to use network ACLs unless you have a particularly complex network configuration. The inbound rules in the security group are usually sufficient to control access to an instance. Inbound security group rules deny by default, and unlike Network ACLs, which are stateless packet filters, security groups are stateful, TCP session-aware.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html#VPC_Security_Comparison

Important: do not add the ephemeral port rule discussed above to the security group inbound rules. Since security groups are stateful, you only want to "allow" traffic in the direction where you want TCP sessions to be initiated. Responses to established TCP sessions are allowed automatically by security group rules, but not network ACL rules, because they're implemented differently.

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html