All posts
September 15, 20252 min read

The port was wrong. Everything broke.

Working with AWS CLI should feel clean, sharp, predictable. But the moment you need to connect to an internal port—whether for debugging, tunneling, or testing—a simple slip in configuration turns into hours of frustration. Internal ports on AWS can be invisible landmines. They are often tightly bound to security groups, VPC rules, and service-level defaults that don’t shout their restrictions until you’re knee-deep in failed requests. The AWS CLI gives you raw power, but it also expects precis

Free White Paper

Everything: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Andrios Robert

Working with AWS CLI should feel clean, sharp, predictable. But the moment you need to connect to an internal port—whether for debugging, tunneling, or testing—a simple slip in configuration turns into hours of frustration. Internal ports on AWS can be invisible landmines. They are often tightly bound to security groups, VPC rules, and service-level defaults that don’t shout their restrictions until you’re knee-deep in failed requests.

The AWS CLI gives you raw power, but it also expects precision. Internal ports are not just numbers; they’re access points in a private network space. If you’re connecting to an EC2 instance, forwarding a local development port to a remote target, or hitting a container endpoint inside ECS, you need to configure the correct bind address and confirm the security group inbound rules. A mismatch there will block your connection silently.

To check and use an AWS CLI internal port, start with your security group rules. Make sure you allow inbound traffic for the private IP and desired port. Use:

aws ec2 describe-security-groups --group-ids sg-xxxxxxxx

Then verify the private DNS or IP you’re targeting. If you’re leveraging Session Manager for port forwarding:

Continue reading? Get the full guide.

Everything: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.
aws ssm start-session \
 --target i-xxxxxxxxxxxxxxxxx \
 --document-name AWS-StartPortForwardingSession \
 --parameters "portNumber=[REMOTE_PORT],localPortNumber=[LOCAL_PORT]"

That command moves traffic from your local port directly to the internal port on the remote instance without exposing it to the public internet. This keeps connections secure while bypassing the need for public endpoints.

When working with ECS, check the task’s container port mappings in the task definition. The internal containerPort must map correctly to the host port, and both should align with the service-level load balancer or network configuration. If you miss that, your CLI tests will fail even though the container is running.

Common pitfalls:

  • Forgetting to set --region for resources outside your default.
  • Overlooking NACL rules that block the port at the subnet level.
  • Misusing localhost when the target expects a VPC IP.

Internal ports on AWS are not magic. They respond to grounded, exact configurations. AWS CLI is only as effective as the instructions you give it. Once you get the mapping right, the connection is instant and stable.

If you want to see this kind of setup running without wrestling with security groups or manual mapping, try hoop.dev. It lets you spin up secure, private, internal port access in minutes. You get the same reliability without the manual AWS CLI grind. See it live, get connected, and move on to building instead of debugging.

Get started

See hoop.dev in action

One gateway for every database, container, and AI agent. Deploy in minutes.

Get a demoMore posts