I have an AMI and security group that I’ve been starting instances from, using our VPC and a subnet we’ve had defined, for a long time. Once such instances start, I’m able to SSH to them.

So far so good.

Lately we started getting error messages about Amazon not having enough capacity in our zone, so I wanted to try a new zone.

In order to do this, I created a new subnet and specified a different zone. I can still get an instance started in that zone but can no longer SSH to it (error: connection timeout) even though nothing has changed except for the zone and subnet (I’ve marked the subnet to grant public IPs to hosts).

Any ideas what the problem could be?

If you create a subnet without using the wizard, its routing table defaults to the “main routing table”, which has no entry for the VPC’s gateway, which means your hosts on that subnet cannot access the internet. The solution is to either a) modify your subnet(s) so that they use one of your existing routing tables which does have an entry for your VPC’s gateway, or b) create a new custom routing table for your subnet and make an entry in there mentioning your VPC’s gateway.

Once I changed my new hand-created subnets to use a pre-existing routing table (which has an entry for my VPC’s gateway) then I was able to SSH to the instance just fine.
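The check the answer describes can be scripted, which is useful when a VPC has many subnets and you want to know which ones silently fell back to the main table. The example below is added here and is not code from the question or the answer. It takes the JSON shape that `aws ec2 describe-route-tables` returns (`RouteTables`, each with `Associations` and `Routes`), works out which table a subnet actually uses (an explicit subnet association, otherwise the VPC's main table) and reports whether that table has an active `0.0.0.0/0` route pointing at an internet gateway. The route tables, subnet, VPC and gateway IDs in the sample data are constructed for the example.

```python
"""Diagnose whether a subnet's hosts have a route to the internet gateway.

Added example (not from the original question or answer). The input mirrors
`aws ec2 describe-route-tables` output; the sample below is constructed.
"""
import json
import sys

# Constructed sample: one VPC whose main table has only the local route, and
# one custom table with an IGW default route that is associated with the old
# subnet only. The hand-created "subnet-new" has no explicit association.
SAMPLE_ROUTE_TABLES = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-main0001",
            "VpcId": "vpc-example",
            "Associations": [{"Main": True, "RouteTableId": "rtb-main0001"}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            ],
        },
        {
            "RouteTableId": "rtb-custom01",
            "VpcId": "vpc-example",
            "Associations": [
                {"Main": False, "SubnetId": "subnet-old", "RouteTableId": "rtb-custom01"},
            ],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"},
            ],
        },
    ]
}


def effective_route_table(route_tables, subnet_id, vpc_id=None):
    """Return (table, uses_main): the table explicitly associated with the
    subnet if one exists, otherwise the VPC's main table (AWS's fallback)."""
    main = None
    for rt in route_tables["RouteTables"]:
        if vpc_id is not None and rt.get("VpcId") != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt, False
            if assoc.get("Main"):
                main = rt
    return main, True


def has_igw_default_route(route_table):
    """True when the table has an active 0.0.0.0/0 route whose target is an
    internet gateway (GatewayId starting with 'igw-')."""
    for route in route_table.get("Routes", []):
        if (route.get("DestinationCidrBlock") == "0.0.0.0/0"
                and str(route.get("GatewayId", "")).startswith("igw-")
                and route.get("State", "active") == "active"):
            return True
    return False


def diagnose(route_tables, subnet_id, vpc_id=None):
    """Summarise why a subnet can or cannot reach the internet."""
    rt, uses_main = effective_route_table(route_tables, subnet_id, vpc_id)
    if rt is None:
        return {"subnet": subnet_id, "route_table": None, "uses_main": None,
                "internet_reachable": False,
                "reason": "no route table found for this subnet/VPC"}
    reachable = has_igw_default_route(rt)
    reason = ("has an active 0.0.0.0/0 -> igw route" if reachable
              else "has no 0.0.0.0/0 route to an internet gateway")
    return {"subnet": subnet_id, "route_table": rt["RouteTableId"],
            "uses_main": uses_main, "internet_reachable": reachable,
            "reason": f"{rt['RouteTableId']} ({'main table by default' if uses_main else 'explicit association'}) {reason}"}


if __name__ == "__main__":
    # Usage: aws ec2 describe-route-tables | python3 check_subnet_route.py subnet-xxxx
    # With no piped input the constructed sample is used.
    subnet = sys.argv[1] if len(sys.argv) > 1 else "subnet-new"
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_ROUTE_TABLES
    print(json.dumps(diagnose(data, subnet), indent=2))
```

Run against the sample, `subnet-new` resolves to the main table and is reported as unreachable, while `subnet-old` resolves to the custom table and passes. On a real account, pipe in `aws ec2 describe-route-tables --filters Name=vpc-id,Values=<your vpc id>` and, if a subnet comes back on the main table, fix it the way the answer says, either by attaching it to the existing table with `aws ec2 associate-route-table --subnet-id <subnet> --route-table-id <table>` or by creating a table that has the IGW default route. The security group on the instance still applies on top of this; the route table only decides whether packets have a path at all.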