I noticed this when trying to launch serverB from an EC2 instance, serverA
-Allow port 22 access to security group for the security group (by default, instances in the same security group can't access each other, this allows them to)
-Group policy matches only the internal IP address.
-By trying to connect to the public_ip_address, the tcp connection egresses outside the firewall and then ingresses back so the security group sees serverA's public IP address and disallows access.
-Workaround, you can add serverA's public IP address to have access to port 22 in security group.
-However this is suboptimal because it causes excess management of security group acls
-Have test_tcp_ssh method connect to the server.dns_name which because of trick in how Amazon resolves dns inside of ec2 will resolve to the private IP address
-This allows for the group policy to match and allows access
-This also allows instances launched by knife from a non-EC2 box to resolve to the public_ip_address
The bootstrap code already uses the server.dns_name so I propose the test_tcp_ssh method use the same.
This trivial change is located here,
I've initiated a pull request to opscode/knife-ec2 already.