cannot reach munin port on other AWS instance
Posted by Amedee Van Gasse on Server Fault. Published on 2014-06-04T14:37:24Z; indexed on 2014/06/04 15:28 UTC.

2 AWS instances, in the same region but different availability zones; one is in regular EC2 and the other is in VPC. Both have an Elastic IP, and both are 64-bit Amazon Linux AMI 2014.03.1.
Both are running munin-node.
The instance in the VPC is running munin-cron.
I have added incoming TCP and UDP port 4949 to the security groups of both instances.
On the munin node, I added an allow-line with the IP address (regular expression) of the munin server to /etc/munin/munin-node.conf. I bind munin-node to any interface using host *. Then I did sudo service munin-node restart.
Then I ran netstat.
$ sudo netstat -at | grep munin
tcp        0      0 *:munin             *:*                         LISTEN
So the port is open there.
On the munin server AND on the munin node:
$ nmap AMAZON-IP -p 80,4949 | grep tcp
80/tcp   open   http
4949/tcp closed munin
On the munin node:
$ nmap localhost -p 80,4949 | grep tcp
80/tcp   open  http
4949/tcp open  munin
So from the outside, the http port is open (Apache is running) but the munin port is closed. The node can't even reach the munin port on its own public IP address, but it can on localhost. I added port 80 as a sanity check, to be sure that there is network connectivity at all.
So what am I overlooking here?