Support Automation Workflow (SAW) Runbook: Analyze connectivity to an AWS service endpoint

In this article, I will show you how to use the AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2, AWS Systems Manager automation runbook, to troubleshoot the network connectivity from an an Amazon Elastic Compute Cloud (EC2) instance or an Elastic Network Interface (ENI) to an AWS service endpoint.

Learn more about Support Automation Workflows >>

How it works?

When running the AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2 automation, the runbook uses the value you specify for the ServiceEndpoint parameter to analyze connectivity to the AWS service endpoint. If an AWS PrivateLink endpoint can't be found in your Amazon Virtual Private Cloud (VPC), the runbook uses a public IP address for the service in the current AWS Region. This automation uses Reachability Analyzer from VPC. For more information, see What is Reachability Analyzer?, in Reachability Analyzer documentation.

This runbook performs following checks:

• Checks whether your VPC is configured to use the Amazon provided DNS server.
• Checks whether an AWS PrivateLink exists in the VPC for the given AWS service. If an endpoint is found, the automation verifies if the privateDns attribute is turned on.
• Checks if the AWS PrivateLink endpoint is using default endpoint policy.

Consideration

• IPv6 is not supported.
• You are charged per analysis run between a source and destination. For more information, see Amazon VPC Pricing.
• During the automation, a network insights path and network insights analysis are created. The runbook deletes these resources if the automation completes successfully. If the cleanup step fails, the network insights path is not deleted by the runbook and you will need to delete it manually. If you don't delete the network insights path manually it continues to count towards the quota for your AWS account. For more information about quotas for Reachability Analyzer, see Quotas for Reachability Analyzer in Reachability Analyzer documentation.
• OS level configurations like the use of a proxy, local DNS resolver, or hosts file can affect connectivity even if the reachability analyzer returns PASSED.
• Review the evaluation of all checks performed by the analyzer. If any of the checks return with a status of FAILED, that might affect connectivity even if the overall reachability check returns with a status of PASSED.

Prerequisites

Before running the automation make sure your IAM user or the role has the permissions listed in the Required IAM permissions section.

Instructions

1. Navigate to the AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2 in the AWS Systems Manager console.
2. Click on Execute automation.
3. For the input parameters enter the following:
   • AutomationAssumeRole (optional): This is the Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation will use the permissions of the user that starts this runbook.
   • Source (required): The ID of the Amazon EC2 instance or the network interface from which you want to analyze reachability ( e.g. i-abcdef123, eni-123xyz ).
   • ServiceEndpoint (required): The hostname of the service endpoint that you want to analyze reachability to (e.g. ec2.us-east-1.amazonaws.com)
   • RetainVpcReachabilityAnalysis (optional): Determines whether the network insight path and related analysis created are retained. By default, the resources used for analyze reachability are deleted after successful analysis. If you choose to retain the analysis, the runbook does not delete the analysis and you can visualize it in the Amazon VPC console. A console link is available in the automation output.

The following example demonstrates how to use the AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2 automation runbook to troubleshoot the network connectivity from your EC2 instance or ENI to a target AWS service endpoint.

4. Click on Execute.
5. You should see that the automation has been initiated.
6. Document will perform the following steps:

• aws:executeScript: Validates the service endpoint by attempting to resolve the hostname.
• aws:executeScript: Gathers details about the VPC and subnet.
• aws:executeScript: Evaluates the DNS configuration of the VPC.
• aws:executeScript: Evaluates the VPC endpoint checks.
• aws:executeScript: Locates an internet gateway to connect to the public service endpoint.
• aws:executeScript: Determines the destination to be used for reachability analysis.
• aws:executeScript: Analyzes the reachability from source to the endpoint using Reachability Analyzer and cleans up the resources if the analysis is successful.
• aws:executeScript: Generates a reachability evaluation report.
• aws:executeScript: Generates the output in JSON.*

7. Once completed, you can review the Outputs section for the detailed results of the execution:

• generateReport.EvalReport - The results of the checks performed by the automation in text format.
• generateJsonOutput.Output - A minimal version of the results in JSON format.

Conclusion

In this article, I demonstrated how to troubleshoot connectivity issues from an EC2 instance or ENI to the AWS service endpoint using the automation runbook AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2, available in the AWS System Manager.

References

Systems Manager Automation

Run this Automation (console)

Running a simple automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-working-executing.html

Setting up Automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html

Documentation related to the AWS service

For more information how to run this runbook, please see the AWS public document: AWSSupport-AnalyzeAWSEndpointReachabilityFromEC2.

To help you troubleshoot, remediate, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the AWS provided predefined runbooks . These runbooks are prefixed with “AWSSupport-“ or “AWSPremiumSupport-“.