Why can’t clients connect to my ELB load balancer?

Short description

Common causes of load balancer connectivity issues include:

• No listener is configured for the load balancer port where clients are trying to connect.
• The load balancer security group doesn’t allow traffic for the listener.
• The target security group doesn’t allow traffic for the target port and load balancer health check port.
• The network access control list (network ACL) for a load balancer in an Amazon Virtual Private Cloud (Amazon VPC) doesn’t allow the necessary traffic.
• Route table rules are blocking or improperly routed requests.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Check your port listener

Verify that you've configured the appropriate listeners for your load balancer port:

• Listeners for your Application Load Balancers
• Listeners for your Classic Load Balancer
• Listeners for your Network Load Balancers

Check the security group for your target instances

Check the settings of the security group for the instances behind your load balancer. For each subnet that is attached to your load balancer, confirm that traffic is allowed in both directions for the listener and health check ports:

• Security groups for your Application Load Balancer
• Configure security groups for your Classic Load Balancer
• Register targets with your target group (Network Load Balancer)

Check your network ACLs (for load balancers in a VPC)

Confirm that the network ACLs for your VPC allow traffic in both directions on the listener port and health check port for each subnet attached to your VPC:

• Custom network ACLs
• Network ACLs for load balancers in a VPC (Classic Load Balancers)

Check your route tables

Confirm that the route tables for the attached subnets of your load balancer allow load balancer connections using a default route that points to an internet gateway.

To verify connectivity to your load balancer from an Amazon Elastic Compute Cloud (Amazon EC2) instance:

1.    Connect to your Amazon EC2 instance (see steps for Linux instances or Windows instances).

2.    Verify that either netcat (nc) or telnet is installed on your instance.

3.    If you have a public load balancer, verify that your instance has internet connectivity. To confirm internet connectivity, use an internet gateway or network address translation (NAT) gateway.

4.    Verify that your Amazon EC2 instance security group allows outbound connections to the internet. Then, confirm that the network ACL attached to the subnet where your instance is running allows inbound and outbound traffic.

5.    Run one of the following commands, based on your configuration:

nc –v elb.ip.address port

telnet elb.ip.address port

6.    Review the output. Verify that the route table rules designate an internet gateway to the subnet for your load balancer.

Note: If connectivity testing returns an HTTP 503 or HTTP 504 error, see:

• The load balancer generates an HTTP error (Application Load Balancers)
• Troubleshoot a Classic Load Balancer: HTTP errors

7.    From an external client, run the traceroute (Linux clients) or tracert (Windows clients) utility to your load balancer listener's IP address.

8.    Review the output.

Note: If you receive other error codes from a Classic Load Balancer or Application Load Balancer, see:

• Troubleshoot your Application Load Balancers
• Troubleshoot your Classic Load Balancer

Check for load or capacity issues

Sporadic connectivity issues might indicate load- or capacity-related issues. For troubleshooting steps, see How do I troubleshoot Classic Load Balancer capacity issues in ELB?

Related information

How Elastic Load Balancing works