Why can't I connect to an endpoint service from my interface endpoint in an Amazon VPC?

2 minute read

I can't connect to an endpoint service from my Amazon Virtual Private Cloud (Amazon VPC) interface endpoint using AWS PrivateLink. How do I determine what's preventing me from making this connection?


Check the following settings to troubleshoot connectivity problems between an interface VPC endpoint and an endpoint service.

Endpoint connection state

The endpoint connection must be in the Available state. If the endpoint connection is in the Pending or Rejected state, then any connection sent to the Network Load Balancer from the interface endpoint times out.

To resolve this issue, you might need to do one of the following tasks:

Network Load Balancer response

You can simulate the request from an instance in the same VPC as the Network Load Balancer. If you don't get the expected response, then troubleshoot your Network Load Balancer.

Network Load Balancer listener port

Be sure that the interface VPC endpoint is sending traffic to the correct listener port of the Network Load Balancer. For example, you might have a Network Load Balancer with a listener configured on port 80. If the client sends traffic on port 443, the client might receive the error Connection refused.

Zonal DNS name

If the client is using a zonal DNS name for the interface VPC endpoint, then verify that the zone is responsive on the service provider's end. It's a best practice to use the Regional DNS name to verify that requests are sent to healthy zones.

Security group and network access control rules

Check the security group and network access control (ACL) rules on both the service consumer and service provider's end. Be sure to allow traffic to and from the endpoint service.

Related information

How do I troubleshoot Amazon EC2 instance connection timeout errors from the internet?

AWS OFFICIALUpdated 9 months ago