I can't connect to an endpoint service from my Amazon Virtual Private Cloud (Amazon VPC) interface endpoint using AWS PrivateLink. How do I determine what's preventing me from making this connection?
Resolution
Check the following settings to troubleshoot connectivity problems between an interface VPC endpoint and an endpoint service.
Endpoint connection state
The endpoint connection must be in the Available state. If the endpoint connection is in the Pending or Rejected state, then any connection sent to the Network Load Balancer from the interface endpoint times out.
To resolve this issue, you might need to do one of the following tasks:
Network Load Balancer response
You can simulate the request from an instance in the same VPC as the Network Load Balancer. If you don't get the expected response, then troubleshoot your Network Load Balancer.
Network Load Balancer listener port
Be sure that the interface VPC endpoint is sending traffic to the correct listener port of the Network Load Balancer. For example, you might have a Network Load Balancer with a listener configured on port 80. If the client sends traffic on port 443, the client might receive a "Connection refused" error.
Zonal DNS name
If the client is using a zonal DNS name for the interface VPC endpoint, then verify that the zone is responsive on the service provider's end. It's a best practice to use the Regional DNS name so that requests are sent to healthy zones.
Security group and network access control rules
Check the security group and network access control list (network ACL) rules on both the service consumer's and the service provider's ends. Be sure that they allow traffic to and from the endpoint service.
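The following script is an added example, not part of the original article or an AWS tool: it runs three of the checks above (endpoint connection state, listener port, security group ingress) offline over constructed JSON shaped like the output of aws ec2 describe-vpc-endpoint-connections, aws elbv2 describe-listeners and aws ec2 describe-security-groups. The endpoint IDs, group ID and CIDR in the sample data are made up; in practice you would feed the script the real command output.

```python
import json

# Constructed sample data (fake IDs) shaped like the JSON returned by
# `aws ec2 describe-vpc-endpoint-connections`, `aws elbv2 describe-listeners`
# and `aws ec2 describe-security-groups`.
CONNECTIONS = json.loads("""{"VpcEndpointConnections": [
  {"VpcEndpointId": "vpce-0aaa0000example1", "VpcEndpointState": "available"},
  {"VpcEndpointId": "vpce-0bbb0000example2", "VpcEndpointState": "pendingAcceptance"}]}""")
LISTENERS = json.loads('{"Listeners": [{"Port": 80, "Protocol": "TCP"}]}')
SECURITY_GROUPS = json.loads("""{"SecurityGroups": [{"GroupId": "sg-0ccc0000example",
  "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}]}""")


def sg_allows_tcp(groups, port):
    """True if any ingress rule in the group set admits TCP traffic on `port`."""
    for group in groups["SecurityGroups"]:
        for rule in group["IpPermissions"]:
            if rule["IpProtocol"] == "-1":  # all protocols, all ports
                return True
            if rule["IpProtocol"] == "tcp" and rule["FromPort"] <= port <= rule["ToPort"]:
                return True
    return False


def triage(endpoint_id, client_port, connections=CONNECTIONS,
           listeners=LISTENERS, groups=SECURITY_GROUPS):
    """Return a list of findings; an empty list means all three checks passed."""
    findings = []
    conn = next((c for c in connections["VpcEndpointConnections"]
                 if c["VpcEndpointId"] == endpoint_id), None)
    if conn is None:
        findings.append(f"{endpoint_id}: no endpoint connection to this service")
    elif conn["VpcEndpointState"] != "available":
        findings.append(f"{endpoint_id}: connection state is {conn['VpcEndpointState']}; "
                        "traffic to the NLB times out until the connection is available")
    listener_ports = sorted(l["Port"] for l in listeners["Listeners"])
    if client_port not in listener_ports:
        findings.append(f"port {client_port}: no NLB listener (listeners on {listener_ports}); "
                        "expect 'Connection refused'")
    if not sg_allows_tcp(groups, client_port):
        findings.append(f"port {client_port}: no security group ingress rule permits TCP on it")
    return findings


if __name__ == "__main__":
    for line in triage("vpce-0bbb0000example2", 443) or ["all checks passed"]:
        print(line)
```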
Related information
How do I troubleshoot Amazon EC2 instance connection timeout errors from the internet?