How do I troubleshoot connectivity issues between an interface Amazon VPC endpoint and an endpoint service?

3 minute read
0

I want to troubleshoot connectivity issues between an Amazon Virtual Private Cloud (Amazon VPC) endpoint and an endpoint service.

Short description

To troubleshoot connectivity issues between an interface Amazon VPC endpoint and an endpoint service, check the following configurations:

  • Endpoint connection state
  • Availability Zone mapping
  • Availability Zone independence
  • Network Load Balancer response
  • Network Load Balancer listener port
  • Zonal DNS name
  • Security group and the network access control list (network ACL) rules

Resolution

Check the endpoint connection state

The endpoint connection must be in the Available state. If the endpoint connection is in the Pending or Rejected state, then connections that are sent to the Network Load Balancer from the interface endpoint time out.

To resolve this issue, take one of the following actions:

  • Grant a service consumer the permissions to create an interface endpoint to the service. For more information, see Manage permissions.
  • Check that you accepted the connection request. If you don't accept the connection request, then the service consumer can't access your endpoint service.
  • Request that the endpoint service provider accepts the endpoint connection request to activate the connection. By default, the endpoint service provider must manually accept the connection requests. Also, the endpoint service provider can configure the acceptance settings to automatically accept connection requests.

Check the Availability Zone mapping

To resolve or prevent issues with Availability Zone mapping, make sure that you use AZ ID when you create resources. For more information, see How do I resolve the "endpoint does not support the Availability Zone" error when I try to map an Amazon VPC endpoint?

Check the Availability Zone independence

If the service provider's Network Load Balancer has an unhealthy zone target, then turn on cross-zone load balancing. This allows requests to be sent to healthy zones behind the load balancer regardless of the consumer's endpoint zone. 

Check the Network Load Balancer response

You can simulate a connection request from an instance in the same Amazon VPC as the Network Load Balancer. If you don't receive the expected response, then troubleshoot your Network Load Balancer.

Check the Network Load Balancer listener port

Check that the interface Amazon VPC endpoint sends traffic to the correct listener port of the Network Load Balancer. For example, if your listener port is configured for port 80 and traffic is sent on port 443, then a Connection refused error appears.

Check the zonal DNS name

If you use a zonal DNS name for the interface Amazon VPC endpoint, then check for zone responsiveness on the service provider's end. It's a best practice to use the AWS Regional DNS name to confirm that requests are sent to healthy zones.

Troubleshoot connectivity issues with the service consumer interface endpoint

Make sure that the security group and network ACL rules allow traffic to and from the endpoint service. For more information, see How do I troubleshoot connectivity issues with my Amazon VPC interface endpoints?

AWS OFFICIAL
AWS OFFICIALUpdated 4 months ago