How do I troubleshoot connectivity timeout issues when traffic is initiated from Amazon VPC?
I want to troubleshoot connectivity timeout issues when traffic is initiated from Amazon Virtual Private Cloud (Amazon VPC).
Resolution
To troubleshoot Amazon VPC connectivity issues, check your configurations and connectivity. Also, use tools such as, Amazon VPC Reachability Analyzer and Amazon VPC Flow Logs.
Security group configurations
To check your security group configurations, see Security group rules.
Network ACL configurations
To check network access control list (network ACL) configurations, see Network ACL rules.
Route table configurations
To check your route table configurations, see Example routing options.
DNS resolution of the destination domain
To check the DNS resolution of the destination domain, complete the following steps:
1. Run nslookup or dig based on your operating system (OS):
Note: Replace <example-domain-name> with the domain name of the destination.
(Windows) Run the nslookup command:
nslookup <example-domain-name>
(Linux) Run the dig command:
dig <example-domain-name>
2. Check if the DNS resolution fails or doesn't return the expected outputs, such as private and public IP addresses. If the expected outputs aren't returned, then run the following commands on the custom resolver or Amazon Route 53 Resolver:
Note: Replace <example-domain-name> with your domain name. Replace <example-custom-DNS-resolver> with the custom DNS IP address, or replace <example-AWS-resolver> and with the Route 53 Resolver IP address (VPC CIDR +2).
For Windows:
nslookup <example-domain-name> <example-custom-DNS-resolver> or <example-AWS-resolver>
For Linux:
nslookup <example-domain-name> @<example-custom-DNS-resolver> or <example-AWS-resolver>
Connectivity to a destination
Use OS tools to check the connectivity to a destination. Run the following commands:
Note: Replace <example-domain-name> and with the domain name of the destination, or replace <example-destination-ip-address> with the IP address of the destination. Replace <example-destination-port> with the destination port.
Test the connectivity on the destination TCP port:
telnet <example-domain-name> or <example-destination-ip-address> <example-destination-port>
(Linux) Trace the traffic path between the source and destination:
sudo traceroute <example-domain-name> or <example-destination-IP-address> -T -p <example-destination-port>
(Windows) Trace the traffic path between the source and destination:
tracetcp.exe <example-domain-name> or <example-destination-IP-address>:<example-destination-port>
You can also use third-party software, such as Wireshark, to check network traffic and view captured packet details. Run the following command to capture all traffic into a test.pcap file:
sudo tcpdump -i any -w test.pcap
Amazon VPC Reachability Analyzer
Use Amazon VPC Reachability Analyzer to check for issues with configurations for security groups, network ACLs, and route tables. Also, use Reachability Analyzer to analyze paths across multiple AWS accounts in your organization. For more information, see How Reachability Analyzer works.
Amazon VPC Flow Logs
Use VPC Flow Logs to troubleshoot the network path and hops. For more information, see Flow log records and Flow log record examples.
Related information
Wireshark on the Wireshark website
Relevant content
- asked 9 days ago
- Accepted Answerasked 2 years ago
- asked 2 years ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 6 months ago
