How do I troubleshoot connectivity timeout issues when traffic is initiated from Amazon VPC?


I want to troubleshoot connectivity timeout issues when traffic is initiated from Amazon Virtual Private Cloud (Amazon VPC).


To troubleshoot Amazon VPC connectivity issues, check your configurations and connectivity. Also use tools such as Amazon VPC Reachability Analyzer and Amazon VPC Flow Logs. A timeout, rather than an immediate connection error, usually means that packets are silently dropped somewhere on the path, for example by a security group, a network ACL, a missing or incorrect route, or a firewall on the destination, so work through the following checks in order.

Security group configurations

To check your security group configurations, see Security group rules.

Network ACL configurations

To check network access control list (network ACL) configurations, see Network ACL rules.

Route table configurations

To check your route table configurations, see Example routing options.

DNS resolution of the destination domain

To check the DNS resolution of the destination domain, complete the following steps:

1. Run nslookup or dig based on your operating system (OS):

Note: Replace <example-domain-name> with the domain name of the destination.

(Windows) Run the nslookup command:

nslookup <example-domain-name>

(Linux) Run the dig command:

dig <example-domain-name>

2. Check whether the resolution fails or returns an unexpected result, such as a public IP address when you expect a private one, or the reverse. If the output isn't what you expect, query the custom resolver and the Amazon Route 53 Resolver directly to find out which one returns the wrong answer:

Note: Replace <example-domain-name> with your domain name. Replace <example-custom-DNS-resolver> with the IP address of your custom DNS resolver, and <example-AWS-resolver> with the Route 53 Resolver IP address (the VPC network address plus two, for example 10.0.0.2 for the VPC CIDR 10.0.0.0/16).

For Windows:

nslookup <example-domain-name> <example-custom-DNS-resolver>
nslookup <example-domain-name> <example-AWS-resolver>

For Linux:

dig <example-domain-name> @<example-custom-DNS-resolver>
dig <example-domain-name> @<example-AWS-resolver>

Connectivity to a destination

Use OS tools to check the connectivity to a destination. Run the following commands:

Note: Replace <example-domain-name> with the domain name of the destination, or replace <example-destination-ip-address> with the IP address of the destination. Replace <example-destination-port> with the destination port.

Test the connectivity on the destination TCP port:

telnet <example-domain-name> <example-destination-port>
telnet <example-destination-ip-address> <example-destination-port>

If the connection hangs and then times out, the SYN packet or its reply is being dropped somewhere on the path (a security group, network ACL, or route in the VPC, or a firewall on the destination). If you get "Connection refused" instead, the host was reached and the VPC path works, but nothing is listening on that port.

(Linux) Trace the traffic path between the source and destination. The -T option sends TCP SYN probes to the destination port, so the probes are subject to the same security group and network ACL rules as the real traffic, which isn't the case for the default UDP or ICMP probes:

sudo traceroute -T -p <example-destination-port> <example-domain-name>
sudo traceroute -T -p <example-destination-port> <example-destination-ip-address>

(Windows) Trace the traffic path between the source and destination:

tracetcp.exe <example-domain-name>:<example-destination-port>
tracetcp.exe <example-destination-ip-address>:<example-destination-port>

(Linux) You can also capture the traffic with tcpdump and open the capture in third-party software, such as Wireshark, to view packet details. Run the following command to capture all traffic on all interfaces into a test.pcap file. Stop the capture with Ctrl+C after you reproduce the timeout, and consider adding a capture filter for the destination host and port so that the file contains only the relevant traffic:

sudo tcpdump -i any -w test.pcap
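The DNS checks and the TCP connectivity test above, combined into one script. This is an added example and not code from the AWS article: it derives the Route 53 Resolver address from the VPC CIDR (network address plus two), resolves the name through the instance's default resolver and through the Route 53 Resolver with dig, then probes the destination port with a timeout and reports open, timeout, or refused. It assumes dig, the coreutils timeout command, and bash are installed on the instance; the script name vpc-timeout-check.sh and its arguments are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the AWS article: first-hop checks for a
# connection timeout from an EC2 instance. Assumes dig, the coreutils
# timeout command and bash (for /dev/tcp) are installed on the instance.
# Usage: sh vpc-timeout-check.sh <domain> <tcp-port> <vpc-cidr>
set -u

# The Route 53 Resolver listens at the VPC network address plus two
# (10.0.0.0/16 -> 10.0.0.2). Pure arithmetic: mask the address with the
# prefix length, add two, and print it in dotted-quad form.
vpc_resolver_ip() {
    ip=${1%/*}
    prefix=${1#*/}
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    base=$(( (($1 << 24) | ($2 << 16) | ($3 << 8) | $4) & (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    base=$((base + 2))
    printf '%d.%d.%d.%d\n' \
        $(((base >> 24) & 255)) $(((base >> 16) & 255)) $(((base >> 8) & 255)) $((base & 255))
}

# Query one resolver directly and print only the A records it returns.
resolve_with() {            # resolve_with <domain> <resolver-ip>
    dig +short +time=2 +tries=1 "@$2" "$1" A
}

# Probe a TCP port and classify the result. A timeout means the SYN or its
# reply was silently dropped (security group, network ACL, route, or a
# firewall at the destination); refused means the host answered but nothing
# listens on the port, so the VPC path itself is fine. timeout exits 124
# when the command it runs is killed for taking too long.
tcp_probe() {               # tcp_probe <host-or-ip> <port> [seconds]
    timeout "${3:-5}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    case $? in
        0)   echo open ;;
        124) echo timeout ;;
        *)   echo refused-or-unreachable ;;
    esac
}

if [ "$#" -ge 3 ]; then
    domain=$1; port=$2; vpc_cidr=$3
    default_ns=$(awk '/^nameserver/ { print $2; exit }' /etc/resolv.conf)
    r53=$(vpc_resolver_ip "$vpc_cidr")
    echo "default resolver ($default_ns): $(resolve_with "$domain" "$default_ns" | tr '\n' ' ')"
    echo "Route 53 Resolver ($r53): $(resolve_with "$domain" "$r53" | tr '\n' ' ')"
    echo "tcp $domain:$port -> $(tcp_probe "$domain" "$port")"
fi
```

If the two resolvers return different addresses, the custom resolver or a private hosted zone is the problem rather than the network path. If both agree and the probe reports timeout, continue with the path checks (traceroute, Reachability Analyzer, flow logs); if it reports refused, the VPC path is fine and the problem is on the destination host.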

Amazon VPC Reachability Analyzer

Use Amazon VPC Reachability Analyzer to check for issues with configurations for security groups, network ACLs, and route tables. Also, use Reachability Analyzer to analyze paths across multiple AWS accounts in your organization. Reachability Analyzer evaluates your network configuration only and doesn't send packets, so a reachable result doesn't rule out drops by an OS firewall on the instance or a service that isn't listening on the port. For more information, see How Reachability Analyzer works.

Amazon VPC Flow Logs

Use VPC Flow Logs to troubleshoot the network path and hops. Look for REJECT records that match the source, destination, and destination port of the failing connection; the interface ID in the record shows where the traffic was dropped. Because security groups are stateful, a flow that shows ACCEPT for the outbound request and REJECT for the return traffic is being dropped by a network ACL, not by a security group. For more information, see Flow log records and Flow log record examples.
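The flow log analysis described above as a script. This is an added example, not code from the AWS article: it reads default-format (version 2) flow log records, summarises REJECT records per source, destination, port and interface, and flags flows that were accepted outbound but rejected on the return path, which points at a network ACL because security groups are stateful. The sample records, account ID and interface ID are constructed for the example and are not real traffic; the script name flow-log-rejects.sh is an assumption.

```shell
#!/bin/sh
# Added example, not code from the AWS article: summarise REJECT records
# from a VPC flow log (default format, version 2) and flag flows that were
# accepted outbound but rejected on the return path. Security groups are
# stateful, so that pattern points at a network ACL. Reads records from
# the file named as the first argument, or from the constructed sample
# below when run with no arguments.
# Usage: sh flow-log-rejects.sh [flow-log-records.txt]

# Constructed sample records (not real traffic). Default-format fields:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOGS='2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.5 51234 443 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 203.0.113.5 51235 443 6 3 180 1700000060 1700000120 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 51300 3306 6 5 400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.20 10.0.1.10 3306 51300 6 5 400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.30 51400 22 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.2.30 10.0.1.10 22 51400 6 7 1100 1700000000 1700000060 ACCEPT OK'

# Read records on stdin; print one REJECT summary line per
# source -> destination:port on each interface, plus an ASYMMETRIC line
# for every rejected flow whose reverse 5-tuple was ACCEPTed.
flow_log_report() {
    awk '
        $13 == "REJECT" {
            rej[$4 " -> " $5 ":" $7 " via " $3]++
            rej_eni[$4, $5, $6, $7] = $3
        }
        $13 == "ACCEPT" { acc[$4, $5, $6, $7] = 1 }
        END {
            for (k in rej) printf "REJECT %s (%d records)\n", k, rej[k]
            for (k in rej_eni) {
                split(k, f, SUBSEP)
                # Was the reverse flow (dst->src, dstport->srcport) accepted?
                if ((f[2], f[1], f[4], f[3]) in acc)
                    printf "ASYMMETRIC %s:%s -> %s:%s accepted, reply %s:%s -> %s:%s rejected on %s: security groups are stateful, check the network ACL\n",
                        f[2], f[4], f[1], f[3], f[1], f[3], f[2], f[4], rej_eni[k]
            }
        }' | sort
}

if [ "$#" -ge 1 ]; then
    flow_log_report < "$1"
else
    printf '%s\n' "$SAMPLE_FLOW_LOGS" | flow_log_report
fi
```

On the constructed sample, the two HTTPS rejects to 203.0.113.5 are reported as plain REJECT lines (the forward flow is dropped, so either a security group or a network ACL on that interface can be the cause), while the MySQL flow to 10.0.2.20 is reported as ASYMMETRIC: the request was accepted and only the reply was rejected, which a stateful security group never does.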

Related information

How do I troubleshoot network performance issues between EC2 Linux or Windows instances in a VPC and an on-premises host over the internet gateway?

Wireshark on the Wireshark website

AWS OFFICIAL. Updated 5 months ago.