How do I troubleshoot connectivity issues that I'm experiencing while using an Amazon VPC?

I'm unable to connect to my destination server using an Amazon Virtual Private Cloud (Amazon VPC) resource as the source.

Short description

To troubleshoot VPC connectivity issues, use the AWSSupport-ConnectivityTroubleshooter automation document to check for common issues with:

  • Security group configurations
  • Network access control list (network ACL) configurations
  • Route table configurations

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Resolution

Confirm that you have the required AWS Identity and Access Management (IAM) permissions to run the automation document. See the Required IAM permissions section of AWSSupport-ConnectivityTroubleshooter for the full list of permissions. 

To run the document from the AWS Management Console:

  1. Open the document in the AWS Systems Manager console. Be sure to open the document in the Region where your resources are located.
  2. For SourceIP, enter the private IP address of the VPC resource.
  3. For DestinationIP, enter the destination server IP address.
  4. For DestinationPort, enter the destination server port.
  5. Choose Execute.
  6. Monitor the progress of the document's execution. If the document status is Success, the automation didn't find any misconfigurations. If the document status is Failed, check the step that failed for details to resolve the issue.

To run the document from the AWS Command Line Interface (AWS CLI), run a command similar to the following. This example diagnoses connectivity issues from 172.31.2.7 to 172.31.2.8 on port 443 in an Amazon VPC:

aws ssm start-automation-execution --document-name "AWSSupport-ConnectivityTroubleshooter" --parameters "SourceIP=172.31.2.7,DestinationIP=172.31.2.8,DestinationPort=443" --region <region>
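The console steps above and the CLI command both hand the document the same three parameters and end with reading the execution result. The following Python is an added example, not code from AWS or from the automation document: it validates the parameters (SourceIP must be the private address of the VPC resource), builds the same AWS CLI argv the command above shows, and reads a get-automation-execution response to pull out the failed step and its message. It does not call AWS; the response and its step names are constructed placeholders, not the document's real step names.

```python
"""Helpers around the AWSSupport-ConnectivityTroubleshooter automation.

Added example, not AWS documentation code. Nothing here calls AWS: it
validates the three document parameters, builds the AWS CLI command the
article shows, and parses a (constructed) get-automation-execution
response to locate the step that failed.
"""
import ipaddress
import json
import shlex

DOCUMENT_NAME = "AWSSupport-ConnectivityTroubleshooter"


def validate_parameters(source_ip: str, destination_ip: str, destination_port: int) -> dict:
    """Return the parameter dict, rejecting inputs the document cannot use.

    SourceIP has to be the private address of the VPC resource, so a
    public source address is rejected before anything is started.
    """
    src = ipaddress.ip_address(source_ip)
    dst = ipaddress.ip_address(destination_ip)
    if not src.is_private:
        raise ValueError(f"SourceIP {source_ip} is not a private VPC address")
    if not 1 <= int(destination_port) <= 65535:
        raise ValueError(f"DestinationPort {destination_port} is out of range")
    return {
        "SourceIP": str(src),
        "DestinationIP": str(dst),
        "DestinationPort": str(int(destination_port)),
    }


def build_cli_command(params: dict, region: str) -> list:
    """Build the argv for the `aws ssm start-automation-execution` call.

    --parameters uses the CLI shorthand syntax (Key=Value pairs separated
    by commas). Returned as a list so it can go straight to subprocess.run
    without shell quoting problems.
    """
    shorthand = ",".join(f"{k}={v}" for k, v in params.items())
    return [
        "aws", "ssm", "start-automation-execution",
        "--document-name", DOCUMENT_NAME,
        "--parameters", shorthand,
        "--region", region,
    ]


def failed_steps(execution_response: dict) -> list:
    """Return (StepName, FailureMessage) for every step with StepStatus Failed.

    execution_response is the parsed JSON from
    `aws ssm get-automation-execution --automation-execution-id <id>`.
    """
    execution = execution_response["AutomationExecution"]
    return [
        (step["StepName"], step.get("FailureMessage", ""))
        for step in execution.get("StepExecutions", [])
        if step.get("StepStatus") == "Failed"
    ]


# Constructed sample: the shape of a get-automation-execution response in
# which the security-group check fails. The execution id, step names and
# failure message are hypothetical placeholders, not real document output.
SAMPLE_RESPONSE = json.loads("""
{
  "AutomationExecution": {
    "AutomationExecutionId": "00000000-0000-0000-0000-000000000000",
    "DocumentName": "AWSSupport-ConnectivityTroubleshooter",
    "AutomationExecutionStatus": "Failed",
    "StepExecutions": [
      {"StepName": "sourceDetails", "StepStatus": "Success"},
      {"StepName": "securityGroupCheck", "StepStatus": "Failed",
       "FailureMessage": "no security group rule allows TCP 443 from 172.31.2.7"},
      {"StepName": "networkAclCheck", "StepStatus": "Pending"}
    ]
  }
}
""")


if __name__ == "__main__":
    params = validate_parameters("172.31.2.7", "172.31.2.8", 443)
    print(shlex.join(build_cli_command(params, "<region>")))
    for name, message in failed_steps(SAMPLE_RESPONSE):
        print(f"failed step {name}: {message}")
```

A Success status with no failed steps means the automation found no misconfiguration in the checks it runs (security groups, network ACLs, route tables), not that the path is proven open; anything outside those checks, such as a host firewall on the destination, still has to be examined separately.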