Unable to access AWS endpoints in the Bahrain region.

-2

Region: me-south-1 (Bahrain)

Issue: Unable to access AWS endpoints in the Bahrain region.

Details:

Impact: Cannot access EC2 instances or AWS console in this region

Request: Please verify if there is any connectivity or endpoint issue affecting me-south-1

  • If my answer helped you understand the reason for the issue, I would appreciate it if you click on “accepted answer”.

asked a month ago · 101 views
3 Answers
4

Ongoing Regional Disruption

Even if configured correctly, there is currently a major infrastructure event in me-south-1. As of March 2026, AWS has confirmed significant API error rates and connectivity issues in Bahrain due to physical data center disruptions.

See:

Operational issue - Multiple services (Bahrain)

Increased Connectivity Issues and API Error Rates

Mar 03 8:40 AM PST We are providing an update on the ongoing service disruptions affecting the AWS Middle East (Bahrain) Region (ME-SOUTH-1). We continue to make progress on recovery efforts across multiple workstreams. With the immediate phase of this event now better understood, we are moving to a more targeted communication model. Going forward, updates will be delivered directly to affected customers through the AWS Personal Health Dashboard. Customers who require assistance with this event are encouraged to contact AWS Support through the AWS Management Console or the AWS Support Center.

source: https://health.aws.amazon.com/health/status

To rule out common configuration errors, please check the following:

To ensure that DNS resolution for VPC Interface Endpoints (AWS PrivateLink) works correctly, you need to configure specific VPC attributes and endpoint settings.

VPC Attributes: AWS requires these two attributes to be set to true so that the internal VPC/DNS Resolver can function within your network:

  • enableDnsSupport: Allows the VPC to use the built-in AWS DNS server.
  • enableDnsHostnames: Required for AWS to assign public and private DNS hostnames. This is a prerequisite for the "Private DNS" feature on endpoints.

When you create the Interface Endpoint (or in its settings afterwards), you must check the box for Enable Private DNS names.

How it works: When enabled, AWS creates a managed Private Hosted Zone. This zone intercepts requests to the standard service URL (e.g., s3.me-south-1.amazonaws.com) and resolves them to the private IP addresses of your endpoint instead of the public internet IPs.

  • Endpoint Policy: Make sure that the endpoint policy is configured to allow the necessary access (see example):
{
    "Statement": [
        {
            "Action": "*",
            "Effect": "Allow",
            "Resource": "*",
            "Principal": "*"
        }
    ]
}
  • Security Groups: Verify that the security groups associated with the interface endpoint permit inbound traffic (typically on port 443).

To get more visibility into this, you can run a connectivity test using SSM:

Deploy three VPC Interface Endpoints in the me-south-1 (Bahrain) region: ssm, ssmmessages, and ec2messages. These are required for the EC2 instances to securely communicate with the Systems Manager API without traversing the public internet. Please verify that the VPC attributes enableDnsSupport and enableDnsHostnames are active to support the Private DNS resolution for these endpoints.

To enable Systems Manager (SSM) access without internet connectivity, you need to create the following Interface Endpoints within the me-south-1 region:

  • com.amazonaws.me-south-1.ssm
  • com.amazonaws.me-south-1.ssmmessages
  • com.amazonaws.me-south-1.ec2messages

Next step: please ensure a test EC2 instance (Amazon Linux 2!!!) is launched with an IAM Instance Profile containing the AmazonSSMManagedInstanceCore managed policy. This is a prerequisite for the SSM Agent to establish a secure connection with the Systems Manager service via the VPC Interface Endpoints.

Please note that if you modify the policy for a running instance, it may take several minutes for the changes to take effect and for the agent to check in. You might want to test this on a test EC2 instance running Amazon Linux 2 to enforce the changes.

EXPERT
answered a month ago
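The checks listed in the answer above (VPC DNS attributes, the three SSM interface endpoints, private DNS, inbound 443, endpoint policy) can be run in one pass. This is an added example, not part of the original answer: it assumes the inputs are dicts shaped like the EC2 DescribeVpcEndpoints and DescribeSecurityGroups responses, with the two DescribeVpcAttribute results merged into one dict, and the sample data is constructed.

```python
import json

REQUIRED = ("ssm", "ssmmessages", "ec2messages")

def allows_https(group):
    """True if any inbound rule of the security group covers TCP 443."""
    for p in group.get("IpPermissions", []):
        if p.get("IpProtocol") == "-1":  # all protocols, all ports
            return True
        if p.get("IpProtocol") == "tcp" and p["FromPort"] <= 443 <= p["ToPort"]:
            return True
    return False

def is_full_access(policy_json):
    """True if a statement allows "*" actions on "*" resources to principal "*"."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return any(s.get("Effect") == "Allow" and
               all(s.get(k) == "*" for k in ("Action", "Resource", "Principal"))
               for s in stmts)

def audit(region, vpc_attrs, endpoints, groups):
    """Return (blockers, notes) for the SSM endpoint checks in the answer."""
    blockers, notes = [], []
    for attr in ("EnableDnsSupport", "EnableDnsHostnames"):
        if not vpc_attrs.get(attr, {}).get("Value"):
            blockers.append(f"VPC attribute {attr} is not true")
    by_name = {e["ServiceName"]: e for e in endpoints}
    sgs = {g["GroupId"]: g for g in groups}
    for short in REQUIRED:
        name = f"com.amazonaws.{region}.{short}"
        ep = by_name.get(name)
        if ep is None:
            blockers.append(f"{name}: endpoint missing")
            continue
        if not ep.get("PrivateDnsEnabled"):
            blockers.append(f"{name}: private DNS names disabled")
        if not any(allows_https(sgs.get(g["GroupId"], {})) for g in ep.get("Groups", [])):
            blockers.append(f"{name}: no security group allows inbound 443")
        if is_full_access(ep.get("PolicyDocument", "{}")):
            notes.append(f"{name}: full-access endpoint policy")
    return blockers, notes

# Constructed sample input (not real account data): SG only opens port 22.
SG = [{"GroupId": "sg-example", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22}]}]
WILDCARD = '{"Statement":[{"Action":"*","Effect":"Allow","Resource":"*","Principal":"*"}]}'
EPS = [{"ServiceName": f"com.amazonaws.me-south-1.{s}", "PrivateDnsEnabled": s != "ssmmessages",
        "Groups": [{"GroupId": "sg-example"}], "PolicyDocument": WILDCARD} for s in ("ssm", "ssmmessages")]
ATTRS = {"EnableDnsSupport": {"Value": True}, "EnableDnsHostnames": {"Value": False}}
```

A full-access policy is reported as a note rather than a blocker: it rules the policy out as the cause of a connection failure, and it is also the setting to tighten once connectivity is confirmed.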
1

Based on the standard AWS endpoint configuration, the endpoints you're trying to access are correctly formatted and should be operational:

  • EC2 endpoint: ec2.me-south-1.amazonaws.com (HTTPS protocol)
  • Management Console endpoint: me-south-1.console.aws.amazon.com (HTTPS protocol)

These are the official endpoints for the Middle East (Bahrain) region. The fact that your TCP connection establishes but the TLS handshake hangs after Client Hello suggests a network-level issue rather than an endpoint availability problem.

Since you've tested from multiple ISPs in your location with the same result, and other AWS regions work normally, this points to potential network routing or filtering issues specific to traffic destined for the me-south-1 region from your geographic location.

I recommend:

  1. Checking if there are any local network policies or firewall rules blocking TLS connections to this specific region
  2. Verifying that your network allows outbound HTTPS traffic on port 443 to AWS IP ranges for me-south-1
  3. Testing with a VPN connection through a different geographic region to rule out local network restrictions
  4. Contacting AWS Support directly to report the connectivity issue, as they can investigate potential routing problems or regional network issues

The endpoints themselves are standard and operational according to AWS documentation, so the issue appears to be related to network connectivity rather than endpoint availability.
Sources
AWS Management Console endpoints and quotas - AWS General Reference
Amazon EC2 service endpoints - Amazon Elastic Compute Cloud

answered a month ago
EXPERT
reviewed a month ago
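To tell a failed TCP connection apart from the symptom this answer describes (TCP connects, TLS handshake hangs after Client Hello), a probe can report the stage at which the connection stops. This is an added example, not part of the original answer; `probe` and `silent_listener` are hypothetical names, and the listener is a constructed local stand-in for a path that completes TCP but never answers TLS.

```python
import socket
import ssl

def probe(host, port=443, timeout=5.0, context=None):
    """Report the stage at which an HTTPS connection to host:port stops."""
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "dns_failed"
    try:
        sock = socket.create_connection(addr[:2], timeout=timeout)
    except OSError:
        return "tcp_failed"  # refused, unreachable, or connect timed out
    ctx = context or ssl.create_default_context()
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls_ok:" + tls.version()
    except socket.timeout:
        # Client Hello was sent but no Server Hello arrived in time.
        return "tls_handshake_timeout"
    except (ssl.SSLError, OSError):
        return "tls_failed"  # reset, alert, or certificate problem

def silent_listener():
    """Constructed test peer: the kernel completes TCP, nothing ever replies."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    # Endpoints named in the answer above; compare against a working region.
    for h in ("ec2.me-south-1.amazonaws.com", "me-south-1.console.aws.amazon.com"):
        print(h, probe(h))
```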
1

In case you are not aware, there is a war going on in the Middle East and both me-central-1 (UAE) and me-south-1 (Bahrain) are impacted. Details are available on the AWS Health page - https://health.aws.amazon.com/health/status . You can filter by region and service to get details.

EXPERT
answered a month ago
