I'm using a NAT instance to connect instances to the internet in an Amazon Virtual Private Cloud (VPC) subnet. However, the instances have intermittent connection issues.
Short Description
The intermittent connection issues might be caused by the following:
- Port exhaustion on the source.
- Network access control list (network ACL) rules.
- Network connection issues.
Resolution
Reduce port exhaustion on the source
First, check whether the instances in the private subnet have reached their operating system-level connection limits. To get the number of active connections, run the netstat command.
Linux:
netstat -ano | grep ESTABLISHED | wc -l
netstat -ano | grep TIME_WAIT | wc -l
Windows:
netstat -ano | find /i "estab" /c
netstat -ano | find /i "TIME_WAIT" /c
Note: If you configured the TCP parameter that reuses ports in the TIME_WAIT state, then omit the TIME_WAIT command from the previous commands.
If the commands return a value that is near the size of the allowed ephemeral port range, then you might be experiencing port exhaustion.
Next, reduce port exhaustion by increasing the operating system's ephemeral port range.
In Windows, run the following command as an administrator:
netsh int ipv4 set dynamicport tcp start=1025 num=61000
For Linux, run the following command as a root user:
echo 1024 65535 > /proc/sys/net/ipv4/ip_local_port_range
Note: Depending on your Linux distribution, you must also configure the previous parameter so that it persists across reboots. Or, resolve any application-level issues that consume the available connections.
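The following POSIX shell script is an added worked example, not code from the AWS article: it carries out the check described in the steps above by counting ESTABLISHED and TIME_WAIT connections in netstat-style output and comparing the result with the ephemeral port range. The netstat output is a constructed sample, the 80% warning threshold is an assumption of this example, and the fallback range 32768-60999 is the Linux kernel default used when /proc/sys/net/ipv4/ip_local_port_range is not readable.

```shell
#!/bin/sh
# Added example (not from the AWS article): estimate ephemeral port utilization
# from netstat-style output, which is the check the procedure above describes.
# Assumptions: WARN_PERCENT is our own threshold; SAMPLE_NETSTAT is constructed;
# 32768-60999 is the Linux kernel default range used as a fallback.

WARN_PERCENT=80

# Constructed "netstat -ano" style output; not captured from a real host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       Timer
tcp        0      0 10.0.1.23:44512         198.51.100.20:443       ESTABLISHED keepalive (12.34/0/0)
tcp        0      0 10.0.1.23:44513         198.51.100.20:443       TIME_WAIT   timewait (45.10/0/0)
tcp        0      0 10.0.1.23:44514         198.51.100.20:443       TIME_WAIT   timewait (30.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      off (0.00/0/0)
tcp        0      0 10.0.1.23:22            203.0.113.7:51022       ESTABLISHED keepalive (60.00/0/0)'

# count_states: read netstat output on stdin; print "<established> <time_wait>".
# Matching on the State column (field 6) avoids counting header text or addresses.
count_states() {
    awk '$6 == "ESTABLISHED" { e++ } $6 == "TIME_WAIT" { t++ }
         END { printf "%d %d\n", e + 0, t + 0 }'
}

# ports_in_use ESTABLISHED TIME_WAIT TW_REUSE
# When TIME_WAIT reuse is enabled (TW_REUSE=1), TIME_WAIT sockets are not
# counted, matching the article's note to drop TIME_WAIT from the check.
ports_in_use() {
    if [ "$3" = "1" ]; then echo "$1"; else echo $(( $1 + $2 )); fi
}

# port_range_size START END: number of ephemeral ports the OS can hand out.
port_range_size() {
    echo $(( $2 - $1 + 1 ))
}

# utilization_percent USED START END: integer percentage of the range in use.
utilization_percent() {
    echo $(( $1 * 100 / $(port_range_size "$2" "$3") ))
}

# assess USED START END: print WARN when utilization reaches WARN_PERCENT, else OK.
assess() {
    if [ "$(utilization_percent "$1" "$2" "$3")" -ge "$WARN_PERCENT" ]; then
        echo WARN
    else
        echo OK
    fi
}

# Read the live range on Linux; fall back to the kernel default elsewhere.
RANGE_FILE=/proc/sys/net/ipv4/ip_local_port_range
if [ -r "$RANGE_FILE" ]; then
    read -r PORT_START PORT_END < "$RANGE_FILE"
else
    PORT_START=32768
    PORT_END=60999
fi

# Run the check against the constructed sample. On a real host, replace the
# printf with: netstat -ano | count_states
set -- $(printf '%s\n' "$SAMPLE_NETSTAT" | count_states)
USED=$(ports_in_use "$1" "$2" 0)
echo "established=$1 time_wait=$2 ports_in_use=$USED range=$PORT_START-$PORT_END"
echo "utilization=$(utilization_percent "$USED" "$PORT_START" "$PORT_END")% status=$(assess "$USED" "$PORT_START" "$PORT_END")"
```

Because the script reads the range from the same kernel file that the echo command above writes, running it before and after widening the range shows directly how much headroom the change bought; the TW_REUSE flag to ports_in_use lets you apply the article's note about TIME_WAIT reuse without editing the counting logic.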
Verify that the network ACL rules allow traffic for the ephemeral port range
The network ACLs for both the public and private subnets must allow traffic for the ephemeral port range. For more information on setting network ACL rules, see Work with network ACLs. For the port ranges that NAT gateways require, see Ephemeral ports.
Check network connections
If the network performance is degraded on the source, NAT, network medium, or destination, then you will experience connection issues. To resolve this issue, see How do I troubleshoot network performance issues between EC2 Linux or Windows instances in a VPC and an on-premises host over the internet gateway?
If traffic exceeds the instance-level network maximums, then you will also experience network issues. For more information, see Monitor network performance for ENA settings on your EC2 instance.