
How do I troubleshoot connectivity issues between an interface Amazon VPC endpoint and a customer managed endpoint service?


I want to troubleshoot connectivity issues between an Amazon Virtual Private Cloud (Amazon VPC) endpoint and an endpoint service that a customer manages.

Short description

To troubleshoot connectivity issues between an interface Amazon VPC endpoint and an endpoint service that a customer manages, check the following configurations:

  • Endpoint connection state
  • Availability Zone mapping
  • Availability Zone independence
  • Network Load Balancer response
  • Network Load Balancer listener port
  • Network Load Balancer security group
  • Zonal DNS name
  • Security group and the network access control list (network ACL) rules

Resolution

Troubleshoot connectivity issues with Amazon VPC Reachability Analyzer

Use Amazon VPC Reachability Analyzer to analyze the path between the client and the endpoint service. For more information, see How Reachability Analyzer works.

Note: To analyze paths across multiple AWS accounts, activate trusted access for Reachability Analyzer with your organization from AWS Organizations. Amazon VPC Reachability Analyzer supports cross-account analysis for only the accounts inside your organization.

Check the interface endpoint's connection state

Verify that the endpoint connection is in the Available state. If the endpoint connection is in the Pending or Rejected state, then the connections that the endpoint sends to the Network Load Balancer time out.

Complete the following steps:

  1. Grant a service consumer the permissions to create an interface endpoint to the service.
  2. Accept the connection request. If you don't accept the connection request, then the service consumer can't access your endpoint service.
  3. Request that your endpoint service provider accepts the endpoint connection request to activate the connection.
    Note: By default, the endpoint service provider must manually accept the connection requests. The endpoint service provider can configure the acceptance settings to automatically accept connection requests.

Check the Availability Zone mapping

To resolve or prevent issues with Availability Zone mapping, make sure that you use AZ ID when you create resources. For more information, see How do I resolve the "endpoint does not support the Availability Zone" error when I try to map an Amazon VPC endpoint?

Check the Availability Zone independence

If the service provider's Network Load Balancer has an unhealthy target in one Availability Zone, then turn on cross-zone load balancing so that requests can be routed to healthy targets in the other zones.

Check the Network Load Balancer's response

Connect to an Amazon Elastic Compute Cloud (Amazon EC2) instance in the same Amazon VPC as the Network Load Balancer. Then, run one of the following commands to simulate a connection request:

  • TCP:

    telnet example-nlb-dns-name example-port
  • HTTP:

    curl -v http://example-nlb-dns-name:example-port
  • HTTPS:

    curl -v https://example-nlb-dns-name:example-port

    Note: Replace example-nlb-dns-name with your Network Load Balancer's DNS name. Replace example-port with the port number that you configured your Network Load Balancer to listen on.

If you don't receive the response that you expect, then troubleshoot your Network Load Balancer.

Check the Network Load Balancer's listener port

If you receive a "Connection refused" error, then verify that the interface Amazon VPC endpoint sends traffic to the Network Load Balancer's listener port.

Check the Network Load Balancer's security group

Verify that your Network Load Balancer’s security group allows inbound traffic from the client's IP addresses. You can also deactivate inbound security group rule evaluations for traffic through AWS PrivateLink.
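The connection-state, listener-port and security-group checks above can be run as one triage pass over the JSON that the AWS CLI returns. The following script is an added example, not part of the AWS article: it assumes input shaped like the CLI responses of describe-vpc-endpoint-connections (VpcEndpointState), describe-listeners (Port), describe-security-group-rules (IsEgress, IpProtocol, FromPort, ToPort, CidrIpv4) and the EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic attribute of describe-load-balancers, and uses constructed sample data with placeholder IDs.

```python
import ipaddress

# Added example, not from the AWS article. Input dictionaries are shaped like
# the AWS CLI JSON responses named in the lead-in; replace the constructed
# sample data at the bottom with the real `aws ec2` / `aws elbv2` output.

def check_connection_state(connections):
    """Endpoint connections that are not 'available' (pending/rejected connections time out)."""
    return [f"{c['VpcEndpointId']}: state is {c['VpcEndpointState']}"
            for c in connections if c["VpcEndpointState"] != "available"]

def check_listener_port(listeners, client_port):
    """The endpoint forwards to the NLB on the client's port, so a listener must exist there."""
    ports = sorted(l["Port"] for l in listeners)
    if client_port not in ports:
        return [f"no NLB listener on port {client_port} (listeners: {ports}); expect 'Connection refused'"]
    return []

def _rule_allows(rule, port, client_ip):
    """True when an inbound rule covers tcp/<port> from client_ip (IpProtocol -1 means all traffic)."""
    if rule["IsEgress"] or rule["IpProtocol"] not in ("tcp", "-1"):
        return False
    if rule["IpProtocol"] == "tcp" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    return client_ip in ipaddress.ip_network(rule["CidrIpv4"])

def check_nlb_security_group(sg_rules, client_port, client_ip, enforce="on"):
    """Inbound SG rules only matter when the NLB enforces them on PrivateLink traffic."""
    if enforce == "off":
        return []
    ip = ipaddress.ip_address(client_ip)
    if not any(_rule_allows(r, client_port, ip) for r in sg_rules):
        return [f"NLB security group has no inbound rule for {client_ip} on tcp/{client_port}"]
    return []

def triage(connections, listeners, sg_rules, client_port, client_ip, enforce="on"):
    return (check_connection_state(connections)
            + check_listener_port(listeners, client_port)
            + check_nlb_security_group(sg_rules, client_port, client_ip, enforce))

# Constructed sample data (IDs and addresses are placeholders, not real resources).
SAMPLE_CONNECTIONS = [{"VpcEndpointId": "vpce-0example", "VpcEndpointState": "pendingAcceptance"}]
SAMPLE_LISTENERS = [{"Port": 443, "Protocol": "TCP"}]
SAMPLE_SG_RULES = [{"IsEgress": False, "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                    "CidrIpv4": "10.0.0.0/16"}]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CONNECTIONS, SAMPLE_LISTENERS, SAMPLE_SG_RULES, 8443, "10.0.1.25"):
        print("FINDING:", finding)
```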

Check the Zonal DNS name

If you use a Zonal DNS name for the interface Amazon VPC endpoint, then check the Availability Zone's responsiveness on the service provider's end.

Note: It's a best practice to use the AWS Regional DNS name so that AWS sends requests only to healthy Availability Zones.

Troubleshoot connectivity issues with the service consumer interface endpoint

Make sure that the security group and network ACL rules allow traffic to and from the endpoint service. For more information, see How do I troubleshoot connectivity issues with my Amazon VPC interface endpoints?

AWS OFFICIAL. Updated 6 months ago.