I want to troubleshoot connectivity issues with my gateway Amazon Virtual Private Cloud (Amazon VPC) endpoints.
Resolution
Gateway VPC endpoint connectivity issues are usually caused by network access or security rules that block the connection.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
Use Reachability Analyzer
Use Reachability Analyzer to troubleshoot connectivity issues between the source and gateway endpoint. For more information, see How do I use Amazon VPC Reachability Analyzer to troubleshoot connectivity issues with an Amazon VPC resource?
Check the Region configurations
Gateway endpoints are available only in the Region that you create them. Make sure to create your gateway endpoint in the same Region as your Amazon Simple Storage Service (Amazon S3) buckets or Amazon DynamoDB tables. To find the Region of your bucket, run the get-bucket-location AWS CLI command.
Also, when you use an SDK to access a service from the gateway endpoint, configure the Region to the same location as the service resources. You can use the Config object for Boto3 and aws configure for the AWS CLI.
Note: Requests that you send to an incorrect Region might cause timeouts or allow access to the service over the internet. This depends on the route table that you configured on the source subnet.
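The Region check above has one trap: get-bucket-location reports legacy values for older buckets (a null LocationConstraint for us-east-1, and "EU" for eu-west-1), so a naive string comparison against the endpoint Region fails. The following added example (not from the AWS article) normalizes those values and lists the buckets that a gateway endpoint in a given Region cannot reach; the responses are constructed samples shaped like `aws s3api get-bucket-location` output and no AWS call is made.

```python
"""Compare a bucket's Region (from get-bucket-location) with the Region of the
gateway endpoint.

Added example, not from the AWS article. The responses below are constructed to
match the shape of `aws s3api get-bucket-location` output; no AWS call is made.
"""

# Values the API returns for buckets created before Region names were standardized.
LEGACY_LOCATIONS = {
    None: "us-east-1",  # buckets in us-east-1 report a null LocationConstraint
    "EU": "eu-west-1",  # legacy value for the Ireland Region
}

# Constructed sample responses keyed by bucket name (placeholder names).
SAMPLE_RESPONSES = {
    "example-logs": {"LocationConstraint": None},
    "example-data": {"LocationConstraint": "us-west-2"},
    "example-legacy-eu": {"LocationConstraint": "EU"},
}


def bucket_region(response):
    """Return the bucket's Region name from a get-bucket-location response."""
    constraint = response.get("LocationConstraint")
    return LEGACY_LOCATIONS.get(constraint, constraint)


def region_mismatches(endpoint_region, responses):
    """Return {bucket: region} for every bucket outside the endpoint's Region."""
    return {
        name: bucket_region(resp)
        for name, resp in responses.items()
        if bucket_region(resp) != endpoint_region
    }


if __name__ == "__main__":
    for bucket, region in region_mismatches("us-east-1", SAMPLE_RESPONSES).items():
        print(f"{bucket}: in {region}, not reachable through a us-east-1 gateway endpoint")
```

Feed the function the parsed JSON from a real get-bucket-location call for each bucket the workload uses; any bucket it reports needs its own gateway endpoint in its Region, or its requests leave the VPC as the Note above describes.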
Check the DNS resolution
Update the DNS attributes in your VPC to activate the DNS resolution. If you use your own DNS server, then make sure that DNS requests to AWS services resolve to the IP addresses that AWS maintains.
Check the subnet route table settings
Check the route table settings to confirm that there's a route to Amazon S3 and DynamoDB that uses the gateway VPC endpoint.
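Two details make the route table check easy to get wrong: a subnet with no explicit association uses the VPC's main route table, and a prefix-list route whose State is blackhole (the endpoint was deleted) does not carry traffic. The following added example (not from the AWS article) applies both rules to a constructed dict shaped like `aws ec2 describe-route-tables` output for one VPC; every ID in it is a placeholder.

```python
"""Find the route that carries a subnet's traffic for a service prefix list and
confirm it points at a gateway endpoint.

Added example, not from the AWS article. ROUTE_TABLES is a constructed dict in
the shape of `aws ec2 describe-route-tables` output for one VPC; every ID is a
placeholder.
"""

# Constructed sample: a main table with only the local route, and a private
# subnet table with a prefix-list route through a gateway endpoint.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-EXAMPLEMAIN",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {
        "RouteTableId": "rtb-EXAMPLEPRIV",
        "Associations": [{"Main": False, "SubnetId": "subnet-EXAMPLE1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationPrefixListId": "pl-EXAMPLE1", "GatewayId": "vpce-EXAMPLE1", "State": "active"},
        ],
    },
]


def route_table_for_subnet(route_tables, subnet_id):
    """Return the table explicitly associated with the subnet, or the VPC's main
    table when there is no explicit association (the VPC's own fallback rule).
    Assumes route_tables was fetched for a single VPC."""
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def gateway_endpoint_route(route_tables, subnet_id, prefix_list_id):
    """Return the active prefix-list route via a gateway endpoint, or None.
    A route whose State is 'blackhole' (endpoint deleted) does not count."""
    table = route_table_for_subnet(route_tables, subnet_id)
    for route in (table or {}).get("Routes", []):
        if (route.get("DestinationPrefixListId") == prefix_list_id
                and route.get("GatewayId", "").startswith("vpce-")
                and route.get("State") == "active"):
            return route
    return None


if __name__ == "__main__":
    for subnet in ("subnet-EXAMPLE1", "subnet-EXAMPLE2"):
        route = gateway_endpoint_route(ROUTE_TABLES, subnet, "pl-EXAMPLE1")
        print(subnet, "->", route["GatewayId"] if route else "no gateway endpoint route")
```

In the sample, subnet-EXAMPLE2 has no association, falls back to the main table, and therefore has no endpoint route, which is the usual cause when only some subnets in a VPC can reach the service.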
Check the security groups
Check the security groups that are associated with the source that initiates the connections to Amazon S3 and DynamoDB. Confirm that the available outbound rules allow traffic to Amazon S3 or DynamoDB. If the security group has more restrictive rules than the default outbound rules, then confirm one of the following:
- There's an outbound rule that allows traffic to the ID of the prefix list that's associated with the gateway VPC endpoint.
- There's a service-specific CIDR block (IP address range) in the destination. If there isn't a service-specific CIDR block, then you can't add one. It's a best practice to use the prefix list ID that the service provides because AWS manages prefix list IP address ranges.
To view the public IP address CIDRs for Amazon S3 and DynamoDB in a specific Region, run the describe-prefix-lists AWS CLI command:
aws ec2 describe-prefix-lists --region example-Region
Note: Replace example-Region with your Region.
Check the network ACL rules
Subnet network access control lists (network ACLs) must allow inbound and outbound TCP connections to Amazon S3 or DynamoDB service CIDRs within the Region.
Add network ACL rules that allow these inbound and outbound TCP connections.
Note: By default, network ACLs allow all inbound and outbound IPv4 and IPv6 traffic. If your network ACL rules restrict traffic, then specify the CIDR block for the service that you created the gateway endpoint for. It's a best practice to set notifications for when service IP addresses change, and use scripts to automatically update the network ACL rules. For more information, see How do I get notifications when Amazon S3 changes its IP address?
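The security group check and the network ACL check above both come down to comparing rules against the CIDRs that describe-prefix-lists returns, but the two are evaluated differently: a security group allows traffic if any rule matches (and a rule that names the prefix list ID covers every range in it), whereas a network ACL is stateless and takes the first matching entry in rule-number order, so the return traffic on ephemeral client ports must be allowed separately. The following added example (not from the AWS article) implements both evaluations over constructed data shaped like `describe-prefix-lists`, `describe-security-groups` and `describe-network-acls` output; the CIDRs are documentation ranges rather than AWS ranges, and it assumes the service is reached over HTTPS (TCP 443).

```python
"""Evaluate security-group egress rules and network ACL entries against the
CIDRs of a service prefix list.

Added example, not from the AWS article. PREFIX_LIST, SECURITY_GROUPS and
NACL_ENTRIES are constructed in the shape of `aws ec2 describe-prefix-lists`,
`describe-security-groups` and `describe-network-acls` output; the CIDRs are
documentation ranges, not AWS ranges. Assumes the service is reached over
HTTPS (TCP 443); the inbound check uses a sample ephemeral client port.
"""
import ipaddress

SERVICE_PORT = 443  # assumption: HTTPS to S3/DynamoDB

PREFIX_LIST = {"PrefixListId": "pl-EXAMPLE1", "Cidrs": ["203.0.113.0/24", "198.51.100.0/24"]}

SECURITY_GROUPS = {
    # Only one of the two service ranges is allowed by CIDR: a partial gap.
    "sg-EXAMPLECIDR": {"IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "PrefixListIds": []}]},
    # Referencing the prefix list ID covers every range AWS publishes for it.
    "sg-EXAMPLEPL": {"IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [], "PrefixListIds": [{"PrefixListId": "pl-EXAMPLE1"}]}]},
}

NACL_ENTRIES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 110, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]


def _port_in_range(from_port, to_port, port):
    # Rules for all protocols ("-1") carry no port fields and match every port.
    return from_port is None or from_port <= port <= to_port


def sg_egress_gaps(group, prefix_list, port=SERVICE_PORT):
    """Return the service CIDRs that no egress rule allows (empty list means OK)."""
    uncovered = [ipaddress.ip_network(c) for c in prefix_list["Cidrs"]]
    for rule in group["IpPermissionsEgress"]:
        if rule["IpProtocol"] not in ("-1", "tcp"):
            continue
        if not _port_in_range(rule.get("FromPort"), rule.get("ToPort"), port):
            continue
        if any(p["PrefixListId"] == prefix_list["PrefixListId"] for p in rule.get("PrefixListIds", [])):
            return []
        for ip_range in rule.get("IpRanges", []):
            allowed = ipaddress.ip_network(ip_range["CidrIp"])
            uncovered = [c for c in uncovered if not c.subnet_of(allowed)]
    return [str(c) for c in uncovered]


def nacl_decision(entries, egress, cidr, port):
    """Return 'allow' or 'deny' for TCP traffic to/from cidr on port, walking the
    entries in ascending rule-number order as the VPC does (first match wins).
    Network ACLs are stateless, so return traffic (egress=False) must be allowed
    separately on the ephemeral client ports."""
    target = ipaddress.ip_network(cidr)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress or "CidrBlock" not in entry:
            continue  # other direction, or an IPv6-only entry
        if entry["Protocol"] not in ("-1", "6"):
            continue
        port_range = entry.get("PortRange")
        if port_range and not _port_in_range(port_range["From"], port_range["To"], port):
            continue
        if target.subnet_of(ipaddress.ip_network(entry["CidrBlock"])):
            return entry["RuleAction"]
    return "deny"  # nothing matched: the final '*' rule denies


def nacl_gaps(entries, prefix_list, port=SERVICE_PORT):
    """Return the service CIDRs that the network ACL does not allow outbound."""
    return [c for c in prefix_list["Cidrs"] if nacl_decision(entries, True, c, port) != "allow"]


if __name__ == "__main__":
    for sg_id, group in SECURITY_GROUPS.items():
        print(sg_id, "egress gaps:", sg_egress_gaps(group, PREFIX_LIST))
    print("network ACL outbound gaps:", nacl_gaps(NACL_ENTRIES, PREFIX_LIST))
    print("return traffic on port 49152:", nacl_decision(NACL_ENTRIES, False, "203.0.113.0/24", 49152))
```

The sample shows why the article recommends the prefix list ID over hand-copied CIDRs: sg-EXAMPLECIDR and the network ACL each allow only one of the two published ranges, so connections to addresses in the other range fail intermittently, which looks like a flaky endpoint rather than a rule gap.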
Check the VPC endpoint policy
Review the VPC endpoint policy to determine whether it's a custom policy or the default policy. A custom endpoint policy must allow access to perform actions against the service. A default endpoint policy allows complete access to the service. For more information, see Control access to VPC endpoints using endpoint policies.
Check the Amazon S3 bucket policy
Review the Amazon S3 bucket policy to confirm that the policy allows access from the gateway VPC endpoint and the VPC. For more information, see Controlling access from VPC endpoints with bucket policies.
Note: Your bucket policy can restrict access only from a specific public or Elastic IP address that's associated with an instance in a VPC. The policy can restrict access based on private IP addresses that are associated with instances. For more information, see Examples of Amazon S3 bucket policies.
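A bucket policy that was written to force traffic through a gateway endpoint typically carries a Deny statement conditioned on aws:sourceVpce or aws:sourceVpc, and a stale endpoint or VPC ID in that condition blocks every request from the new endpoint. The following added example (not from the AWS article) screens a constructed policy for the Deny statements that would apply to a request arriving through a given endpoint; it evaluates only StringEquals and StringNotEquals on those two keys and ignores Resource and Principal, so it is a screening aid rather than a full IAM evaluator, and every ID in it is a placeholder.

```python
"""Screen a bucket policy for Deny statements that would block a request arriving
through a given gateway endpoint.

Added example, not from the AWS article. POLICY and the endpoint/VPC IDs are
constructed. Only StringEquals and StringNotEquals on the aws:sourceVpce and
aws:sourceVpc keys are evaluated; statements with other operators or keys are
reported as not matching, so this is a screening aid, not a full IAM evaluator.
"""
import fnmatch

# Constructed policy: the common "deny everything unless it comes through our
# endpoint" pattern, still pinned to an old endpoint ID.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DenyUnlessFromEndpoint", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-EXAMPLEOLD"}}},
        {"Sid": "DenyWrongVpc", "Effect": "Deny", "Principal": "*",
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringNotEquals": {"aws:sourceVpc": "vpc-EXAMPLE1"}}},
    ],
}


def _as_list(value):
    # Policy documents allow a single string wherever a list is accepted.
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """True when every clause holds. Context keys are compared case-insensitively,
    and a missing key makes StringEquals false but StringNotEquals true, as IAM does."""
    for operator, clauses in condition.items():
        for key, expected in clauses.items():
            actual = context.get(key.lower())
            expected = _as_list(expected)
            if operator == "StringEquals":
                if actual is None or actual not in expected:
                    return False
            elif operator == "StringNotEquals":
                if actual is not None and actual in expected:
                    return False
            else:
                return False  # unsupported operator: treat as not matching
    return True


def blocking_deny_statements(policy, action, source_vpce, source_vpc):
    """Return the Sids of Deny statements that apply to `action` for a request
    from source_vpce / source_vpc. Resource and Principal are not evaluated."""
    context = {"aws:sourcevpce": source_vpce, "aws:sourcevpc": source_vpc}
    hits = []
    for index, statement in enumerate(_as_list(policy["Statement"])):
        if statement.get("Effect") != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(statement.get("Action", []))):
            continue
        if _condition_holds(statement.get("Condition", {}), context):
            hits.append(statement.get("Sid", f"statement-{index}"))
    return hits


if __name__ == "__main__":
    for vpce in ("vpce-EXAMPLEOLD", "vpce-EXAMPLENEW"):
        print(vpce, "blocked by:", blocking_deny_statements(POLICY, "s3:GetObject", vpce, "vpc-EXAMPLE1"))
```

Run it with the output of `aws s3api get-bucket-policy` (the Policy field is a JSON string that needs json.loads first) and the endpoint ID from `aws ec2 describe-vpc-endpoints`; an empty result for the endpoint you expect traffic to use means the bucket policy is not the cause, and the IAM policy check that follows is the next place to look.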
If you use a proxy server, then confirm that your VPC connections are allowed through the server. If you don't use a proxy server for Amazon S3, then run the following command to bypass the proxy server when you access your bucket:
export no_proxy=s3.example-Region.amazonaws.com
Note: Replace example-Region with your Region.
Check the IAM policy
Check the AWS Identity and Access Management (IAM) policy to confirm that the IAM user or role that makes the requests has the required permissions to access Amazon S3. For more information, see How to restrict Amazon S3 bucket access to a specific IAM role and Controlling access to a bucket with user policies.
Check the traffic flow over a gateway endpoint
To check whether traffic is going through a gateway endpoint or interface endpoint, see How do I check if my Amazon S3 traffic is going through a gateway Amazon VPC endpoint or an interface Amazon VPC endpoint?
Related information
Access management for AWS resources