
Why does my Amazon VPC internet connectivity fail when I attach BYOIP to my resources?


I want to troubleshoot internet connectivity issues that begin after I assign a bring your own IP (BYOIP) address to resources in my Amazon Virtual Private Cloud (Amazon VPC).

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Troubleshoot Amazon VPC connectivity issues with Reachability Analyzer

Use Amazon VPC Reachability Analyzer to check for security group, network access control list (network ACL), and route table configurations that might cause connection issues. You can also use Reachability Analyzer to analyze paths across multiple AWS accounts in your organization. For more information, see How Reachability Analyzer works.

Troubleshoot your BYOIP CIDR range

Complete the following steps:

  1. Log in to the AWS account that you used to provision your BYOIP CIDR block.
  2. Run the following describe-byoip-cidrs AWS CLI command to review your BYOIP configuration:
    aws ec2 describe-byoip-cidrs --max-results 5 --region example-region
    Note: Replace example-region with your AWS Region.
    -or-
    Review your BYOIP configuration in the Amazon EC2 Console.
  3. Check that you correctly configured your Route Origin Authorization (ROA) and certificate: the ROA in your Regional Internet Registry's RPKI must authorize Amazon's ASNs (16509 and 14618) to originate the range, and the self-signed X.509 certificate and signed authorization message must be published in the RDAP record for the range. Then verify that your BYOIP address range is in the provisioned state (the State field in the describe-byoip-cidrs output). If your BYOIP range isn't provisioned, then provision it.
  4. Run the following advertise-byoip-cidr command to advertise your address range:
    aws ec2 advertise-byoip-cidr --cidr example-address-range --region example-region
    Note: Replace example-address-range with your address range and example-region with your Region.
  5. In the output, verify that your address range is in the advertised state. Your BYOIP CIDR block must be in the advertised state for resources that use its addresses to be reachable from the internet. Note that the command returns before the advertisement has propagated; re-run describe-byoip-cidrs until the State field reads advertised.

Be sure not to advertise any portion of your address range from other Regions. If describe-byoip-cidrs in another Region shows the range (or any part of it) as advertised there, run the withdraw-byoip-cidr command in that Region to stop advertising it:

aws ec2 withdraw-byoip-cidr --cidr example-address-range --region example-region

Note: Replace example-address-range with your address range, and example-region with your Region.
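The following script is an added example and is not part of the AWS article. It wraps the describe, advertise and withdraw steps above into a small shell procedure: byoip_next_action is an offline decision table that maps the State value returned by describe-byoip-cidrs to the step you should take next, byoip_advertised_regions finds Regions that also advertise the range, and byoip_troubleshoot runs the check for one range in its home Region. The functions that call the AWS CLI need credentials and the CLI installed; the placeholders example-address-range and example-region are the same ones the article uses. The function and variable names are this example's own, not AWS CLI features.

```shell
#!/bin/sh
# Added example (not AWS's own code): drive the BYOIP checks from the article.
# Only byoip_next_action runs offline; the rest call the AWS CLI.

# State of one BYOIP CIDR in one Region. Prints "None" when that Region has
# no record of the range (the CLI renders a null query result as None).
byoip_state() {
    cidr=$1; region=$2
    aws ec2 describe-byoip-cidrs --max-results 5 --region "$region" \
        --query "ByoipCidrs[?Cidr=='$cidr'].State | [0]" --output text
}

# Map a ByoipCidr State value to the next step of the procedure.
# Prints exactly one word so callers can branch on it.
byoip_next_action() {
    case "$1" in
        advertised)
            # Range is reachable from the internet; any remaining problem is in
            # route tables, security groups or network ACLs, not in BYOIP.
            echo ok ;;
        provisioned)
            # Provisioned but not yet announced: run advertise-byoip-cidr.
            echo advertise ;;
        provisioned-not-publicly-advertisable)
            # Range was provisioned as not publicly advertisable and cannot be
            # advertised; it must be deprovisioned and provisioned again.
            echo not-advertisable ;;
        pending-provision|pending-deprovision)
            echo wait ;;
        failed-provision|failed-deprovision)
            # Provisioning was rejected: re-check the ROA and the certificate
            # in the RDAP record before trying again.
            echo fix-roa ;;
        deprovisioned|None|"")
            echo provision ;;
        *)
            echo unknown; return 1 ;;
    esac
}

# Print every Region among the arguments that currently advertises the CIDR.
# The article requires that no other Region advertises any part of the range,
# so each extra line is a Region where withdraw-byoip-cidr is needed.
byoip_advertised_regions() {
    cidr=$1; shift
    for r in "$@"; do
        [ "$(byoip_state "$cidr" "$r")" = advertised ] && echo "$r"
    done
    return 0
}

# Walk the procedure for one range in its home Region and advertise it when
# it is provisioned but not yet advertised.
byoip_troubleshoot() {
    cidr=$1; region=$2
    state=$(byoip_state "$cidr" "$region")
    action=$(byoip_next_action "$state")
    echo "$cidr in $region: state=$state next=$action"
    if [ "$action" = advertise ]; then
        aws ec2 advertise-byoip-cidr --cidr "$cidr" --region "$region" \
            --query 'ByoipCidr.State' --output text
    fi
}

# Usage (requires the AWS CLI and credentials for the provisioning account):
#   byoip_troubleshoot example-address-range example-region
#   byoip_advertised_regions example-address-range us-east-1 eu-west-1
```

The state names in byoip_next_action are the values the EC2 API returns in the ByoipCidr State field; anything else falls through to unknown with a non-zero exit so a calling script fails loudly rather than advertising on a guess.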

Manually troubleshoot Amazon VPC connectivity issues

Verify that you configured your VPC's route tables to direct traffic destined for the internet (destination 0.0.0.0/0) through an internet gateway for subnets whose instances hold a public or Elastic IP address, including BYOIP addresses, or through a NAT gateway for instances in private subnets. Then, make sure that your security groups and network ACLs allow the necessary inbound and outbound traffic to and from the internet. Remember that network ACLs are stateless, so return traffic needs an explicit allow rule as well.

For more information, see How do I troubleshoot connectivity issues between two endpoints in VPC?

AWS OFFICIAL. Updated 4 months ago.