How do I troubleshoot connectivity issues with my Amazon VPC interface endpoints?


I want to troubleshoot connectivity issues with my Amazon Virtual Private Cloud (Amazon VPC) interface endpoints.

Short description

To troubleshoot connectivity issues with your interface Amazon VPC endpoints, check the following:

  • DNS name resolution
  • Endpoint policy
  • Security group of the Amazon VPC endpoint
  • Subnet network access control lists (network ACLs)
  • Routing configuration
  • Reachability Analyzer results
  • Connectivity to the interface Amazon VPC endpoints

Resolution

DNS name resolution

When private DNS names are turned on for the endpoint, the service's default public DNS name (for example, ec2.us-east-1.amazonaws.com) resolves from inside the Amazon VPC to the private IP addresses of the interface endpoint's elastic network interfaces, so AWS API calls work without any change to the client. Private DNS requires the VPC attributes enableDnsSupport and enableDnsHostnames to be turned on, and the private names resolve only through the Amazon-provided resolver inside the VPC; clients on premises need their DNS queries forwarded to a Route 53 Resolver inbound endpoint in the VPC. If private DNS names aren't turned on, the public name resolves to the public service IP addresses and bypasses the endpoint, so you must specify the Regional or zonal endpoint-specific DNS name (shown in the endpoint's details) when you run the API calls, for example with the AWS CLI --endpoint-url option.

To confirm DNS resolution for the name that you want to connect to, use the dig or nslookup commands from an instance inside the Amazon VPC. With private DNS on, the answer must contain only private IP addresses that belong to the endpoint's subnets; public IP addresses in the answer mean that the traffic isn't going through the endpoint.

For more information, see Why can't I resolve service domain names for an interface VPC endpoint?

Endpoint policy

The default endpoint policy allows full access to the service. When you use a custom policy, make sure that the policy allows the principals, actions, and resources that your clients need. An endpoint policy doesn't replace IAM permissions; the caller still needs an identity-based policy that allows the action. A request that the endpoint policy blocks fails with an authorization error from the service (such as AccessDenied) over a connection that was established successfully, not with a timeout, which separates it from the network issues covered in the following sections. For more information, see Control access to VPC endpoints using endpoint policies.

Security group of the Amazon VPC endpoint

Security groups can be associated with interface Amazon VPC endpoints to control access. Make sure that the security group's inbound rules allow traffic from the source (the client's security group or CIDR block) to the port and protocol that the service accepts connections on, which is TCP 443 for most AWS services. Security groups are stateful, so the endpoint security group's outbound rules don't affect the reply traffic.

Note: If you create an interface endpoint and don't select a security group, then the default security group of the VPC is used. The default security group's only inbound rule allows traffic from resources that use that same security group, so clients that use a different security group are dropped until you add an inbound rule for them.

Subnet network ACLs

Check that the subnet network ACLs allow inbound and outbound connections to the interface endpoint elastic network interfaces. Network ACLs are stateless, so the ACL on the endpoint's subnet must allow the inbound request on the service port (for example, TCP 443) and the outbound reply to the client's ephemeral source ports (1024-65535), and the ACL on the client's subnet needs the mirror-image rules. Rules are evaluated in ascending rule number and the first match wins, so a low-numbered deny rule overrides a later allow. When you connect from outside of the Amazon VPC, make sure that the source networks are allowed in the same way.

For more information, see How do I configure security groups and network ACLs when creating a VPC interface endpoint for endpoint services?
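The following is an added example, not code from the AWS article, that evaluates the two checks from the security group and network ACL sections together: it decides whether one client can reach an endpoint ENI on the service port under a given security group (stateful, inbound rules only) and network ACL (stateless, ordered rules, reply traffic to ephemeral ports). The dicts follow the shape of `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` output; every ID, CIDR, and rule in them is constructed for the example.

```python
"""Added example (not from the AWS article): evaluate an endpoint security group
and subnet network ACL for one client. All IDs, CIDRs and rules are constructed."""
import ipaddress


def _sg_port_matches(perm, port):
    if perm["IpProtocol"] == "-1":        # "all traffic" rule, no port fields
        return True
    if perm["IpProtocol"] != "tcp":
        return False
    return perm["FromPort"] <= port <= perm["ToPort"]


def sg_allows_inbound(sg, port, source_ip=None, source_sg_id=None):
    """Stateful: only inbound rules matter. A CIDR rule matches the client's
    address; a UserIdGroupPairs rule matches only when the client's own security
    group is the referenced group (the default security group's single inbound
    rule references itself, so clients in any other group are dropped)."""
    for perm in sg["IpPermissions"]:
        if not _sg_port_matches(perm, port):
            continue
        if source_ip is not None:
            addr = ipaddress.ip_address(source_ip)
            if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])):
                return True
        if source_sg_id is not None:
            if any(p["GroupId"] == source_sg_id for p in perm.get("UserIdGroupPairs", [])):
                return True
    return False


def nacl_decision(nacl, egress, remote_ip, port):
    """Stateless and ordered: entries are tried in ascending RuleNumber and the
    first match decides, so a low-numbered deny beats a later allow. Entries use
    IANA protocol numbers ("6" = TCP, "-1" = all); rule 32767 is the catch-all deny."""
    addr = ipaddress.ip_address(remote_ip)
    for entry in sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                        key=lambda e: e["RuleNumber"]):
        if addr not in ipaddress.ip_network(entry["CidrBlock"]):
            continue
        if entry["Protocol"] != "-1":
            if entry["Protocol"] != "6":
                continue
            pr = entry.get("PortRange", {"From": 0, "To": 65535})
            if not pr["From"] <= port <= pr["To"]:
                continue
        return entry["RuleAction"]
    return "deny"


def nacl_allows_flow(nacl, client_ip, service_port, client_port=50000):
    """One TCP connection needs two decisions on the endpoint subnet's ACL: the
    inbound request to service_port and the outbound reply to the client's
    ephemeral source port. Returns (request_allowed, reply_allowed)."""
    request = nacl_decision(nacl, False, client_ip, service_port) == "allow"
    reply = nacl_decision(nacl, True, client_ip, client_port) == "allow"
    return request, reply


# Constructed samples: an endpoint security group that allows HTTPS from the VPC,
# a default-style group that only references itself, and a subnet ACL with a
# low-numbered deny for one client subnet ahead of the allow rules.
ENDPOINT_SG = {"GroupId": "sg-0endpoint", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]}
DEFAULT_SG = {"GroupId": "sg-0default", "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0default"}]}]}
ENDPOINT_NACL = {"Entries": [
    {"RuleNumber": 50, "Egress": False, "Protocol": "6", "RuleAction": "deny",
     "CidrBlock": "10.0.9.0/24", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"}]}


def diagnose(sg, nacl, client_ip, client_sg_id, port=443):
    """Return the first layer that drops the client, or None when both pass."""
    if not sg_allows_inbound(sg, port, source_ip=client_ip, source_sg_id=client_sg_id):
        return "security group"
    request, reply = nacl_allows_flow(nacl, client_ip, port)
    if not request:
        return "network ACL inbound"
    if not reply:
        return "network ACL outbound (reply to ephemeral port)"
    return None


if __name__ == "__main__":
    print(diagnose(ENDPOINT_SG, ENDPOINT_NACL, "10.0.5.9", "sg-0client"))  # None
    print(diagnose(DEFAULT_SG, ENDPOINT_NACL, "10.0.5.9", "sg-0client"))   # security group
    print(diagnose(ENDPOINT_SG, ENDPOINT_NACL, "10.0.9.7", "sg-0client"))  # network ACL inbound
```

To use it against a real account, load the `IpPermissions` of the endpoint's security group and the `Entries` of the subnet's network ACL from the two describe calls named in the lead-in and pass the client's private IP and security group ID; the default-security-group case in the sample is the one that most often surprises people, because the endpoint answers for clients in that group and silently drops everyone else.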

Routing configuration

Interface Amazon VPC endpoints can be used to access services privately from within AWS or from an on-premises network. When you connect from within the same Amazon VPC as the interface endpoint, the local route in the subnet route tables carries the traffic, and no additional routing configuration is needed.

If you connect to the endpoint from outside of the Amazon VPC (for example, over VPC peering, AWS Transit Gateway, AWS Direct Connect, or AWS Site-to-Site VPN), then make sure that routes exist in both directions: from the source network to the subnets that contain the interface endpoint elastic network interfaces, and from those subnets back to the source network.

Reachability Analyzer results

Use Reachability Analyzer to troubleshoot connectivity issues between the source and interface endpoint. For more information, see How do I use Amazon VPC Reachability Analyzer to troubleshoot connectivity issues with an Amazon VPC resource?

Connectivity to the interface Amazon VPC endpoints

To check whether an interface endpoint can be used to reach a service, use a network connectivity tool such as telnet or nc on the port that the service listens on (443 for most AWS services). A connection that hangs and times out points at the security group, network ACLs, or routing; a name that fails to resolve points at DNS; and a connection that succeeds but whose API call is rejected points at the endpoint policy or IAM.

If private DNS is on, test the service name, which must resolve to the endpoint:

telnet ec2.us-east-1.amazonaws.com 443

Whether private DNS is on or off, you can also test an endpoint elastic network interface directly. Replace <example-private-IP-interface-endpoint-ENI> with the private IP address of one of your interface endpoint's elastic network interfaces:

telnet <example-private-IP-interface-endpoint-ENI> 443

If private DNS is off, test the endpoint's own DNS name. Replace <example-vpc-endpoint-dns-name> with the Regional or zonal DNS name of your interface endpoint, exactly as shown in the endpoint's details:

telnet <example-vpc-endpoint-dns-name> 443
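The following is an added example, not code from the AWS article, that chains the DNS name resolution check and the connectivity check from the two sections above into one script meant to be run from an instance inside the VPC: it resolves the name, classifies the answer against the VPC CIDR (endpoint ENIs versus public service addresses), and for endpoint addresses tries a TCP connection and then a TLS handshake validated against the service's public name, which is what a client sends as SNI when private DNS is on. The service name and VPC CIDR in the `__main__` block are placeholders; the resolver argument exists only so the classification can be exercised with canned answers.

```python
"""Added example (not from the AWS article): DNS, TCP and TLS checks for an
interface endpoint. Service name and VPC CIDR used at the bottom are placeholders."""
import ipaddress
import socket
import ssl


def resolve_a_records(name, resolver=socket.getaddrinfo):
    """Return the sorted IPv4 addresses that `name` resolves to. `resolver` is
    injectable so the classification can be exercised with canned answers."""
    infos = resolver(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def classify_resolution(addresses, vpc_cidr):
    """What the DNS answer tells you:
      'endpoint'   every address is inside the VPC CIDR: private DNS is working,
                   or you queried the endpoint-specific name
      'public'     every address is outside it: private DNS is off, the VPC DNS
                   attributes are off, or the client isn't using the VPC resolver
      'mixed'      some of each: suspect a custom resolver or hosts entry
      'unresolved' no answer at all"""
    if not addresses:
        return "unresolved"
    net = ipaddress.ip_network(vpc_cidr)
    inside = [a for a in addresses if ipaddress.ip_address(a) in net]
    if len(inside) == len(addresses):
        return "endpoint"
    if not inside:
        return "public"
    return "mixed"


def tcp_reachable(host, port, timeout=3.0):
    """Same check as `telnet <host> <port>`: does a TCP handshake complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # timeout, refused, unreachable, resolution failure
        return False


def tls_handshake_ok(host, port, server_name, timeout=3.0):
    """Connect to `host` (an ENI address) but send and validate `server_name`,
    the service's public name, so the check matches what an SDK does."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                return tls.version() is not None
    except OSError:          # ssl.SSLError is a subclass of OSError
        return False


def diagnose(service_name, vpc_cidr, port=443):
    """Run the checks in order and stop at the first layer that fails."""
    addrs = resolve_a_records(service_name)
    result = {"addresses": addrs, "dns": classify_resolution(addrs, vpc_cidr)}
    if result["dns"] != "endpoint":
        return result
    result["tcp"] = {a: tcp_reachable(a, port) for a in addrs}
    result["tls"] = {a: tls_handshake_ok(a, port, service_name)
                     for a in addrs if result["tcp"][a]}
    return result


if __name__ == "__main__":
    # Placeholder values: run from an instance inside the VPC that owns the endpoint.
    print(diagnose("ec2.us-east-1.amazonaws.com", "10.0.0.0/16"))
```

Read the output from the top down: a `dns` verdict of `public` means the endpoint is never reached and the fix is in the DNS section, a `tcp` value of `False` for an ENI address means the security group, network ACL or routing is dropping the handshake, and a `tls` value of `False` after a good TCP connection usually means the name you connected with doesn't match the certificate the endpoint serves.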

Related information

Why can't I connect to an endpoint service from my interface endpoint in an Amazon VPC?

AWS OFFICIAL. Updated 6 months ago.