How do I resolve the "ErrorPortAllocation" error on my NAT gateway in Amazon VPC?


I want to resolve the "ErrorPortAllocation" error on my Network Address Translation (NAT) gateway in Amazon Virtual Private Cloud (Amazon VPC).

Short description

NAT gateways support up to 55,000 simultaneous connections to each destination. When this threshold is reached, new connections to the destination fail and the ErrorPortAllocation metric for the NAT gateway increases in Amazon CloudWatch.

Before you begin to resolve your ErrorPortAllocation error, complete these tasks:

  • Make sure that VPC flow logs are turned on for the VPC, or for the subnets where the NAT gateway is used.
  • Make sure that the VPC flow log is configured to deliver to CloudWatch Logs.

To resolve your ErrorPortAllocation error, complete these steps:

  1. Find the source clients and their connection destinations.
  2. Use best practices to resolve port allocation errors.

Resolution

Find the source clients and their connection destinations

1. Open the CloudWatch console.

2. In the navigation pane, choose Insights.

3. For Log group, choose the log group where the flow logs are recorded.

4. Identify the destination IP address that has the largest number of responses during the time period in which you received the port allocation errors:

Note: Replace example-NAT-gateway-private-IP with the private IP address of the NAT gateway whose traffic destinations you want to find. Replace example-y.y with the first two octets of the Amazon VPC CIDR range.

filter (srcAddr like example-NAT-gateway-private-IP and dstAddr not like example-y.y)
| stats count(*) as numaccept by dstAddr
| sort numaccept desc
| limit 10

5. Identify the source clients that send traffic to that destination IP address:

Note: Replace example-destination-IP with the destination IP address that you identified in step 4. Replace example-y.y with the first two octets of the Amazon VPC CIDR range.

filter (dstAddr like example-destination-IP and srcAddr like example-y.y)
| stats sum(bytes) as bytesTransferred by srcAddr, dstAddr
| sort bytesTransferred desc
| limit 10
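The same two aggregations run offline over flow log lines, added here as an example (not code from the AWS article), using constructed sample records; the NAT gateway private IP and VPC CIDR are assumed placeholders for example-NAT-gateway-private-IP and example-y.y. It goes one step beyond the article's queries: the last function counts the NAT source ports in use toward one destination against the 55,000 per-destination limit.

```python
from collections import Counter
import ipaddress
# Assumed placeholders (not from the article) for example-NAT-gateway-private-IP and example-y.y.
NAT_GATEWAY_PRIVATE_IP = "10.0.5.20"
VPC_CIDR = "10.0.0.0/16"

# Constructed sample records in the default VPC flow log format (version 2). Fields:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 40000 443 6 20 64000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.33 203.0.113.10 40001 443 6 5 2500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.15 203.0.113.10 40002 443 6 7 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.5.20 203.0.113.10 49152 443 6 20 64000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.5.20 203.0.113.10 49153 443 6 5 2500 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.5.20 203.0.113.10 49154 443 6 7 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.5.20 198.51.100.7 49155 443 6 3 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.5.20 10.0.7.9 49156 443 6 3 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_flow_log(text):
    """Parse default-format lines; NODATA/SKIPDATA records carry no addresses or byte counts, so skip them."""
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 14 and f[13] == "OK":
            records.append({"src": f[3], "dst": f[4], "srcport": int(f[5]), "bytes": int(f[9])})
    return records

def top_destinations(records, nat_ip=NAT_GATEWAY_PRIVATE_IP, vpc_cidr=VPC_CIDR, limit=10):
    """Step 4: flows the NAT gateway sent to each destination outside the VPC CIDR, busiest first."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = Counter(r["dst"] for r in records
                   if r["src"] == nat_ip and ipaddress.ip_address(r["dst"]) not in vpc)
    return hits.most_common(limit)

def top_sources_for(records, dest_ip, nat_ip=NAT_GATEWAY_PRIVATE_IP, vpc_cidr=VPC_CIDR, limit=10):
    """Step 5: bytes per (client, destination) to the busy destination; the NAT's own post-translation records are excluded."""
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = Counter()
    for r in records:
        if r["dst"] == dest_ip and r["src"] != nat_ip and ipaddress.ip_address(r["src"]) in vpc:
            totals[(r["src"], r["dst"])] += r["bytes"]
    return totals.most_common(limit)

def port_usage(records, dest_ip, nat_ip=NAT_GATEWAY_PRIVATE_IP, limit=55000):
    """Distinct NAT source ports toward one destination, returned as (ports in use, headroom to the 55,000 limit)."""
    ports = {r["srcport"] for r in records if r["src"] == nat_ip and r["dst"] == dest_ip}
    return len(ports), limit - len(ports)
```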

Use best practices to resolve port allocation errors

To resolve port allocation errors, use these best practices:

  • Associate secondary IPv4 addresses to increase the number of available ports and raise the limit on concurrent connections that your workloads can establish. A maximum of eight IPv4 addresses can be associated with a NAT gateway (1 primary IPv4 address and 7 secondary IPv4 addresses).
  • Create a NAT gateway in each Availability Zone and distribute your clients across multiple Availability Zones. Use a NAT gateway to route traffic in the same Availability Zone as your client. This helps to reduce cross-Availability Zone data charges.
  • If there's an increase in the IdleTimeoutCount metric in CloudWatch, then configure your application or private instance to close idle connections. This allows the NAT gateway to allocate the source port to new connections.
  • Limit the number of connections that your clients can make to a single destination.
  • If traffic traverses the NAT gateway to reach Amazon Simple Storage Service (Amazon S3) or Amazon DynamoDB public IP addresses in the same AWS Region, then use a gateway endpoint instead. When you use a gateway Amazon VPC endpoint, there are no data charges.

Related information

Sample queries

Monitor NAT gateways with Amazon CloudWatch

Edit secondary IP address associations

AWS OFFICIAL
Updated 5 months ago
2 Comments

You can also increase the number of available tuples by adding multiple (E)IPs to the NAT gateway.

AWS
EXPERT
Scott
replied 7 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 7 months ago