Debugging a VPC: Security Groups, Network ACLs, and Routing Tables
Configuring a VPC (Virtual Private Cloud) and firewalls (Security Groups and Network ACLs) is tricky. What to do when you cannot find the cause for a
connection refused or
connection timed out error when connecting to an EC2 instance, RDS database instance, or ALB load balancer?
The following checklist helps to solve the connectivity issue.
- Check the security group’s inbound rules of the target.
- Check the security group’s outbound rules of the source.
- Inspect the inbound and outbound rules of the Network ACLs.
- Verify that there is an entry in the routing table for the source and target.
Sometimes, it is hard to find the problem - even with that checklist.
Please support our work!
We have published 327 articles, 41 podcast episodes, and 15 videos. It's all free and means a lot of work in our spare time.
Thanks to Alan Leech, Alex DeBrie, e9e4e5f0faef, Goran Opacic, jhoadley, Shawn Tolidano, Thorsten Hoeger, Todd Valentine, Vince Fulco, and all anonymous supporters for your help! We also want to thank all supporters who purchased a cloudonaut t-shirt. It gives us great pleasure to send our t-shirts all over the world.
With your help, we can continue to produce independent & high-quality content focused on AWS. Please support us!Support us
But there is hope. AWS provides two tools allowing you to debug connectivity issues with ease.
By enabling flow logs for a VPC, you get access to information about the IP traffic going to and from network interfaces. Analyzing flow logs to debug connectivity issues works best with CloudWatch Insights.
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
AWS announced the VPC Reachability Analyzer in December 2020. You specify the source and target of a connection, and the VPC Reachability Analyzer checks your network for any misconfigurations. The tool even provides hints on how to solve the problem.
Watch the following video to learn more.