Debugging a VPC: Security Groups, Network ACLs, and Routing Tables
Configuring a VPC (Virtual Private Cloud) and firewalls (Security Groups and Network ACLs) is tricky. What to do when you cannot find the cause for a `connection refused` or `connection timed out` error when connecting to an EC2 instance, RDS database instance, or ALB load balancer?
The following checklist helps to solve the connectivity issue.
- Check the security group’s inbound rules of the target.
- Check the security group’s outbound rules of the source.
- Inspect the inbound and outbound rules of the Network ACLs.
- Verify that there is an entry in the routing table for the source and target.
Sometimes, it is hard to find the problem - even with that checklist.
But there is hope. AWS provides two tools allowing you to debug connectivity issues with ease.
By enabling flow logs for a VPC, you get access to information about the IP traffic going to and from network interfaces. Analyzing flow logs to debug connectivity issues works best with CloudWatch Insights. A flow log record looks like this:

```
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
```
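To show what the record format above gives you when hunting for a blocked connection, here is a small parser and REJECT summarizer. It is an added example, not code from the original post; it assumes the default version-2 field order (version, account, interface, src/dst address, src/dst port, protocol, packets, bytes, start, end, action, log-status) and runs on constructed sample records embedded inline.

```python
from collections import Counter, namedtuple

# Default VPC flow log (version 2) field order, matching the record shown above.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
FlowRecord = namedtuple("FlowRecord", FIELDS)

def parse_record(line):
    """Parse one space-separated record; None if the field count is wrong."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return FlowRecord(*parts)

def rejected_flows(lines, dstport=None):
    """Return REJECT records, optionally only those to one destination port.
    REJECT means a security group or network ACL dropped the traffic; records
    whose log-status is not OK (NODATA/SKIPDATA) carry no verdict and are skipped."""
    result = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.log_status != "OK" or rec.action != "REJECT":
            continue
        if dstport is None or rec.dstport == str(dstport):
            result.append(rec)
    return result

def summarize_rejects(lines):
    """Count rejected flows per (srcaddr, dstaddr, dstport), busiest path first:
    that path is the prime candidate for a missing inbound/outbound rule."""
    counts = Counter((r.srcaddr, r.dstaddr, r.dstport) for r in rejected_flows(lines))
    return counts.most_common()

# Constructed sample records (not real logs): the accepted SSH flow from the post,
# two rejected attempts to reach a database on 5432, one rejected HTTPS flow,
# and a NODATA record that must be ignored.
SAMPLE_LOG = [
    "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK",
    "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 49152 5432 6 3 180 1418530010 1418530070 REJECT OK",
    "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 49153 5432 6 3 180 1418530080 1418530140 REJECT OK",
    "2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 49154 443 6 1 60 1418530080 1418530140 REJECT OK",
    "2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530080 1418530140 - NODATA",
]

if __name__ == "__main__":
    for (src, dst, port), n in summarize_rejects(SAMPLE_LOG):
        print(f"{n} rejected flow(s) from {src} to {dst}:{port}")
```

On real data, feed it the records exported from the CloudWatch log group; the top entry tells you which source, target and port to check against the security group and network ACL rules in the checklist above.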
AWS announced the VPC Reachability Analyzer in December 2020. You specify the source and target of a connection, and the VPC Reachability Analyzer checks your network for any misconfigurations. The tool even provides hints on how to solve the problem.
Watch the following video to learn more.