Debugging a VPC: Security Groups, Network ACLs, and Routing Tables
Configuring a VPC (Virtual Private Cloud) and its firewalls (Security Groups and Network ACLs) is tricky. What do you do when you cannot find the cause of a `connection refused` or `connection timed out` error when connecting to an EC2 instance, an RDS database instance, or an ALB load balancer? The error itself is the first clue: `connection refused` means a packet reached the target and was answered with a TCP reset, so the network path is open and the problem is usually a service that is not listening on that port (or a host firewall on the instance); `connection timed out` means packets were silently dropped, which is exactly what security groups, network ACLs, and missing routes produce.
The following checklist helps to narrow down a dropped connection.
- Check the inbound rules of the target's security group: is there a rule allowing the protocol and port from the source's IP range or security group? Security groups are stateful, so the reply needs no rule of its own.
- Check the outbound rules of the source's security group. Many setups allow all outbound traffic, but hardened groups do not.
- Inspect the inbound and outbound rules of the network ACLs of both subnets. Network ACLs are stateless and evaluated in rule-number order, so the reply must be allowed as well, in the opposite direction and typically on the ephemeral port range (1024-65535).
- Verify that the route tables of the source and target subnets contain a route to each other. Within a single VPC the local route covers this; across VPC peering, Transit Gateway, or VPN connections the route must be added explicitly on both sides.
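The checklist can be evaluated offline against the output of the describe calls. The following Python is an added example, not code from the original post: the dictionaries mirror the shape of `aws ec2 describe-security-groups` and `aws ec2 describe-network-acls` responses, and the groups, ACLs, IDs and addresses are constructed for illustration. It models the two rules that trip people up, security groups being stateful and allow-only, network ACLs being stateless and ordered, and walks every hop a request and its reply must pass.

```python
"""Walk the VPC connectivity checklist offline against describe-* shaped data.

Added example, not code from the original post. Sample groups, ACLs, IDs and
addresses below are constructed; rules that reference other security groups
(UserIdGroupPairs) are not modelled.
"""
import ipaddress

PROTOCOL_NUMBER = {"tcp": "6", "udp": "17", "icmp": "1"}


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows(sg, direction, peer_ip, port, proto="tcp"):
    """Security groups are allow-only and stateful: any matching rule permits
    the flow, and the reply needs no rule. direction: 'inbound' | 'outbound'."""
    key = "IpPermissions" if direction == "inbound" else "IpPermissionsEgress"
    for perm in sg[key]:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not perm["FromPort"] <= port <= perm["ToPort"]:
            continue
        if any(_in_cidr(peer_ip, r["CidrIp"]) for r in perm.get("IpRanges", [])):
            return True
    return False  # nothing matched: implicit deny


def nacl_verdict(acl, egress, peer_ip, port, proto="tcp"):
    """Network ACLs are stateless and ordered: the lowest-numbered matching
    entry wins, and the '*' entry (rule number 32767) denies everything else."""
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for entry in entries:
        if entry["Protocol"] not in ("-1", PROTOCOL_NUMBER[proto]):
            continue
        port_range = entry.get("PortRange")
        if port_range and not port_range["From"] <= port <= port_range["To"]:
            continue
        if not _in_cidr(peer_ip, entry["CidrBlock"]):
            continue
        return entry["RuleAction"], entry["RuleNumber"]
    return "deny", 32767


def diagnose(src, dst, src_port, dst_port, proto="tcp"):
    """Evaluate every hop a src -> dst:dst_port connection and its reply must
    pass; return the names of the checks that fail. src/dst carry 'ip', 'sg'
    and 'acl'. Route tables are assumed to hold the VPC-local route."""
    checks = [
        ("source-sg-outbound", sg_allows(src["sg"], "outbound", dst["ip"], dst_port, proto)),
        ("source-nacl-egress-request", nacl_verdict(src["acl"], True, dst["ip"], dst_port, proto)[0] == "allow"),
        ("source-nacl-ingress-reply", nacl_verdict(src["acl"], False, dst["ip"], src_port, proto)[0] == "allow"),
        ("destination-nacl-ingress-request", nacl_verdict(dst["acl"], False, src["ip"], dst_port, proto)[0] == "allow"),
        ("destination-sg-inbound", sg_allows(dst["sg"], "inbound", src["ip"], dst_port, proto)),
        ("destination-nacl-egress-reply", nacl_verdict(dst["acl"], True, src["ip"], src_port, proto)[0] == "allow"),
    ]
    return [name for name, ok in checks if not ok]


def _acl(acl_id, *rules):
    """Build a describe-network-acls style ACL including the '*' deny entries."""
    entries = list(rules)
    for egress in (True, False):
        entries.append({"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
                        "Egress": egress, "CidrBlock": "0.0.0.0/0"})
    return {"NetworkAclId": acl_id, "Entries": entries}


# --- constructed sample data -------------------------------------------------
ALLOW_ALL = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
SG_BASTION = {"GroupId": "sg-bastion", "IpPermissions": [], "IpPermissionsEgress": [ALLOW_ALL]}
SG_WEB = {"GroupId": "sg-web",
          "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                             "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}],
          "IpPermissionsEgress": [ALLOW_ALL]}
ACL_OPEN = _acl("acl-open",
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"})
# Hardened ACL that allows SSH in but forgot the ephemeral-port reply out:
# the classic "security groups look right, connection still times out" case.
ACL_STRICT = _acl("acl-strict",
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "10.0.0.0/16", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}})
BASTION = {"ip": "10.0.1.10", "sg": SG_BASTION, "acl": ACL_OPEN}
WEB = {"ip": "10.0.2.20", "sg": SG_WEB, "acl": ACL_STRICT}

if __name__ == "__main__":
    print(diagnose(BASTION, WEB, src_port=20641, dst_port=22))
```

Run as is, the sample reports only `destination-nacl-egress-reply`: every security group rule is correct, and the timeout comes from the target subnet's network ACL dropping the reply on the ephemeral port. Feed the functions real describe output (the `SecurityGroups` and `NetworkAcls` elements) to run the same checks against your own VPC.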
Sometimes it is hard to find the problem even with that checklist.
But there is hope: AWS provides two tools that let you debug connectivity issues with far less guesswork.
By enabling flow logs for a VPC, a subnet, or a single network interface, you get a record of the IP traffic going to and from network interfaces, including whether each flow was accepted or rejected. Analyzing flow logs works best when you deliver them to CloudWatch Logs and query them with CloudWatch Logs Insights, for example `filter action = "REJECT" | stats count(*) by srcAddr, dstAddr, dstPort`. A record in the default format looks like this; the fields are version, account ID, interface ID, source and destination address, source and destination port, protocol number, packets, bytes, start and end time, action, and log status:
```
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
```
Here 172.31.16.139 connected from ephemeral port 20641 to port 22 (SSH) over protocol 6 (TCP), and the traffic was accepted. A REJECT record tells you that a flow was dropped by a security group or a network ACL, but not which one. One pattern helps: because security groups are stateful, an ACCEPT record for the request followed by a REJECT record for the reply in the opposite direction on the same interface points at a network ACL.
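The following Python is an added example, not code from the original post. It parses default-format records, lists the rejected flows to check against the checklist, and applies the stateful-versus-stateless pattern described above to flag rejects that can only come from a network ACL. The first sample line is the record quoted above; the remaining lines are constructed.

```python
"""Triage VPC flow log records (default format, version 2).

Added example, not code from the original post. SAMPLE_LOG is constructed;
only its first line is the record quoted in the text.
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.16.21 172.31.16.139 22 20641 6 20 4249 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.139 49761 3389 6 1 60 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
"""


def parse_record(line):
    """Return a dict for one record, or None for records without flow data
    (log-status NODATA and SKIPDATA put '-' in the traffic fields)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse a whole export, silently skipping NODATA/SKIPDATA records."""
    records = (parse_record(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r is not None]


def rejected_flows(records):
    """Every rejected flow as (srcaddr, dstaddr, dstport, protocol): the list
    to check against the target's security group and both network ACLs."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"], r["protocol"])
            for r in records if r["action"] == "REJECT"]


def likely_nacl_drops(records):
    """Security groups are stateful: once a request is ACCEPTed its reply is
    always allowed. An ACCEPT for A->B plus a REJECT for the reverse flow B->A
    on the same interface therefore means a stateless network ACL dropped the
    reply. Returns (requester, responder, service_port, protocol) tuples."""
    accepted = {(r["interface_id"], r["srcaddr"], r["dstaddr"],
                 r["srcport"], r["dstport"], r["protocol"])
                for r in records if r["action"] == "ACCEPT"}
    drops = []
    for r in records:
        if r["action"] != "REJECT":
            continue
        reverse = (r["interface_id"], r["dstaddr"], r["srcaddr"],
                   r["dstport"], r["srcport"], r["protocol"])
        if reverse in accepted:
            drops.append((r["dstaddr"], r["srcaddr"], r["srcport"], r["protocol"]))
    return drops


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("rejected:", rejected_flows(recs))
    print("likely NACL drops:", likely_nacl_drops(recs))
```

On the sample, the RDP attempt from 203.0.113.12 is a plain reject (nothing accepted it, so either a security group or a network ACL could be responsible), while the SSH reply from 172.31.16.21 back to port 20641 is rejected after the request was accepted, which only a network ACL can do. If you use a custom log format, reorder `FIELDS` to match it.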
AWS announced the VPC Reachability Analyzer in December 2020. You specify the source and the destination of a connection (for example an instance, a network interface, or an internet gateway) together with the protocol and port, and the Reachability Analyzer checks the configuration of your VPC for anything that would block the path: security groups, network ACLs, route tables, and gateways. It does not send packets but reasons about the configuration, so it will not spot a service that is not listening or a host firewall on the instance. When no path is found, the analysis names the component that blocks it and provides hints on how to solve the problem.
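The analysis can be driven from code as well as from the console. The following Python is an added example, not code from the original post or an AWS sample: `analyze_path` uses the boto3 EC2 calls `create_network_insights_path`, `start_network_insights_analysis` and `describe_network_insights_analyses`, and `summarize` reduces the result to what you act on. `SAMPLE_ANALYSIS` is a constructed response for a blocked path, and its explanation code is a placeholder rather than a real code; the resource IDs in the `__main__` block are placeholders too.

```python
"""Run a VPC Reachability Analyzer analysis from Python and summarise it.

Added example, not code from the original post. SAMPLE_ANALYSIS is a
constructed describe_network_insights_analyses entry with a placeholder
explanation code; the resource IDs under __main__ are placeholders.
"""
import time


def analyze_path(ec2, source, destination, port, protocol="tcp", timeout=120):
    """Create a path source -> destination:port, run one analysis and wait for
    it. source/destination are resource IDs (i-..., eni-..., igw-...); ec2 is
    a boto3 EC2 client created by the caller."""
    path = ec2.create_network_insights_path(
        Source=source, Destination=destination,
        Protocol=protocol, DestinationPort=port)["NetworkInsightsPath"]
    analysis = ec2.start_network_insights_analysis(
        NetworkInsightsPathId=path["NetworkInsightsPathId"])["NetworkInsightsAnalysis"]
    deadline = time.time() + timeout
    while analysis["Status"] == "running":
        if time.time() > deadline:
            raise TimeoutError("Reachability Analyzer analysis still running")
        time.sleep(5)
        analysis = ec2.describe_network_insights_analyses(
            NetworkInsightsAnalysisIds=[analysis["NetworkInsightsAnalysisId"]]
        )["NetworkInsightsAnalyses"][0]
    return analysis


def summarize(analysis):
    """Return whether a path exists and, for each explanation, the direction,
    the explanation code and the ID of the component it names."""
    if analysis["Status"] != "succeeded":
        raise RuntimeError(f"analysis {analysis['Status']}: {analysis.get('StatusMessage')}")
    findings = []
    for ex in analysis.get("Explanations", []):
        # Explanations attach the blocking resource under a type-specific key.
        component = (ex.get("SecurityGroup") or ex.get("Acl")
                     or ex.get("RouteTable") or ex.get("Component") or {})
        findings.append((ex.get("Direction"), ex.get("ExplanationCode"), component.get("Id")))
    return {"path_found": analysis["NetworkPathFound"], "findings": findings}


# Constructed sample of one describe_network_insights_analyses entry for a
# blocked path. EXAMPLE_EXPLANATION_CODE is a placeholder, not a real code.
SAMPLE_ANALYSIS = {
    "NetworkInsightsAnalysisId": "nia-example",
    "Status": "succeeded",
    "NetworkPathFound": False,
    "Explanations": [{
        "Direction": "ingress",
        "ExplanationCode": "EXAMPLE_EXPLANATION_CODE",
        "SecurityGroup": {"Id": "sg-example"},
    }],
}

if __name__ == "__main__":
    import boto3  # imported here so the module loads without boto3 installed
    ec2 = boto3.client("ec2")
    # placeholder IDs: replace with your own source and destination resources
    print(summarize(analyze_path(ec2, "i-source-placeholder", "i-target-placeholder", 22)))
```

The path object can be kept and re-analysed after each configuration change, which makes a cheap regression check for the firewall rules of a critical connection. The real explanation codes are listed in the Reachability Analyzer documentation.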
Watch the following video to learn more.