Debugging a VPC: Security Groups, Network ACLs, and Routing Tables

Michael Wittig – 27 Jan 2021

Configuring a VPC (Virtual Private Cloud) and firewalls (Security Groups and Network ACLs) is tricky. What to do when you cannot find the cause for a connection refused or connection timed out error when connecting to an EC2 instance, RDS database instance, or ALB load balancer?

Debugging a VPC

The following checklist helps to solve the connectivity issue.

  1. Check the security group’s inbound rules of the target.
  2. Check the security group’s outbound rules of the source.
  3. Inspect the inbound and outbound rules of the Network ACLs.
  4. Verify that there is an entry in the routing table for the source and target.

Sometimes, it is hard to find the problem - even with that checklist.

But there is hope. AWS provides two tools allowing you to debug connectivity issues with ease.

VPC Flow Logs

By enabling flow logs for a VPC, you get access to information about the IP traffic going to and from network interfaces. Analyzing flow logs to debug connectivity issues works best with CloudWatch Insights.

2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 172.31.9.69 172.31.9.12 49761 3389 6 20 4249 1418530010 1418530070 REJECT OK

VPC Reachability Analyzer

AWS announced the VPC Reachability Analyzer in December 2020. You specify the source and target of a connection, and the VPC Reachability Analyzer checks your network for any misconfigurations. The tool even provides hints on how to solve the problem.

Learn more

Watch the following video to learn more.

Already a cloudonaut plus subscriber? Watch the full video and join the discussion.

Michael Wittig

Michael Wittig

I'm an independent consultant, technical writer, and programming founder. All these activities have to do with AWS. I'm writing this blog and all other projects together with my brother Andreas.

In 2009, we joined the same company as software developers. Three years later, we were looking for a way to deploy our software—an online banking platform—in an agile way. We got excited about the possibilities in the cloud and the DevOps movement. It’s no wonder we ended up migrating the whole infrastructure of Tullius Walden Bank to AWS. This was a first in the finance industry, at least in Germany! Since 2015, we have accelerated the cloud journeys of startups, mid-sized companies, and enterprises. We have penned books like Amazon Web Services in Action and Rapid Docker on AWS, we regularly update our blog, and we are contributing to the Open Source community. Besides running a 2-headed consultancy, we are entrepreneurs building Software-as-a-Service products.

We are available for projects.

You can contact me via Email, Twitter, and LinkedIn.

Briefcase icon
Hire me