Posted On: Nov 20, 2023
Today, AWS announced a new EC2 capability to configure idle timeouts for instance connection tracking. This lets customers manage their instances' connection tracking resources and set the timeouts that best fit their connection scale. EC2 uses connection tracking (conntrack) to implement security groups and enforce their rules. With this feature, the idle timeouts for TCP established connections, UDP streams and UDP unidirectional sessions on EC2 instances are configurable on a per Elastic Network Interface (ENI) basis and can be changed from their default values. Previously, all idle TCP and UDP connections were tracked for a fixed default period or until they were closed.
Often, customer workloads use their connection tracking allowance on EC2 inefficiently because they carry a high number of orphaned or idle connections. For TCP connections, if an EC2 instance neither sends nor receives a FIN or RST, the connection can remain in the tracking table for up to 5 days. Similarly, DNS-heavy workloads that use UDP streams can prevent connection tracking exhaustion by configuring shorter idle timeouts. By specifying 'tcp-established', 'udp-stream' and 'udp-timeout' values for the ENIs attached to an instance, customers can have EC2 purge these sessions once the specified timeout elapses. This matters for availability as well as efficiency: once the allowance is exhausted, new connections are dropped, so idle entries that nobody closes can crowd out legitimate traffic. When tightening the TCP timeout, keep it above the keepalive interval of any legitimate long-lived connection (a database connection pool, for example), or those connections will be dropped silently by the tracking table rather than by either endpoint.
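As an added example that is not part of this announcement, the following shell script shows how the three timeouts are applied to a single ENI with the AWS CLI (aws ec2 modify-network-interface-attribute --connection-tracking-specification) and read back for confirmation. The value ranges it enforces are the ones AWS documents for these fields and should be checked against the current EC2 documentation; the ENI_ID variable, the chosen timeout values and the script name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the AWS announcement.
# Assumptions: AWS CLI v2 with credentials is available when ENI_ID is set;
# the ranges below are the documented limits for each field (verify against
# the current EC2 documentation before relying on them).

# in_range VALUE MIN MAX FIELD: succeed if VALUE is an integer in [MIN, MAX].
in_range() {
    case "$1" in
        ''|*[!0-9]*) echo "$4: '$1' is not a non-negative integer" >&2; return 1 ;;
    esac
    if [ "$1" -lt "$2" ] || [ "$1" -gt "$3" ]; then
        echo "$4: $1 is outside the allowed range $2-$3 seconds" >&2
        return 1
    fi
}

# ct_spec TCP_ESTABLISHED UDP_STREAM UDP_TIMEOUT
# Prints the value for --connection-tracking-specification, or fails if any
# timeout is outside the range EC2 accepts.
ct_spec() {
    in_range "$1" 60 432000 TcpEstablishedTimeout || return 1   # default 432000 (5 days)
    in_range "$2" 60 180    UdpStreamTimeout      || return 1   # default 180
    in_range "$3" 30 60     UdpTimeout            || return 1   # default 30
    printf 'TcpEstablishedTimeout=%s,UdpStreamTimeout=%s,UdpTimeout=%s\n' "$1" "$2" "$3"
}

# apply_ct_spec ENI SPEC: set the timeouts on one ENI, then read them back.
apply_ct_spec() {
    eni="$1"; spec="$2"
    aws ec2 modify-network-interface-attribute \
        --network-interface-id "$eni" \
        --connection-tracking-specification "$spec"
    aws ec2 describe-network-interfaces \
        --network-interface-ids "$eni" \
        --query 'NetworkInterfaces[0].ConnectionTrackingConfiguration' \
        --output json
}

# Example policy (assumed values): one day for idle established TCP instead of
# the 5-day default, and the shortest UDP stream timeout for a DNS-heavy instance.
SPEC="$(ct_spec 86400 60 30)"
echo "specification: $SPEC"

# Only talk to AWS when an ENI is supplied, e.g.:
#   ENI_ID=eni-0123456789abcdef0 sh ct-timeouts.sh   (hypothetical ENI ID)
if [ -n "${ENI_ID:-}" ]; then
    apply_ct_spec "$ENI_ID" "$SPEC"
fi
```

Before tightening timeouts, confirm that tracking exhaustion is actually occurring: on a Nitro instance the ENA driver exposes a conntrack_allowance_exceeded counter through ethtool -S on the interface, and a rising count means packets for new connections are being dropped. The same describe-network-interfaces query used above shows the values currently in force, which is the quickest way to check that an ENI is not still running with the 5-day TCP default.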
The EC2 configurable idle timeout feature is available in all AWS Commercial Regions, for Nitro-based instances only. It is included as part of EC2 instance connection tracking.
To learn more, review the latest EC2 Documentation.