Why can’t clients connect to my ELB load balancer?

Last updated: 2020-11-24

Clients can’t connect to my Application Load Balancer, Classic Load Balancer, or Network Load Balancer. How do I troubleshoot why clients can't connect to my Elastic Load Balancing (ELB) load balancer?

Short description

Common causes of load balancer connectivity issues include:

  • No listener is configured for the load balancer port where clients are trying to connect.
  • The load balancer security group doesn’t allow traffic for the listener.
  • The target security group doesn’t allow traffic for the target port and load balancer health check port.
  • The network access control list (network ACL) for a load balancer in an Amazon Virtual Private Cloud (Amazon VPC) doesn’t allow the necessary traffic.
  • Route table rules are blocking or improperly routed requests.

Resolution

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

Check your port listener

Verify that you've configured the appropriate listeners for your load balancer port:

Check the security group for your target instances

Check the settings of the security group for the instances behind your load balancer. For each subnet that is attached to your load balancer, confirm that traffic is allowed in both directions for the listener and health check ports:

Check your network ACLs (for load balancers in a VPC)

Confirm that the network ACLs for your VPC allow traffic in both directions on the listener port and health check port for each subnet attached to your VPC:

Check your route tables

Confirm that the route tables for the attached subnets of your load balancer allow load balancer connections using a default route that points to an internet gateway.

To verify connectivity to your load balancer from an Amazon Elastic Compute Cloud (Amazon EC2) instance:

1.    Connect to your Amazon EC2 instance (see steps for Linux instances or Windows instances).

2.    Verify that either netcat (nc) or telnet is installed on your instance.

3.    If you have a public load balancer, verify that your instance has internet connectivity. To confirm internet connectivity, use an internet gateway or network address translation (NAT) gateway.

4.    Verify that your Amazon EC2 instance security group allows outbound connections to the internet. Then, confirm that the network ACL attached to the subnet where your instance is running allows inbound and outbound traffic.

5.    Run one of the following commands, based on your configuration:

nc –v elb.ip.address port
telnet elb.ip.address port

6.    Review the output. Verify that the route table rules designate an internet gateway to the subnet for your load balancer.

Note: If connectivity testing returns an HTTP 503 or HTTP 504 error, see:

7.    From an external client, run the traceroute (Linux clients) or tracert (Windows clients) utility to your load balancer listener's IP address.

8.    Review the output.

Note: If you receive other error codes from a Classic Load Balancer or Application Load Balancer, see:

Check for load or capacity issues

Sporadic connectivity issues might indicate load- or capacity-related issues. For troubleshooting steps, see How do I troubleshoot Classic Load Balancer capacity issues in ELB?


Did this article help?


Do you need billing or technical support?