Why can't I connect to an endpoint service from my interface endpoint in an Amazon VPC?
Last updated: 2019-04-09
I can't connect to an endpoint service from my Amazon Virtual Private Cloud (Amazon VPC) interface endpoint (AWS PrivateLink). How do I determine what's preventing me from making this connection?
Endpoint connection state
The endpoint connection must be in the Available state. If the connection to the endpoint service is in the Pending or Rejected state, any connection sent from the interface endpoint to the Network Load Balancer times out. You might need to:
- Grant a service consumer the permissions to create an interface endpoint to the service.
- Request that the endpoint service provider accept the endpoint connection request to activate the connection. By default, connection requests must be manually accepted. However, the service provider can configure acceptance settings so that any connection requests are automatically accepted.
Network Load Balancer response
You can simulate the request from an instance in the same VPC as the Network Load Balancer. If you don't get the expected response, troubleshoot your Network Load Balancer.
Zonal DNS name
If the client is using a zonal DNS name for the interface VPC endpoint, verify that the zone is responsive on the service provider's end. It's a best practice to use the regional DNS name to verify that requests are sent to healthy zones.
Network Load Balancer listener port
Be sure that the interface VPC endpoint is sending traffic to the correct listener port of the Network Load Balancer. For example, you might have a Network Load Balancer with a listener configured on port 80. If the client sends traffic on port 443, the client might receive the error "Connection refused".
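The connection-state, zonal-DNS-name and listener-port checks above can be run over the JSON that the AWS CLI returns. The following is an added example, not AWS code: it assumes output shaped like `aws ec2 describe-vpc-endpoints` and `aws elbv2 describe-listeners`, and every identifier, DNS name and port in the sample data is constructed.

```python
import json
import re

# Constructed sample values (not real AWS identifiers).
REGIONAL_NAME = "vpce-0123456789abcdef0-abcd1234.vpce-svc-0123456789abcdef0.us-east-1.vpce.amazonaws.com"
ZONAL_NAME = "vpce-0123456789abcdef0-abcd1234-us-east-1a.vpce-svc-0123456789abcdef0.us-east-1.vpce.amazonaws.com"

# Shaped like `aws ec2 describe-vpc-endpoints --vpc-endpoint-ids vpce-...` output (constructed).
VPC_ENDPOINT_JSON = json.dumps({"VpcEndpoints": [{
    "VpcEndpointId": "vpce-0123456789abcdef0",
    "VpcEndpointType": "Interface",
    "State": "pendingAcceptance",
    "DnsEntries": [{"DnsName": REGIONAL_NAME}, {"DnsName": ZONAL_NAME}],
}]})

# Shaped like `aws elbv2 describe-listeners --load-balancer-arn ...` for the provider's NLB (constructed).
LISTENERS_JSON = json.dumps({"Listeners": [{"Port": 80, "Protocol": "TCP"}]})


def is_zonal_dns_name(name):
    """True when the first label ends in an Availability Zone suffix such as '-us-east-1a'."""
    first_label = name.split(".")[0]
    return re.search(r"-[a-z]{2}(-[a-z]+)+-\d[a-z]$", first_label) is not None


def triage(endpoint_json, listeners_json, client_dns_name, client_port):
    """Return a list of findings for the checks in this article; an empty list means none of them fired."""
    endpoint = json.loads(endpoint_json)["VpcEndpoints"][0]
    listener_ports = {listener["Port"] for listener in json.loads(listeners_json)["Listeners"]}
    findings = []

    # Endpoint connection state: anything other than 'available' times out at the NLB.
    state = endpoint["State"]
    if state != "available":
        findings.append(f"connection state is '{state}', not 'available': the provider must accept "
                        "the connection request, or enable automatic acceptance")

    # Zonal DNS name: prefer the regional name so requests only reach healthy zones.
    if is_zonal_dns_name(client_dns_name):
        findings.append("client resolves a zonal DNS name; use the regional DNS name instead")

    # Listener port: a port the NLB does not listen on shows up as 'Connection refused'.
    if client_port not in listener_ports:
        findings.append(f"client sends to port {client_port} but the NLB listens on "
                        f"{sorted(listener_ports)}: expect 'Connection refused'")
    return findings
```

Swap the constructed JSON strings for the real CLI output to reuse the checks against your own endpoint.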
Security group and network access control rules