How do I troubleshoot connectivity issues that I'm experiencing while using an Amazon VPC?

2 minute read
1

I'm unable to connect to my destination server using an Amazon Virtual Private Cloud (Amazon VPC) resource as the source.

Resolution

To troubleshoot VPC connectivity issues, use the AWSSupport-ConnectivityTroubleshooter automation document to check for common issues with:

  • Security group configurations
  • Network access control list (network ACL) configurations
  • Route table configurations

Confirm that you have the required permissions to run the automation document

The following AWS Identity and Access Management (IAM) permissions are required to run the automation document:

  • ec2:DescribeNetworkInterfaces
  • ec2:DescribeRouteTables
  • ec2:DescribeSecurityGroups
  • ec2:DescribeNetworkAcls
  • ec2:DescribeNatGateways
  • ec2:DescribeVpcPeeringConnections

Run the automation document

From the AWS Management Console:

  1. Open the document in the AWS Systems Manager console. Be sure to open the document in the Region where your resources are located.
  2. For SourceIP, enter the private IP address of the VPC resource.
  3. For DestinationIP, enter the destination server IP address.
  4. For DestinationPort, enter the destination server port.
  5. Choose Execute.
  6. Monitor the progress of the document's execution. If the document status is Success, the automation didn't find any misconfigurations. If the document status is Failed, check the step that failed for details to resolve the issue.

From the AWS Command Line Interface (AWS CLI):

Note: If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI.

For example, to diagnose connectivity issues from 172.31.2.7 to 172.31.2.8 on port 443 in an Amazon VPC:

aws ssm start-automation-execution --document-name "AWSSupport-ConnectivityTroubleshooter" --parameters "SourceIP=172.31.2.7,DestinationIP=172.31.2.8,DestinationPort=443" --region <region>