How do I troubleshoot connectivity issues with my gateway Amazon VPC endpoints?

Short description

Gateway VPC endpoints allow you to privately connect to Amazon Simple Storage Service (Amazon S3) and Amazon DynamoDB from your Amazon VPC. Gateway VPC endpoint connectivity issues might be because of network access or security rules that allow the connection.

To troubleshoot connectivity issues, use Reachability Analyzer. Also, check the following configurations:

• AWS Region configurations
• The DNS resolution
• The subnet route table settings
• Security groups
• The network access control lists (network ACL) rules
• The Amazon VPC endpoint policy
• The Amazon S3 bucket policy
• The AWS Identity and Access Management (IAM) policy
• The traffic flow over the gateway endpoint

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Use Reachability Analyzer

Use Reachability Analyzer to troubleshoot connectivity issues between the source and gateway endpoint. For more information, see How do I use Amazon VPC Reachability Analyzer to troubleshoot connectivity issues with an Amazon VPC resource?

Check the Region configurations

Gateway endpoints are available only in the Region that they are created. Make sure to create your gateway endpoint in the same Region as your Amazon S3 buckets or DynamoDB tables. To find the Region of your bucket, run the get-bucket-location AWS CLI command.

Also, when you use an SDK to access a service from the gateway endpoint, confirm the Region. Make sure that the Region is configured to the same location as the service resources. For example, use the Config object for Boto3 and aws configure for the AWS CLI.

Note: Requests that are sent to an incorrect Region might cause timeouts or access to the service over the internet. This depends on the route table that's configured on the source subnet.

Check the DNS resolution

Check the DNS settings in your Amazon VPC. You must activate the DNS resolution in your Amazon VPC. If you use your own DNS server, then make sure that DNS requests to AWS services resolve to the IP addresses that AWS maintains.

Check the subnet route table settings

Check the route table settings. Confirm that there's a route to Amazon S3 and DynamoDB that uses the gateway VPC endpoint.

Check the security groups

Check the security groups that are associated with the source that initiates the connections to Amazon S3 and DynamoDB. Confirm that the available outbound rules allow traffic to Amazon S3 or DynamoDB. If the security group has more restrictive rules than the default outbound rules, then confirm one of the following:

• There's an outbound rule that allows traffic to the ID of the prefix list that's associated with the gateway Amazon VPC endpoint.
• There's a service-specific CIDR block (IP address range) in the destination. If there isn't a service-specific CIDR block, then you can't add a service-specific CIDR block. It's a best practice to use the prefix list ID that the service provides because AWS manages prefix list IP address ranges.

To view the public IP CIDRs for Amazon S3 and DynamoDB in a specific Region, run the describe-prefix-lists AWS CLI command. Replace example-Region with your Region:

aws ec2 describe-prefix-lists --region <example-Region>

Check the network ACL rules

Subnet network ACLs must allow inbound and outbound TCP connections to Amazon S3 or DynamoDB service CIDRs within the Region. Check the network ACL rules and confirm the following:

• In the Inbound Rules view, confirm that the rules allow inbound return traffic from the service that you're trying to access on ephemeral TCP ports 1024-65535.
• In the Outbound Rules view, confirm that the rules allow traffic to the service CIDR block (IP address range) at HTTPS.

Note: By default, network ACLs allow all inbound and outbound IPv4 and IPv6 traffic. If your network ACL rules restrict traffic, then specify the CIDR block for the service that the gateway endpoint was created for. It's a best practice to set notifications for when service IP addresses change, and use scripts to automatically update the network ACL rules. For more information, see How can I get notifications to check for Amazon S3 IP address changes?

Check the Amazon VPC endpoint policy

Review the Amazon VPC endpoint policy. When you use a custom endpoint policy, confirm that the policy that's associated with the endpoint allows access to perform actions against the service. The default endpoint policy allows full access to the service. For more information, see Control access to VPC endpoints using endpoint policies.

Check the Amazon S3 bucket policy

Review the Amazon S3 bucket policy and confirm that the bucket policy allows access from the gateway Amazon VPC endpoint and the Amazon VPC. For more information, see Control access using bucket policies.

Note: Your bucket policy can restrict access only from a specific public or elastic IP address that's associated with an instance in an Amazon VPC. Your bucket policy can restrict access based on private IP addresses that are associated with instances. For more information, see Managing access based on specific IP addresses.

If you use a proxy server, then confirm that your Amazon VPC connections are allowed through the server. If you don't use a proxy server for Amazon S3, then run the following command to bypass the proxy server when you access your bucket. Replace example-Region with your Region:

export no_proxy = mybucket.s3.<example-Region>.amazonaws.com

Check the IAM policy

Check the IAM policy and confirm that the associated users of the IAM user or role have the required permissions to access Amazon S3. For more information, see How to restrict Amazon S3 bucket access to a specific IAM role and Controlling access to a bucket with user policies.

Check the traffic flow over a gateway endpoint

To check if traffic is going through a gateway endpoint or interface endpoint, see How do I check if my Amazon S3 traffic is going through a gateway VPC endpoint or an interface VPC endpoint?

Related information

Access management for AWS resources