VPC Reachability Analyzer explanation codes
If a destination is not reachable, Reachability Analyzer provides one or more explanation codes to help you diagnose and address network misconfiguration.
Path is not reachable
If you receive one of these explanation codes, the path analysis determined that the path is not reachable.
- BAD_STATE
  This component is not in a functional state.
- BAD_STATE_ATTACHMENT
  The attachment between these components is not in a functional state.
- BAD_STATE_ROUTE
  This route is not in a functional state.
- BAD_STATE_VPN
  This VPN connection is not in a functional state.
- CANNOT_ROUTE
  This route can't transmit traffic because its destination CIDR or prefix list does not match the destination address of the packet.
- COMPONENT_FILTER_RESTRICTION
  The source, destination, or intermediate components specified for the path prevent some components from being used.
- ELB_ACL_RESTRICTION
  Classic Load Balancers apply network ACLs to outbound traffic, even if it's destined for a target in the same subnet as the load balancer.
- ELB_INSTALLED_AZ_RESTRICTION
  This load balancer can send traffic only to targets in Availability Zones that are enabled for the load balancer.
- ELB_LISTENER_PORT_RESTRICTION
  This Classic Load Balancer listener allows only inbound traffic destined for the specified port, and outbound traffic with the specified destination port.
- ELB_LISTENERS_MISMATCH
  This Classic Load Balancer does not have a listener that accepts the traffic.
- ELB_NOT_CROSSZONE
  This load balancer can't send traffic to some targets because cross-zone load balancing is disabled.
- ELBV2_LISTENER_HAS_NO_TG
  This listener is associated with target groups that have no targets.
- ELBV2_LISTENER_PORT_RESTRICTION
  This listener does not accept traffic unless it has the specified destination port.
- ELBV2_LISTENER_REQUIRES_TG_ACCEPT
  This listener does not have a target group that accepts the traffic.
- ELBV2_LISTENERS_MISMATCH
  This load balancer does not have a listener that accepts the traffic.
- ELBV2_SOURCE_ADDRESS_PRESERVATION
  If source address preservation is enabled, the outgoing source address is unaltered while traversing the Network Load Balancer.
- ENI_ADDRESS_RESTRICTION
  This network interface does not allow inbound or outbound traffic unless the source or destination address matches its private IP address.
- ENI_SG_RULES_MISMATCH
  This security group has no inbound or outbound rules that apply.
- ENI_SOURCE_DEST_CHECK_RESTRICTION
  Network interfaces with source/destination check enabled reject inbound traffic if the destination address does not match one of their private IP addresses, and reject outbound traffic if the source address does not match one of their private IP addresses.
- GATEWAY_REJECTS_SPOOFED_TRAFFIC
  Gateways reject traffic from network interfaces if the source IP address is not a public IP address associated with the network interface.
- GATEWAY_REQUIRES_ENI_WITH_PUBLIC_IP
  The gateway drops traffic unless the network interface has a private IP address with an associated public IP address.
- IGW_DESTINATION_ADDRESS_IN_VPC_CIDRS
  Internet gateways accept traffic only if the destination address is within the VPC CIDR block.
- IGW_DESTINATION_ADDRESS_NOT_IN_RFC1918_EGRESS
  Internet gateways reject outbound traffic with destination addresses in the private IP address range (see RFC1918).
- IGW_NAT_REFLECTION
  Internet gateways do not model NAT reflection. Without NAT reflection, traffic originating in a VPC and destined for the public IP address of an instance in the same VPC cannot be redirected back to the VPC.
- IGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS
  Internet gateways reject inbound traffic with a destination address that is not the public IP address of a network interface in the VPC.
- IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS
  Traffic cannot reach the internet through the internet gateway if the source address is not paired with a public IP address.
- IGW_SOURCE_ADDRESS_NOT_IN_RFC1918_INGRESS
  Internet gateways reject inbound traffic with source addresses in the private IP address range (see RFC1918).
- INGRESS_RTB_NO_PUBLIC_IP
  A middlebox appliance can't receive traffic from the internet through an ingress route table if it does not have a public IP address.
- INGRESS_RTB_NO_ROUTE_TO_GATEWAY
  Bidirectional traffic between the gateway and the middlebox appliance requires a route to the gateway in the route table for the subnet of the middlebox appliance.
- INGRESS_RTB_TRAFFIC_REDIRECTION
  Subnets whose traffic is redirected to a middlebox appliance can't use a direct route to the internet gateway even when the subnet route table provides one.
- MORE_SPECIFIC_ROUTE
  The specified route can't be used to transmit traffic because there is a more specific route that matches.
- NGW_DEST_ADDRESS_PRESERVATION
  NAT gateways do not alter destination addresses.
- NGW_REQUIRES_SOURCE_IN_VPC
  NAT gateways can only transmit traffic that originates from network interfaces within the same VPC. NAT gateways cannot transmit traffic that originates from peering connections, VPN connections, or AWS Direct Connect.
- NGW_SOURCE_ADDRESS_REASSIGN
  NAT gateways transform the source address of outbound traffic to match the NAT gateway's private IP address.
- NO_ROUTE_TO_DESTINATION
  The route table does not have an applicable route to the destination resource.
- PATH_THROUGH_TGW_UNSUPPORTED
  Reachability Analyzer does not support transit gateways as intermediate components, only as a source or destination. Use Route Analyzer instead.
- PCX_REQUIRES_ADDRESS_IN_VPC_CIDR
  Traffic can traverse this peering connection only if the destination or source address is within the CIDR block of the destination VPC.
- PROTOCOL_RESTRICTION
  This component only accepts traffic with specific protocols.
- REMAP_EPHEMERAL_PORT
  Outbound traffic from a NAT gateway or load balancer has the source port remapped to an ephemeral port in the range [1024–65535].
- RTB_ACL_ROUTE_RESTRICTION
  Packets using routes to network interfaces (or to components with attached network interfaces) must be allowed by the ACL of the network interface subnet.
- RTB_ACL_SUBNET_RESTRICTION
  This network ACL does not allow traffic, so traffic cannot ingress from the route table to a destination subnet.
- SG_HAS_NO_RULES
  This security group has no inbound or outbound rules.
- SUBNET_ACL_RESTRICTION
  Inbound or outbound traffic for a subnet must be admitted by the network ACL for the subnet.
- TARGET_ADDRESS_RESTRICTION
  This target group can only emit packets that are destined for the target address.
- TARGET_PORT_RESTRICTION
  This target group can only route traffic that's destined for the target port.
- TGW_ROUTE_AZ_RESTRICTION
  This transit gateway is not registered in the Availability Zone where the traffic originates.
- VGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS
  Virtual private gateways can't accept inbound traffic if the destination address is not the private IP address of a component in the VPC.
- VPC_LOCAL_ROUTE_CIDR_RESTRICTION
  Local routes apply only to packets with a destination address within the VPC CIDR block.
- VPCE_GATEWAY_EGRESS_SOURCE_ADDRESS_RESTRICTION
  VPC gateway endpoints emit only traffic with source addresses within the CIDRs of their corresponding prefix lists.
- VPCE_GATEWAY_PROTOCOL_RESTRICTION
  VPC gateway endpoints accept only TCP or ICMP ECHO traffic, and emit only TCP or ICMP ECHO reply traffic.
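The route-related codes CANNOT_ROUTE, MORE_SPECIFIC_ROUTE and NO_ROUTE_TO_DESTINATION are easiest to tell apart by evaluating one destination address against every route in a table. The following is an added illustration, not AWS code and not how Reachability Analyzer is implemented. It assumes a simplified longest-prefix-match model; the route CIDRs and target IDs are constructed, and `SELECTED` is a label used only here, not an explanation code.

```python
import ipaddress

# Constructed sample route table; CIDRs and target ids are made up.
SAMPLE_ROUTES = [
    {"cidr": "10.0.0.0/16", "target": "local"},
    {"cidr": "10.0.4.0/24", "target": "eni-EXAMPLE-inspection"},
    {"cidr": "192.168.0.0/16", "target": "pcx-EXAMPLE"},
    {"cidr": "0.0.0.0/0", "target": "igw-EXAMPLE"},
]


def explain_routes(routes, dest_ip):
    """Label every route for one packet destination.

    Simplified model: longest prefix wins. "SELECTED" is a label used only
    in this example; the other strings are explanation codes from the page.
    """
    dest = ipaddress.ip_address(dest_ip)
    nets = {r["cidr"]: ipaddress.ip_network(r["cidr"]) for r in routes}
    matching = [r for r in routes if dest in nets[r["cidr"]]]
    best = max(matching, key=lambda r: nets[r["cidr"]].prefixlen, default=None)

    labels = {}
    for r in routes:
        if r not in matching:
            labels[r["cidr"]] = "CANNOT_ROUTE"         # CIDR does not cover dest
        elif r is best:
            labels[r["cidr"]] = "SELECTED"             # route actually used
        else:
            labels[r["cidr"]] = "MORE_SPECIFIC_ROUTE"  # shadowed by a longer prefix
    return {
        "target": best["target"] if best else None,
        "table_code": None if best else "NO_ROUTE_TO_DESTINATION",
        "routes": labels,
    }


if __name__ == "__main__":
    for ip in ("10.0.4.25", "10.0.9.9", "203.0.113.10"):
        print(ip, explain_routes(SAMPLE_ROUTES, ip))
    # Same table without the default route: nothing matches an internet address.
    print(explain_routes(SAMPLE_ROUTES[:3], "203.0.113.10"))
```

When the expected path runs through an inspection appliance, a MORE_SPECIFIC_ROUTE label on the appliance route shows that a longer prefix is steering traffic around it.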
Request not valid codes
If you receive one of these explanation codes, the specified request is not valid and no path is possible.
- DISCONNECTED_VPCS
  The source and destination are in separate VPCs with no peering connection.
- NO_PATH
  There is no path from the source to the destination.
- NO_SOURCE_OR_DESTINATION
  The source or destination resource does not exist.
- UNASSOCIATED_COMPONENT
  The component is not associated with any VPC in your account.
- UNSUPPORTED_COMPONENT
  This component is not supported by Reachability Analyzer.