VPC Reachability Analyzer explanation codes - Amazon Virtual Private Cloud

If a destination is not reachable, Reachability Analyzer provides one or more explanation codes to help you diagnose and address network misconfiguration.

Path is not reachable

If you receive one of these explanation codes, the path analysis determined that the path is not reachable.

BAD_STATE

This component is not in a functional state.

BAD_STATE_ATTACHMENT

The attachment between these components is not in a functional state.

BAD_STATE_ROUTE

This route is not in a functional state.

BAD_STATE_VPN

This VPN connection is not in a functional state.

CANNOT_ROUTE

This route can't transmit traffic because its destination CIDR or prefix list does not match the destination address of the packet.

COMPONENT_FILTER_RESTRICTION

The source, destination, or intermediate components specified for the path prevent some components from being used.

ELB_ACL_RESTRICTION

Classic Load Balancers apply network ACLs to outbound traffic, even if it's destined for a target in the same subnet as the load balancer.

ELB_INSTALLED_AZ_RESTRICTION

This load balancer can send traffic only to targets in Availability Zones that are enabled for the load balancer.

ELB_LISTENER_PORT_RESTRICTION

This Classic Load Balancer listener allows only inbound traffic destined for the specified port, and outbound traffic with the specified destination port.

ELB_LISTENERS_MISMATCH

This Classic Load Balancer does not have a listener that accepts the traffic.

ELB_NOT_CROSSZONE

This load balancer can't send traffic to some targets because cross-zone load balancing is disabled.

ELBV2_LISTENER_HAS_NO_TG

This listener is associated with target groups that have no targets.

ELBV2_LISTENER_PORT_RESTRICTION

This listener does not accept traffic unless it has the specified destination port.

ELBV2_LISTENER_REQUIRES_TG_ACCEPT

This listener does not have a target group that accepts the traffic.

ELBV2_LISTENERS_MISMATCH

This load balancer does not have a listener that accepts the traffic.

ELBV2_SOURCE_ADDRESS_PRESERVATION

If source address preservation is enabled, the outgoing source address is unaltered while traversing the Network Load Balancer.

ENI_ADDRESS_RESTRICTION

This network interface does not allow inbound or outbound traffic unless the source or destination address matches its private IP address.

ENI_SG_RULES_MISMATCH

This security group has no inbound or outbound rules that apply.

ENI_SOURCE_DEST_CHECK_RESTRICTION

Network interfaces with source/destination check enabled reject inbound traffic if the destination address does not match one of their private IP addresses, and reject outbound traffic if the source address does not match one of their private IP addresses.

GATEWAY_REJECTS_SPOOFED_TRAFFIC

Gateways reject traffic from network interfaces if the source IP address is not a public IP address associated with the network interface.

GATEWAY_REQUIRES_ENI_WITH_PUBLIC_IP

The gateway drops traffic unless the network interface has a private IP address with an associated public IP address.

HIGHER_PRIORITY_ROUTE

This route table contains a route to the destination that cannot be used because there is a higher priority route with the same destination CIDR.

IGW_DESTINATION_ADDRESS_IN_VPC_CIDRS

Internet gateways accept traffic only if the destination address is within the VPC CIDR block.

IGW_DESTINATION_ADDRESS_NOT_IN_RFC1918_EGRESS

Internet gateways reject outbound traffic with destination addresses in the private IP address range (see RFC1918).

IGW_NAT_REFLECTION

Internet gateways do not model NAT reflection. Without NAT reflection, traffic originating in a VPC and destined for the public IP address of an instance in the same VPC cannot be redirected back to the VPC.

IGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS

Internet gateways reject inbound traffic with a destination address that is not the public IP address of a network interface in the VPC.

IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS

Traffic cannot reach the internet through the internet gateway if the source address is not paired with a public IP address.

IGW_SOURCE_ADDRESS_NOT_IN_RFC1918_INGRESS

Internet gateways reject inbound traffic with source addresses in the private IP address range (see RFC1918).

INGRESS_RTB_NO_PUBLIC_IP

A middlebox appliance can't receive traffic from the internet through an ingress route table if it does not have a public IP address.

INGRESS_RTB_NO_ROUTE_TO_GATEWAY

Bidirectional traffic between the gateway and the middlebox appliance requires a route to the gateway in the route table for the subnet of the middlebox appliance.

INGRESS_RTB_TRAFFIC_REDIRECTION

Subnets whose traffic is redirected to a middlebox appliance can't use a direct route to the internet gateway even when the subnet route table provides one.

MORE_SPECIFIC_ROUTE

The specified route can't be used to transmit traffic because there is a more specific route that matches.

NGW_DEST_ADDRESS_PRESERVATION

NAT gateways do not alter destination addresses.

NGW_REQUIRES_SOURCE_IN_VPC

NAT gateways can only transmit traffic that originates from network interfaces within the same VPC. NAT gateways cannot transmit traffic that originates from peering connections, VPN connections, or AWS Direct Connect.

NGW_SOURCE_ADDRESS_REASSIGN

NAT gateways rewrite the source address of outbound traffic to the NAT gateway's own private IP address.

NO_ROUTE_TO_DESTINATION

The route table does not have an applicable route to the destination resource.
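The four route-table codes CANNOT_ROUTE, MORE_SPECIFIC_ROUTE, HIGHER_PRIORITY_ROUTE and NO_ROUTE_TO_DESTINATION all come from the same selection step: every route whose CIDR does not cover the packet is unusable, the longest matching prefix wins, and among routes with the same CIDR a static route beats a propagated one. The following script is an added example, not AWS's own code or output from Reachability Analyzer; it models that selection over a constructed route table (the target IDs are placeholders) and attaches the code each unused route would carry. Treating CANNOT_ROUTE as the tag for every non-matching route is this demo's simplification.

```python
"""Route selection on a VPC route table, expressed with the explanation
codes Reachability Analyzer attaches to routes on an analysed path.

Added illustrative example, not AWS code. Selection order modelled:
  1. a route whose CIDR does not cover the destination    -> CANNOT_ROUTE
  2. no covering route at all                             -> NO_ROUTE_TO_DESTINATION
  3. a covering route shadowed by a longer prefix         -> MORE_SPECIFIC_ROUTE
  4. same CIDR, but a static route outranks a propagated  -> HIGHER_PRIORITY_ROUTE
The route table below is constructed; target IDs are placeholders.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    destination: str        # destination CIDR, e.g. "10.0.0.0/16"
    target: str             # route target (placeholder IDs in this demo)
    origin: str = "static"  # "static" or "propagated"


@dataclass
class RouteDecision:
    chosen: Optional[Route]             # route that carries the packet, if any
    path_code: Optional[str]            # NO_ROUTE_TO_DESTINATION when nothing matches
    route_codes: Dict[Route, str] = field(default_factory=dict)  # why each other route is unused


def _net(route: Route) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(route.destination, strict=False)


def select_route(table: List[Route], dst_ip: str) -> RouteDecision:
    """Pick the route a packet to dst_ip would use and explain the rest."""
    dst = ipaddress.ip_address(dst_ip)
    codes: Dict[Route, str] = {}
    matching: List[Route] = []
    for r in table:
        if dst in _net(r):
            matching.append(r)
        else:
            codes[r] = "CANNOT_ROUTE"  # CIDR does not cover the destination
    if not matching:
        return RouteDecision(None, "NO_ROUTE_TO_DESTINATION", codes)

    # Longest-prefix match: shorter prefixes lose to the most specific route.
    longest = max(_net(r).prefixlen for r in matching)
    same_cidr: List[Route] = []
    for r in matching:
        if _net(r).prefixlen < longest:
            codes[r] = "MORE_SPECIFIC_ROUTE"
        else:
            same_cidr.append(r)

    # Same destination CIDR: a static route takes priority over a propagated one.
    same_cidr.sort(key=lambda r: 0 if r.origin == "static" else 1)
    for r in same_cidr[1:]:
        codes[r] = "HIGHER_PRIORITY_ROUTE"
    return RouteDecision(same_cidr[0], None, codes)


# Constructed route table for the demo (placeholder target IDs).
SAMPLE_TABLE = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "igw-PLACEHOLDER"),
    Route("172.16.0.0/16", "pcx-PLACEHOLDER", "static"),
    Route("172.16.0.0/16", "vgw-PLACEHOLDER", "propagated"),
    Route("172.16.5.0/24", "tgw-PLACEHOLDER", "static"),
]
# Same table without the default route, to show NO_ROUTE_TO_DESTINATION.
NO_DEFAULT_TABLE = [r for r in SAMPLE_TABLE if r.destination != "0.0.0.0/0"]


if __name__ == "__main__":
    for table, dst in ((SAMPLE_TABLE, "172.16.5.10"),
                       (SAMPLE_TABLE, "172.16.9.9"),
                       (NO_DEFAULT_TABLE, "198.51.100.7")):
        d = select_route(table, dst)
        print(dst, "->", d.chosen.target if d.chosen else d.path_code)
        for r, code in d.route_codes.items():
            print("   ", r.destination, r.target, code)
```

Running it shows why two routes to 172.16.0.0/16 can coexist without conflict (the propagated one is reported as HIGHER_PRIORITY_ROUTE) while the /24 to the transit gateway shadows both of them as MORE_SPECIFIC_ROUTE.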

PATH_THROUGH_TGW_UNSUPPORTED

Reachability Analyzer does not support transit gateways as intermediate components, only as a source or destination. Use Route Analyzer instead.

PCX_REQUIRES_ADDRESS_IN_VPC_CIDR

Traffic can traverse this peering connection only if the destination or source address is within the CIDR block of the destination VPC.

PROTOCOL_RESTRICTION

This component only accepts traffic with specific protocols.

REMAP_EPHEMERAL_PORT

Outbound traffic from a NAT gateway or load balancer has the source port remapped to an ephemeral port in the range [1024–65535].

RTB_ACL_ROUTE_RESTRICTION

Packets using routes to network interfaces (or to components with attached network interfaces) must be allowed by the ACL of the network interface subnet.

RTB_ACL_SUBNET_RESTRICTION

This network ACL does not allow traffic, so traffic cannot ingress from the route table to a destination subnet.

SG_HAS_NO_RULES

This security group has no inbound or outbound rules.

SUBNET_ACL_RESTRICTION

Inbound or outbound traffic for a subnet must be admitted by the network ACL for the subnet.
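SUBNET_ACL_RESTRICTION, ENI_SG_RULES_MISMATCH and SG_HAS_NO_RULES are reported by two filters with different semantics: a network ACL is an ordered list of numbered allow/deny rules where the first match wins and an unmatched packet hits the implicit deny, while a security group is an unordered set of allow-only rules that denies when nothing matches. The script below is an added example, not AWS's own code; it evaluates a constructed inbound network ACL and security group for a packet entering a subnet and returns the code the first failing filter would produce. The rule sets, the `Rule` class and the port-matching rules for ICMP are assumptions of this demo.

```python
"""Inbound evaluation of a subnet network ACL followed by an ENI security
group, returning the Reachability Analyzer code of the first filter that
rejects the packet (None means both admit it).

Added illustrative example, not AWS code. Rule sets below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number (evaluation order); unused for security groups
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int    # port range; ignored when protocol is "-1" (assumption: also for icmp)
    port_to: int
    cidr: str         # source CIDR for inbound rules
    action: str = "allow"   # "allow" or "deny"; security groups are allow-only


def _matches(rule: Rule, protocol: str, port: int, addr: str) -> bool:
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.port_from <= port <= rule.port_to):
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr, strict=False)


def evaluate_nacl(rules: List[Rule], protocol: str, port: int, addr: str) -> Optional[str]:
    """Lowest rule number that matches decides; no match is the implicit deny (rule *)."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, protocol, port, addr):
            return None if r.action == "allow" else "SUBNET_ACL_RESTRICTION"
    return "SUBNET_ACL_RESTRICTION"


def evaluate_sg(rules: List[Rule], protocol: str, port: int, addr: str) -> Optional[str]:
    """Any matching allow rule admits the packet; an empty group is its own code."""
    if not rules:
        return "SG_HAS_NO_RULES"
    if any(_matches(r, protocol, port, addr) for r in rules):
        return None
    return "ENI_SG_RULES_MISMATCH"


def check_inbound(nacl: List[Rule], sg: List[Rule],
                  protocol: str, port: int, src_addr: str) -> Optional[str]:
    """Inbound order: the subnet's network ACL first, then the interface's security group."""
    return (evaluate_nacl(nacl, protocol, port, src_addr)
            or evaluate_sg(sg, protocol, port, src_addr))


# Constructed inbound network ACL: explicit deny for SSH ahead of a broad allow.
NACL_IN = [
    Rule(100, "tcp", 22, 22, "0.0.0.0/0", "deny"),
    Rule(200, "tcp", 0, 65535, "0.0.0.0/0", "allow"),
]
# Constructed security group: HTTPS and SSH from the private range only.
SG_IN = [
    Rule(0, "tcp", 443, 443, "10.0.0.0/8"),
    Rule(0, "tcp", 22, 22, "10.0.0.0/8"),
]


if __name__ == "__main__":
    for proto, port, src in (("tcp", 443, "10.1.2.3"), ("tcp", 22, "10.1.2.3"),
                             ("tcp", 8080, "10.1.2.3"), ("tcp", 443, "203.0.113.5")):
        print(proto, port, src, "->", check_inbound(NACL_IN, SG_IN, proto, port, src) or "admitted")
```

The SSH case is the one worth noticing: the security group allows it, but the network ACL's rule 100 is evaluated first and denies it, so the analysis stops at SUBNET_ACL_RESTRICTION and the security group is never consulted. Network ACLs are also stateless, so the return direction needs its own outbound rule, whereas a security group's allow covers the reply.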

TARGET_ADDRESS_RESTRICTION

This target group can only emit packets that are destined for the target address.

TARGET_PORT_RESTRICTION

This target group can only route traffic that's destined for the target port.

TGW_ATTACH_VPC_AZ_RESTRICTION

Traffic from a VPC attachment in the default mode cannot be forwarded to the network interface in this Availability Zone because it comes from an Availability Zone where the attachment has a different network interface. Traffic from a VPC attachment in appliance mode cannot be forwarded to the network interface in this Availability Zone because on the forward path it used a different Availability Zone.

TGW_BAD_STATE_VPN

This VPN connection is in a non-functional state.

TGW_RESPONSE_PATH_UNSUPPORTED

Analyzing response traffic through a transit gateway is not supported. Change the protocol from TCP to UDP.

TGW_ROUTE_AZ_RESTRICTION

This transit gateway is not registered in the Availability Zone where the traffic originates.

TGW_RTB_BAD_STATE_ROUTE

This transit gateway route table has a route to the destination that is in a bad state.

TGW_RTB_CANNOT_ROUTE

This transit gateway route table has a route to the intended destination, but the route does not match the packet's destination address.

TGW_RTB_HIGHER_PRIORITY_ROUTE

This transit gateway route table contains a route to the intended destination that cannot be used because there is a higher-priority route with the same destination CIDR.

TGW_RTB_MORE_SPECIFIC_ROUTE

This transit gateway route table has a route to the destination, but there is a more specific route.

TGW_RTB_NO_ROUTE_TO_TGW_ATTACHMENT

This transit gateway route table has no route to this transit gateway attachment.

TGW_RTB_ROUTES_ARE_UNKNOWN

The routes of this transit gateway route table are not known. This might be due to an internal error or because the transit gateway route table does not belong to the account running the analysis.

UNKNOWN_PEERED_SGS

One of the VPCs in the VPC peering connection is unknown. This is typically because the VPC is in a different account. Access controls referencing security groups are treated as inaccessible and deny traffic crossing this peering connection.

VGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS

Virtual private gateways can't accept inbound traffic if the destination address is not the private IP address of a component in the VPC.

VPC_LOCAL_ROUTE_CIDR_RESTRICTION

Local routes apply only to packets with a destination address within the VPC CIDR block.

VPCE_GATEWAY_EGRESS_SOURCE_ADDRESS_RESTRICTION

VPC gateway endpoints emit only traffic with source addresses within the CIDRs of their corresponding prefix lists.

VPCE_GATEWAY_PROTOCOL_RESTRICTION

VPC gateway endpoints accept only TCP or ICMP ECHO traffic, and emit only TCP or ICMP ECHO reply traffic.

Request not valid codes

If you receive one of these explanation codes, the specified request is not valid and no path is possible.

DISCONNECTED_VPCS

The source and destination are in separate VPCs with no peering connection.

NO_PATH

There is no path from the source to the destination.

NO_SOURCE_OR_DESTINATION

The source or destination resource does not exist.

UNASSOCIATED_COMPONENT

The component is not associated with any VPC in your account.

UNSUPPORTED_COMPONENT

This component is not supported by Reachability Analyzer.