VPC Reachability Analyzer explanation codes - Amazon Virtual Private Cloud

VPC Reachability Analyzer explanation codes

If a destination is not reachable, Reachability Analyzer provides one or more explanation codes to help you diagnose and address network misconfiguration.

Path is not reachable

If you receive one of these explanation codes, the path analysis determined that the path is not reachable.

BAD_STATE

This component is not in a functional state.

BAD_STATE_ATTACHMENT

The attachment between these components is not in a functional state.

BAD_STATE_ROUTE

This route is not in a functional state.

BAD_STATE_VPN

This VPN connection is not in a functional state.

CANNOT_ROUTE

This route can't transmit traffic because its destination CIDR or prefix list does not match the destination address of the packet.

COMPONENT_FILTER_RESTRICTION

The source, destination, or intermediate components specified for the path prevent some components from being used.

ELB_ACL_RESTRICTION

Classic Load Balancers apply network ACLs to outbound traffic, even if it's destined for a target in the same subnet as the load balancer.

ELB_INSTALLED_AZ_RESTRICTION

This load balancer can send traffic only to targets in Availability Zones that are enabled for the load balancer.

ELB_LISTENER_PORT_RESTRICTION

This Classic Load Balancer listener allows only inbound traffic destined for the specified port, and outbound traffic with the specified destination port.

ELB_LISTENERS_MISMATCH

This Classic Load Balancer does not have a listener that accepts the traffic.

ELB_NOT_CROSSZONE

This load balancer can't send traffic to some targets because cross-zone load balancing is disabled.

ELBV2_LISTENER_HAS_NO_TG

This listener is associated with target groups that have no targets.

ELBV2_LISTENER_PORT_RESTRICTION

This listener does not accept traffic unless it has the specified destination port.

ELBV2_LISTENER_REQUIRES_TG_ACCEPT

This listener does not have a target group that accepts the traffic.

ELBV2_LISTENERS_MISMATCH

This load balancer does not have a listener that accepts the traffic.

ELBV2_SOURCE_ADDRESS_PRESERVATION

If source address preservation is enabled, the outgoing source address is unaltered while traversing the Network Load Balancer.

ENI_ADDRESS_RESTRICTION

This network interface does not allow inbound or outbound traffic unless the source or destination address matches its private IP address.

ENI_SG_RULES_MISMATCH

This security group has no inbound or outbound rules that apply.

ENI_SOURCE_DEST_CHECK_RESTRICTION

Network interfaces with source/destination check enabled reject inbound traffic if the destination address does not match one of its private IP addresses, and reject outbound traffic if the source address does not match one of their private IP addresses.

GATEWAY_REJECTS_SPOOFED_TRAFFIC

Gateways reject traffic from network interfaces if the source IP address is not a public IP address associated with the network interface.

HIGHER_PRIORITY_ROUTE

This route table contains a route to the destination that can't be used because there is a higher priority route with the same destination CIDR.

IGW_DESTINATION_ADDRESS_IN_VPC_CIDRS

Internet gateways accept traffic only if the destination address is within the VPC CIDR block.

IGW_DESTINATION_ADDRESS_NOT_IN_RFC1918_EGRESS

Internet gateways reject outbound traffic with destination addresses in the private IP address range (see RFC1918).

IGW_NAT_REFLECTION

Internet gateways do not model NAT reflection. Without NAT reflection, traffic originating in a VPC and destined for the public IP address of an instance in the same VPC can't be redirected back to the VPC.

IGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS

Internet gateways reject inbound traffic with a destination address that is not the public IP address of a network interface in the VPC with an available attachment.

IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS

Traffic can't reach the internet through the internet gateway if the source address is not paired with a public IP address or if the source address does not belong to a network interface in the VPC with an available attachment.

IGW_SOURCE_ADDRESS_NOT_IN_RFC1918_INGRESS

Internet gateways reject inbound traffic with source addresses in the private IP address range (see RFC1918).

INGRESS_RTB_NO_PUBLIC_IP

A middlebox appliance can't receive traffic from the internet through an ingress route table if it does not have a public IP address.

INGRESS_RTB_TRAFFIC_REDIRECTION

Subnets whose traffic is redirected to a middlebox appliance can't use a direct route to the internet gateway even when the subnet route table provides one.

MORE_SPECIFIC_ROUTE

The specified route can't be used to transmit traffic because there is a more specific route that matches. You can use filters to require that a path include a specific intermediate component.

NGW_DEST_ADDRESS_PRESERVATION

NAT gateways do not alter destination addresses.

NGW_REQUIRES_SOURCE_IN_VPC

NAT gateways can only transmit traffic that originates from network interfaces within the same VPC. NAT gateways can't transmit traffic that originates from peering connections, VPN connections, or AWS Direct Connect.

NGW_SOURCE_ADDRESS_REASSIGN

NAT gateways transform the source's addresses in outbound traffic to match its private IP address.

NO_POSSIBLE_DESTINATION

The network component can't deliver the packet to any possible destination.

NO_ROUTE_TO_DESTINATION

The route table does not have an applicable route to the destination resource.

PCX_REQUIRES_ADDRESS_IN_VPC_CIDR

Traffic can traverse this peering connection only if the destination or source address is within the CIDR block of the destination VPC.

PROTOCOL_RESTRICTION

This component only accepts traffic with specific protocols.

REMAP_EPHEMERAL_PORT

Outbound traffic from a NAT gateway or load balancer has the source port remapped to an ephemeral port in the range [1024–65535].

SG_HAS_NO_RULES

This security group has no inbound or outbound rules.

SUBNET_ACL_RESTRICTION

Inbound or outbound traffic for a subnet must be admitted by the network ACL for the subnet.

TARGET_ADDRESS_RESTRICTION

A load balancer can only route traffic that is destined for the address of one of its targets.

TARGET_PORT_RESTRICTION

A load balancer can only route traffic to a target using its registered port.

TGW_ATTACH_MISSING_TGW_RTB_ASSOCIATION

This transit gateway attachment doesn't have a valid transit gateway route table association.

TGW_ATTACH_VPC_AZ_RESTRICTION

Traffic from a VPC attachment in the default mode can't be forwarded to the network interface in this Availability Zone because it comes from an Availability Zone where the attachment has a different network interface. Traffic from a VPC attachment in appliance mode can't be forwarded to the network interface in this Availability Zone because on the forward path it used a different Availability Zone.

TGW_BAD_STATE_VPN

This VPN connections is in a non-functional state.

TGW_ROUTE_AZ_RESTRICTION

This transit gateway is not registered in the Availability Zone where the traffic originates.

TGW_RTB_BAD_STATE_ROUTE

This transit gateway route table has a route to the destination that is in a bad state.

TGW_RTB_CANNOT_ROUTE

This transit gateway route table has a route to the intended destination, but the route does not match the package destination address.

TGW_RTB_HIGHER_PRIORITY_ROUTE

This transit gateway route table contains a route to the intended destination that can't be used because there is a higher-priority route with the same destination CIDR.

TGW_RTB_MORE_SPECIFIC_ROUTE

This transit gateway route table has a route to the destination, but there is a more specific route.

TGW_RTB_NO_ROUTE_TO_TGW_ATTACHMENT

This transit gateway route table has no route to this transit gateway attachment.

TGW_RTB_ROUTES_ARE_UNKNOWN

The routes of this transit gateway route table are not known. This might be due to an internal error or because the transit gateway route table does not belong to the account running the analysis.

UNKNOWN_DESTINATION

The path can't be extended because the information about the destination is insufficient.

UNKNOWN_PEERED_SGS

One of the VPCs in the VPC peering connection is unknown. This is typically because the VPC is in a different account. Access controls referencing security groups are treated as inaccessible and deny traffic crossing this peering connection.

VGW_PRIVATE_IP_ASSOCIATION_FOR_EGRESS

Virtual private gateways can't accept outbound traffic if the source address does not belong to a network interface in the VPC with an available attachment.

VGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS

Virtual private gateways can't accept inbound traffic if the destination address is not the private IP address of a network interface in the VPC with an available attachment.

VPC_LOCAL_ROUTE_CIDR_RESTRICTION

Local routes apply only to packets with a destination address within the VPC CIDR block.

VPCE_GATEWAY_EGRESS_SOURCE_ADDRESS_RESTRICTION

VPC gateway endpoints emit only traffic with source addresses within the CIDRs of their corresponding prefix lists.

VPCE_GATEWAY_PROTOCOL_RESTRICTION

VPC gateway endpoints accept only TCP or ICMP ECHO traffic, and emit only TCP or ICMP ECHO reply traffic.

Configuration

If you receive one of these explanation codes, no path is possible.

DISCONNECTED_VPCS

The source and destination are in separate VPCs that are not connected by a supported resource.

NO_PATH

Reachability Analyzer was unable to find a path from the source to the destination. The following are the most common causes:

  • The path does not meet the optional configuration details, such as an IP address, port, or filter.

  • The source or destination components are temporarily isolated from the network (for example, a newly started instance that does not yet have a network interface).

  • The source can't initiate traffic to the destination (for example, an interface VPC endpoint or gateway VPC endpoint can't initiate connections with components in the same VPC as the VPC endpoint).

  • The path requires the ability to analyze an unsupported feature (for example, IPv6) or an unsupported network component.

NO_SOURCE_OR_DESTINATION

The source or destination resource does not exist.

UNASSOCIATED_COMPONENT

The component is not associated with a VPC in your account (for example, a recently terminated instance), or none of its network interfaces has an IPv4 address.

UNSUPPORTED_COMPONENT

The component is not supported by Reachability Analyzer.