Reachability Analyzer explanation codes

This component is not in a functional state.

The attachment between these components is not in a functional state.

This route is not in a functional state.

This VPN connection is not in a functional state.

This route can't transmit traffic because its destination CIDR or prefix list does not match the destination address of the packet.

Classic Load Balancers apply network ACLs to outbound traffic, even if it's destined for a target in the same subnet as the load balancer.

This load balancer can send traffic only to targets in Availability Zones that are enabled for the load balancer.

This Classic Load Balancer listener allows only inbound traffic destined for the specified port, and outbound traffic with the specified destination port.

This Classic Load Balancer does not have a listener that accepts the traffic.

This load balancer can't send traffic to some targets because cross-zone load balancing is disabled.

This listener is associated with target groups that have no targets.

This listener does not accept traffic unless it has the specified destination port.

This listener does not have a target group that accepts the traffic.

This load balancer does not have a listener that accepts the traffic.

The load balancer does not have targets in the specified Availability Zones.

If source address preservation is enabled, the outgoing source address is unaltered while traversing the Network Load Balancer.

This network interface does not allow inbound or outbound traffic unless the source or destination address matches its private IP address.

This security group has no inbound or outbound rules that apply.

Network interfaces with source/destination check enabled reject inbound traffic if the destination address does not match one of its private IP addresses, and reject outbound traffic if the source address does not match one of their private IP addresses.

The traffic is blocked by a matching Network Firewall firewall rule.

Gateways reject traffic with spoofed addresses from the VPC.

Traffic between a Gateway Load Balancer and its targets must use port 6081 as the destination port. To analyze connectivity through a Gateway Load Balancer, specify port 6081 in the path definition.

Traffic between a Gateway Load Balancer and its targets must use the GENEVE protocol, which is UDP-based. To analyze connectivity through a Gateway Load Balancer, specify the UDP protocol in the path definition.

This route table contains a route to the destination that can't be used because there is a higher priority route with the same destination CIDR.

Internet gateways accept traffic only if the destination address is within the VPC CIDR block.

Internet gateways reject outbound traffic with destination addresses in the private IP address range (see RFC1918).

Internet gateways reject outbound traffic with destination addresses in the shared IP address range (see RFC6598).

The path has an internet gateway as an intermediate component, which Reachability Analyzer does not support. Instead, analyze the path from the source to the internet gateway and then analyze the path from the internet gateway to the destination.

Internet gateways reject inbound traffic with a destination address that is not the public IP address of a network interface in the VPC with an available attachment.

Traffic can't reach the internet through the internet gateway if the source address is not paired with a public IP address or if the source address does not belong to a network interface in the VPC with an available attachment.

Internet gateways reject inbound traffic with source addresses in the private IP address range (see RFC1918).

Internet gateways reject inbound traffic with source addresses in the shared IP address range (see RFC6598).

A middlebox appliance can't receive traffic from the internet through an ingress route table if it does not have a public IP address.

Subnets whose traffic is redirected to a middlebox appliance can't use a direct route to the internet gateway even when the subnet route table provides one.

The specified route can't be used to transmit traffic because there is a more specific route that matches. You can use filters to require that a path include a specific intermediate component.

NAT gateways do not alter destination addresses.

NAT gateways can only transmit traffic that originates from network interfaces within the same VPC. NAT gateways can't transmit traffic that originates from peering connections, VPN connections, or AWS Direct Connect.

NAT gateways transform the source's addresses in outbound traffic to match its private IP address.

The network component can't deliver the packet to any possible destination, or the network component sent traffic to a destination in another account or Region. If the destination is in another account, enable cross-account analyses.

The route table does not have an applicable route to the destination resource.

Traffic can traverse this peering connection only if the destination or source address is within the CIDR block of the destination VPC.

This component only accepts traffic with specific protocols.

Outbound traffic from a NAT gateway or load balancer has the source port remapped to an ephemeral port in the range [1024–65535].

This security group has no inbound or outbound rules.

The network component discards security group information about forwarded traffic. This prevents traffic from being accepted by security group rules that accept traffic only from a source or destination that belongs to a security group.

The transit gateway VPC attachment does not have security group referencing support enabled. Therefore, we discard security group information about forwarded traffic.

Inbound or outbound traffic for a subnet must be admitted by the network ACL for the subnet.

A load balancer can only route traffic that is destined for the address of one of its targets.

A load balancer can only route traffic to a target using its registered port.

This transit gateway attachment doesn't have a valid transit gateway route table association.

Traffic from a VPC attachment in the default mode can't be forwarded to the network interface in this Availability Zone because it comes from an Availability Zone where the attachment has a different network interface. Traffic from a VPC attachment in appliance mode can't be forwarded to the network interface in this Availability Zone because on the forward path it used a different Availability Zone.

This VPN connection is in a non-functional state.

This transit gateway is not registered in the Availability Zone where the traffic originates. The VPC attachment must have a subnet association in the Availability Zone.

This transit gateway route table has a route to the destination that is in a bad state.

This transit gateway route table has a route to the intended destination, but the route does not match the packet destination address.

This transit gateway route table contains a route to the intended destination that can't be used because there is a higher-priority route with the same destination CIDR.

This transit gateway route table has a route to the destination, but there is a more specific route.

This transit gateway route table has no route to this transit gateway attachment.

The routes of this transit gateway route table are not known. This might be due to an internal error or because the transit gateway route table does not belong to the account running the analysis.

The path can't be extended because the information about the destination is insufficient.

One of the VPCs in the VPC peering connection is unknown. This is typically because the VPC is in a different account. Access controls referencing security groups are treated as inaccessible and deny traffic crossing this peering connection.

Reachability Analyzer can't analyze this resource because it can't describe the resource.

Virtual private gateways can't accept outbound traffic if the source address does not belong to a network interface in the VPC with an available attachment.

Virtual private gateways can't accept inbound traffic if the destination address is not the private IP address of a network interface in the VPC with an available attachment.

Internet traffic is blocked because VPC Block Public Access (BPA) is enabled.

Local routes apply only to packets with a destination address within the VPC CIDR block.

VPC gateway endpoints emit only traffic with source addresses within the CIDRs of their corresponding prefix lists.

VPC gateway endpoints accept only TCP or ICMP ECHO traffic, and emit only TCP or ICMP ECHO reply traffic.

A VPC endpoint can't initiate connections to resources in the same VPC where it is deployed. Instead, analyze the path in the reverse direction.

The VPC endpoint service is not installed in the specified Availability Zone.

The source and destination are in separate VPCs that are not connected by a supported resource.

Reachability Analyzer was unable to find a path from the source to the destination. The following are the most common causes:

The source or destination resource does not exist.

The component is not associated with a VPC in your account (for example, a recently terminated instance), or none of its network interfaces has an IPv4 address.

The component is not supported by Reachability Analyzer.

There is no path that traverses the specified component.

There is no path that traverses the specified component because of an intermediate component filter.

There is no path that matches the specified destination IP address at the destination.

There is no path that matches the specified destination port range at the destination.

There is no path that matches the specified destination protocol.

There is no path that matches the specified source address at the destination.

There is no path that matches the specified source port range at the destination.

There is no path that matches the specified destination IP address at the source.

There is no path that matches the specified destination port range at the source.

There is no path that matches the specified protocol.

There is no path that matches the specified source IP address at the source.

There is no path that matches the specified source port range at the source.

IP addresses must be public IP addresses when the resource is an internet gateway.