From 2203a254615c085430a3b464466241c5f22e267d Mon Sep 17 00:00:00 2001 From: Diana <75819066+cloudjumpercat@users.noreply.github.com> Date: Tue, 16 Jun 2026 11:57:58 -0500 Subject: [PATCH 1/3] Draft REP security group and troubleshooting content Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> --- .../aws-resource-endpoints.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md b/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md index a119015390..e22a149ef4 100644 --- a/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md +++ b/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md 
@@ -152,3 +152,28 @@ Additionally, you can validate that the resource endpoint connections in {{site. ```sh curl -i -X GET "http://$RESOURCE_DOMAIN_NAME/anything" ``` + +## Configure VPC security group inbound rules + +When using AWS Resource Endpoints with Dedicated Cloud Gateways, traffic flows through AWS VPC Lattice before reaching your backend resources. +VPC Lattice terminates the connection from your Dedicated Cloud Gateway and opens a new connection to your backend services. +Because of this, the source IP of this new connection is an AWS-managed Lattice IP, not the original Dedicated Cloud Gateway IP. +This is why you must configure your inbound VPC security group rules with the managed prefix list to allow this traffic. + +1. In AWS, navigate to your VPC console. +1. From the VPC sidebar, click **Managed prefix lists**. +1. Search for the region where your backend resources (NLB/target group) are deployed (for example: `com.amazonaws..vpc-lattice`). +1. Copy the prefix list ID. +1. From the VPC sidebar, click **Security groups**. +1. Create a new security group or edit the inbound rules of an existing security group. +1. In the **Source** field, enter the prefix list IDs, for example `pl-123456...`. +1. Repeat steps 1-7 for all regions where your backend resources are deployed. + +## Troubleshooting timeouts + +If requests time out and your NLB shows no incoming traffic: +* Verify the security group attached to your backend allows the Lattice prefix list. +* Confirm the correct region-specific prefix list is used in your security group inbound rules. +* Validate the Resource Endpoint connection is in the `READY` state in {{site.konnect_short_name}}. +* Confirm the Gateway Service upstream host matches the Resource Endpoint domain name. +* Check NLB target group health. From 74d47bfc26ab49678102d060260139ecab017a6a Mon Sep 17 00:00:00 2001 
From: Diana <75819066+cloudjumpercat@users.noreply.github.com> Date: Thu, 18 Jun 2026 09:21:38 -0500 Subject: [PATCH 2/3] Apply suggestions from copilot Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .../dedicated-cloud-gateways/aws-resource-endpoints.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md b/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md index e22a149ef4..8a48ac791e 100644 --- a/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md +++ b/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md @@ -150,7 +150,7 @@ Once the resource configuration mapping displays as `Ready`, your resource endpo Additionally, you can validate that the resource endpoint connections in {{site.konnect_short_name}} are working correctly by navigating to your [Gateway Service configured in the prerequisites](/dedicated-cloud-gateways/aws-resource-endpoints/#required-entities): ```sh -curl -i -X GET "http://$RESOURCE_DOMAIN_NAME/anything" +curl -i -X GET "$RESOURCE_DOMAIN_NAME" ``` ## Configure VPC security group inbound rules @@ -167,7 +167,7 @@ This is why you must configure your inbound VPC security group rules with the ma 1. From the VPC sidebar, click **Security groups**. 1. Create a new security group or edit the inbound rules of an existing security group. 1. In the **Source** field, enter the prefix list IDs, for example `pl-123456...`. -1. Repeat steps 1-7 for all regions where your backend resources are deployed. +1. Repeat steps 1-8 for all regions where your backend resources are deployed. ## Troubleshooting timeouts From 6c4872be4181d3a30da6de983a8c8e41fbe07831 Mon Sep 17 00:00:00 2001 From: Diana <75819066+cloudjumpercat@users.noreply.github.com> Date: Thu, 18 Jun 2026 09:49:32 -0500 Subject: [PATCH 3/3] apply PM feedback 
Signed-off-by: Diana <75819066+cloudjumpercat@users.noreply.github.com> --- .../dedicated-cloud-gateways/aws-resource-endpoints.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md b/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md index 8a48ac791e..a2260e675c 100644 --- a/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md +++ b/app/_how-tos/dedicated-cloud-gateways/aws-resource-endpoints.md 
@@ -158,16 +158,17 @@ curl -i -X GET "$RESOURCE_DOMAIN_NAME" When using AWS Resource Endpoints with Dedicated Cloud Gateways, traffic flows through AWS VPC Lattice before reaching your backend resources. VPC Lattice terminates the connection from your Dedicated Cloud Gateway and opens a new connection to your backend services. Because of this, the source IP of this new connection is an AWS-managed Lattice IP, not the original Dedicated Cloud Gateway IP. -This is why you must configure your inbound VPC security group rules with the managed prefix list to allow this traffic. + +To allow this traffic, you must configure the inbound security group rules for whatever resource is acting as your backend target (for example, EC2 instances, Application Load Balancers, Network Load Balancers, or target Elastic Network Interfaces). 1. In AWS, navigate to your VPC console. 1. From the VPC sidebar, click **Managed prefix lists**. 1. Search for the region where your backend resources (NLB/target group) are deployed (for example: `com.amazonaws..vpc-lattice`). 1. Copy the prefix list ID. -1. From the VPC sidebar, click **Security groups**. +1. Navigate to the security group for your backend target resource. 1. Create a new security group or edit the inbound rules of an existing security group. 1. In the **Source** field, enter the prefix list IDs, for example `pl-123456...`. -1. Repeat steps 1-8 for all regions where your backend resources are deployed. +1. Repeat steps 1-7 for all regions where your backend resources are deployed. ## Troubleshooting timeouts 
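Review bot: in the third patch's first hunk (`@@ -158,16 +158,17 @@`), the rewritten intro sentence no longer names the VPC Lattice managed prefix list as the source for the rule, even though steps 2-4 and 7 still depend on it, and step 5 now points at the existing security group of the backend target while step 6 still offers to "Create a new security group" without saying it must be attached to that target. Keep a clause such as "using the VPC Lattice managed prefix list as the source" in the new sentence, and either drop the create-a-new-group branch or add that a new group has no effect until it is associated with the NLB, ALB, instance or ENI. The `com.amazonaws..vpc-lattice` example from the first patch is also still present in step 3 with an empty segment where the region belongs; `com.amazonaws.<region>.vpc-lattice` makes the placeholder visible.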
@@ -177,3 +178,5 @@ If requests time out and your NLB shows no incoming traffic: * Validate the Resource Endpoint connection is in the `READY` state in {{site.konnect_short_name}}. * Confirm the Gateway Service upstream host matches the Resource Endpoint domain name. * Check NLB target group health. +* Confirm backend subnet network access control lists (NACLs) allow inbound and outbound to the Lattice prefix. Security groups are stateful; a restrictive NACL silently drops the return path. +* Confirm the NLB listener protocol and port matches the resource configuration's accepted listener.
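Review bot: in the first patch's hunk (`@@ -152,3 +152,28 @@`), step 7 has the reader enter only a source (`pl-123456...`) and never states a protocol or port, so a reader following the steps literally may allow all traffic from the Lattice range. Add the protocol and port range the backend listener actually serves (for example TCP on the NLB listener port) to step 7, and fix step 3's `com.amazonaws..vpc-lattice`, which has an empty segment where the region should be, by writing an explicit placeholder such as `com.amazonaws.<region>.vpc-lattice`.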
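Review bot: in the second patch's first hunk (`@@ -150,7 +150,7 @@`), replacing `"http://$RESOURCE_DOMAIN_NAME/anything"` with `"$RESOURCE_DOMAIN_NAME"` makes the scheme implicit (curl assumes `http://` for a bare host, so nothing is gained if the intent was to avoid cleartext) and drops the `/anything` path the validation previously requested. Either write the intended scheme explicitly or state in the sentence above the command that `RESOURCE_DOMAIN_NAME` already includes it, and keep the path unless the root path of the backend returns a response that confirms the connection.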
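Review bot: in the second patch's second hunk (`@@ -167,7 +167,7 @@`), "Repeat steps 1-8" counts the repeat instruction itself, which is the eighth list item; the previous "1-7" was correct, and the third patch reverts this line, so the hunk should be dropped from the series rather than carried and undone.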
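Review bot: in the third patch's second hunk (`@@ -177,3 +178,5 @@`), the new NACL bullet says "Security groups are stateful" but never states the contrast it relies on, that network ACLs are stateless, and "allow inbound and outbound to the Lattice prefix" omits that the outbound rule must cover the ephemeral port range (1024-65535) for the return traffic to leave the subnet. Suggest: "Network ACLs are stateless: allow inbound from the Lattice prefix list on the listener port and outbound to it on ephemeral ports 1024-65535." In the final bullet, "protocol and port matches" should read "match".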