Expand Up @@ -150,5 +150,33 @@ Once the resource configuration mapping displays as `Ready`, your resource endpo
Additionally, you can validate that the resource endpoint connections in {{site.konnect_short_name}} are working correctly by navigating to your [Gateway Service configured in the prerequisites](/dedicated-cloud-gateways/aws-resource-endpoints/#required-entities):

```sh
curl -i -X GET "http://$RESOURCE_DOMAIN_NAME/anything"
curl -i -X GET "$RESOURCE_DOMAIN_NAME"
```

## Configure VPC security group inbound rules

When using AWS Resource Endpoints with Dedicated Cloud Gateways, traffic flows through AWS VPC Lattice before reaching your backend resources.
VPC Lattice terminates the connection from your Dedicated Cloud Gateway and opens a new connection to your backend services.
Because of this, the source IP of this new connection is an AWS-managed Lattice IP, not the original Dedicated Cloud Gateway IP.

To allow this traffic, you must configure the inbound security group rules for whatever resource is acting as your backend target (for example, EC2 instances, Application Load Balancers, Network Load Balancers, or target Elastic Network Interfaces).

1. In AWS, navigate to your VPC console.
1. From the VPC sidebar, click **Managed prefix lists**.
1. Search for the region where your backend resources (NLB/target group) are deployed (for example: `com.amazonaws.<backend-resource-region>.vpc-lattice`).
1. Copy the prefix list ID.
1. Navigate to the security group for your backend target resource.
1. Create a new security group or edit the inbound rules of an existing security group.
1. In the **Source** field, enter the prefix list IDs, for example `pl-123456...`.
1. Repeat steps 1-7 for all regions where your backend resources are deployed.

## Troubleshooting timeouts

If requests time out and your NLB shows no incoming traffic:
* Verify the security group attached to your backend allows the Lattice prefix list.
* Confirm the correct region-specific prefix list is used in your security group inbound rules.
* Validate the Resource Endpoint connection is in the `READY` state in {{site.konnect_short_name}}.
* Confirm the Gateway Service upstream host matches the Resource Endpoint domain name.
* Check NLB target group health.
* Confirm backend subnet network access control lists (NACLs) allow inbound and outbound to the Lattice prefix. Security groups are stateful; a restrictive NACL silently drops the return path.
* Confirm the NLB listener protocol and port matches the resource configuration's accepted listener.
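Review bot: step 7 ("In the **Source** field, enter the prefix list IDs, for example `pl-123456...`") tells the reader what source to allow but not which protocol and port to put in the rule, so a reader following it literally may create an all-traffic rule from the Lattice prefix list; suggest stating that the rule's type and port range should be limited to the backend listener's protocol and port (the same listener the last troubleshooting bullet refers to), and aligning the plural "prefix list IDs" with step 4, which copies a single prefix list ID per region. Two smaller points: step 3 says "Search for the region", but what is searched is the prefix list name with the region substituted (`com.amazonaws.<backend-resource-region>.vpc-lattice`), so "Search for the VPC Lattice prefix list for the region where your backend resources (NLB/target group) are deployed" reads more accurately; and in "Troubleshooting timeouts" the bullet list starts directly under "If requests time out and your NLB shows no incoming traffic:" without a blank line, which some Markdown renderers treat as paragraph continuation, while the last bullet should read "protocol and port match" rather than "matches".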