6.2.3 Troubleshooting an Egress PrivateLink
Table 6-1 lists some common issues and their resolutions when setting up an Egress PrivateLink, and Troubleshooting Connectivity in your AWS Account Using the AWS Reachability Analyzer for an Egress PrivateLink gives further help for troubleshooting.
Note:
The error messages might read differently as HeatWave on AWS gets updated.

Table 6-2 Egress PrivateLink: Common Issues and Resolutions

Deployment Step | Error Summary | Steps to Resolve
---|---|---
Create Egress PrivateLink | Could not Create PrivateLink. Unable to connect to Endpoint Service. | Ensure your Endpoint Service is in the correct Availability Zone, and that you have added the HeatWave on AWS account ARN to the list of Allowed Principals. See Configuring the Network Infrastructure for an Egress PrivateLink for details.
Create Egress PrivateLink | Could not Create PrivateLink. DB Systems <dbsystem-ids> do not share a single physical Availability Zone with the endpoint service. Please ensure the physical Availability Zone(s) provided by your endpoint service include az-id1, az-id2, az-id3 for these DB System(s) and then retry your request. | Your VPC Endpoint Service, Network Load Balancer, and HeatWave on AWS DB System must share the same AWS Availability Zone ID(s). Either add Network Mappings to your Network Load Balancer for all the Availability Zone ID(s) mentioned in the error summary and ensure Cross-Zone Load Balancing is enabled for your Network Load Balancer (see Configuring the Network Infrastructure for an Egress PrivateLink and Billing for PrivateLinks), or create a new DB System with the same Availability Zone ID(s) as your VPC Endpoint Service.
Create Replication Channel, when using Egress PrivateLink for Inbound Replication | Could not create MySQL Channel. PrivateLink does not have an Egress Endpoint to provide connectivity to the channel. | Ensure the values for Hostname and Port match exactly one of the Egress PrivateLink's Egress Endpoints. If you left the Egress Endpoint hostname blank, use the Default hostname of the Egress PrivateLink.
Create Replication Channel, when using Egress PrivateLink for Inbound Replication | Channel enters the Needs Attention state. Click the (i) tooltip next to the Channel State on the Channel Details page to see the message. | Ensure you have accepted the endpoint connection in your AWS account. See Creating an Egress PrivateLink. Validate that your account allows connectivity between your Network Load Balancer and the replication source. See Configuring the Network Infrastructure for an Egress PrivateLink.
Create Replication Channel, when using Egress PrivateLink for Inbound Replication | Other messages that indicate a problem with the replication process (for example, "The Channel is not receiving transactions due to error(s): Cannot connect to MySQL server…"). | See Troubleshooting Replication.
Update Egress Endpoints | Could not Update Egress PrivateLink. DB System(s) <dbsystem-ids> cannot be connected to Egress PrivateLink <privatelink-id> because they have Availability Zone(s) az-id1, az-id2, az-id3 and the PrivateLink was created in Availability Zone(s) az-id1, az-id4, az-id5. Please create a new PrivateLink linked to these DB System(s). | The DB System(s) <dbsystem-id> cannot be added as Egress Endpoints to Egress PrivateLink <privatelink-id> because the Egress PrivateLink's Availability Zone(s) do not match the Availability Zone(s) of the DB System(s). Create a new Egress PrivateLink with these DB System(s) as Egress Endpoints. See Creating an Egress PrivateLink.
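As an added example (not from the HeatWave on AWS documentation), the following Python checks the three conditions the table above turns on before you create the PrivateLink: Availability Zone ID coverage, Cross-Zone Load Balancing, and the Allowed Principals entry. It runs over constructed placeholder responses shaped like the boto3 `describe_availability_zones`, `describe_load_balancers`, `describe_load_balancer_attributes` and `describe_vpc_endpoint_service_permissions` output; in practice you would feed it the live responses from your account.

```python
# Added pre-flight checks for an Egress PrivateLink; the sample data below is constructed.
# Zone names (us-east-1a) are per-account aliases; the error messages in the table report
# zone IDs (use1-az1), which are the same in every account, so we compare by zone ID.

CROSS_ZONE_KEY = "load_balancing.cross_zone.enabled"   # real NLB attribute key

def az_name_to_id(describe_azs):
    """Map zone names to zone IDs from a describe_availability_zones response."""
    return {z["ZoneName"]: z["ZoneId"] for z in describe_azs["AvailabilityZones"]}

def nlb_zone_ids(describe_lb, name_to_id):
    """Zone IDs the Network Load Balancer has Network Mappings in (elbv2 reports names only)."""
    zones = describe_lb["LoadBalancers"][0]["AvailabilityZones"]
    return {name_to_id[z["ZoneName"]] for z in zones}

def missing_zone_ids(nlb_ids, db_system_zone_ids):
    """Zone IDs required by the DB System(s) that the NLB does not map; empty means OK."""
    return set(db_system_zone_ids) - set(nlb_ids)

def cross_zone_enabled(describe_attrs):
    return any(a["Key"] == CROSS_ZONE_KEY and a["Value"] == "true"
               for a in describe_attrs["Attributes"])

def principal_allowed(describe_perms, heatwave_arn):
    """The HeatWave on AWS account ARN must be an Allowed Principal on the endpoint service."""
    allowed = {p["Principal"] for p in describe_perms["AllowedPrincipals"]}
    return heatwave_arn in allowed or "*" in allowed

def preflight(azs, lb, attrs, perms, db_zone_ids, heatwave_arn):
    """Return a list of problems to fix; an empty list means all three checks pass."""
    problems = []
    missing = missing_zone_ids(nlb_zone_ids(lb, az_name_to_id(azs)), db_zone_ids)
    if missing:
        problems.append("NLB lacks Network Mappings for zone ID(s): " + ", ".join(sorted(missing)))
    if not cross_zone_enabled(attrs):
        problems.append("Cross-Zone Load Balancing is disabled on the NLB")
    if not principal_allowed(perms, heatwave_arn):
        problems.append("HeatWave account ARN is not an Allowed Principal on the endpoint service")
    return problems

# Constructed sample responses and placeholder identifiers (not real account data).
SAMPLE_AZS = {"AvailabilityZones": [{"ZoneName": "us-east-1a", "ZoneId": "use1-az1"},
                                    {"ZoneName": "us-east-1b", "ZoneId": "use1-az2"},
                                    {"ZoneName": "us-east-1c", "ZoneId": "use1-az4"}]}
SAMPLE_LB = {"LoadBalancers": [{"AvailabilityZones": [{"ZoneName": "us-east-1a"},
                                                      {"ZoneName": "us-east-1b"}]}]}
SAMPLE_ATTRS = {"Attributes": [{"Key": CROSS_ZONE_KEY, "Value": "false"}]}
SAMPLE_PERMS = {"AllowedPrincipals": [{"Principal": "arn:aws:iam::111111111111:root"}]}
HEATWAVE_ARN = "arn:aws:iam::222222222222:root"   # placeholder for the HeatWave on AWS account ARN
DB_ZONE_IDS = ["use1-az1", "use1-az4"]            # zone IDs reported for the DB System(s)

if __name__ == "__main__":
    for p in preflight(SAMPLE_AZS, SAMPLE_LB, SAMPLE_ATTRS, SAMPLE_PERMS, DB_ZONE_IDS, HEATWAVE_ARN):
        print("PROBLEM:", p)
```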
Troubleshooting Connectivity in your AWS Account Using the AWS Reachability Analyzer for an Egress PrivateLink
To identify any components in your account that may be preventing your Egress PrivateLink from working, we recommend using the AWS Reachability Analyzer:
- Navigate to AWS Console > Network Manager > Reachability Analyzer and click Create analyze path.
- Under Path Source, enter an optional Name tag if you want, and set:
- Source type as Network Interfaces or IP Addresses
- Source as the Network Interface ID or IP address of your Network Load Balancer. See this article on how to find the Network Load Balancer's network interface IDs or IPs.
- Under Path Destination, enter an optional Name tag if you want, and set:
- Destination type as Network Interfaces or IP Addresses
- Destination as the Network Interface ID or IP address of your service (for example, the source database for replication).
- For Protocol, choose TCP.
- Add optional Tags if you want.
- Click Create analyze path, and wait for the analysis to complete. The network components that forward traffic between the Network Load Balancer and your service are displayed. If traffic is blocked, the problematic component(s) are identified.
Parent topic: Deploying an Egress PrivateLink