How do I resolve the "Network Error communicating with endpoint" error in API Gateway?

Short description

If the number of API requests is significantly greater than the number of errors that you receive, then these are likely transient network issues. To resolve these issues, follow the steps in the Resolve low-frequency network errors section.

If you frequently or continuously experience errors, then follow the steps in the Resolve high-frequency network errors section.

Resolution

Resolve low-frequency network errors

• Use retries with exponential backoff for failed requests.
• To activate access logging, see Setting up Amazon CloudWatch API logging. Then, view the API Gateway log events in the CloudWatch console. To debug, analyze the context variables $context.integration.error, $context.integration.latency, and $context.integrationStatus.

Resolve high-frequency network errors

Set up Amazon CloudWatch logging. Be sure to choose the Log full requests/responses data option. This option allows you to log full API requests and responses to troubleshoot errors.

Consider these resolutions:

• If your load balancer has multiple target groups, then use cross-zone load balancing to reduce latency. To reduce latency, distribute incoming traffic evenly across all activated Availability Zones. Don't route requests to Availability Zones without targets.
• Confirm that there are registered healthy instances in all your activated Availability Zones that use a Network Load Balancer and Application Load Balancer.
  Note: Your load balancer is most effective when each activated Availability Zone has at least one registered target. Your Availability Zone must have at least one healthy instance per target group. This healthy instance must reach healthy status in a Network Load Balancer or Application Load Balancer.
• Don't exceed the integration timeout quota of API Gateway. Instead, confirm that your target group instances serve a response to the API within 29 seconds.
• Activate access logging on the Network Load Balancer and the Application Load Balancer only if you have a TLS listener.
• If you use a Network Load Balancer, then check the IP addresses allowed reach the instance in Amazon Elastic Compute Cloud (Amazon EC2) security groups. You must allow traffic from all sources or from the private IP address of the Network Load Balancer.
• If you use an Application Load Balancer, then confirm that the security group for your Application Load Balancer allows traffic from all sources.
  Note: Target instances can restrict access to only the Application Load Balancer. For stricter security, limit access from API Gateway IP addresses reserved for the AWS Region where the API is located. To receive a notification whenever the IP range list changes, subscribe to AWS IP address range notifications.
• Activate Amazon Virtual Private Cloud (Amazon VPC) Flow Logs. Then, capture the traffic information to and from network interfaces for the Network Load Balancer and Application Load Balancer.
• If a Network Load Balancer is attached to the Amazon VPC link, check the TCP_Target_Reset_Count metric. A spike in this metric indicates the total number of reset (RST) packets sent from a target to a client. These resets are generated by the target and forwarded by the load balancer.

Related information

How do I troubleshoot issues when connecting to an API Gateway private API endpoint?