TCP Keepalive
AWS NAT drops a TCP connection if the connection is idle for 350 seconds: https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-troubleshooting.html#nat-gateway-troubleshooting-timeout
Linux systems usually have these TCP keepalive defaults:
net.ipv4.tcp_keepalive_time = 7200
net.ipv4.tcp_keepalive_intvl = 75
net.ipv4.tcp_keepalive_probes = 9
Therefore the Linux kernel only starts sending keepalive probes after 7200 seconds (2 hours) of idle time, long after the 350-second AWS NAT timeout has expired. This is too late for AWS NAT.
You need to set a lower net.ipv4.tcp_keepalive_time value when using AWS NAT.
Example of a docker-compose file entry:
services:
  myservice:
    sysctls:
      - net.ipv4.tcp_keepalive_time=274
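The sysctls above only take effect for sockets that have SO_KEEPALIVE enabled, so an application that never turns keepalive on gets no probes regardless of the kernel settings. As an added example (not code from the original page), the following Python checks a keepalive configuration against the 350-second NAT timeout and shows how a process can enable keepalive and override the sysctl defaults for its own socket; the per-socket option names (TCP_KEEPIDLE, TCP_KEEPINTVL, TCP_KEEPCNT) are Linux-specific.

```python
import socket

# Idle timeout of the AWS NAT gateway, as stated on this page (seconds).
AWS_NAT_IDLE_TIMEOUT = 350

# Stock Linux sysctl defaults quoted on this page.
LINUX_DEFAULTS = {"time": 7200, "intvl": 75, "probes": 9}


def survives_nat(keepalive_time, nat_idle_timeout=AWS_NAT_IDLE_TIMEOUT):
    """True if the first keepalive probe leaves before the NAT idle timer fires.

    Only tcp_keepalive_time matters here: it is the silence before the first
    probe. intvl and probes only govern how fast a dead peer is detected.
    """
    return keepalive_time < nat_idle_timeout


def dead_peer_detection_time(time, intvl, probes):
    """Seconds from the last traffic until the kernel gives up on a silent peer."""
    return time + intvl * probes


def enable_keepalive(sock, time=274, intvl=75, probes=9):
    """Enable keepalive on one socket and override the sysctl defaults for it.

    net.ipv4.tcp_keepalive_* only apply to sockets with SO_KEEPALIVE set;
    a sysctl alone does nothing for an application that never enables it.
    The TCP_KEEP* option names assume Linux.
    """
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, time)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, intvl)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, probes)
    # Read back what the kernel actually stored so the caller can verify it.
    return {
        "keepalive": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE),
        "time": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE),
        "intvl": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL),
        "probes": sock.getsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT),
    }


if __name__ == "__main__":
    print("defaults survive NAT:", survives_nat(LINUX_DEFAULTS["time"]))  # False
    print("274s survives NAT:", survives_nat(274))                        # True
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print(enable_keepalive(s))
```

Setting the options on an unconnected socket is fine; they are inherited by the connection once it is established.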
curl
The command line tool curl has built-in TCP keepalive support that by default starts sending keepalive probes after 60 seconds; for details see https://curl.se/docs/manpage.html#--keepalive-time