Outbound network traffic blocked by firewall or security group

An outbound network connection was blocked before reaching its destination.

firewall-egress-blocked | high confidence | network

Matched signals

  • Network is unreachable
  • ENETUNREACH
  • EHOSTUNREACH
  • Host is unreachable
  • getaddrinfo ENETUNREACH
  • no route to host
  • connect: network is unreachable
  • blocked by firewall


What this failure means

An outbound network connection was blocked before reaching its destination. A firewall rule, VPC security group, or network policy denied the egress traffic from the CI runner.

Symptoms

Faultline looks for one or more of these log fragments:

  • Network is unreachable
  • ENETUNREACH
  • EHOSTUNREACH
  • Host is unreachable
  • getaddrinfo ENETUNREACH
  • no route to host
  • connect: network is unreachable
  • blocked by firewall
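Faultline's own matcher is not shown on this page. The following is an added Python example (not Faultline's code) of how a scanner can apply the signal list above to a CI log: it matches case-insensitively, prefers the longest signal at a given position (so "getaddrinfo ENETUNREACH" is reported rather than the "ENETUNREACH" inside it), and, as an extra step that is my own assumption rather than something Faultline does, pulls out a host:port that appears next to the error so the blocked destination is known for the egress allowlist. The sample log is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# The log fragments listed under "Symptoms" for the firewall-egress-blocked playbook.
EGRESS_BLOCKED_SIGNALS = [
    "Network is unreachable",
    "ENETUNREACH",
    "EHOSTUNREACH",
    "Host is unreachable",
    "getaddrinfo ENETUNREACH",
    "no route to host",
    "connect: network is unreachable",
    "blocked by firewall",
]

# Longest signals first, so the regex alternation reports "getaddrinfo ENETUNREACH"
# rather than the shorter "ENETUNREACH" it contains. Case-insensitive because tools
# print these messages with varying capitalisation ("No route to host", "network is ...").
_SIGNAL_RE = re.compile(
    "|".join(re.escape(s) for s in sorted(EGRESS_BLOCKED_SIGNALS, key=len, reverse=True)),
    re.IGNORECASE,
)
_CANONICAL: Dict[str, str] = {s.lower(): s for s in EGRESS_BLOCKED_SIGNALS}

# Assumption (not part of Faultline): a dotted hostname or IPv4 address followed by a
# port, e.g. "dial tcp 52.1.2.3:443: connect: ...". Requiring a dot in the host keeps
# timestamps such as "[12:01:03]" from being read as host:port.
_DEST_RE = re.compile(r"(?P<host>(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+):(?P<port>\d{1,5})(?!\d)")


@dataclass(frozen=True)
class Match:
    line_no: int                # 1-based line number in the log
    signal: str                 # canonical text from EGRESS_BLOCKED_SIGNALS
    destination: Optional[str]  # "host:port" when the line names one, else None
    text: str                   # the full log line, for the report


@dataclass
class Finding:
    playbook: str = "firewall-egress-blocked"
    matches: List[Match] = field(default_factory=list)

    @property
    def matched(self) -> bool:
        return bool(self.matches)

    def destinations(self) -> Set[str]:
        """Distinct host:port pairs seen next to a signal: candidates for the egress allowlist."""
        return {m.destination for m in self.matches if m.destination}


def analyze(log_text: str) -> Finding:
    """Scan a CI log and collect every line carrying an egress-blocked signal."""
    finding = Finding()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        hit = _SIGNAL_RE.search(line)
        if not hit:
            continue
        dest = _DEST_RE.search(line)
        finding.matches.append(Match(
            line_no=line_no,
            signal=_CANONICAL[hit.group(0).lower()],
            destination=f"{dest['host']}:{dest['port']}" if dest else None,
            text=line,
        ))
    return finding


# Constructed sample log: a pip install, a docker pull and an npm install all failing
# on a runner whose subnet has no route to the internet.
SAMPLE_LOG = """\
[12:01:03] Step 3/7 : pip install -r requirements.txt
[12:01:04] WARNING: Retrying after connection broken by 'NewConnectionError: [Errno 101] Network is unreachable': /simple/requests/
[12:01:10] ERROR: Could not install packages due to an OSError
[12:01:11] Step 4/7 : docker pull 123456789012.dkr.ecr.us-east-1.amazonaws.com/app:latest
[12:01:12] Error response from daemon: Get "https://123456789012.dkr.ecr.us-east-1.amazonaws.com/v2/": dial tcp 52.1.2.3:443: connect: network is unreachable
[12:01:13] npm ERR! code ENETUNREACH
[12:01:13] npm ERR! errno ENETUNREACH
[12:01:14] npm ERR! request to https://registry.npmjs.org/lodash failed, reason: getaddrinfo ENETUNREACH 104.16.1.1:443
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    if result.matched:
        print(f"playbook: {result.playbook}")
        for m in result.matches:
            arrow = f" -> {m.destination}" if m.destination else ""
            print(f"  line {m.line_no}: {m.signal!r}{arrow}")
        print("destinations to allowlist:", ", ".join(sorted(result.destinations())) or "(none named)")
```

The destination extraction is deliberately conservative: a host must contain a dot and be followed directly by a port, so timestamps and plain errno numbers are not mistaken for endpoints, and the report only ever names destinations that the log itself names.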

Diagnosis

An outbound network connection was blocked before reaching its destination. A firewall rule, VPC security group, or network policy denied the egress traffic from the CI runner.

Fix steps

  1. Verify connectivity from the runner: curl -v https://<host> or nc -zv <host> <port>.
  2. Add the required destination host and port to the egress rules of the security group, firewall policy, or network ACL.
  3. If the runner is in a private VPC subnet: ensure a NAT Gateway or VPC endpoint (e.g., com.amazonaws.*.s3) is configured for the target service.
  4. For self-hosted runners: check the host-level firewall (iptables -L, ufw status) for DROP rules that apply to the runner process user.

Validation

  • Re-run the local reproduction command after the fix.
  • curl -v https://<host>
  • nc -zv <host> <port>

Why it matters

Private CI runners, VPC-isolated build agents, or hardened runner images often restrict outbound traffic by default. Dependency downloads, registry pulls, and external API calls will fail if the destination host or port is not in the egress allowlist. This also occurs when deploying into a security-group-restricted subnet that lacks a NAT gateway or VPC endpoint.

Prevention

  • Document the required external endpoints for each job in the CI runbook and validate them in a network smoke test step.
  • Use VPC endpoints for AWS service traffic (S3, ECR, SSM) so that the traffic stays inside the VPC, avoiding NAT costs and removing the dependency on internet egress rules.
  • Run periodic connectivity checks in the base runner image build to catch rule regressions before they block production pipelines.
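Fix step 1, the Validation commands and the "network smoke test step" under Prevention describe the same check: confirm from the runner that each required endpoint accepts a TCP connection, and fail early if not. The following is an added Python example (not Faultline's code, and not a tool this page refers to) that does this for a documented endpoint list and classifies each failure by errno. The classification matters for diagnosis: ENETUNREACH/EHOSTUNREACH means no route or an ICMP unreachable answer, while a security group or DROP rule that silently discards the SYN shows up as a timeout, and a refused connection means the traffic did leave the runner. The endpoint list and the offline simulation are constructed; run the script with --simulate to see the output without network access.

```python
import errno
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Constructed allowlist for one job, as a CI runbook would document it. Real hostnames
# will differ; the ECR account id is a placeholder.
REQUIRED_ENDPOINTS: List[Tuple[str, int]] = [
    ("pypi.org", 443),
    ("files.pythonhosted.org", 443),
    ("123456789012.dkr.ecr.us-east-1.amazonaws.com", 443),
    ("registry.npmjs.org", 443),
    ("github.com", 443),
]

# errno values meaning the connection was rejected at the network layer (no route, or a
# firewall answering with ICMP unreachable) rather than by the destination host.
_EGRESS_ERRNOS = {errno.ENETUNREACH, errno.EHOSTUNREACH}

# Statuses that mean the runner could not get the traffic out. A security group or
# DROP rule that silently discards packets produces "timeout", not ENETUNREACH.
BLOCKED_STATUSES = {"egress-blocked", "timeout", "dns-failed"}

Connector = Callable[[str, int, float], None]


@dataclass(frozen=True)
class Result:
    host: str
    port: int
    status: str   # "ok", "egress-blocked", "timeout", "dns-failed", "refused" or "error"
    detail: str = ""


def classify_error(exc: OSError) -> str:
    """Map the OSError raised by a failed TCP connect to a status label."""
    if isinstance(exc, socket.gaierror):
        return "dns-failed"      # getaddrinfo failed: resolver unreachable or name unknown
    if isinstance(exc, socket.timeout):
        return "timeout"         # SYN dropped: typical for security groups and DROP rules
    if exc.errno in _EGRESS_ERRNOS:
        return "egress-blocked"  # ENETUNREACH / EHOSTUNREACH: no route or ICMP unreachable
    if exc.errno == errno.ECONNREFUSED:
        return "refused"         # traffic left the runner; the host answered with RST
    return "error"


def tcp_connect(host: str, port: int, timeout: float) -> None:
    """Open and immediately close a TCP connection; raises OSError on any failure."""
    with socket.create_connection((host, port), timeout=timeout):
        pass


def check_endpoint(host: str, port: int, connect: Connector = tcp_connect,
                   timeout: float = 5.0) -> Result:
    try:
        connect(host, port, timeout)
    except OSError as exc:
        return Result(host, port, classify_error(exc), str(exc))
    return Result(host, port, "ok")


def run_smoke_test(endpoints: Iterable[Tuple[str, int]], connect: Connector = tcp_connect,
                   timeout: float = 5.0) -> List[Result]:
    return [check_endpoint(host, port, connect, timeout) for host, port in endpoints]


def blocked(results: Iterable[Result]) -> List[Result]:
    """Results that point at missing egress rules (a refused connection is not one of them)."""
    return [r for r in results if r.status in BLOCKED_STATUSES]


def simulate_locked_down_runner(host: str, port: int, timeout: float) -> None:
    """Constructed stand-in for tcp_connect so the example runs offline. It behaves like a
    runner with no default route, a security group that only allows files.pythonhosted.org,
    a resolver that cannot be reached for one name, and one host that answers with RST."""
    if host == "pypi.org":
        raise OSError(errno.ENETUNREACH, "Network is unreachable")
    if host.endswith(".amazonaws.com"):
        raise socket.timeout("timed out")
    if host == "registry.npmjs.org":
        raise socket.gaierror(errno.ENETUNREACH, "getaddrinfo ENETUNREACH")
    if host == "github.com":
        raise ConnectionRefusedError(errno.ECONNREFUSED, "Connection refused")
    # files.pythonhosted.org is allowed: return normally.


if __name__ == "__main__":
    connector = simulate_locked_down_runner if "--simulate" in sys.argv else tcp_connect
    results = run_smoke_test(REQUIRED_ENDPOINTS, connect=connector)
    for r in results:
        print(f"{r.status:<14} {r.host}:{r.port}  {r.detail}")
    sys.exit(1 if blocked(results) else 0)
```

In a pipeline the script runs as the first step of the job with the real connector, so a missing egress rule fails the build with a line naming the endpoint and the failure class instead of surfacing later as a retry storm in pip or npm; the same list doubles as the runbook's documented allowlist.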

Try it locally

curl -v https://<destination-host>
nc -zv <destination-host> <port>

How Faultline detects it

Use faultline explain firewall-egress-blocked to see the full playbook.

faultline analyze build.log
faultline explain firewall-egress-blocked

Generated from playbooks/bundled/log/network/firewall-egress-blocked.yaml. Do not edit directly.

Try it on your own failed log

$ faultline analyze failed.log
Want this across every CI run? Faultline Teams tracks recurring failures across all your repos and surfaces patterns in a shared dashboard.