
Best Practices for TCP Connection Management on EC2

Networking & Content Delivery Blog



This article provides best practices for managing TCP connections on EC2, particularly for Nitro V6 instances, which changed the default idle timeout from 5 days to 350 seconds.

  • Nitro V6 reduces default TCP idle timeout to 350 seconds to prevent conntrack exhaustion
  • Accumulating idle connections can exhaust the conntrack allowance, causing connection failures
  • Configure explicit ENI timeouts via AWS CLI, Launch Templates, or CloudFormation
  • Implement TCP keepalives at kernel or application level to prevent timeout drops
  • Set keepalive probes to start at 240 seconds or less for a 350-second timeout
  • Close idle connections explicitly rather than relying on infrastructure timeouts
  • Align timeout values across application, ENI, load balancer, and NAT gateway layers
  • Test workloads on Nitro V6 before production migration with realistic idle periods
  • Monitor conntrack metrics via ethtool and CloudWatch for capacity and exceeded events

Resilient applications implement TCP keepalives, configure explicit timeouts, close idle connections cleanly, and monitor conntrack usage across all infrastructure layers.
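The keepalive and timeout-alignment points above, as an added example (not code from the AWS article): it enables kernel keepalives on one socket using the Linux option names and counts how many probes are sent before each layer's idle timeout. The 30-second interval, the probe count of 3, the 60-second load balancer value and the function names are assumptions chosen for illustration; only the 240- and 350-second figures come from the summary.

```python
import socket

ENI_IDLE_TIMEOUT = 350  # seconds; Nitro V6 default from the summary above


def enable_keepalive(sock, idle=240, interval=30, count=3):
    """Enable kernel keepalives on one TCP socket (Linux option names)."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPIDLE, idle)       # idle seconds before first probe
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPINTVL, interval)  # seconds between probes
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_KEEPCNT, count)       # unanswered probes before reset
    opts = (socket.TCP_KEEPIDLE, socket.TCP_KEEPINTVL, socket.TCP_KEEPCNT)
    # Read the values back so callers can confirm what the kernel accepted.
    return tuple(sock.getsockopt(socket.IPPROTO_TCP, o) for o in opts)


def probes_before_timeout(idle, interval, count, timeout):
    """Count probes sent strictly before an idle timeout expires.

    An answered probe resets the idle tracking, so more than one probe
    inside the window only matters when earlier probes are lost.
    """
    return sum(1 for k in range(count) if idle + k * interval < timeout)


def audit_layers(idle, interval, count, layers):
    """Map each layer to the number of probes that beat its idle timeout.

    A value of 0 means that layer drops the flow before the first probe.
    """
    return {name: probes_before_timeout(idle, interval, count, t)
            for name, t in layers.items()}


if __name__ == "__main__":
    # Constructed sample layers; the load balancer value is an assumption.
    layers = {"eni": ENI_IDLE_TIMEOUT, "load_balancer": 60}
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print("socket keepalive (idle, interval, count):", enable_keepalive(s))
    for name, n in audit_layers(240, 30, 3, layers).items():
        status = "ok" if n else "dropped before first probe"
        print(f"{name}: {n} probe(s) inside window, {status}")
    # Linux kernel defaults (7200 s idle, 75 s interval, 9 probes) never probe in time.
    print("kernel defaults vs ENI:", audit_layers(7200, 75, 9, {"eni": ENI_IDLE_TIMEOUT}))
```

A layer that reports 0 needs either a shorter keepalive idle time or a longer explicit timeout on that layer.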


