Hello @Shreya Gupta
“config error” with Application Tunnels (Jira Cloud ↔ Bitbucket DC) is almost always one of a few repeatable misses. In EKS it’s even easier to hit them.
What I’d double-check (in this order), based on Atlassian’s tunnel troubleshooting notes:
Upstream port / connector is not configured correctly
The tunnel needs an HTTP connector + upstream port configured on the DC side.
If this is missing or points to the wrong internal service/port, Cloud will show the tunnel as misconfigured / config error.
Outbound proxy / TLS interception
Atlassian has a KB that the tunnels plugin doesn’t work reliably via outbound proxy (and TLS inspection breaks it in practice too).
In corporate networks/EKS clusters this often happens “silently” via egress proxy, NAT gateway policy, or security tooling.
Firewall / egress allowlist
Your Bitbucket pods/nodes must be able to reach Atlassian Cloud tunnel endpoints over 443 outbound (and whatever domains Atlassian lists for Cloud allowlisting).
If egress is locked down and only *.atlassian.net is allowed, that can still fail because tunnels may use additional Atlassian domains.
Plugin state after upgrade
There’s a known failure mode where the tunnel breaks after a Bitbucket/plugin update and the fix is literally reinstalling the Application Tunnels plugin on Bitbucket.
Cluster / node connectivity
In DC, tunnels can show “limited”/weird states if not all nodes can connect consistently (relevant if you have multiple Bitbucket nodes in EKS).
Quick practical step: enable the extra tunnel logging on the DC side and look for the first concrete failure (auth to tunnel server, upstream connection refused, proxy handshake, DNS/egress blocked). That’s exactly what Atlassian recommends for these cases.
Have a great Day 🤠 ☀️
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.