
Diagnosing traffic disruption using AWS Transit Gateway Network Manager Route Analyzer

Diagnosing problems in your network traffic or fixing routing issues between your AWS Transit Gateways can be complex. The new Route Analyzer feature for AWS Transit Gateway Network Manager is designed to diagnose and resolve network disruptions quickly. With Network Manager, you can centrally manage networks built around AWS Transit Gateways. You are able to visualize and monitor your global network across AWS Regions and on-premises locations through the geographic view, and view your overall network topology.

In May 2020, a new feature called Route Analyzer was added to the AWS Transit Gateway Network Manager console. With Route Analyzer, you are able to validate new and existing routes within your AWS Transit Gateway route table. This helps reduce the amount of work needed to diagnose route issues or missing routes, between AWS Transit Gateways. It does this by providing a visual layout of your network traffic between AWS Transit Gateway VPCs.

Using Route Analyzer

Whether you have multiple peered AWS Transit Gateways, on-premises VPN connections, or AWS Direct Connect connections, we show how to use Route Analyzer to resolve network connectivity issues. We also discuss an architecture that highlights a common use case.

Within our reference architecture, we have three Transit Gateways. These are located in: US-West-2 (Oregon), US-East-1 (North Virginia), and EU-Central-1 (Frankfurt). All of these AWS Transit Gateways are connected with one another in a hub and spoke configuration. Within this architecture, the North Virginia Region acts as the primary, and the Oregon Region acts as disaster recovery (DR). The Frankfurt Region acts as an expansion into the European markets to serve content to local users. Within each Region, we have created at least two VPCs, with the primary North Virginia Region containing three VPCs:

Transit Gateway Architecture showing 3 inter region peered Transit Gateways with VPCs attached


Using Route Analyzer to troubleshoot

To help demonstrate the capabilities of the Route Analyzer feature, the route to the EU-Central-1 VPCs (10.0.2.0/24) was removed from the US-West-2 AWS Transit Gateway route table. In addition, the route to the US-West-2 VPCs (10.0.0.0/24) was also removed from the EU-Central-1 AWS Transit Gateway route table:

Transit Gateway Architecture showing missing route

To begin using Route Analyzer, you must first configure a global network with Network Manager. After completing this step, navigate to the Route Analyzer dashboard within your global network:

Empty route analyzer demonstrating console view

To run the route analysis, select both a source and a destination AWS Transit Gateway, AWS Transit Gateway attachment, and IP address. The Route Analyzer runs a route analysis between the source and the destination to verify the path, or shows where the path is incomplete. If you have a VPC configured to act as a middlebox appliance for inspecting traffic, you can indicate the location of the appliance in the route analysis.

The naming convention I use is AWS Transit Gateway (TGW), followed by the AWS Region (W for US-West-2 | F for Frankfurt) the gateway was created in. For example, TGW – W is an AWS Transit Gateway created in the US West Region. Each of the AWS Transit Gateway attachments represents VPCs within a unique Availability Zone associated with an AWS Transit Gateway in its Region. The goal is to confirm that the EC2 instance living in the US-West-2 Region (the source) can communicate with the EC2 instance in the Frankfurt Region (the destination), using peered AWS Transit Gateways to communicate. Once a source and destination are chosen, select “Run route analysis.” If you would only like to run the route analysis path one way, uncheck “include return path in results.”

Filled in route analyzer console view

After running the route analysis, we can confirm that the route is not connected past the US-West-2 AWS Transit Gateway route table. By using Route Analyzer, we can reduce the time needed to troubleshoot by easily identifying where the problem with our route is located. In this case, it informs us that there is no matching route for the destination in our US-West AWS Transit Gateway route table:

Unconnected route to inter-region peered AWS Transit Gateway

To fix the missing route, locate the route table identified in the route analysis and provide the path from US-West-2 to EU-Central-1 that it is missing. The EC2 instance in US-West-2 must be able to communicate out to the EC2 instance in Frankfurt, so add a route that sends network traffic destined for 10.0.2.0/24 to the Frankfurt AWS Transit Gateway:

Transit Gateway added route to destination

After successfully adding the route, a green prompt will appear in the AWS Management Console to verify the creation of the 10.0.2.0/24 route along with an “Active” state:

Successfully added AWS Transit Gateway Route

We can now return to Route Analyzer and re-run the same route analysis as before. The new analysis confirms that the EC2 instance in Frankfurt can be reached, but a blue prompt appears with “no matching route” for the destination of the return path:

Unconnected return route Analyzer console view

Since we also chose a return path, we can see that our traffic can’t return to US-West-2. We are once again able to take advantage of Route Analyzer’s built-in troubleshooting mechanisms to quickly diagnose the incomplete path. A new route is needed within the EU-Central-1 AWS Transit Gateway route table to complete the communication. To complete our return path, we add a route into the Frankfurt AWS Transit Gateway route table to lead traffic destined for 10.0.0.0/24 to the US-West-2 AWS Transit Gateway:

Transit Gateway added route to source

After successfully adding the route, a green prompt will appear in the AWS Management Console to verify the creation of the 10.0.0.0/24 route along with an “Active” state:

Successfully added AWS Transit Gateway return route

We run the route analysis one last time to validate a successful connection with the source and destination entered in earlier steps. We can now confirm that traffic can be sent to and from the source and destination EC2 instances living in US-West-2 and EU-Central-1.
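The same workflow, scripted: start a two-way route analysis, read which direction is not connected and which resource the path stopped at, and add the missing static route. This is an added example and not code from the post; it assumes the boto3 networkmanager and ec2 APIs, and every ID, ARN and the sample analysis result are constructed to mirror the post's scenario (forward route fixed, return route still missing in the Frankfurt route table).

```python
# Added example, not code from the post: interpret a Network Manager route
# analysis and add the static route it shows as missing. Calls follow boto3's
# networkmanager/ec2 APIs; all IDs, ARNs and the sample result are constructed.
import time

def run_route_analysis(client, gn_id, src_arn, src_ip, dst_arn, dst_ip):
    """Start a two-way analysis and poll to completion (needs a real boto3
    'networkmanager' client and credentials; the offline demo skips this)."""
    analysis = client.start_route_analysis(
        GlobalNetworkId=gn_id,
        Source={"TransitGatewayAttachmentArn": src_arn, "IpAddress": src_ip},
        Destination={"TransitGatewayAttachmentArn": dst_arn, "IpAddress": dst_ip},
        IncludeReturnPath=True)["RouteAnalysis"]
    while analysis["Status"] == "RUNNING":
        time.sleep(3)
        analysis = client.get_route_analysis(
            GlobalNetworkId=gn_id,
            RouteAnalysisId=analysis["RouteAnalysisId"])["RouteAnalysis"]
    return analysis

def broken_paths(analysis):
    """Map each NOT_CONNECTED direction to (reason, last resource reached, IP
    that had no route), i.e. the route table to fix and the prefix it needs."""
    out = {}
    for direction, end in (("ForwardPath", "Destination"), ("ReturnPath", "Source")):
        path = analysis.get(direction)
        if not path or path["CompletionStatus"]["ResultCode"] == "CONNECTED":
            continue
        last = path["Path"][-1]["Resource"]["ResourceArn"] if path.get("Path") else None
        out[direction] = (path["CompletionStatus"].get("ReasonCode"), last,
                          analysis[end]["IpAddress"])
    return out

def add_static_route(ec2, route_table_id, cidr, attachment_id):
    """Add the missing static route (e.g. 10.0.0.0/24 -> US-West-2 peering)."""
    return ec2.create_transit_gateway_route(
        DestinationCidrBlock=cidr, TransitGatewayRouteTableId=route_table_id,
        TransitGatewayAttachmentId=attachment_id)["Route"]["State"]

# Constructed sample: the post's state after the forward route was added but
# before the Frankfurt TGW route table got its 10.0.0.0/24 return route.
SAMPLE = {
    "Status": "COMPLETED",
    "Source": {"IpAddress": "10.0.0.10"}, "Destination": {"IpAddress": "10.0.2.10"},
    "ForwardPath": {"CompletionStatus": {"ResultCode": "CONNECTED"}},
    "ReturnPath": {"CompletionStatus": {"ResultCode": "NOT_CONNECTED",
                                        "ReasonCode": "ROUTE_NOT_FOUND"},
                   "Path": [{"Resource": {"ResourceArn": "arn:placeholder:tgw-attach-fra"}},
                            {"Resource": {"ResourceArn": "arn:placeholder:tgw-rtb-fra"}}]},
}
```

`broken_paths(SAMPLE)` reports only the return path, ending at the Frankfurt route table with no route for 10.0.0.10, which is the cue to call `add_static_route` on that table.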

Conclusion

In this post, we demonstrated how to diagnose and resolve AWS Transit Gateway route issues using the new AWS Transit Gateway Network Manager Route Analyzer feature. As shown in the preceding image, this feature reduces the time it takes to troubleshoot network traffic disruptions, find missing routes, or confirm new routes. For more information on how to use Route Analyzer or to get started, please see the documentation page.

About the Author


Levi Sylvester

Levi Sylvester is a Solutions Architect at Amazon Web Services in Seattle. He is passionate about helping organizations understand best practices around cloud-based solutions, and how to migrate existing workloads to the cloud.


Jacob Carstens

Jacob Carstens is a Startup Solutions Architect at Amazon Web Services in Seattle. He enjoys engaging with customers to understand their business drivers, assess application portfolios, design reliable and cost-effective cloud native architectures.