How do I troubleshoot VPC-to-VPC connectivity through a transit gateway?

Last updated: 2022-07-29

My virtual private clouds (VPCs) are attached to the same AWS Transit Gateway. However, I'm experiencing connectivity issues between the VPCs. How do I troubleshoot this?

Short description

To troubleshoot connectivity between VPCs attached to the same AWS Transit Gateway, you can either:

  • Check the routing configuration for the AWS Transit Gateway, VPC, and the Amazon EC2 instance.
  • Use Route Analyzer in AWS Network Manager.

Resolution

Confirm your routing configurations

Confirm that the VPCs are attached to the same transit gateway

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. From the navigation pane, choose Transit Gateway Attachments.
  3. Verify that the VPC attachments are associated with the same Transit Gateway ID.

Confirm that the Transit Gateway route table is associated with a VPC attachment

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Transit gateway route tables.
  3. Choose the route table that's associated with the transit gateway VPC attachment of the source VPC.
  4. Choose the Routes tab.
  5. Verify that there's a route for the remote VPC CIDR block whose Target is the transit gateway VPC attachment of the remote VPC. The route can be Static or Propagated, but its State must be Active, not Blackhole.
  6. Choose the route table that's associated with the transit gateway VPC attachment of the remote VPC.
  7. Choose the Routes tab.
  8. Verify that there's a route for the source VPC CIDR block whose Target is the transit gateway VPC attachment of the source VPC, and that its State is Active, not Blackhole.

Confirm that the VPC route table of the source VPC has a route for the remote VPC IP range with the target set to the transit gateway

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Route Tables.
  3. Select the route table that's used by the subnet of the source EC2 instance.
  4. Choose the Routes tab.
  5. Verify that there's a route for the remote VPC CIDR block under Destination and that its Target is the Transit Gateway ID. Route tables use longest-prefix matching, so also verify that no more specific route (for example, a leftover route to a peering connection) covers the remote instance's IP address.

Confirm that the VPC route table of the remote VPC has a route for the source VPC IP range with the target set to the transit gateway

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Route Tables.
  3. Select the route table that's used by the subnet of the remote EC2 instance.
  4. Choose the Routes tab.
  5. Verify that there's a route for the source VPC CIDR block under Destination and that its Target is the Transit Gateway ID. Again, verify that no more specific route overrides it.

Check the Availability Zones for the transit gateway VPC attachment for the source and remote VPCs

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Transit Gateway Attachments.
  3. Choose the source VPC attachment.
  4. Under Details, find the Subnet IDs. Verify that a subnet from the source EC2 instance's Availability Zone is selected. Traffic from instances in an Availability Zone where the attachment has no subnet can't reach the transit gateway, and the transit gateway can't deliver traffic into that Availability Zone.
  5. Return to Transit Gateway Attachments. Then, choose the remote VPC attachment.
  6. Under Details, find the Subnet IDs. Verify that a subnet from the remote EC2 instance's Availability Zone is selected.
  7. To add an Availability Zone to a VPC attachment, choose Actions. Then, modify the Transit Gateway attachment and select any subnet from the required Availability Zone.
    Note: Adding or modifying a VPC attachment subnet can impact data traffic while the attachment is in a Modifying state.
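The console steps above can be run as one offline check. The following script is an added example, not AWS's own tooling: it applies the same three tests (VPC route table, transit gateway route table, Availability Zone coverage) in both directions, using longest-prefix matching the way the route tables do. The dictionaries in sample_network() are constructed to look like the boto3 output you would get from describe_route_tables, search_transit_gateway_routes and describe_subnets, and every identifier in them is hypothetical; in a real account you would fill them from those calls.

```python
"""Offline version of the route and Availability Zone checks above (added
example, not AWS tooling). Data in sample_network() is constructed to look like
boto3 output: 'Routes' from describe_route_tables, 'Routes' from
search_transit_gateway_routes, 'Subnets' from describe_subnets. All IDs are hypothetical."""
import ipaddress


def longest_match(routes, dest_ip):
    """Most specific route covering dest_ip, or None. VPC and transit gateway
    route tables both use longest-prefix match, so a leftover /24 beats the /16
    that points at the transit gateway."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for r in routes:
        cidr = r.get("DestinationCidrBlock")
        if not cidr:
            continue  # IPv6 and prefix-list routes are out of scope here
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def check_vpc_route(vpc_routes, dest_ip, tgw_id):
    """The sender's VPC route table must hand dest_ip to the transit gateway."""
    r = longest_match(vpc_routes, dest_ip)
    if r is None:
        return f"no VPC route covers {dest_ip}"
    if r.get("TransitGatewayId") != tgw_id:
        target = (r.get("GatewayId") or r.get("VpcPeeringConnectionId")
                  or r.get("NatGatewayId") or r.get("NetworkInterfaceId") or "another target")
        return f"VPC route {r['DestinationCidrBlock']} goes to {target}, not {tgw_id}"
    return None


def check_tgw_route(tgw_routes, dest_ip, expected_attachment):
    """The transit gateway route table associated with the sender's attachment
    must forward dest_ip to the attachment of the VPC that owns that address."""
    r = longest_match(tgw_routes, dest_ip)
    if r is None:
        return f"no transit gateway route covers {dest_ip}"
    if r.get("State") == "blackhole":
        return f"transit gateway route {r['DestinationCidrBlock']} is a blackhole"
    targets = {a["TransitGatewayAttachmentId"] for a in r.get("TransitGatewayAttachments", [])}
    if expected_attachment not in targets:
        return (f"transit gateway route {r['DestinationCidrBlock']} targets "
                f"{sorted(targets)}, not {expected_attachment}")
    return None


def check_az_coverage(attachment_subnets, instance_subnet, subnets):
    """Traffic in an Availability Zone where the attachment has no subnet never
    reaches the transit gateway, in either direction."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    az = az_of[instance_subnet]
    if az not in {az_of[s] for s in attachment_subnets}:
        return f"attachment has no subnet in {az}, the instance's Availability Zone"
    return None


def diagnose(source, remote, tgw_id, subnets):
    """Run the checks for both VPCs and both directions; return the failures."""
    findings = []
    for name, side in (("source", source), ("remote", remote)):
        f = check_az_coverage(side["attachment_subnets"], side["instance_subnet"], subnets)
        if f:
            findings.append(f"{name} VPC: {f}")
    for label, a, b in (("source->remote", source, remote), ("remote->source", remote, source)):
        for f in (check_vpc_route(a["vpc_routes"], b["instance_ip"], tgw_id),
                  check_tgw_route(a["tgw_routes"], b["instance_ip"], b["attachment_id"])):
            if f:
                findings.append(f"{label}: {f}")
    return findings


def sample_network(broken=True):
    """Constructed two-VPC topology; broken=True plants two common defects."""
    tgw = "tgw-0123456789abcdef0"
    subnets = [{"SubnetId": "subnet-a1", "AvailabilityZone": "us-east-1a"},
               {"SubnetId": "subnet-b1", "AvailabilityZone": "us-east-1a"},
               {"SubnetId": "subnet-b2", "AvailabilityZone": "us-east-1b"}]
    source = {  # VPC A, 10.0.0.0/16
        "instance_ip": "10.0.1.10", "instance_subnet": "subnet-a1",
        "attachment_id": "tgw-attach-aaa", "attachment_subnets": ["subnet-a1"],
        "vpc_routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                       {"DestinationCidrBlock": "10.1.0.0/16", "TransitGatewayId": tgw}],
        "tgw_routes": [{"DestinationCidrBlock": "10.1.0.0/16", "State": "active",
                        "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-bbb"}]}]}
    remote = {  # VPC B, 10.1.0.0/16; its instance lives in us-east-1b
        "instance_ip": "10.1.2.20", "instance_subnet": "subnet-b2",
        "attachment_id": "tgw-attach-bbb",
        # defect 1: the attachment only has a subnet in us-east-1a
        "attachment_subnets": ["subnet-b1"] if broken else ["subnet-b1", "subnet-b2"],
        "vpc_routes": [{"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
                       {"DestinationCidrBlock": "10.0.0.0/16", "TransitGatewayId": tgw}],
        "tgw_routes": [{"DestinationCidrBlock": "10.0.0.0/16", "State": "active",
                        "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-aaa"}]}]}
    if broken:  # defect 2: a leftover /24 to a peering connection shadows the /16 to the TGW
        remote["vpc_routes"].append({"DestinationCidrBlock": "10.0.1.0/24",
                                     "VpcPeeringConnectionId": "pcx-0fedcba9876543210"})
    return source, remote, tgw, subnets


if __name__ == "__main__":
    for line in diagnose(*sample_network()) or ["all routing checks passed"]:
        print(line)
```

Run as-is, the script reports the two planted defects: the remote attachment has no subnet in the remote instance's Availability Zone, and the remote VPC's more specific /24 route sends return traffic to a peering connection instead of the transit gateway, so a ping from the source instance would be delivered but its reply would never come back. The second defect is the kind of asymmetric-routing fault that a one-way check of "is there a route to the other VPC" does not catch.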

Confirm that the Amazon EC2 instance's security group and network access control list (ACL) allow the traffic

  1. Open the Amazon EC2 console.
  2. From the navigation pane, choose Instances.
  3. Select the instance where you're performing the connectivity test.
  4. Choose the Security tab.
  5. Verify that the Inbound rules and Outbound rules allow the traffic. Security groups are stateful: if the instance initiates the connection, only the outbound rule must allow it, and if the instance receives the connection, only the inbound rule must allow it.
  6. Open the Amazon VPC console.
  7. From the navigation pane, choose Network ACLs.
  8. Select the network ACL that's associated with the subnet where you have the instance.
  9. Check the Inbound rules and Outbound rules to verify that the rules allow the traffic. Network ACLs are stateless: both the request and the response must be allowed, so the rules must also cover the ephemeral port range that the client side uses for return traffic.
  10. Repeat these steps for the instance in the remote VPC.

Confirm that the network ACL associated with the transit gateway network interface allows the traffic

  1. Open the Amazon EC2 console.
  2. From the navigation pane, choose Network Interfaces.
  3. In the search bar, enter Transit Gateway. The network interfaces that the transit gateway created in the VPC attachment subnets appear. Note the Subnet ID of each interface.
  4. Open the Amazon VPC console.
  5. From the navigation pane, choose Network ACLs.
  6. In the search bar, enter the subnet ID that you noted in step 3. The network ACL associated with the subnet displays.
  7. Confirm that the Inbound rules and Outbound rules of the network ACL allow the remote VPC traffic.
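Checking the network ACLs by eye is error-prone because they are stateless: the reply packets, on the client's ephemeral port, must be allowed separately from the request, on every ACL between the two instances. The following script is an added example, not AWS tooling; it evaluates a TCP session against each ACL on the path the way the VPC does (ascending rule number, first match wins, the "*" rule last) and probes the reply at both ends of the client's ephemeral range. The entries are shaped like the Entries list that boto3 describe_network_acls returns, the sample ACLs are constructed, and the transit gateway attachment subnets' ACLs are treated like any other subnet ACL in their VPC, which matches the instruction above to allow the remote VPC traffic in both the inbound and outbound rules.

```python
"""Stateless network ACL evaluation for a TCP session that crosses a transit
gateway (added example, not AWS tooling). Entries are shaped like the 'Entries'
list that boto3 describe_network_acls returns; all ACLs below are constructed."""
import ipaddress

LINUX_EPHEMERAL = (32768, 60999)  # Linux ip_local_port_range default; Windows uses 49152-65535


def nacl_verdict(entries, egress, remote_ip, protocol, port):
    """Evaluate one direction of a network ACL the way the VPC does: entries are
    tried in ascending RuleNumber, the first match wins, and the '*' catch-all
    (RuleNumber 32767, deny) is simply the last entry. Returns (allowed, rule)."""
    ip = ipaddress.ip_address(remote_ip)
    for e in sorted((x for x in entries if x["Egress"] == egress), key=lambda x: x["RuleNumber"]):
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] not in ("-1", protocol):
            continue
        pr = e.get("PortRange")  # absent on 'all traffic' rules
        if pr and not pr["From"] <= port <= pr["To"]:
            continue
        return e["RuleAction"] == "allow", e["RuleNumber"]
    return False, None


def tcp_flow_findings(acls_on_path, client_ip, server_ip, server_port, ephemeral=LINUX_EPHEMERAL):
    """acls_on_path: (label, entries, side) triples, side being 'client' or
    'server' for the VPC the subnet belongs to. Because ACLs are stateless, the
    request and the reply are checked separately against every ACL, and the
    reply is probed at both ends of the client's ephemeral range: a rule has to
    cover the whole range or some connections fail intermittently."""
    findings, seen = [], set()
    for label, entries, side in acls_on_path:
        # egress rules match the destination CIDR and port; ingress rules match
        # the source CIDR and the destination port
        if side == "client":
            probes = [("request", True, server_ip, server_port)]
            probes += [("reply", False, server_ip, p) for p in ephemeral]
        else:
            probes = [("request", False, client_ip, server_port)]
            probes += [("reply", True, client_ip, p) for p in ephemeral]
        for leg, egress, ip, port in probes:
            ok, rule_no = nacl_verdict(entries, egress, ip, "6", port)
            if not ok and (label, leg) not in seen:
                seen.add((label, leg))
                way = "outbound to" if egress else "inbound from"
                findings.append(f"{label}: {leg} blocked ({way} {ip} tcp/{port}, rule {rule_no})")
    return findings


def rule(num, egress, action, cidr, proto="-1", ports=None):
    e = {"RuleNumber": num, "Egress": egress, "Protocol": proto, "CidrBlock": cidr, "RuleAction": action}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e


DENY_TAIL = [rule(32767, False, "deny", "0.0.0.0/0"), rule(32767, True, "deny", "0.0.0.0/0")]
DEFAULT_ACL = [rule(100, False, "allow", "0.0.0.0/0"), rule(100, True, "allow", "0.0.0.0/0")] + DENY_TAIL
# Constructed ACLs in the server VPC (10.1.0.0/16); clients sit in 10.0.0.0/16 behind the TGW.
SERVER_SUBNET_ACL = [
    rule(100, False, "allow", "10.0.0.0/16", "6", (443, 443)),
    rule(100, True, "allow", "10.0.0.0/16", "6", (1024, 49151)),  # stops short of Linux's 60999
] + DENY_TAIL
SERVER_TGW_SUBNET_ACL = [
    rule(100, False, "allow", "10.1.0.0/16"),  # only the local CIDR; the remote VPC was forgotten
    rule(100, True, "allow", "0.0.0.0/0"),
] + DENY_TAIL


def sample_path(fixed=False):
    """The four ACLs a packet meets: client subnet, client-side TGW attachment
    subnet, server-side TGW attachment subnet, server subnet. fixed=True swaps
    in the default allow-all ACL everywhere."""
    server_tgw = DEFAULT_ACL if fixed else SERVER_TGW_SUBNET_ACL
    server = DEFAULT_ACL if fixed else SERVER_SUBNET_ACL
    return [("client subnet ACL", DEFAULT_ACL, "client"),
            ("client TGW attachment subnet ACL", DEFAULT_ACL, "client"),
            ("server TGW attachment subnet ACL", server_tgw, "server"),
            ("server subnet ACL", server, "server")]


if __name__ == "__main__":
    for line in tcp_flow_findings(sample_path(), "10.0.1.10", "10.1.2.20", 443) or ["all ACLs pass"]:
        print(line)
```

With the constructed ACLs the script reports two blocks: the server-side attachment subnet's ACL only allows the local VPC CIDR inbound, so the request from 10.0.1.10 hits the "*" deny rule, and the server subnet's outbound rule ends at port 49151, so replies to Linux clients whose ephemeral port falls above that are dropped while replies below it succeed, which is exactly the intermittent failure pattern that a stateless ACL produces.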

Use Route Analyzer

Prerequisite: Complete the steps in Getting started with AWS Network Manager for Transit Gateway networks before proceeding with this section.

Once you have created a global network and registered your transit gateway:

  1. Access the Amazon VPC console.
  2. From the navigation pane, choose Network Manager.
  3. Choose the global network where your transit gateway is registered.
  4. From the navigation pane, choose Transit Gateway Network. Then, choose Route Analyzer.
  5. Fill in the Source and Destination information as needed. Confirm that both Source and Destination have the same transit gateway.
  6. Choose Run route analysis.

Route Analyzer performs routing analysis and indicates a status of Connected or Not Connected. If the status is Not Connected, then Route Analyzer gives you a routing recommendation. Apply the recommendations, then run the analysis again to confirm connectivity. Route Analyzer evaluates only the transit gateway route tables, not the VPC route tables, security groups, or network ACLs. If connectivity issues continue, see the Confirm your routing configurations section of this article for more troubleshooting steps.