How do I troubleshoot issues with VPC route tables?

Last updated: 2022-06-14

I have configured my route table, but my Amazon Virtual Private Cloud (Amazon VPC) can't communicate with the destination. How do I troubleshoot issues with VPC route tables?

Short description

Each subnet in an Amazon VPC is associated with a route table that controls the routing for the subnet. The routing options for your Amazon VPC depend on the gateway or connections that you're using, such as:

  • Public subnets
  • Subnets using NAT instances or NAT gateways
  • Subnets using VPC peering connections
  • Subnets using AWS VPN
  • Subnets using AWS Direct Connect
  • Subnets using gateway VPC endpoints
  • Subnets using virtual interface VPC endpoints

Resolution

To identify the source of the issue, check the route tables of the subnets with the resources that are impacted.

Public subnets

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Subnets, choose your public subnet.
  3. Choose the Route Table view.
  4. Confirm that the route table destination has a default route (0.0.0.0/0 for IPv4 and ::/0 for IPv6) that points to an internet gateway.

For more information, see Why can't I connect to an Amazon EC2 instance within my Amazon VPC from the internet?

Subnets using NAT instances or NAT gateways

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Subnets, choose your private subnet.
  3. Choose the Route Table view, and confirm that the route table has a default route that points to a NAT instance or gateway.
  4. Confirm that the NAT device is launched in a public subnet. Then, perform the checks required for public subnets listed in the previous section.
    Note: If you're using a NAT instance, be sure that you have disabled the source/destination check on the instance.
  5. If your VPC is configured for IPv6, route the private subnet's IPv6 traffic through an egress-only internet gateway so that traffic from the internet can't reach your instances. For more information about configuring an egress-only internet gateway, see Egress-only internet gateways.

For more information about troubleshooting NAT gateway issues, see Troubleshoot NAT gateways.

Subnets using VPC peering connections

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Peering Connections, and then choose your peering connection.
  3. Confirm that its status is Active.
  4. From the navigation pane, choose Subnets, and then choose the subnets of the Amazon VPC that you want to connect using a peering connection.
  5. Choose the Route Tables view, and then confirm that the route tables have one of the following:
    Routes to the CIDRs of specific subnets in the peered Amazon VPC, or
    Routes to the entire CIDR of the peered Amazon VPC, with the peering connection noted in step 2 as the target.
  6. Confirm that the route tables include routes for all the subnets of the peered Amazon VPC.
    Note: Confirm that there are no invalid VPC peering connection configurations.

For more information, see How do I troubleshoot problems establishing communication over VPC Peering?

Subnets using AWS VPN

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose VPN Connections, and then choose the VPN connection.
  3. Confirm that the VPN connection's status is available and that at least one tunnel's status is UP.
    Note: If you are using a dynamic VPN, be sure that BGP routes are received by AWS VPN. You can turn on route propagation to confirm that the BGP routes are being propagated to the virtual private gateway.
  4. Note the virtual private gateway used for this VPN connection.
  5. Choose Subnets from the navigation pane, and then select the subnet of the Amazon VPC that you want to connect to the VPN.
  6. Choose the Route Table view, then confirm the following:
    The route destination is your network.
    The target is the virtual private gateway noted in step 4.

For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

Subnets using AWS Direct Connect

  1. Open the AWS Direct Connect console.
  2. In the navigation pane, choose Virtual Interfaces, and then choose the private virtual interface.
  3. Confirm that the BGP status is UP.
  4. Note the virtual private gateway used for the private virtual interface.
  5. Open the Amazon VPC console.
  6. In the navigation pane, under Subnets, select the subnets of the Amazon VPC that you want to connect using AWS Direct Connect.
  7. Choose the Route Table view, and then confirm the following:
    There is a route with the destination of your network.
    That route's target is the virtual private gateway noted in step 4.
    Note: If you are using BGP, be sure that the routes are received by AWS. You can turn on route propagation to confirm that the BGP routes are being propagated to the virtual private gateway.

For more information, see Troubleshooting AWS Direct Connect.

Subnets using gateway VPC endpoints

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints, and then choose the endpoint.
  3. Confirm that its status is available, and then note the Endpoint ID.
  4. In the navigation pane, under Subnets, select the subnet of the Amazon VPC that you want to connect to an AWS service using an endpoint.
  5. Choose the Route Tables view, and then confirm the following:
    There is a route whose destination is the prefix list ID of the service.
    That route's target is the endpoint ID obtained in step 3.
  6. Confirm that the VPC endpoint policy allows communication to an AWS service for the resources in the subnets of your Amazon VPC.

For more information, see Why can’t I connect to an S3 bucket using a gateway VPC endpoint?
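The following is an added example, not code from the original article or from AWS: a small offline checker that applies the route-table conditions from the Public subnets, NAT, VPC peering, AWS VPN, AWS Direct Connect and gateway endpoint sections above to a route table described in the shape that `aws ec2 describe-route-tables` returns. The sample route table, every ID in it (rtb-0example, nat-0example, pcx-0example, vgw-0example, pl-0example, vpce-0example, pcx-0deleted) and every CIDR are constructed, and the check functions and their names are this example's own. It goes slightly beyond the article in two ways: it selects the matching route by longest prefix, as the VPC router does, and it flags blackhole routes, whose target (for example a deleted peering connection or NAT gateway) no longer exists, so traffic matching them is dropped even though a route is present.

```python
# Added example (not AWS code). Input mimics the RouteTables[].Routes[] shape
# that `aws ec2 describe-route-tables` returns; all IDs and CIDRs are constructed.
import ipaddress

# Constructed sample (hypothetical IDs): the route table of one private subnet.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16", "VpcPeeringConnectionId": "pcx-0example", "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0example",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
        {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example", "State": "active"},
        # Peering route whose connection was deleted: AWS marks it blackhole.
        {"DestinationCidrBlock": "172.16.5.0/24", "VpcPeeringConnectionId": "pcx-0deleted", "State": "blackhole"},
    ],
}

# Keys under which describe-route-tables reports a route's target.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "VpcPeeringConnectionId",
               "EgressOnlyInternetGatewayId", "InstanceId", "NetworkInterfaceId")

def route_target(route):
    """Target ID of a route: 'local', 'igw-...', 'nat-...', 'pcx-...', etc."""
    return next((route[k] for k in TARGET_KEYS if k in route), None)

def route_destination(route):
    """Destination as shown in the console: a CIDR or a prefix list ID."""
    return (route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            or route.get("DestinationPrefixListId"))

def longest_match(route_table, destination):
    """Route the VPC router picks for an address or CIDR: the most specific
    CIDR route that fully contains it, or None if no route covers it."""
    dest = ipaddress.ip_network(destination, strict=False)
    best_net, best_route = None, None
    for route in route_table["Routes"]:
        cidr = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if not cidr:
            continue  # prefix-list routes are matched by ID in has_endpoint_route
        net = ipaddress.ip_network(cidr)
        if net.version != dest.version or not dest.subnet_of(net):
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_route = net, route
    return best_route

def default_route(route_table, ipv6=False):
    """The 0.0.0.0/0 (or ::/0) route, or None if the subnet has no default."""
    key, want = ("DestinationIpv6CidrBlock", "::/0") if ipv6 else ("DestinationCidrBlock", "0.0.0.0/0")
    return next((r for r in route_table["Routes"] if r.get(key) == want), None)

def _active_to(route, prefix, expected_id=None):
    """True if the route exists, is active and targets a `prefix` ID (or exactly
    `expected_id`). A blackhole route (deleted target) fails the check."""
    if route is None or route.get("State") != "active":
        return False
    target = route_target(route) or ""
    return target == expected_id if expected_id else target.startswith(prefix)

def is_public_subnet(rt):
    """Public subnets: the IPv4 default route points to an internet gateway."""
    return _active_to(default_route(rt), "igw-")

def uses_nat(rt):
    """Private subnets: the default route goes to a NAT gateway or NAT instance."""
    return _active_to(default_route(rt), "nat-") or _active_to(default_route(rt), "i-")

def reaches_peer(rt, peer_cidr, pcx_id):
    """Peering: the peer CIDR (whole VPC or one subnet) routes via that pcx- ID."""
    return _active_to(longest_match(rt, peer_cidr), "pcx-", pcx_id)

def reaches_on_premises(rt, onprem_cidr, vgw_id):
    """VPN / Direct Connect: your network routes via the noted virtual private gateway."""
    return _active_to(longest_match(rt, onprem_cidr), "vgw-", vgw_id)

def has_endpoint_route(rt, prefix_list_id, vpce_id):
    """Gateway endpoint: the service prefix list routes to the noted endpoint ID."""
    route = next((r for r in rt["Routes"] if r.get("DestinationPrefixListId") == prefix_list_id), None)
    return _active_to(route, "vpce-", vpce_id)

def blackhole_routes(rt):
    """Routes whose target was deleted; traffic matching them is silently dropped."""
    return [(route_destination(r), route_target(r)) for r in rt["Routes"] if r.get("State") == "blackhole"]

def explain(rt, destination):
    """One-line answer to 'where does traffic to this destination go?'."""
    route = longest_match(rt, destination)
    if route is None:
        return f"{destination}: no matching route"
    return f"{destination}: via {route_target(route)} ({route_destination(route)}, {route['State']})"

if __name__ == "__main__":
    rt = SAMPLE_ROUTE_TABLE
    print("public:", is_public_subnet(rt), "| NAT:", uses_nat(rt),
          "| peer:", reaches_peer(rt, "10.1.0.0/16", "pcx-0example"),
          "| on-prem:", reaches_on_premises(rt, "192.168.10.0/24", "vgw-0example"),
          "| endpoint:", has_endpoint_route(rt, "pl-0example", "vpce-0example"))
    print("blackhole routes:", blackhole_routes(rt))
    for dest in ("10.0.4.7", "203.0.113.9", "172.16.5.20"):
        print(explain(rt, dest))
```

To check a real table, replace SAMPLE_ROUTE_TABLE with one entry of the RouteTables list from `aws ec2 describe-route-tables --route-table-ids <id>` parsed with json.load. A check that returns False for a route that looks present usually means the target ID differs from the one noted in the console steps, and a blackhole state means the target itself was deleted, which a route-table listing alone can be easy to overlook.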

Subnets using virtual interface VPC endpoints

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints, and then choose the endpoint.
  3. Choose the Subnets column, and then confirm that an endpoint network interface has been created in the subnet from which you want to connect to the service.
  4. In the navigation pane, under Endpoints, choose the Policy view.
  5. Confirm that the security group allows access to the AWS service.

For more information, see Access an AWS service using an interface VPC endpoint.
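Step 5 above, as an added example that is not part of the original article or AWS's tooling: an offline check that the security group attached to the endpoint's network interface admits inbound HTTPS (TCP 443, the port most AWS services use behind an interface endpoint) from the subnet or address that needs the service. The input is shaped like one SecurityGroups[] entry from `aws ec2 describe-security-groups`; the group ID sg-0example and the CIDRs are constructed, and the function names are this example's own. Rules that reference another security group (UserIdGroupPairs) are not evaluated, since resolving them would require the consumer's group ID.

```python
# Added example (not AWS code). Input mimics one SecurityGroups[] entry from
# `aws ec2 describe-security-groups`; the group ID and CIDRs are constructed.
import ipaddress

# Constructed sample (hypothetical ID): the group on the endpoint's network
# interface, admitting HTTPS only from the VPC's own address range.
ENDPOINT_SG = {
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
    ],
}

def rule_allows(rule, port, source):
    """Does one inbound rule admit TCP `port` from `source` (address or CIDR)?
    Only CIDR-based rules are evaluated; UserIdGroupPairs are ignored here."""
    proto = rule["IpProtocol"]
    if proto not in ("tcp", "-1"):  # "-1" means all protocols and ports
        return False
    if proto == "tcp" and not rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535):
        return False
    src = ipaddress.ip_network(source, strict=False)
    for entry in rule.get("IpRanges", []) + rule.get("Ipv6Ranges", []):
        allowed = ipaddress.ip_network(entry.get("CidrIp") or entry.get("CidrIpv6"))
        if allowed.version == src.version and src.subnet_of(allowed):
            return True
    return False

def allows_https_from(sg, source):
    """True if any inbound rule of the group admits TCP 443 from `source`."""
    return any(rule_allows(rule, 443, source) for rule in sg["IpPermissions"])

if __name__ == "__main__":
    for src in ("10.0.3.5", "10.0.0.0/16", "10.9.0.0/24"):
        print(f"{src} -> 443 allowed: {allows_https_from(ENDPOINT_SG, src)}")
```

Pass the consuming subnet's CIDR as `source`; a False result means the group on the endpoint interface, not the route table, is what blocks the connection, which is why this check sits apart from the route-table checks in the earlier sections.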