How do I troubleshoot issues with VPC route tables?

Issue

I have configured my route table, but my Amazon Virtual Private Cloud (Amazon VPC) can't communicate with the destination. How do I troubleshoot issues with VPC route tables?

Short Description

Each subnet in an Amazon VPC is associated with a route table that controls the routing for the subnet. The routing options for your Amazon VPC depend on the gateway or connections that you're using, such as:

  • Public subnets
  • Subnets using NAT instances or NAT gateways
  • Subnets using VPC peering connections
  • Subnets using AWS VPN
  • Subnets using AWS Direct Connect
  • Subnets using gateway VPC endpoints
  • Subnets using virtual interface VPC endpoints

Resolution

To identify the source of the issue, check the route tables of the subnets with the resources that are impacted.

Public subnets

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Subnets, choose your public subnet.
  3. Choose the Route Table view.
  4. Confirm that the route table destination has a default route (0.0.0.0/0 for IPv4 and ::/0 for IPv6) that points to an internet gateway.

For more information about troubleshooting connectivity issues to an Amazon VPC from the internet, see How do I troubleshoot problems connecting to an Amazon EC2 instance from the internet?

Subnets using NAT instances or NAT gateways

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Subnets, choose your private subnet.
  3. Choose the Route Table view, and confirm that the route table has a default route that points to a NAT instance or gateway.
  4. Confirm that the NAT device is launched in a public subnet and perform the checks required for public subnets listed in the previous section.
    Note: If you're using a NAT instance, be sure you've disabled the source destination check.
  5. If you configure your Amazon VPC with IPv6, and you want to prevent traffic from the internet routing to your instances in a private subnet, use egress-only internet gateways. For more information about configuring an egress-only internet gateway, see Egress-Only Internet Gateways.

For more information about troubleshooting VPC peering connection issues, see Troubleshooting NAT Gateways.

Subnets using VPC peering connections

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Peering Connections, and choose your peering connection.
  3. Confirm its status is Active.
  4. From the navigation pane, choose Subnets, and choose the subnets of the Amazon VPC that you want to connect using a peering connection.
  5. Choose the Route Tables view, and confirm that they have routes to CIDR with specific subnets or to the entire CIDR of the peered Amazon VPC, including the peering connection noted in step 2.
  6. Confirm that the route tables include all the subnets for the peered Amazon VPC.
    Note: Confirm there are no invalid VPC peering connection configurations.

For more information about troubleshooting VPC peering connection issues, see How do I resolve VPC Peering network connectivity issues?

Subnets using AWS VPN

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose VPN Connections, and then choose the VPN connection.
  3. Confirm that the VPN status is available and at least one of the tunnels' status is UP.
    Note: If you are using a dynamic VPN, be sure that BGP routes are received by AWS VPN. You can enable route propagation to confirm that the BGP routes are being propagated to the virtual private gateway.
  4. Note the virtual private gateway used for this VPN connection.
  5. Choose Subnets from the navigation pane, and select the subnet of the Amazon VPC that you want to connect to the VPN.
  6. Choose the Route Table view, then confirm that the route destination is your network and the target is the virtual private gateway noted in step 4.

For more information about troubleshooting VPN connectivity issues, see How do I troubleshoot VPN tunnel connectivity to Amazon VPC?

Subnets using AWS Direct Connect

  1. Open the AWS Direct Connect console.
  2. In the navigation pane, choose Virtual Interfaces, and then choose the private virtual interface.
  3. Confirm that the BGP status is UP.
  4. Note the virtual private gateway used for the private virtual interface.
  5. Open the Amazon VPC console.
  6. In the navigation pane, under Subnets, select the subnets of the Amazon VPC that you want to connect using AWS Direct Connect.
  7. Choose the Route Table view, then confirm that there is a route with the destination of your network and a target of the virtual private gateway as noted in step 4.
    Note: If you are using BGP, be sure that the routes are received by AWS. You can enable route propagation to confirm that the BGP routes are being propagated to the virtual private gateway.

For more information about troubleshooting issues with AWS Direct Connect, see My Direct Connect connection state is shown as 'down' in the console. What should I do?

Subnets using gateway VPC endpoints

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints, and choose the endpoint.
  3. Confirm its status is available, and note the Endpoint ID.
  4. In the navigation pane, under Subnets, select the subnet of the Amazon VPC that you want to connect to an AWS service using an endpoint.
  5. Choose the Route Tables view, then confirm that there is a route added to the route table with a destination that specifies the prefix list ID of the service and a target with the endpoint ID obtained in step 3.
  6. Confirm that the VPC endpoint policy allows communication to an AWS service for the resources in the subnets of your Amazon VPC.

For more information about troubleshooting gateway VPC endpoints, see Why can’t I connect to an S3 bucket using a Gateway VPC endpoint?

Subnets using virtual interface VPC endpoints

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints, and choose the endpoint.
  3. Choose the Subnets column, and confirm that an endpoint network interface has been created in the subnet associated with service you want to connect.
  4. In the navigation pane, under Endpoints, choose the Policy view.
  5. Confirm that the security group is allowing access to the AWS service.

For more information on troubleshooting Interface VPC endpoints, see Interface VPC Endpoints.

The VPN tunnel between my customer gateway and my virtual private gateway is Up, but no traffic is passing through it. What can I do?

Route Tables

Working with VPCs and Subnets

How do I troubleshoot problems connecting to an Amazon EC2 instance from the Internet?

How should I connect to my Amazon virtual private cloud?

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2017-12-14