How do I troubleshoot VPC-to-VPC connectivity through a transit gateway?

Last updated: 2020-10-08

My virtual private clouds (VPCs) are attached to the same AWS Transit Gateway. However, I'm experiencing connectivity issues between the VPCs. How can I troubleshoot this?

Short description

To troubleshoot connectivity between VPCs attached to the same AWS Transit Gateway, check the following:

  1. Confirm that the VPCs are attached to the same transit gateway.
  2. Confirm that the VPC attachments are associated with the correct transit gateway route table.
  3. Confirm that the routes for the remote VPCs are in the VPC route table with the target set to the transit gateway.
  4. Confirm that the Amazon Elastic Compute Cloud (Amazon EC2) instance's security group and network access control list (ACL) allow the traffic.
  5. Confirm that the network ACL associated with the subnets that contain the transit gateway network interfaces allows the traffic.

Resolution

Confirm that the VPCs are attached to the same transit gateway

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. From the navigation pane, choose Transit Gateway Attachments.
  3. Verify that the VPC attachments are associated with the same Transit Gateway ID and that both attachments are in the available state.

Confirm that the VPC attachments are associated with the correct transit gateway route table

  1. Choose Transit Gateway Route Tables.
  2. Select the route table from the list.
  3. Choose the Associations tab. Verify that both VPC attachments are associated with this route table.
  4. Choose the Routes tab.
  5. Verify that there's an active route (static or propagated) for each VPC's CIDR block, with the corresponding VPC attachment as the target.

Confirm that the routes for the remote VPCs are in the VPC route table with the target set to the transit gateway

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Route Tables.
  3. Select the route table associated with the instance's subnet.
  4. Choose the Routes tab.
  5. Verify that there's a route for the remote VPC CIDR block under Destination, and that its Target is the transit gateway ID. Because the most specific route wins, also check that no more specific route covering the destination points to a different target.

Confirm that the Amazon EC2 instance's security group and network access control list (ACL) allow the traffic

  1. Open the Amazon EC2 console.
  2. From the navigation pane, choose Instances.
  3. Select the instance where you're performing the connectivity test.
  4. Choose the Security tab.
  5. Verify that the Inbound rules and Outbound rules allow the traffic. Security groups are stateful, so the return traffic of an allowed connection is permitted automatically: check the outbound rules on the source instance and the inbound rules on the destination instance.
  6. Open the Amazon VPC console.
  7. From the navigation pane, choose Network ACLs.
  8. Select the network ACL associated with the instance's subnet. Repeat this for both the source and the destination instance.
  9. Check the Inbound rules and Outbound rules to verify that the rules allow the traffic. Network ACLs are stateless, so both directions must allow the traffic, including the return traffic on ephemeral ports (typically 1024-65535).

Confirm that the network ACL associated with the subnets that contain the transit gateway network interfaces allows the traffic

  1. Open the Amazon EC2 console.
  2. From the navigation pane, choose Network Interfaces.
  3. In the search bar, enter Transit Gateway. All network interfaces of the transit gateway appear. Note the subnet ID of each subnet where a transit gateway interface was created.
  4. Open the Amazon VPC console.
  5. From the navigation pane, choose Network ACLs.
  6. Filter by a subnet ID that you noted in step 3. This shows the network ACL associated with that subnet.
  7. Check the Inbound rules and Outbound rules of the network ACL to verify that it allows the traffic to and from the remote VPC. Repeat for each subnet that you noted.
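The steps above walk through the console. The following Python example is added here and is not part of the original article or of any AWS tool: it runs the same five checks offline against constructed data shaped like the AWS CLI and boto3 describe-* and search-* responses. The transit gateway, attachment, VPC and CIDR identifiers are hypothetical. In practice you would fill the structures from aws ec2 describe-transit-gateway-attachments, aws ec2 get-transit-gateway-route-table-associations, aws ec2 search-transit-gateway-routes, aws ec2 describe-route-tables, aws ec2 describe-security-groups and aws ec2 describe-network-acls.

```python
"""Offline walk-through of the five transit gateway connectivity checks."""
import ipaddress

# Constructed sample data shaped like the AWS CLI / boto3 describe-* and search-*
# responses. IDs and CIDRs are hypothetical, not taken from any real account.
TGW = "tgw-0123456789abcdef0"
SRC_IP, DST_IP, DST_PORT = "10.1.0.10", "10.2.0.20", 443  # the flow under test

ATTACHMENTS = [  # describe-transit-gateway-attachments
    {"TransitGatewayAttachmentId": "tgw-attach-a", "TransitGatewayId": TGW,
     "ResourceId": "vpc-a", "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-b", "TransitGatewayId": TGW,
     "ResourceId": "vpc-b", "State": "available"},
]
TGW_ASSOCIATIONS = {"tgw-attach-a", "tgw-attach-b"}  # get-transit-gateway-route-table-associations
TGW_ROUTES = [  # search-transit-gateway-routes on that route table
    {"DestinationCidrBlock": "10.1.0.0/16", "State": "active", "Attachment": "tgw-attach-a"},
    {"DestinationCidrBlock": "10.2.0.0/16", "State": "active", "Attachment": "tgw-attach-b"},
]
VPC_A_ROUTES = [  # route table of the source instance's subnet (describe-route-tables)
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "10.2.0.0/16", "TransitGatewayId": TGW},
    {"DestinationCidrBlock": "10.2.5.0/24", "NetworkInterfaceId": "eni-0fw"},  # more specific
]
DST_SG_INBOUND = [  # IpPermissions of the destination instance's security group
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "10.1.0.0/16"}]},
]
NACL_ENTRIES = [  # Entries of the network ACL on the destination subnet (describe-network-acls)
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.1.0.0/16", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "10.1.0.0/16", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]

def attached_to_same_tgw(attachments, vpc_ids, tgw):
    """Check 1: every VPC has an attachment to the same transit gateway in state available."""
    good = {a["ResourceId"] for a in attachments
            if a["TransitGatewayId"] == tgw and a["State"] == "available"}
    return set(vpc_ids) <= good

def tgw_route_table_ok(associations, routes, src_attach, dst_attach, remote_cidr):
    """Check 2: source attachment is associated, and an active route for the remote CIDR targets the remote attachment."""
    return src_attach in associations and any(
        r["DestinationCidrBlock"] == remote_cidr and r["State"] == "active"
        and r["Attachment"] == dst_attach for r in routes)

def vpc_route_for(routes, dst_ip):
    """Longest-prefix match, as the VPC route table does it: the most specific route wins."""
    ip = ipaddress.ip_address(dst_ip)
    hits = [r for r in routes if ip in ipaddress.ip_network(r["DestinationCidrBlock"])]
    return max(hits, default=None,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)

def vpc_route_uses_tgw(routes, dst_ip, tgw):
    """Check 3: the chosen route targets the transit gateway (a more specific route elsewhere bypasses it)."""
    r = vpc_route_for(routes, dst_ip)
    return r is not None and r.get("TransitGatewayId") == tgw

def sg_allows(permissions, proto, port, peer_ip):
    """Check 4a: security groups are stateful allow-lists; one matching rule opens the flow, the reply is tracked."""
    ip = ipaddress.ip_address(peer_ip)
    return any(p["IpProtocol"] in ("-1", proto)
               and (p["IpProtocol"] == "-1" or p["FromPort"] <= port <= p["ToPort"])
               and any(ip in ipaddress.ip_network(r["CidrIp"]) for r in p["IpRanges"])
               for p in permissions)

def nacl_decision(entries, egress, proto_num, port, peer_ip):
    """Network ACLs are stateless and ordered: the lowest-numbered matching rule decides,
    and the '*' rule (32767) denies whatever falls through."""
    ip = ipaddress.ip_address(peer_ip)
    for e in sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        pr = e.get("PortRange")
        if e["Protocol"] not in ("-1", proto_num) or (pr and not pr["From"] <= port <= pr["To"]):
            continue
        if ip in ipaddress.ip_network(e["CidrBlock"]):
            return e["RuleAction"] == "allow"
    return False

def nacl_allows_flow(entries, proto_num, dst_port, peer_ip, client_port):
    """Checks 4b/5 on the destination side: request allowed inbound AND reply allowed outbound to the ephemeral port."""
    return (nacl_decision(entries, False, proto_num, dst_port, peer_ip)
            and nacl_decision(entries, True, proto_num, client_port, peer_ip))

def diagnose():
    """Run the five checks for the constructed flow and return the names of the failed ones."""
    failed = []
    if not attached_to_same_tgw(ATTACHMENTS, ["vpc-a", "vpc-b"], TGW):
        failed.append("1: attachments")
    if not tgw_route_table_ok(TGW_ASSOCIATIONS, TGW_ROUTES, "tgw-attach-a", "tgw-attach-b", "10.2.0.0/16"):
        failed.append("2: transit gateway route table")
    if not vpc_route_uses_tgw(VPC_A_ROUTES, DST_IP, TGW):
        failed.append("3: VPC route table")
    if not sg_allows(DST_SG_INBOUND, "tcp", DST_PORT, SRC_IP):
        failed.append("4: security group")
    if not nacl_allows_flow(NACL_ENTRIES, "6", DST_PORT, SRC_IP, 50000):
        failed.append("4/5: network ACL")
    return failed
```

For the sample flow, diagnose() returns an empty list. The two failure modes the console hides are easy to reproduce with the same data: a destination inside 10.2.5.0/24 is matched by the more specific route to the hypothetical firewall ENI and never reaches the transit gateway, and removing the outbound rule for ephemeral ports from the network ACL makes nacl_allows_flow() fail even though the inbound rule for port 443 still allows the request.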
