Why can't I connect to my resources over a Transit Gateway peering connection?

Last updated: 2022-07-07

I have inter-Region AWS Transit Gateway peering set up between my source virtual private cloud (VPC) and remote VPC. However, I am unable to connect my VPC resources over the peering connection. How can I troubleshoot this?

Resolution

Confirm that the source and remote VPCs are attached to the correct transit gateway

Use the following steps at the source VPC and the remote VPC:

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. From the navigation pane, choose Transit gateway attachments.
  3. Confirm that:
    The VPC attachments are associated with the correct Transit gateway ID that you used to set up peering.
    The source VPC and the transit gateway that it's attached to are in the same Region.
    The remote VPC and the transit gateway that it's attached to are in the the same Region.

Find the transit gateway route table that the source and the remote VPC attachments are associated with

  1. Open the Amazon VPC console and choose Transit gateway attachments.
  2. Select the VPC attachment.
  3. In the Associated route table ID column, note the transit gateway route table ID.

Find the transit gateway route table that the source and the remote peering attachments are associated with

  1. Open the Amazon VPC console and choose Transit gateway attachments.
  2. Select the Peering attachment.
  3. In the Associated route table ID column, note the value transit gateway route table ID.

Confirm that source VPC attachment associated with a transit gateway has a static route for remote VPC that points to the transit gateway peering attachment

  1. Open the Amazon VPC console and choose Transit gateway route tables.
  2. Select the Route table. This is the value that you noted in the section Find the transit gateway route table that the source and the remote VPC attachments are associated with
  3. Choose the Routes tab.
  4. Verify the routes for the remote VPC CIDR block that point to the transit gateway peering attachment.

Confirm that remote VPC attachment associated with a transit gateway route table has a static route for source VPC that points to the transit gateway peering attachment

  1. Open the Amazon VPC console and choose Transit gateway route tables.
  2. Select the Route table. This is the value that you noted in the section Find the transit gateway route table that the source and the remote VPC attachments are associated with.
  3. Choose the Routes tab.
  4. Verify the routes for the source VPC CIDR block that point to the transit gateway peering attachment.

Note: To route traffic between the peered transit gateways, add a static route to the transit gateway route table that points to the transit gateway peering attachment.

Confirm that the source peering attachment associated transit gateway route table has a route for the source VPC that points to the source VPC attachment

  1. Open the Amazon VPC console and choose Transit gateway route tables.
  2. Select the route table. This is the value that you noted in the section Find the transit gateway route table that the source and the remote peering attachments are associated with.
  3. Choose the Routes tab.
  4. Verify the routes for the source VPC CIDR block pointing to source VPC attachment.

Confirm that the remote peering attachment associated transit gateway route table has a route for the remote VPC that points to the remote VPC attachment

  1. Open the Amazon VPC console and choose Transit gateway route tables.
  2. Select the route table. This is the value that you noted in the section Find the transit gateway route table that the source and the remote peering attachments are associated with.
  3. Choose the Routes tab.
  4. Verify that there are routes for the remote VPC CIDR block pointing to the remote VPC attachment.

Confirm that the routes for the source and remote VPCs are in the VPC subnet route table with the gateway set to Transit Gateway

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Route tables.
  3. Select the route table used by the instance.
  4. Choose the Routes tab.
  5. Under Destination, verify that there's a route for the source/remote VPC CIDR block. Then, verify that Target is set to the Transit Gateway ID.

Confirm that source and remote Amazon EC2 instance's security group and network open control list (ACL) allows traffic

  1. Open the Amazon EC2 console.
  2. From the navigation pane, choose Instances.
  3. Select the instance where you're performing the connectivity test.
  4. Choose the Security tab.
  5. Verify that the Inbound rules and Outbound rules allow traffic.
  6. Open the Amazon VPC console.
  7. From the navigation pane, choose Network ACLs.
  8. Select the network ACL that's associated with the subnet where your instance is located.
  9. Select the Inbound rules and Outbound rules. Verify that the rules allows the traffic needed by your use-case.

Confirm that the network ACL associated with the transit gateway network interface allows traffic

  1. Open the Amazon EC2 console.
  2. From the navigation pane, choose Network Interfaces.
  3. In the search bar, enter Transit gateway. The results show that all network interfaces of the transit gateway appear.
  4. Note the Subnet ID that's associated with the location where the transit gateway interfaces were created.
  5. Open the Amazon VPC console.
  6. From the navigation pane, choose Network ACLs.
  7. In the Filter network ACLS search bar, enter the subnet ID that you noted in step 3. This shows the network ACL associated with the subnet.
  8. Confirm the Inbound rules and Outbound rules of the network ACL allow traffic to or from the source or remote VPC.

Did this article help?


Do you need billing or technical support?