How can I troubleshoot Direct Connect gateway routing issues?

Last updated: 2021-12-08

How do I troubleshoot routing issues between my VPC and my on-premises network when I use a private virtual interface (VIF) with an AWS Direct Connect gateway that is associated with a virtual private gateway?

Short description

I can't connect from an on-premises data center to Amazon Virtual Private Cloud (Amazon VPC) resources over a private virtual interface that is associated with a Direct Connect gateway and a virtual private gateway.

Resolution

Follow these troubleshooting steps for your virtual private gateway.

  • Check the Amazon VPC subnet route table. Make sure that it has a static or propagated route entry for the on-premises network that points to the virtual private gateway.
  • Be sure that the Direct Connect gateway is associated with the correct virtual private gateway.
  • Make sure that the allowed prefixes entered for the virtual private gateway association with the Direct Connect gateway cover the entire VPC CIDR, either as the VPC CIDR itself or as a CIDR wider than the VPC CIDR.
    Note:
    If you specify a CIDR that is narrower than the VPC CIDR, the VPC route is not advertised and your on-premises gateway router won't receive it.
  • Make sure that your router is advertising the on-premises prefix to AWS over the Border Gateway Protocol (BGP) session of the private VIF.
  • Verify that the security group rules and the network ACLs allow traffic to and from the on-premises network.
  • Verify that the firewall rules on your router allow traffic from the Amazon VPC subnet CIDR.
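The first three checks above (route to the on-premises prefix via the virtual private gateway, the Direct Connect gateway association, and allowed prefixes that are the VPC CIDR or wider) can be evaluated mechanically. The following script is an added example and is not part of this article or an AWS tool. It runs against constructed sample data shaped like the output of `aws ec2 describe-route-tables` and `aws directconnect describe-direct-connect-gateway-associations`; the VPC CIDR, on-premises prefix, and all resource IDs are assumed placeholders. It also shows why a narrower allowed prefix fails the check, using `ipaddress` subnet containment.

```python
import ipaddress

# Constructed sample values (placeholders, not real resources).
VPC_CIDR = "10.20.0.0/16"            # assumed VPC CIDR
ONPREM_CIDR = "192.168.100.0/24"     # assumed on-premises prefix
VGW_ID = "vgw-0123456789abcdef0"     # placeholder virtual private gateway ID
DXGW_ID = "dxgw-placeholder-id"      # placeholder Direct Connect gateway ID

# Constructed sample, shaped like one entry of `aws ec2 describe-route-tables`.
SUBNET_ROUTE_TABLE = {
    "RouteTableId": "rtb-placeholder",
    "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        # Propagated route from the VGW covering the on-premises prefix.
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": VGW_ID,
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
    ],
}

# Constructed sample, shaped like
# `aws directconnect describe-direct-connect-gateway-associations`.
ASSOCIATIONS = [
    {
        "directConnectGatewayId": DXGW_ID,
        "virtualGatewayId": VGW_ID,
        "associationState": "associated",
        "allowedPrefixesToDirectConnectGateway": [{"cidr": "10.20.0.0/16"}],
    }
]


def route_to_onprem(route_table, onprem_cidr, vgw_id):
    """Return the active route whose destination covers the on-premises
    prefix and whose target is the virtual private gateway, else None."""
    target = ipaddress.ip_network(onprem_cidr)
    for route in route_table["Routes"]:
        dest = route.get("DestinationCidrBlock")
        if not dest or route.get("State") != "active":
            continue
        if route.get("GatewayId") == vgw_id and target.subnet_of(ipaddress.ip_network(dest)):
            return route
    return None


def association_for(associations, dxgw_id, vgw_id):
    """Return the active association between this DX gateway and VGW, else None."""
    for assoc in associations:
        if (assoc["directConnectGatewayId"] == dxgw_id
                and assoc.get("virtualGatewayId") == vgw_id
                and assoc["associationState"] == "associated"):
            return assoc
    return None


def allowed_prefix_covers_vpc(association, vpc_cidr):
    """True when at least one allowed prefix equals or is wider than the
    VPC CIDR. A prefix narrower than the VPC CIDR does not count, which is
    the case the article's note warns about."""
    vpc = ipaddress.ip_network(vpc_cidr)
    prefixes = association.get("allowedPrefixesToDirectConnectGateway", [])
    return any(vpc.subnet_of(ipaddress.ip_network(p["cidr"])) for p in prefixes)


def check_vgw_path(route_table, associations, vpc_cidr, onprem_cidr, dxgw_id, vgw_id):
    """Return a list of finding codes; an empty list means the three
    configuration checks pass."""
    findings = []
    if route_to_onprem(route_table, onprem_cidr, vgw_id) is None:
        findings.append("NO_ROUTE_TO_ONPREM_VIA_VGW")
    assoc = association_for(associations, dxgw_id, vgw_id)
    if assoc is None:
        findings.append("NO_DXGW_VGW_ASSOCIATION")
    elif not allowed_prefix_covers_vpc(assoc, vpc_cidr):
        findings.append("ALLOWED_PREFIX_NARROWER_THAN_VPC_CIDR")
    return findings


if __name__ == "__main__":
    result = check_vgw_path(SUBNET_ROUTE_TABLE, ASSOCIATIONS, VPC_CIDR,
                            ONPREM_CIDR, DXGW_ID, VGW_ID)
    print("findings:", result or "none (route, association and allowed prefixes OK)")
```

To use it against a real account, replace the constructed dictionaries with the parsed JSON from the two CLI commands named above; the remaining checks in the list (BGP advertisement from your router, security groups, network ACLs and on-premises firewall rules) still need to be verified on the respective devices.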

To troubleshoot transit virtual interfaces, see Why can't I connect to VPC resources over a transit virtual interface using a Direct Connect connection?