How do I troubleshoot on-premises to VPC connectivity through Transit Gateway?

Last updated: 2022-07-27

I have an AWS Direct Connect or AWS Site-to-Site VPN Connection ending on AWS Transit Gateway with Amazon Virtual Private Cloud (Amazon VPC) attached to the same transit gateway. However, I'm experiencing connectivity issues between my on-premises connections and the Amazon VPC. How can I troubleshoot this?

Short description

To troubleshoot connectivity between an AWS Direct Connect or AWS Site-to-Site VPN Connection ending on AWS Transit Gateway and an Amazon Virtual Private Cloud (Amazon VPC) attached to the same transit gateway, you can:

  • Check the routing configuration for the transit gateway, VPC, and the Amazon EC2 instance.
  • Use Route Analyzer in AWS Network Manager.

Resolution

Confirm your routing configurations

Verify the Amazon VPC subnet route table configuration

  1. Open the Amazon VPC console.
  2. From the navigation pane, choose Route Tables.
  3. Select the route table that is used by your source Amazon Elastic Compute Cloud (Amazon EC2) instance.
  4. Choose the Routes tab.
  5. Verify that there is a route with Destination set to the on-premises network CIDR.
  6. Verify that the Target of that route is the transit gateway ID.

Check the Availability Zones for the Transit Gateway VPC attachment

  1. Open the Amazon VPC console.
  2. Choose Transit Gateway Attachments.
  3. Select VPC attachment.
  4. Under Details, verify the Subnet IDs. Confirm that a subnet from your EC2 instance's Availability Zone is selected.
  5. If no subnet from the source EC2 instance's Availability Zone is selected, choose Actions. Then, modify your VPC attachment, and select a subnet from your EC2 instance's Availability Zone.
    Note: Adding or modifying a VPC attachment subnet can impact data traffic while the attachment is in a Modifying state.

Check the Transit Gateway route table associated with the VPC attachment

  1. Open the Amazon VPC console.
  2. Choose Transit Gateway Route Tables.
  3. Select the route table associated with the VPC attachment.
  4. On the Routes tab, confirm that there is a route for the on-premises network with a Target value of the Direct Connect gateway or VPN attachment.
  5. If you're using a Site-to-Site VPN with static routing, add a static route for the on-premises network with a Target of the VPN attachment.

Check the Transit Gateway route table associated with the AWS Direct Connect gateway attachment or VPN attachment

  1. Open the Amazon VPC console.
  2. Choose Transit Gateway Route Tables.
  3. Select the route table that's associated with the AWS Direct Connect gateway attachment
    -or-
    Select the route table that's associated with the VPN attachment.
  4. On the Routes tab, confirm that there's a route for the source VPC IP range with a Target of the transit gateway VPC attachment that corresponds to the source VPC.

Check the Allowed Prefixes configured on the Direct Connect gateway to Transit Gateway association

  1. Open the AWS Direct Connect console.
  2. From the navigation pane, choose Direct Connect Gateways.
  3. Select the AWS Direct Connect Gateway associated with Transit Gateway.
  4. Under Gateway Association, verify that Allowed Prefixes includes the source VPC IP range.
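The four route checks above can be scripted against the API responses instead of read off the console. This is an added example, not code from the AWS article: it runs offline over dicts shaped like the responses of describe-route-tables, search-transit-gateway-routes, describe-transit-gateway-vpc-attachments and describe-subnets, using constructed sample data in which the attachment does not cover the instance's Availability Zone.

```python
# Added example, not from the AWS article: offline versions of the route-table and
# attachment checks, run against dicts shaped like the EC2 API responses.
# All IDs, CIDRs and tables below are constructed samples, not real resources.
import ipaddress

def covers(route_cidr, target_cidr):
    """True if the route's prefix contains the whole target prefix."""
    return ipaddress.ip_network(route_cidr).supernet_of(ipaddress.ip_network(target_cidr))

def vpc_route_to_tgw(route_table, onprem_cidr, tgw_id):
    """Subnet route table: an active route covering the on-premises CIDR targets the TGW."""
    return any(r.get("State") == "active" and r.get("TransitGatewayId") == tgw_id
               and r.get("DestinationCidrBlock") and covers(r["DestinationCidrBlock"], onprem_cidr)
               for r in route_table["Routes"])

def tgw_route_to(tgw_routes, cidr, resource_types):
    """TGW route table: an active route covering cidr points at an attachment of an allowed type."""
    return any(r.get("State") == "active" and covers(r["DestinationCidrBlock"], cidr)
               and any(a.get("ResourceType") in resource_types
                       for a in r.get("TransitGatewayAttachments", []))
               for r in tgw_routes)

def attachment_covers_az(attachment, subnets, instance_az):
    """TGW VPC attachment: at least one attachment subnet lies in the instance's AZ."""
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    return any(az_of.get(sid) == instance_az for sid in attachment["SubnetIds"])

# Constructed sample data; IDs and CIDRs are placeholders, not real resources.
ONPREM, VPC_CIDR, TGW = "192.168.0.0/16", "10.1.0.0/16", "tgw-0example"
VPC_RT = {"Routes": [
    {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "192.168.0.0/16", "TransitGatewayId": TGW, "State": "active"}]}
VPC_SIDE_TGW_RT = [  # TGW route table associated with the VPC attachment
    {"DestinationCidrBlock": "192.168.0.0/16", "State": "active",
     "TransitGatewayAttachments": [{"ResourceType": "direct-connect-gateway"}]}]
DX_SIDE_TGW_RT = [  # TGW route table associated with the Direct Connect gateway attachment
    {"DestinationCidrBlock": "10.1.0.0/16", "State": "active",
     "TransitGatewayAttachments": [{"ResourceType": "vpc", "ResourceId": "vpc-0example"}]}]
ATTACHMENT = {"VpcId": "vpc-0example", "SubnetIds": ["subnet-a"]}
SUBNETS = [{"SubnetId": "subnet-a", "AvailabilityZone": "us-east-1a"},
           {"SubnetId": "subnet-b", "AvailabilityZone": "us-east-1b"}]

def run_checks(instance_az):
    """Return the names of the checks that fail for a source instance in instance_az."""
    results = {"vpc_route_table": vpc_route_to_tgw(VPC_RT, ONPREM, TGW),
               "tgw_rt_vpc_side": tgw_route_to(VPC_SIDE_TGW_RT, ONPREM, {"direct-connect-gateway", "vpn"}),
               "tgw_rt_dx_side": tgw_route_to(DX_SIDE_TGW_RT, VPC_CIDR, {"vpc"}),
               "attachment_az": attachment_covers_az(ATTACHMENT, SUBNETS, instance_az)}
    return [name for name, ok in results.items() if not ok]
```

With the sample data, `run_checks("us-east-1b")` reports only `attachment_az`, the case that step 5 of the Availability Zone check fixes, while `run_checks("us-east-1a")` reports nothing.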

Confirm that the Amazon EC2 instance's security group and network access control list (ACL) allow the appropriate traffic

  1. Open the Amazon EC2 console.
  2. From the navigation pane, choose Instances.
  3. Select the instance where you're performing the connectivity test.
  4. Choose the Security tab.
  5. Verify that the Inbound rules and Outbound rules allow traffic to and from your on-premises network.
  6. Open the Amazon VPC console.
  7. From the navigation pane, choose Network ACLs.
  8. Select the network ACL associated with the subnet where you have the instance (Source/Destination).
  9. Select the Inbound rules and Outbound rules. Verify that traffic is allowed to and from your on-premises network.

Confirm that the network ACL associated with the transit gateway network interface allows the appropriate traffic

  1. Open the Amazon EC2 console.
  2. From the navigation pane, choose Network Interfaces.
  3. In the search bar, enter Transit Gateway. All of the transit gateway's network interfaces are displayed. Note the subnet ID of the subnet in which each transit gateway network interface was created.
  4. Open the Amazon VPC console.
  5. From the navigation pane, choose Network ACLs.
  6. In the search bar, enter the subnet ID that you noted in step 3. The results show the network ACL that's associated with the subnet.
  7. Check the Inbound rules and Outbound rules of the network ACL to verify that it allows the Source VPC IP range and on-premises network.
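Network ACLs are stateless and evaluate entries in ascending rule-number order, first match wins, so both the inbound request from on-premises and the outbound reply on the ephemeral port must be allowed. The following is an added example, not code from the AWS article: it applies that evaluation to a constructed ACL shaped like the Entries list returned by DescribeNetworkAcls, in which the reply ports were forgotten.

```python
# Added example, not from the AWS article: evaluates network ACL entries the way the VPC
# does (ascending rule number, first match wins, the 32767 '*' entry denies the rest)
# for a request and its reply, because network ACLs are stateless.
# Entries are shaped like the DescribeNetworkAcls 'Entries' list; the ACL is constructed.
import ipaddress

def acl_verdict(entries, egress, remote_ip, protocol, port):
    """Return (rule_number, action) of the first entry matching a single flow."""
    ip = ipaddress.ip_address(remote_ip)
    for e in sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        if e["Protocol"] not in ("-1", protocol) or not e.get("CidrBlock"):
            continue  # wrong protocol, or an IPv6-only entry
        if ip not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleNumber"], e["RuleAction"]
    return 32767, "deny"  # reached only if the default '*' entry was omitted

def onprem_flow_allowed(entries, onprem_ip, service_port, ephemeral_port=50000):
    """Inbound request from on-premises and its outbound reply must both be allowed."""
    req = acl_verdict(entries, False, onprem_ip, "6", service_port)   # source IP is checked
    rep = acl_verdict(entries, True, onprem_ip, "6", ephemeral_port)  # destination IP is checked
    return {"inbound": req, "outbound_reply": rep,
            "allowed": req[1] == "allow" and rep[1] == "allow"}

# Constructed ACL: allows HTTPS in from on-premises but has no outbound rule for reply ports.
SAMPLE_ACL = [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "192.168.0.0/16", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]
# The outbound entry that makes the reply pass: ephemeral ports back to the on-premises range.
EPHEMERAL_REPLY_RULE = {"RuleNumber": 110, "Egress": True, "Protocol": "6", "RuleAction": "allow",
                        "CidrBlock": "192.168.0.0/16", "PortRange": {"From": 1024, "To": 65535}}
```

`onprem_flow_allowed(SAMPLE_ACL, "192.168.10.5", 443)` shows the request allowed by inbound rule 100 and the reply denied by the outbound '*' entry; appending `EPHEMERAL_REPLY_RULE` makes the flow pass in both directions.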

Confirm that on-premises firewall devices allow traffic from Amazon VPC

Verify that your on-premises firewall devices have ingress and egress allow rules for the source VPC IP range. Refer to your vendor's documentation for specific instructions.

Use Route Analyzer

Prerequisite: Complete the steps in Getting started with AWS Network Manager for Transit Gateway networks before continuing.

After you have created a global network and registered your transit gateway:

  1. Access the Amazon VPC console.
  2. From the navigation pane, choose Network Manager.
  3. Choose the global network where your transit gateway is registered.
  4. From the navigation pane, choose Transit Gateway Network. Then, choose Route Analyzer.
  5. Fill in the Source and Destination information as needed. Make sure that both Source and Destination have the same Transit Gateway.
  6. Choose Run route analysis.

Route Analyzer performs routing analysis and indicates a status of Connected or Not Connected. If the status is Not Connected, then Route Analyzer gives you a routing recommendation. Use the recommendations to fix the routing issues and then re-run the test to confirm the connectivity. If the connectivity issue continues, see the Confirm your routing configurations section for more troubleshooting steps.