Why aren't the subnet network ACLs in my VPC allowing traffic through the transit gateway?

Last updated: 2021-02-09

I allowed inbound SSH traffic on the network access control list (ACL) for the subnet of my destination Amazon Elastic Compute Cloud (Amazon EC2) instance. However, traffic is still blocked. Why aren't the subnet network ACLs in my virtual private cloud (VPC) allowing traffic through the transit gateway?

Resolution

When you create a transit gateway attachment and associate a subnet in your VPC, a transit gateway interface is created in that subnet. The transit gateway interface routes traffic from the Amazon EC2 instance's elastic network interface to the transit gateway. The elastic network interface for the Amazon EC2 instance and the transit gateway might be in the same subnet. However, you must consider them as separate entities when configuring the network ACLs.

  1. In the network ACL associated with the transit gateway interface at the destination's VPC, add an inbound rule to allow custom TCP on the ephemeral port. With this rule configured, return traffic on the ephemeral port is allowed.
  2. Confirm that traffic is flowing as intended by reviewing the VPC Flow Logs on the transit gateway network interface.

Network ACL inbound and outbound rules are applied differently based on whether Amazon EC2 and the transit gateway are in the same subnet or different subnets. For more information, see How network ACLS work with transit gateways.


Did this article help?


Do you need billing or technical support?