
Why can't I connect to my resources over a Transit Gateway peering connection?


I have an AWS Transit Gateway peering attachment set up between my source virtual private cloud (VPC) and destination VPC. However, I can't connect my VPC resources over the peering connection.

Resolution

Verify VPC transit gateway attachments for source and destination VPC

Complete the following steps:

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. In the navigation pane, choose Transit gateway attachments.
  3. Confirm that the transit gateway IDs for your VPC attachments match the IDs that you used for the peering connection.
  4. Confirm that the source VPC and its transit gateway are in the same AWS Region.
  5. Confirm that the destination VPC and its transit gateway are in the same Region.

Check transit gateway route table with VPC and peering attachments

Complete the following steps:

  1. On the Amazon VPC console, choose Transit gateway attachments.
  2. Select the VPC attachment. Then, note the transit gateway route table ID in the Associated route table ID column.
  3. Select the peering attachment. Then, note the transit gateway route table ID in the Associated route table ID column.

Repeat the steps for the source and destination transit gateway.

Verify source VPC attachment route configuration

Complete the following steps:

  1. On the Amazon VPC console, choose Transit gateway route tables.
  2. Select the route table that you noted for the source VPC attachment.
  3. Choose the Routes tab.
  4. Check whether a route exists for the CIDR block of the destination VPC and that it points to the transit gateway peering attachment.

Note: Traffic between peered transit gateways requires a static route in the transit gateway route table that points to the transit gateway peering attachment.

Check source peering attachment route configuration

Complete the following steps:

  1. On the Amazon VPC console, choose Transit gateway route tables.
  2. Select the route table that you noted for the source peering attachment.
  3. Choose the Routes tab.
  4. Check whether a route exists for the CIDR block of the source VPC and that it points to the source VPC attachment.

Verify destination VPC attachment route configuration

Complete the following steps:

  1. On the Amazon VPC console, choose Transit gateway route tables.
  2. Select the route table that you noted for the destination VPC attachment.
  3. Choose the Routes tab.
  4. Check whether a route exists for the CIDR block of the source VPC and that it points to the transit gateway peering attachment.

Check destination peering attachment route configuration

Complete the following steps:

  1. On the Amazon VPC console, choose Transit gateway route tables.
  2. Select the route table that you noted for the peering transit gateway attachment.
  3. Choose the Routes tab.
  4. Check whether a route exists for the CIDR block of the destination VPC and that it points to the destination VPC attachment.
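The four route-table checks above are one procedure: the forward path needs a route for the destination CIDR in the table of the source VPC attachment (pointing at the peering attachment) and in the table of the destination peering attachment (pointing at the destination VPC attachment), and the return path needs the mirror image for the source CIDR. The checker below is an added example written for this article, not an AWS tool. It walks both paths over route lists in the shape that `aws ec2 search-transit-gateway-routes` returns, using longest-prefix match and reporting a missing route or a blackhole route separately, since those map to the two flow-log drop counters the article mentions later. All attachment IDs, CIDRs and routes in it are constructed sample data.

```python
"""Check the four transit gateway route-table entries a peering path needs.

Added example for this article, not an AWS tool. Works on route lists in the
shape returned by `aws ec2 search-transit-gateway-routes` (DestinationCidrBlock,
TransitGatewayAttachments, Type, State). All IDs, CIDRs and routes below are
constructed sample data; substitute the output from your own account.
"""
import ipaddress


def lookup(routes, address):
    """Longest-prefix match for one address, as the transit gateway does it."""
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if address in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return None if best is None else best[1]


def check_hop(hop, routes, dst_cidr, expected_attachment):
    """Return findings for one route table; an empty list means the hop is healthy."""
    address = ipaddress.ip_network(dst_cidr).network_address
    route = lookup(routes, address)
    if route is None:
        return [f"{hop}: no route covers {dst_cidr} (packets-lost-no-route would rise)"]
    if route["State"] == "blackhole":
        return [f"{hop}: {route['DestinationCidrBlock']} is a blackhole route "
                f"(packets-lost-blackhole would rise)"]
    targets = {a["TransitGatewayAttachmentId"]
               for a in route.get("TransitGatewayAttachments", [])}
    if expected_attachment not in targets:
        return [f"{hop}: {dst_cidr} matches {route['DestinationCidrBlock']} -> "
                f"{sorted(targets)}, expected {expected_attachment}"]
    return []


def check_peering_path(src_cidr, dst_cidr, att, tables):
    """Walk the forward and return paths through both transit gateways.

    att:    attachment IDs keyed src_vpc, src_peer, dst_vpc, dst_peer
    tables: route lists under the same keys, each being the route table
            associated with that attachment
    """
    findings = []
    # Forward: source VPC -> source TGW -> peering -> destination TGW -> destination VPC
    findings += check_hop("source TGW, table of source VPC attachment",
                          tables["src_vpc"], dst_cidr, att["src_peer"])
    findings += check_hop("destination TGW, table of peering attachment",
                          tables["dst_peer"], dst_cidr, att["dst_vpc"])
    # Return: destination VPC -> destination TGW -> peering -> source TGW -> source VPC
    findings += check_hop("destination TGW, table of destination VPC attachment",
                          tables["dst_vpc"], src_cidr, att["dst_peer"])
    findings += check_hop("source TGW, table of peering attachment",
                          tables["src_peer"], src_cidr, att["src_vpc"])
    return findings


def route(cidr, attachment=None, rtype="static", state="active"):
    """Build one route dict in the search-transit-gateway-routes shape."""
    atts = [] if attachment is None else [{"TransitGatewayAttachmentId": attachment}]
    return {"DestinationCidrBlock": cidr, "TransitGatewayAttachments": atts,
            "Type": rtype, "State": state}


# Constructed sample: the destination TGW's peering table carries a blackhole
# for the destination VPC, so forward traffic dies one hop from the target.
SRC_CIDR, DST_CIDR = "10.1.0.0/16", "10.2.0.0/16"
ATT = {"src_vpc": "tgw-attach-0aaaaaaaaaaaaaaaa", "src_peer": "tgw-attach-0cccccccccccccccc",
       "dst_vpc": "tgw-attach-0bbbbbbbbbbbbbbbb", "dst_peer": "tgw-attach-0cccccccccccccccc"}
TABLES = {
    "src_vpc":  [route(SRC_CIDR, ATT["src_vpc"], "propagated"),
                 route(DST_CIDR, ATT["src_peer"])],
    "src_peer": [route(SRC_CIDR, ATT["src_vpc"], "propagated")],
    "dst_vpc":  [route(DST_CIDR, ATT["dst_vpc"], "propagated"),
                 route(SRC_CIDR, ATT["dst_peer"])],
    "dst_peer": [route(DST_CIDR, state="blackhole")],
}


def demo():
    """Run the checker over the constructed sample and return its findings."""
    return check_peering_path(SRC_CIDR, DST_CIDR, ATT, TABLES)


if __name__ == "__main__":
    for finding in demo() or ["all four route-table entries are in place"]:
        print(finding)
```

Because the match is longest-prefix, a wide blackhole (for example a 10.0.0.0/8 summary) does not mask a more specific active route, and a more specific blackhole is reported even when a summary route points at the right attachment. Feed it the `Routes` arrays from `search-transit-gateway-routes` for each of the four tables you noted in the steps above.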

Check VPC subnet route tables

Complete the following steps:

  1. On the Amazon VPC console, choose Route tables.
  2. Select the route tables for your source and destination instances.
  3. Choose the Routes tab.
  4. Under Destination, verify that a route exists for the CIDR block of the other VPC. Then, verify that Target shows the ID of the transit gateway that the local VPC is attached to.

Check instance security group and network ACL settings

Complete the following steps:

  1. Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
  2. In the navigation pane, choose Instances.
  3. Select the source Amazon EC2 instance for the connectivity test.
  4. Choose the Security tab.
  5. Verify that Outbound rules for the source EC2 instance allow traffic.
  6. Open the Amazon VPC console.
  7. In the navigation pane, choose Network ACLs.
  8. Select the network access control list (network ACL) for your instance's subnet.
  9. Check if Inbound rules and Outbound rules allow the test traffic.
  10. Repeat steps 1-9 for the destination instance. For the destination instance, check Inbound rules instead of Outbound rules in the security group.

Check transit gateway network ACL settings

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Network Interfaces.
  3. In the search bar, enter Transit gateway.
  4. Note the Subnet IDs for the transit gateway network interfaces.
  5. Open the Amazon VPC console.
  6. In the navigation pane, choose Network ACLs.
  7. In the Filter network ACLs search bar, enter the subnet ID that you noted in step 4.
  8. Check whether Inbound rules and Outbound rules allow traffic between the source and destination VPC.
  9. Repeat steps 7-8 for each subnet.

Note: It's a best practice to keep the network ACLs on the subnets that contain the transit gateway network interfaces open, because those network ACLs are evaluated for all traffic that enters or leaves the transit gateway through the attachment.

Test connectivity with Reachability Analyzer

Use Reachability Analyzer to verify that you correctly configured the security groups, network ACLs, and route tables. For instructions, see How do I use Amazon VPC Reachability Analyzer to troubleshoot connectivity issues with an Amazon VPC resource?

Note: For cross-Region destinations, Reachability Analyzer only checks the path to the first transit gateway.

When you use Reachability Analyzer, create paths for source to destination and destination to source. It's a best practice to test both paths because return traffic might fail even if forward traffic succeeds.

If you receive the "TGW_ROUTE_AZ_RESTRICTION" error during reachability analysis, then check your subnet configuration. Your transit gateway VPC attachment must use a subnet in the same Availability Zone as your source instance.

Use Route Analyzer to verify transit gateway connectivity

Prerequisite: Before you begin, create a global network and register your transit gateways. For instructions, see Get started with AWS Global Networks for transit gateways.

Then, complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Network Manager.
  3. Choose Global Networks, and then choose the global network where you registered the transit gateway.
  4. In the navigation pane, choose Transit Gateway Network, and then, choose Route Analyzer.
  5. Fill in the Source and Destination information.
  6. Choose Run route analysis.

Route Analyzer performs routing analysis and shows a status of Connected or Not Connected. If the status is Not Connected, then Route Analyzer provides a routing recommendation. Use the recommendations, and then run the route analysis again to confirm connectivity.

Note: Route Analyzer supports inter-Region peering but doesn't support intra-Region peering.

Check flow logs for routing issues

Check your VPC flow logs and transit gateway flow logs to verify that traffic flows through your VPC and transit gateway peering attachments. Also confirm that traffic flows in both ingress and egress directions.

Then, check your transit gateway flow logs for increments in packets-lost-no-route and packets-lost-blackhole fields.

Note: packets-lost-no-route counts packets dropped because the transit gateway route table associated with the attachment has no route for the destination, and packets-lost-blackhole counts packets dropped because the matching route is a blackhole route. A non-zero value in either field points you at the route table that needs a fix.

If you still can't connect VPC resources over the Transit Gateway peering connection, then contact AWS Support.
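To turn the flow-log check above into something repeatable, the script below is an added example written for this article, not an AWS tool. It parses transit gateway flow-log records, sums the no-route and blackhole drop counters per attachment and address pair, and lists flows for which no record in the reverse direction exists, which is the "traffic flows in both directions" check. It assumes a custom flow-log format with the six fields listed in the docstring, in that order; the format and the log lines are constructed for the example, so match the field list to the format you chose when you created the flow log.

```python
"""Summarise transit gateway flow-log records by drop cause and direction.

Added example for this article, not an AWS tool. It assumes a custom flow-log
format with these fields, in this order (constructed for the example; match it
to the format you chose when you created the flow log):
  tgw-attachment-id srcaddr dstaddr packets packets-lost-no-route packets-lost-blackhole
"""
from collections import defaultdict

FIELDS = ["tgw-attachment-id", "srcaddr", "dstaddr", "packets",
          "packets-lost-no-route", "packets-lost-blackhole"]
COUNTERS = FIELDS[3:]

# Constructed sample records: a two-way flow whose return leg is dropped for
# lack of a route, a one-way flow into a black-holed prefix, and one record
# whose counters are not applicable ('-').
SAMPLE_LOG = """\
tgw-attach-0aaaaaaaaaaaaaaaa 10.1.0.10 10.2.0.20 12 0 0
tgw-attach-0cccccccccccccccc 10.2.0.20 10.1.0.10 5 5 0
tgw-attach-0aaaaaaaaaaaaaaaa 10.1.0.10 10.3.0.7 3 0 3
tgw-attach-0aaaaaaaaaaaaaaaa 10.1.0.10 10.2.0.20 - - -
"""


def parse(text):
    """Parse space-separated records; a '-' counter (not applicable) counts as 0."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip blanks, headers and records in another format
        rec = dict(zip(FIELDS, parts))
        for name in COUNTERS:
            rec[name] = 0 if rec[name] == "-" else int(rec[name])
        records.append(rec)
    return records


def drops_by_flow(records):
    """Sum no-route and blackhole drops per (attachment, src, dst) that lost packets."""
    totals = defaultdict(lambda: {"no_route": 0, "blackhole": 0})
    for rec in records:
        key = (rec["tgw-attachment-id"], rec["srcaddr"], rec["dstaddr"])
        totals[key]["no_route"] += rec["packets-lost-no-route"]
        totals[key]["blackhole"] += rec["packets-lost-blackhole"]
    return {k: v for k, v in totals.items() if v["no_route"] or v["blackhole"]}


def one_way_flows(records):
    """Return (src, dst) pairs for which no record in the reverse direction exists."""
    seen = {(r["srcaddr"], r["dstaddr"]) for r in records}
    return sorted(pair for pair in seen if (pair[1], pair[0]) not in seen)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for (att, src, dst), counts in drops_by_flow(recs).items():
        print(f"{att} {src} -> {dst}: no_route={counts['no_route']} "
              f"blackhole={counts['blackhole']}")
    for src, dst in one_way_flows(recs):
        print(f"one-way only: {src} -> {dst} (no return traffic seen)")
```

The attachment ID in a record with a non-zero drop counter tells you which transit gateway route table to open next: the one associated with that attachment. In the sample, the return leg from 10.2.0.20 arrives over the peering attachment and is dropped for no route, which is exactly the source peering attachment route table check earlier in this article.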

AWS OFFICIAL. Updated 5 days ago.