I have an AWS Transit Gateway Connect attachment to establish connectivity between Transit Gateway and SD-WAN (Software-defined Wide Area Network) instances in my virtual private cloud (VPC). However, I am unable to connect my remote network from the VPC over the Transit Gateway Connect attachment. How can I troubleshoot this?
Short description
To troubleshoot connectivity between the source and remote networks connected by a Transit Gateway Connect attachment, check the following:
- Connect attachment setup
- Availability Zones
- Route tables
- Network security settings
Resolution
Troubleshoot Transit Gateway and Connect attachment setup
Confirm the Transit Gateway and Connect attachment setup configuration
- Open the Amazon Virtual Private Cloud (Amazon VPC) console.
- From the navigation pane, choose Transit gateway attachments.
- Select the source VPC attachment where you have resources that need to communicate with remote or on-premises hosts. Verify that this attachment is associated with the correct Transit Gateway ID.
- Repeat step 3 for the Connect attachment, which is the attachment used to establish the connection between the transit gateway and the third-party virtual appliance running in your VPC.
- Repeat step 3 for the transport VPC attachment, which is the attachment used as the transport mechanism to establish the Generic Routing Encapsulation (GRE) setup between your transit gateway and SD-WAN.
- From the navigation pane, choose Transit gateway Route Tables.
- Select the Transit Gateway Route Table for each time of attachment and confirm that:
The source and SD-WAN VPCs are attached to a transit gateway. This can be same or different transit gateway or Region.
The source and SD-WAN VPC attachments are associated with the correct transit gateway route table.
The Connect attachment is attached to correct transit gateway.
The Connect attachment uses the correct VPC Transport Attachment (the VPC attachment of the SD-WAN appliance) and is in an Available state.
Confirm that the Connect peers are configured correctly
- Open the Amazon VPC console.
- From the navigation pane, choose Transit gateway attachments.
- Select the connect attachment.
- Choose Connect Peers. Verify that:
The peer GRE address is the private IP address of the SD-WAN instance that you want to create the GRE tunnel to.
The Transit Gateway GRE address is one of the available IP addresses from the Transit Gateway CIDR.
The BGP inside IPs are part of a /29 CIDR block from the 169.254.0.0/16 range for IPv4. Optionally, you can specify a /125 CIDR block from the fd00::/8 range for IPv6. See Transit Gateway Connect peers for a list of CIDR blocks that are reserved and can't be used.
Confirm your third-party appliance configuration
Verify that your third-party appliance configuration matches all requirements and considerations. If your appliance has more than one interface, make sure that OS routing is configured to send GRE packets out on the correct interface.
Confirm that there is Transit Gateway Attachment in same Availability Zone as the SD-WAN appliance
- Open the Amazon VPC console.
- From the navigation pane, choose Subnets.
- Select the subnets used by the VPC attachment and SD-WAN instance.
- Verify that the Availability Zone ID of both the subnets are the same.
Troubleshoot route tables and routing
Confirm the VPC route table for the source instance and SD-WAN instance
- Open the Amazon VPC console.
- From the navigation pane, choose Route tables.
- Select the route table used by the instance.
- Choose the Routes tab.
- Verify that there's a route with the correct Destination CIDR block and with the Target as Transit Gateway ID. For the source instance, the Destination CIDR block is the Remote Network CIDR. For the SD-WAN instance, the Destination CIDR block is the Transit Gateway CIDR block
Confirm the Transit Gateway attachment and source VPC attachment’s routing tables
- Open the Amazon VPC console.
- Choose Transit gateway route tables.
- Confirm that the source VPC attachment's associated route table has a route propagating from the Connect attachment for the remote network.
- Confirm that the Transit Gateway Connect attachment's associated route table has a route for the source VPC and SD-WAN Appliance's VPC.
Troubleshoot Network security
Confirm that the Network ACLs allow traffic
- Open the Amazon VPC console.
- From the navigation pane, choose Subnets.
- Select the Subnets used by the VPC attachment and SD-Wan Instance.
- Choose the Network ACL tab. Verify that:
The SD-WAN instance's Network ACL allows GRE traffic.
The Source instance's Network ACL allows traffic.
The network ACL associated with the transit gateway network interface allows traffic.
Confirm that the source and SD-WAN EC2 instance's security group allows traffic
- Open the Amazon EC2 console.
- From the navigation pane, choose Instances.
- Select the appropriate instances.
- Choose the Security tab.
- Confirm that the SD-WAN instance's security group allows GRE traffic either in inbound rules to accept GRE Initiations, or in Outbound rule to initiate GRE Session. Confirm that the Source instance's security group allows the traffic.