I have an AWS Direct Connect or AWS Site-to-Site VPN connection terminating on an AWS Transit Gateway, with an Amazon Virtual Private Cloud (Amazon VPC) attached to the same transit gateway. However, I'm experiencing connectivity issues between my on-premises connections and the Amazon VPC. How can I troubleshoot this?
Short description
To troubleshoot connectivity between an AWS Direct Connect or AWS Site-to-Site VPN connection terminating on an AWS Transit Gateway and an Amazon Virtual Private Cloud (Amazon VPC) attached to the same transit gateway, you can:
- Check the routing configuration for the transit gateway, the VPC, and the Amazon EC2 instance, in both directions (the forward path from the instance to on-premises and the return path back to the instance).
- Use Route Analyzer in AWS Network Manager.
Resolution
Confirm your routing configurations
Verify the Amazon VPC subnet route table configuration
- Open the Amazon VPC console.
- From the navigation pane, choose Route Tables.
- Select the route table that is used by your source Amazon Elastic Compute Cloud (Amazon EC2) instance.
- Choose the Routes tab.
- Verify that there is a route whose Destination is your on-premises network CIDR (or a less specific prefix that covers it; the most specific matching route wins).
- Verify that the Target of that route is the transit gateway (a tgw- ID). A route for the same prefix that points at a NAT gateway, virtual private gateway, or other target takes precedence if it is more specific, so check for overlapping routes.
Check the Availability Zones for the Transit Gateway VPC attachment
- Open the Amazon VPC console.
- Choose Transit Gateway Attachments.
- Select VPC attachment.
- Under Details, verify the Subnet IDs. Confirm that a subnet in your EC2 instance's Availability Zone is selected. The transit gateway only creates a network interface in the Availability Zones where the attachment has a subnet, so instances in an Availability Zone without an attachment subnet can't send traffic through the transit gateway.
- If no subnet in the source instance's Availability Zone is selected, choose Actions. Then, modify your VPC attachment, and select a subnet from your EC2 instance's Availability Zone.
Note: Adding or modifying a VPC attachment subnet can impact data traffic while the attachment is in a Modifying state.
Check the Transit Gateway route table associated with the VPC attachment
- Open the Amazon VPC console.
- Choose Transit Gateway Route Tables.
- Select the route table associated with the VPC attachment.
- In the Routes tab, confirm that there is an active (not blackhole) route for the on-premises network with a Target of the Direct Connect gateway attachment or the VPN attachment.
- If you're using a Site-to-Site VPN with static routing: add a static route for the on-premises network with a Target of the VPN attachment. Static VPN routes aren't propagated into the transit gateway route table.
- If you're using a Site-to-Site VPN with dynamic (BGP) routing, or a Direct Connect gateway: confirm that route propagation from that attachment is enabled on this route table, and that the on-premises prefix is actually being advertised to AWS over BGP.
Check the Transit Gateway route table associated with the AWS Direct Connect gateway attachment or VPN attachment
- Open the Amazon VPC console.
- Choose Transit Gateway Route Tables.
- Select the route table that's associated with the AWS Direct Connect gateway attachment, or the route table that's associated with the VPN attachment.
- In the Routes tab, confirm that there's an active route for the source VPC CIDR with a Target of the transit gateway VPC attachment that corresponds to the source VPC. This is the return path: without it, traffic from on-premises can reach the transit gateway but is dropped before it reaches the VPC.
Check the Allowed Prefixes configured on the Direct Connect gateway to Transit Gateway association
- Open the AWS Direct Connect console.
- From the navigation pane, choose Direct Connect Gateways.
- Select the AWS Direct Connect Gateway associated with Transit Gateway.
- Under Gateway association, verify that the Allowed prefixes list includes the source VPC CIDR (or a prefix that covers it). Only the allowed prefixes are advertised to your on-premises router over Direct Connect, so a VPC CIDR that's missing from this list isn't learned on-premises and return traffic has no route.
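The routing checks above (subnet route table, attachment Availability Zone, both transit gateway route tables, and the Direct Connect gateway allowed prefixes) are the same checks in each direction, so they are easy to script. The following is an added example, not code from the original article or from AWS: it walks the forward and return path over constructed sample data shaped like the corresponding EC2 and Direct Connect API responses (describe_route_tables, describe_transit_gateway_vpc_attachments, search_transit_gateway_routes, describe_direct_connect_gateway_associations). All IDs and CIDRs are hypothetical; in practice you would fill the dict from those boto3 calls and pass your own instance details. For a VPN attachment, set far_attachment to the VPN attachment ID and allowed_prefixes to None, since allowed prefixes only apply to a Direct Connect gateway association.

```python
import ipaddress


def longest_match(routes, ip):
    """Most specific route whose DestinationCidrBlock covers ip (longest-prefix match,
    which is how both VPC and transit gateway route tables select a route)."""
    addr = ipaddress.ip_address(ip)
    best, best_net = None, None
    for route in routes:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best, best_net = route, net
    return best


def covered(cidr, prefixes):
    """True if cidr lies inside any prefix in prefixes."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in prefixes)


def tgw_next_hop(route):
    """Attachment ID a transit gateway route points at (None for a blackhole route)."""
    atts = route.get("TransitGatewayAttachments", [])
    return atts[0]["TransitGatewayAttachmentId"] if atts else None


def check_path(cfg):
    """Walk the path in both directions; return a list of findings (empty means the
    routing configuration looks correct for on-prem <-> instance traffic)."""
    findings = []
    inst = cfg["instance"]

    # 1. VPC subnet route table: the on-prem prefix must point at the transit gateway.
    r = longest_match(cfg["subnet_routes"], cfg["on_prem_ip"])
    if r is None:
        findings.append("subnet route table: no route covers %s" % cfg["on_prem_ip"])
    elif r.get("TransitGatewayId") != cfg["tgw_id"]:
        target = r.get("TransitGatewayId") or r.get("GatewayId") or r.get("NatGatewayId")
        findings.append("subnet route table: %s goes to %s, not %s"
                        % (r["DestinationCidrBlock"], target, cfg["tgw_id"]))

    # 2. VPC attachment: needs a subnet (hence a TGW interface) in the instance's AZ.
    if inst["AvailabilityZone"] not in cfg["attachment_subnets"].values():
        findings.append("vpc attachment: no attachment subnet in %s" % inst["AvailabilityZone"])

    # 3. TGW route table associated with the VPC attachment: on-prem -> DX gateway/VPN attachment.
    r = longest_match(cfg["rt_vpc_side"], cfg["on_prem_ip"])
    if r is None or r.get("State") != "active" or tgw_next_hop(r) != cfg["far_attachment"]:
        findings.append("tgw route table (vpc side): no active route for %s via %s"
                        % (cfg["on_prem_ip"], cfg["far_attachment"]))

    # 4. TGW route table associated with the DX gateway/VPN attachment: VPC CIDR -> VPC attachment.
    r = longest_match(cfg["rt_far_side"], inst["PrivateIpAddress"])
    if r is None or r.get("State") != "active" or tgw_next_hop(r) != cfg["vpc_attachment"]:
        findings.append("tgw route table (dx/vpn side): no active route back to %s via %s"
                        % (inst["PrivateIpAddress"], cfg["vpc_attachment"]))

    # 5. Direct Connect gateway association: the VPC CIDR must be an allowed prefix,
    #    otherwise it is never advertised to on-premises (skipped for VPN: None).
    if cfg.get("allowed_prefixes") is not None and not covered(cfg["vpc_cidr"], cfg["allowed_prefixes"]):
        findings.append("dx gateway association: %s not in allowed prefixes %s"
                        % (cfg["vpc_cidr"], cfg["allowed_prefixes"]))
    return findings


# Constructed sample data with hypothetical IDs; shaped like the boto3 responses named above.
SAMPLE = {
    "tgw_id": "tgw-0123",
    "vpc_attachment": "tgw-attach-vpc1",
    "far_attachment": "tgw-attach-dxgw1",
    "vpc_cidr": "10.0.0.0/16",
    "on_prem_ip": "192.168.5.5",
    "instance": {"PrivateIpAddress": "10.0.1.25", "AvailabilityZone": "us-east-1a"},
    "subnet_routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "192.168.0.0/16", "TransitGatewayId": "tgw-0123"},
    ],
    "attachment_subnets": {"subnet-aaaa": "us-east-1a", "subnet-bbbb": "us-east-1b"},
    "rt_vpc_side": [
        {"DestinationCidrBlock": "192.168.0.0/16", "State": "active",
         "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-dxgw1",
                                       "ResourceType": "direct-connect-gateway"}]},
    ],
    "rt_far_side": [
        {"DestinationCidrBlock": "10.0.0.0/16", "State": "active",
         "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-vpc1",
                                       "ResourceType": "vpc"}]},
    ],
    "allowed_prefixes": ["10.0.0.0/16"],
}

if __name__ == "__main__":
    for finding in check_path(SAMPLE) or ["routing configuration looks correct"]:
        print(finding)
```

Each finding names the hop at which the path breaks, which maps directly onto the console steps above; the blackhole check matters because a transit gateway route that has lost its attachment still appears in the table but drops traffic.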
Confirm that the Amazon EC2 instance's security group and network access control list (ACL) allows the appropriate traffic
- Open the Amazon EC2 console.
- From the navigation pane, choose Instances.
- Select the instance where you're performing the connectivity test.
- Choose the Security tab.
- Verify that the Inbound rules and Outbound rules allow the protocol and ports you're testing (for example, ICMP for ping) to and from your on-premises network CIDR. Security groups are stateful, so the reply to an allowed request is permitted automatically.
- Open the Amazon VPC console.
- From the navigation pane, choose Network ACLs.
- Select the network ACL associated with the subnet where you have the instance (Source/Destination).
- Select the Inbound rules and Outbound rules. Verify that traffic is allowed to and from your on-premises network. Network ACLs are stateless, so both directions must be allowed explicitly, including the ephemeral port range (1024-65535) that the replies use.
Confirm that the network ACL associated with the transit gateway network interface allows the appropriate traffic
- Open the Amazon EC2 console.
- From the navigation pane, choose Network Interfaces.
- In the search bar, enter Transit Gateway. All network interfaces of the transit gateway display. Note the subnet IDs of the subnets where the transit gateway interfaces were created (the VPC attachment subnets).
- Open the Amazon VPC console.
- From the navigation pane, choose Network ACLs.
- In the search bar, enter the subnet ID that you noted from the Network Interfaces page. The results show the network ACL that's associated with that subnet.
- Check the Inbound rules and Outbound rules of the network ACL to verify that it allows the Source VPC IP range and on-premises network.
Confirm that on-premises firewall devices allow traffic from Amazon VPC
Verify that your on-premises firewall devices have ingress and egress allow rules for the source VPC CIDR, and that your on-premises router has a route for that CIDR pointing back toward the Direct Connect or VPN link (for dynamic routing, confirm that the VPC CIDR is received over BGP). Refer to your vendor's documentation for specific instructions.
Use Route Analyzer
Prerequisite: Complete the steps in Getting started with AWS Network Manager for Transit Gateway networks before continuing.
After you have created a global network and registered your transit gateway:
- Access the Amazon VPC console.
- From the navigation pane, choose Network Manager.
- Choose the global network where your transit gateway is registered.
- From the navigation pane, choose Transit Gateway Network. Then, choose Route Analyzer.
- Fill in the Source and Destination information as needed. Make sure that both Source and Destination have the same Transit Gateway.
- Choose Run route analysis.
Route Analyzer performs routing analysis and indicates a status of Connected or Not Connected. If the status is Not Connected, then Route Analyzer gives you a routing recommendation. Use the recommendations to fix the routing issues and then re-run the test to confirm the connectivity. If the connectivity issue continues, see the Confirm your routing configurations section for more troubleshooting steps.
Related information
How do I troubleshoot VPC-to-VPC connectivity through a transit gateway?
Diagnosing traffic disruption using AWS Transit Gateway Network Manager Route Analyzer