Whether you're taking your first steps with Kubernetes or you're an experienced practitioner looking to sharpen your skills, our Amazon EKS workshop series delivers practical, real-world experience that moves you forward. Learn directly from AWS solutions architects and EKS specialists through hands-on sessions designed to build your confidence with Kubernetes. Register now and start building with Amazon EKS!
How do I troubleshoot and resolve asymmetric routing and return traffic issues in my transit gateway?
When traffic routes through my Inspection virtual private cloud (VPC) and transit gateway in AWS Transit Gateway, the traffic drops or loses connectivity.
Resolution
For traffic to correctly route, both request and response network traffic must route to the same firewall endpoint. Transit Gateway routes traffic through the Availability Zone where traffic enters. Asymmetric routing happens when request and response network traffic use different paths. Then, stateful firewalls drop the return traffic.
Review your network setup and traffic flow
Take the following actions:
- Identify all resources that are involved in the traffic flow.
- Map out the complete packet flow path.
- Document all route tables including the Availability Zones.
Check the transit gateway routing table
Complete the following steps:
- Open the Amazon Virtual Private Cloud (Amazon VPC) console.
- In the navigation pane, under Transit Gateways, choose Transit gateway route tables.
- Select your route table.
- Choose Routes.
- Confirm that routes exist from the source VPC, Inspection VPC, and all other attachments involved in the traffic path.
Create transit gateway flow logs
Create an AWS Transit Gateway Flow Logs record that publishes to Amazon CloudWatch Logs or Amazon S3.
Then, view your flow log records in CloudWatch Logs or Amazon S3.
Note: To narrow your results when you view your flow log records, filter by your transit gateway attachments.
Check whether asymmetric routing occurs
Take the following actions:
- Confirm that your source and destination resources are in the same or different Availability Zones.
- Identify the Availability Zones where Inspection VPC subnets route traffic between the source and destination attachments. Note these Availability Zones for both request and response network traffic.
- Confirm that your firewall endpoints and NAT gateway exist in all Availability Zones where traffic flows.
Turn on appliance mode
Turn on appliance mode for your Inspection VPC attachment. When you turn on appliance mode, traffic routes through the same firewall endpoint in both directions. For more information about appliance mode for the VPC attachment, see the Example: Appliance in a shared services VPC section in Example transit gateway scenarios.
To turn on appliance mode, complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Transit gateway attachments.
- Select your Inspection VPC attachment.
- Choose Modify, and then choose Enable appliance mode support.
- Language
- English
Relevant content
- asked 8 months ago
- asked 24 days ago
- AWS OFFICIALUpdated a month ago
