
How do I troubleshoot Transit Gateway and VPC internet connectivity issues through a centralized egress VPC?


I can't access the internet from my virtual private cloud (VPC) resources that route through a transit gateway and centralized egress VPC.

Short description

Internet connectivity through a centralized egress VPC requires specific routing and security configurations. For information about architecture details, see Using the NAT gateway with AWS Network Firewall for centralized IPv4 egress.

Resolution

Note: This article assumes an Amazon Elastic Compute Cloud (Amazon EC2) instance as the source resource. Before you check resource configurations, identify your resources that connect to the internet. If you use a different resource, then open the AWS Management Console for the AWS service to verify the subnet and security group configuration.

Verify source VPC resources and configuration

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, choose Instances.
  3. Identify and select the EC2 instance that can't access the internet.
  4. Choose the Security tab.
  5. Verify that the Outbound rules of the source instance's security group allow internet traffic.
  6. On the details pane, choose the Networking tab.
  7. Note the VPC, subnet, and Availability Zone that hosts the instance.
  8. Select the hyperlink of the subnet that's associated with the instance, and then open the link in a new tab.
  9. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  10. Select the subnet and then confirm the following configurations from the Details pane:
    Under Network ACL, confirm that the Inbound rules and Outbound rules allow internet traffic.
    Under Route table, verify that the default route 0.0.0.0/0 exists and points to the transit gateway as the next hop. If this route doesn't exist, then add the default route 0.0.0.0/0 to the route table with the transit gateway as the next hop.

Check the VPC transit gateway attachment

Complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Transit gateways, choose Transit gateway attachments.
  3. Enter the VPC ID that you identified earlier to filter and view the correct VPC attachment.
  4. In the Details pane, check the Subnet IDs field. Then, verify that at least one of the listed subnets is in the same Availability Zone as your instance.

Confirm network ACL association and configuration

Complete the following steps:

  1. Open the Amazon EC2 console.
  2. In the navigation pane, under Network & Security, choose Network Interfaces.
  3. In the search field, use the Interface Type = transit_gateway filter.
  4. From the results, select the subnet ID that's associated with the source VPC transit gateway attachment, and then open the details in a new tab.
  5. From the new tab, select the subnet again.
  6. In the details pane, choose Network ACL.
  7. Check your network ACL rules for the following requirements:
    On the Outbound rules tab, verify that the outbound rules allow traffic to the destination public IP address.
    On the Inbound rules tab, verify that the inbound rules allow traffic from the NAT gateway's private IP address.

Note: It's a best practice to configure network ACLs with open inbound and outbound rules for transit gateway subnets.
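The network ACL checks in the preceding two sections (the source subnet's ACL and the ACL on the subnet that hosts the transit gateway attachment) are easy to get wrong because network ACLs are stateless and rules are evaluated in ascending rule-number order. The following added example, which is not AWS code and not part of this article, evaluates ACL entries the way the VPC does and runs the two checks this section calls for: outbound to the destination public IP address and inbound from the NAT gateway's private IP address. The entry dicts are constructed inline in the shape of the `Entries` list that `ec2.describe_network_acls()` returns; the IP addresses, CIDR blocks and rule numbers are constructed placeholders, and `nacl_decision` and `check_tgw_subnet_nacl` are names chosen for this example.

```python
"""Evaluate network ACL entries the way the VPC does: stateless, walked in
ascending RuleNumber, first match decides, and the '*' entry (RuleNumber
32767) denies anything that nothing earlier matched.

Constructed example: the entries mirror the shape of the 'Entries' list from
ec2.describe_network_acls(); addresses and CIDRs are placeholders only.
"""
import ipaddress


def nacl_decision(entries, egress, remote_ip, protocol="6", port=443):
    """Return 'allow' or 'deny' for one direction of one flow.

    egress=True evaluates the Outbound tab against the destination address;
    egress=False evaluates the Inbound tab against the source address.
    PortRange is matched against the packet's destination port, which for
    the return leg of a connection is an ephemeral port on the instance.
    """
    ip = ipaddress.ip_address(remote_ip)
    directional = [e for e in entries if e["Egress"] == egress]
    for entry in sorted(directional, key=lambda e: e["RuleNumber"]):
        if ip not in ipaddress.ip_network(entry["CidrBlock"]):
            continue
        if entry["Protocol"] != "-1":  # "-1" means all protocols
            if entry["Protocol"] != protocol:
                continue
            port_range = entry.get("PortRange")
            if port_range and not (port_range["From"] <= port <= port_range["To"]):
                continue
        return entry["RuleAction"]  # first matching rule decides
    return "deny"  # nothing matched: the implicit '*' rule denies


def check_tgw_subnet_nacl(entries, destination_public_ip, nat_private_ip, port=443):
    """Run the two checks from this section. Returns a list of findings;
    an empty list means both directions are allowed."""
    findings = []
    if nacl_decision(entries, True, destination_public_ip, "6", port) != "allow":
        findings.append(f"outbound to {destination_public_ip}:{port} is denied")
    # Network ACLs are stateless: the reply must be allowed inbound explicitly,
    # and it arrives on an ephemeral destination port, not on the service port.
    if nacl_decision(entries, False, nat_private_ip, "6", 49152) != "allow":
        findings.append(f"inbound from {nat_private_ip} on ephemeral ports is denied")
    return findings


# Constructed ACL matching the best practice above: open in both directions.
OPEN_ACL = [
    {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},
    {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},
]

# Constructed ACL that only allows inbound from the VPC's own CIDR, so the
# return traffic from the NAT gateway's private IP (in the egress VPC) is dropped.
RESTRICTIVE_ACL = [
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "PortRange": {"From": 443, "To": 443},
     "CidrBlock": "0.0.0.0/0", "RuleAction": "allow"},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "PortRange": {"From": 443, "To": 443},
     "CidrBlock": "10.1.0.0/16", "RuleAction": "allow"},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "CidrBlock": "0.0.0.0/0", "RuleAction": "deny"},
]

DESTINATION_PUBLIC_IP = "203.0.113.10"  # constructed placeholder
NAT_PRIVATE_IP = "10.9.1.40"            # constructed placeholder

if __name__ == "__main__":
    print("open ACL:", check_tgw_subnet_nacl(OPEN_ACL, DESTINATION_PUBLIC_IP, NAT_PRIVATE_IP))
    print("restrictive ACL:", check_tgw_subnet_nacl(RESTRICTIVE_ACL, DESTINATION_PUBLIC_IP, NAT_PRIVATE_IP))
```

To check a real ACL, replace the constructed lists with `Entries` from `ec2.describe_network_acls(Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}])` for the subnet you identified in step 4. The restrictive ACL above passes the outbound check and still breaks connectivity, which is why the inbound check against the NAT gateway's private IP is listed separately.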

Check transit gateway association and route table propagations

Complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Transit gateways, choose Transit gateway attachments.
  3. In the search field, enter the VPC ID of the source EC2 instance. Then, select the ID of the associated transit gateway route table.
  4. In the Details pane, choose Routes.
  5. Verify that the route table includes the destination public IP address or default route that points to the egress VPC attachment.

Verify egress VPC routing configuration for outbound internet traffic and return routing

Identify transit gateway interface and subnet configuration

Complete the following steps:

  1. Open the Amazon EC2 console from the AWS account that hosts the egress VPC.
  2. In the navigation pane, under Network and Security, choose Network Interfaces.
  3. In the search field, enter the Interface Type = transit_gateway filter.
  4. From the search results, note each subnet that hosts the egress VPC transit gateway attachment.

Verify outbound internet traffic routing

Complete the following steps:

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Virtual private cloud, choose Route tables.
  3. In the search field, enter the subnet ID that you noted earlier to find the route table that's associated with that subnet.
  4. Select the route table, and then in the Details pane, choose Routes.
  5. Verify that the route table contains the default route or destination public prefix and points to the NAT gateway.
  6. Repeat steps 3 through 5 for each subnet ID.

Verify network ACL and NAT gateway configuration

Complete the following steps:

  1. On the Amazon VPC console, in the navigation pane, under Security, choose Network ACLs.
  2. In the search field, enter the subnet ID to search for the network ACL that's associated with each subnet.
  3. Verify that the network ACLs have outbound rules that allow traffic to the destination public IP address and inbound rules that allow traffic from the NAT gateway's private IP address.
  4. In the navigation pane, under Virtual private cloud, choose NAT gateways.
  5. For each NAT gateway, note the route table and the Availability Zone that it uses for internet-bound traffic.

Verify return traffic routing

Complete the following steps:

  1. On the Amazon VPC console, in the navigation pane, under Virtual private cloud, choose Route tables.
  2. For each identified NAT gateway route table, verify that it contains the default route (0.0.0.0/0) or the destination public prefix with the internet gateway as the next hop.
  3. For each identified route table, verify that it contains a route for the source VPC's CIDR block that directs return traffic from the internet back to the source instance.

Verify return routing from the transit gateway

Complete the following steps:

  1. On the Amazon VPC console, in the navigation pane, under Transit gateways, choose Transit gateway attachments.
  2. In the search field, enter the egress VPC ID.
  3. Select the route table ID for the egress VPC.
  4. Verify that the route table contains a route for the CIDR block of the original source VPC.
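The route checks above span six route tables across two VPCs and the transit gateway, and a single missing entry (most often the return route in the NAT gateway's subnet) breaks the path while every outbound hop still looks correct. The following added example, which is not AWS code and not part of this article, walks those six lookups in the order the sections above present them, using longest-prefix matching as VPC and transit gateway route tables do. The route dicts are constructed inline in the shape of the `Routes` lists returned by `ec2.describe_route_tables()` and `ec2.search_transit_gateway_routes()`; every ID, CIDR block and address is a constructed placeholder, and `next_hop`, `check_egress_path` and the topology keys are names chosen for this example.

```python
"""Trace the centralized-egress path over constructed route tables.

The dicts below mirror the shape of 'Routes' from ec2.describe_route_tables()
(VPC route tables) and ec2.search_transit_gateway_routes() (transit gateway
route tables). All IDs, CIDRs and addresses are constructed placeholders.
"""
import copy
import ipaddress


def next_hop(routes, dest_ip):
    """Longest-prefix-match lookup over active routes. Returns the matching
    route dict, or None when no route covers dest_ip."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for route in routes:
        if route.get("State", "active") != "active":
            continue  # blackhole routes do not forward traffic
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    return best[1] if best else None


def vpc_target(route):
    """Next-hop ID of a VPC route: tgw-, nat-, igw- or 'local'."""
    for key in ("TransitGatewayId", "NatGatewayId", "GatewayId"):
        if key in route:
            return route[key]
    return None


def tgw_target(route):
    """Attachment ID that a transit gateway route forwards to."""
    return route["TransitGatewayAttachments"][0]["TransitGatewayAttachmentId"]


def check_egress_path(t, instance_ip, dest_ip):
    """Run the six route lookups this article verifies, in order.
    Returns a list of findings; an empty list means every hop resolves."""
    findings = []

    def expect(label, route, pick, want):
        got = None if route is None else pick(route)
        if got is None or not got.startswith(want):
            findings.append(f"{label}: expected next hop starting with '{want}', got {got}")

    # 1. Source subnet: default/destination route points at the transit gateway.
    expect("source subnet route table", next_hop(t["source_subnet_rt"], dest_ip), vpc_target, "tgw-")
    # 2. TGW route table associated with the source attachment: destination resolves to the egress attachment.
    expect("source TGW route table", next_hop(t["source_tgw_rt"], dest_ip), tgw_target, t["egress_attachment"])
    # 3. Egress VPC subnet hosting the TGW attachment: route to the NAT gateway.
    expect("egress TGW-attachment subnet route table", next_hop(t["egress_tgw_subnet_rt"], dest_ip), vpc_target, "nat-")
    # 4. NAT gateway subnet: route to the internet gateway.
    expect("NAT gateway subnet route table (outbound)", next_hop(t["nat_subnet_rt"], dest_ip), vpc_target, "igw-")
    # 5. The same table must send replies for the source VPC back to the transit gateway.
    expect("NAT gateway subnet route table (return)", next_hop(t["nat_subnet_rt"], instance_ip), vpc_target, "tgw-")
    # 6. TGW route table associated with the egress attachment: source CIDR goes to the source attachment.
    expect("egress TGW route table", next_hop(t["egress_tgw_rt"], instance_ip), tgw_target, t["source_attachment"])
    return findings


# Constructed topology: source VPC 10.1.0.0/16, egress VPC 10.9.0.0/16.
GOOD = {
    "source_attachment": "tgw-attach-src0000",
    "egress_attachment": "tgw-attach-egr0000",
    "source_subnet_rt": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "TransitGatewayId": "tgw-0example", "State": "active"},
    ],
    "source_tgw_rt": [
        {"DestinationCidrBlock": "0.0.0.0/0", "State": "active",
         "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-egr0000"}]},
    ],
    "egress_tgw_subnet_rt": [
        {"DestinationCidrBlock": "10.9.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"},
    ],
    "nat_subnet_rt": [
        {"DestinationCidrBlock": "10.9.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"},
        {"DestinationCidrBlock": "10.1.0.0/16", "TransitGatewayId": "tgw-0example", "State": "active"},
    ],
    "egress_tgw_rt": [
        {"DestinationCidrBlock": "10.1.0.0/16", "State": "active",
         "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-src0000"}]},
    ],
}


def broken_topology():
    """GOOD with the return route removed from the NAT gateway subnet: outbound
    hops all pass, but replies fall through to the default route toward the IGW."""
    t = copy.deepcopy(GOOD)
    t["nat_subnet_rt"] = [r for r in t["nat_subnet_rt"] if "TransitGatewayId" not in r]
    return t


if __name__ == "__main__":
    print("good:", check_egress_path(GOOD, "10.1.10.25", "203.0.113.10"))
    print("broken:", check_egress_path(broken_topology(), "10.1.10.25", "203.0.113.10"))
```

Longest-prefix matching matters in step 5: the NAT gateway subnet has both a default route to the internet gateway and a more specific route for the source VPC, and only the more specific one carries replies back to the transit gateway. When that route is missing, the lookup silently falls back to the default route, which is exactly the symptom the "Verify return traffic routing" section asks you to rule out.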

Related information

Using the NAT gateway for centralized IPv4 egress

Introducing VPC Flow Logs for AWS Transit Gateway

AWS OFFICIAL. Updated 5 days ago.