How can I troubleshoot Direct Connect gateway routing issues?


I want to troubleshoot routing issues between my Amazon Virtual Private Cloud (Amazon VPC) and on-premises network that involve a private virtual interface and AWS Direct Connect gateway with a virtual private gateway.


To troubleshoot issues with your virtual private gateway, take the following actions:

  • Confirm that the Amazon VPC subnet route table has a static or propagated route entry for the on-premises network that points to the virtual private gateway.
  • Make sure that the Direct Connect gateway is associated with the correct virtual private gateway.
  • Make sure that the allowed prefixes for the virtual private gateway's association with the Direct Connect gateway are entered as the entire VPC CIDR. Or, make sure that the allowed prefixes use a CIDR that's wider than the VPC CIDR.
    Note: If you specify a CIDR that's narrower than the VPC CIDR, then you don't receive the route on your gateway router. For more information, see Allowed prefixes.
  • Make sure that your router is advertising the on-premises prefix to AWS over the Border Gateway Protocol (BGP) session of the private virtual interface.
  • Verify that the security group rules and the network access control lists (network ACLs) allow traffic to and from the on-premises network.
  • Verify that the firewall rules on your router allow traffic from the Amazon VPC subnet CIDR.
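
The route table and allowed prefixes checks from the list above can be scripted. The following is an added example, not code from AWS. The function names, IDs, and CIDRs are constructed placeholders, and the route dictionaries are assumed to follow the shape of route entries returned by the EC2 DescribeRouteTables API.

```python
import ipaddress

def check_allowed_prefixes(vpc_cidr, allowed_prefixes):
    """The VPC CIDR is advertised only if an allowed prefix equals or is wider than it."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(p) for p in allowed_prefixes]
    same_family = [n for n in nets if n.version == vpc.version]
    for net in same_family:
        if vpc.subnet_of(net):
            return True, f"{net} covers {vpc}"
    narrower = [str(n) for n in same_family if n.subnet_of(vpc)]
    if narrower:
        return False, f"{', '.join(narrower)} is narrower than {vpc}; route is not received"
    return False, f"no allowed prefix covers {vpc}"

def check_subnet_route(routes, onprem_cidr, vgw_id):
    """The longest-prefix match for the on-premises network must target the VGW."""
    target = ipaddress.ip_network(onprem_cidr)
    best = None
    for route in routes:
        dest = route.get("DestinationCidrBlock")
        if dest is None or route.get("State") != "active":
            continue  # skip IPv6-only entries and blackholed routes
        net = ipaddress.ip_network(dest)
        covers = net.version == target.version and target.subnet_of(net)
        if covers and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    if best is None:
        return False, f"no active route covers {target}"
    net, route = best
    if route.get("GatewayId") != vgw_id:
        return False, f"{net} wins longest-prefix match but does not point to {vgw_id}"
    kind = "propagated" if route.get("Origin") == "EnableVgwRoutePropagation" else "static"
    return True, f"{net} -> {vgw_id} ({kind})"

# Constructed sample data (placeholders, not values from the article).
VPC_CIDR = "10.0.0.0/16"
VGW_ID = "vgw-EXAMPLE"
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
     "Origin": "CreateRouteTable", "State": "active"},
    {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": VGW_ID,
     "Origin": "EnableVgwRoutePropagation", "State": "active"},
    # A more specific route to another target shadows the VGW route for this range.
    {"DestinationCidrBlock": "192.168.10.0/24", "VpcPeeringConnectionId": "pcx-EXAMPLE",
     "Origin": "CreateRoute", "State": "active"},
]

if __name__ == "__main__":
    print(check_allowed_prefixes(VPC_CIDR, ["10.0.0.0/17"]))
    print(check_subnet_route(SAMPLE_ROUTES, "192.168.10.0/24", VGW_ID))
```

The second check also catches a case that the list doesn't spell out: a route entry for the on-premises network exists, but a more specific route sends part of that range to a different target.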

To troubleshoot transit virtual interfaces, see Why can't I connect to VPC resources over a transit virtual interface using a Direct Connect connection?

Related information

How do I configure routing for my Direct Connect private virtual interface?

How can I use BGP communities to control the routes advertised and received over the AWS public virtual interface with Direct Connect?

AWS OFFICIAL | Updated 5 months ago