How can I troubleshoot Direct Connect gateway routing issues?


How do I troubleshoot routing issues between my VPC and on-premises network involving Private VIF and AWS Direct Connect gateway with Virtual Private Gateway as the association?

Short description

I can't connect from an on-premises data center to Virtual Private Cloud (Amazon VPC) resources over a private virtual interface associated with a Direct Connect gateway and virtual private gateway.


Follow these troubleshooting steps for your virtual private gateway.

  • Check the Amazon VPC subnet route table. Make sure that it has a static or propagated route entry for the on-premises network pointing to the virtual private gateway.

  • Be sure that the Direct Connect gateway is associated with the correct virtual private gateway.

  • Make sure that the allowed prefixes for the virtual private gateway's association with the Direct Connect gateway are entered as the entire VPC CIDR, or a CIDR wider than the VPC CIDR. Note: If you specify a CIDR narrower than the VPC CIDR, you won't receive a route on your gateway router.

  • Make sure that your router is advertising the on-premises prefix to AWS over the Border Gateway Protocol (BGP) session of the private VIF.

  • Verify that the security group rules and the network ACLs allow traffic to and from the on-premises network.

  • Verify that the firewall rules on your router allow traffic from the Amazon VPC subnet CIDR.
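The following script is an added example, not part of the AWS article, that turns the first three checklist items into offline checks: it confirms that the subnet route table carries an active static or propagated route for the on-premises prefix via the virtual private gateway, that the Direct Connect gateway association points at the expected virtual private gateway, and that at least one allowed prefix equals or is wider than the VPC CIDR (the case the note above warns about is an allowed prefix narrower than the VPC CIDR). All input data is constructed; it is shaped like the output of the describe-route-tables and describe-direct-connect-gateway-associations API calls, and the gateway IDs and CIDRs are placeholders, not values from any real account.

```python
#!/usr/bin/env python3
"""Offline checks for the subnet route table and the Direct Connect gateway
association's allowed prefixes. All data below is constructed sample input
modelled on the shape of describe-route-tables and
describe-direct-connect-gateway-associations responses; none of it is real
account output."""
import ipaddress

VPC_CIDR = "10.20.0.0/16"            # constructed
ONPREM_CIDR = "192.168.10.0/24"      # constructed
VGW_ID = "vgw-0example1234"          # constructed placeholder id
DXGW_ID = "dxgw-0example5678"        # constructed placeholder id

# Constructed: routes from the VPC subnet's route table.
GOOD_ROUTES = [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": VGW_ID,
     "Origin": "EnableVgwRoutePropagation", "State": "active"},
]

# Constructed: the Direct Connect gateway association for this VGW.
GOOD_ASSOCIATION = {
    "directConnectGatewayId": DXGW_ID,
    "associatedGateway": {"id": VGW_ID, "type": "virtualPrivateGateway"},
    "associationState": "associated",
    "allowedPrefixesToDirectConnectGateway": [{"cidr": "10.20.0.0/16"}],
}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def route_to_onprem(routes, onprem_cidr, vgw_id):
    """Return the most specific active route whose destination covers the
    on-premises prefix and whose target is the virtual private gateway, or
    None when the subnet has no such route (static or propagated)."""
    target = _net(onprem_cidr)
    best = None
    for r in routes:
        if r.get("GatewayId") != vgw_id or r.get("State") != "active":
            continue
        dst = _net(r["DestinationCidrBlock"])
        if dst.version != target.version or not target.subnet_of(dst):
            continue
        if best is None or dst.prefixlen > _net(best["DestinationCidrBlock"]).prefixlen:
            best = r
    return best


def covering_allowed_prefixes(association, vpc_cidr):
    """Return the allowed prefixes that equal or are wider than the VPC CIDR.
    An empty list means every allowed prefix is narrower than the VPC, so the
    on-premises router will not receive a route for the VPC."""
    vpc = _net(vpc_cidr)
    out = []
    for p in association.get("allowedPrefixesToDirectConnectGateway", []):
        allowed = _net(p["cidr"])
        if allowed.version == vpc.version and vpc.subnet_of(allowed):
            out.append(p["cidr"])
    return out


def diagnose(routes, association, vpc_cidr, onprem_cidr, vgw_id, dxgw_id):
    """Run the checks and return a list of findings; an empty list means the
    configuration passes all of them."""
    findings = []
    if route_to_onprem(routes, onprem_cidr, vgw_id) is None:
        findings.append(f"subnet route table has no active route for {onprem_cidr} via {vgw_id}")
    if association.get("directConnectGatewayId") != dxgw_id:
        findings.append(f"association belongs to a different Direct Connect gateway than {dxgw_id}")
    if association.get("associatedGateway", {}).get("id") != vgw_id:
        findings.append(f"Direct Connect gateway is not associated with {vgw_id}")
    elif association.get("associationState") != "associated":
        findings.append(f"association state is {association.get('associationState')!r}, not 'associated'")
    if not covering_allowed_prefixes(association, vpc_cidr):
        findings.append(f"no allowed prefix covers the VPC CIDR {vpc_cidr}; the on-premises router gets no route")
    return findings


if __name__ == "__main__":
    result = diagnose(GOOD_ROUTES, GOOD_ASSOCIATION, VPC_CIDR, ONPREM_CIDR, VGW_ID, DXGW_ID)
    for line in result or ["all checks passed"]:
        print(line)
```

To run it against a real account, replace the constructed dictionaries with the parsed JSON from `aws ec2 describe-route-tables` (the `Routes` list of the subnet's table) and `aws directconnect describe-direct-connect-gateway-associations` (one entry of `directConnectGatewayAssociations`); the checks need no network access themselves.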

To troubleshoot transit virtual interfaces, see Why can't I connect to VPC resources over a transit virtual interface using a Direct Connect connection?

Related information

How do I configure routing for my Direct Connect private virtual interface?

How can I control the routes advertised and received over the AWS public virtual interface with Direct Connect?

AWS OFFICIAL. Updated a year ago.