How do I troubleshoot connectivity between on-premises resources and Amazon VPC through Transit Gateway?
I want to troubleshoot connectivity issues between my on-premises resources and Amazon Virtual Private Cloud (Amazon VPC) through AWS Transit Gateway with AWS Direct Connect or AWS Site-to-Site Virtual Private Network (AWS VPN).
Resolution
To troubleshoot connectivity between on-premises resources and a VPC through Transit Gateway, complete the following actions:
Check instance security group and network ACL rules
Complete the following steps:
- Open the Amazon Elastic Compute Cloud (Amazon EC2) console.
- In the navigation pane, choose Instances.
- Select the Amazon EC2 instance.
- Choose the Security tab.
- Check whether Inbound rules and Outbound rules allow traffic to and from your on-premises network.
- Open the Amazon VPC console.
- In the navigation pane, choose Network ACLs.
- Select the network access control list (network ACL) for your instance's subnet.
- Select Inbound rules and Outbound rules. Then, check if these rules allow traffic to and from your on-premises network.
Check transit gateway attachments
Complete the following steps:
- In the navigation pane, choose Transit Gateway Attachments.
- Select the VPC attachment.
- Under Details, check if the VPC attachment includes a Subnet ID from your Amazon EC2 instance's Availability Zone. A transit gateway delivers traffic only to Availability Zones where the VPC attachment has a subnet, so an instance in an Availability Zone that the attachment doesn't cover is unreachable through the transit gateway.
- If the VPC attachment doesn't include a subnet from your instance's Availability Zone, then add a subnet from your instance's Availability Zone to the attachment. For instructions, see Modify a VPC attachment in AWS Transit Gateway.
Note: The attachment enters a modifying state when you add or change its subnets, and data traffic might be affected while the change applies.
Check network ACLs for transit gateway interfaces
Complete the following steps:
- Open the Amazon EC2 console.
- In the navigation pane, choose Network Interfaces.
- In the search bar, enter Transit Gateway.
- Note the subnet IDs where Transit Gateway created the interfaces.
- Open the Amazon VPC console.
- In the navigation pane, choose Network ACLs.
- In the search bar, enter a subnet ID that you noted earlier. The results show the network ACL for the subnet.
- Check if the Inbound rules and Outbound rules allow the VPC CIDR block and on-premises network CIDR block.
- Repeat the Network ACLs search and the Inbound rules and Outbound rules check for the subnet of each transit gateway network interface that's associated with the VPC.
Note: Traffic from a VPN or Direct Connect connection might enter the VPC through a different Availability Zone or subnet than your instance's Availability Zone. Check network ACLs for all subnets that have network interfaces. For more information about network ACL rule application, see Network ACLs for transit gateways in AWS Transit Gateway.
Verify the subnet route table configuration
Complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Route Tables.
- Select the route table for your source instance.
- Choose the Routes tab.
- Check if Destination shows the on-premises network CIDR block.
- Check if Target shows the transit gateway ID.
If there is no route entry for the destination CIDR block that points to the transit gateway, then add one to the route table. Route selection uses the most specific matching prefix, so also confirm that a more specific route doesn't send the on-premises destination to a different target.
Check Transit Gateway route tables for VPC attachments
Complete the following steps:
- In the navigation pane, choose Transit Gateway Route Tables.
- Select the route table that's associated with the VPC attachment.
- On the Routes tab, check if a route exists for your on-premises network. Also check if Target shows the Direct Connect gateway or VPN attachment, and that the route's state is active rather than blackhole.
- If you use Site-to-Site VPN with static routing and the route is missing, then create a static route for your on-premises network and choose the VPN attachment as the target. If you use dynamic routing (BGP) over VPN or Direct Connect, then the route should be propagated; check that route propagation from that attachment is turned on for this route table.
Check Transit Gateway route table for a Direct Connect gateway or VPN attachment
Complete the following steps:
- In the navigation pane, choose Transit Gateway Route Tables.
- Select the route table that's associated with the AWS Direct Connect gateway or VPN attachment.
- On the Routes tab, check if a route exists for your VPC CIDR block. Then, check if the route's target is the correct transit gateway VPC attachment.
Check Direct Connect gateways for allowed prefixes
Complete the following steps:
- Open the Direct Connect console.
- In the navigation pane, choose Direct Connect gateways.
- Select the Direct Connect gateway that's associated with the transit gateway.
- Under Gateway association, verify that the Allowed prefixes field includes your VPC CIDR block, or a prefix that contains it. These prefixes are what the Direct Connect gateway advertises to your on-premises router, so a VPC CIDR block that isn't covered has no return path from on-premises.
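The attachment, network ACL, subnet route table, transit gateway route table and allowed-prefix checks above can be scripted against the JSON that the AWS CLI returns instead of clicking through the console. The following is an added example written for this article, not AWS code. Every input is a constructed dictionary in the shape of `aws ec2 describe-route-tables`, `describe-network-acls`, `search-transit-gateway-routes` and `describe-transit-gateway-vpc-attachments` output, the resource IDs, CIDR blocks and Availability Zones are invented, and the allowed-prefix list is a plain list of CIDR strings rather than the Direct Connect API response. Only the Python standard library is used.

```python
"""Offline versions of the attachment, network ACL, route table and allowed-prefix
checks.  Added example for this article, not AWS code.  Inputs are constructed
dictionaries in the shape of the AWS CLI's describe-route-tables, describe-network-acls,
search-transit-gateway-routes and describe-transit-gateway-vpc-attachments output."""
import ipaddress

VPC_CIDR, ONPREM_CIDR = "10.0.0.0/16", "192.168.0.0/16"   # constructed sample ranges

# Constructed: route table of the instance subnet (10.0.0.0/16 is the local route).
VPC_ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": ONPREM_CIDR, "TransitGatewayId": "tgw-0123456789abcdef0", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
]}

# Constructed: TGW route table for the VPC attachment; the static /24 blackhole is more specific than the /16.
TGW_ROUTES = [
    {"DestinationCidrBlock": VPC_CIDR, "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0vpc", "ResourceType": "vpc"}]},
    {"DestinationCidrBlock": ONPREM_CIDR, "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": "tgw-attach-0dxgw",
                                   "ResourceType": "direct-connect-gateway"}]},
    {"DestinationCidrBlock": "192.168.99.0/24", "Type": "static", "State": "blackhole",
     "TransitGatewayAttachments": []},
]

# Constructed: NACL on the instance subnet; HTTPS in from on-premises and ephemeral replies out only.
NACL = {"Entries": [
    {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": ONPREM_CIDR, "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": ONPREM_CIDR, "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
]}

# Constructed: attachment subnets, subnet-to-AZ map (as from describe-subnets) and DXGW allowed prefixes.
VPC_ATTACHMENT = {"TransitGatewayAttachmentId": "tgw-attach-0vpc", "SubnetIds": ["subnet-0a", "subnet-0b"]}
SUBNET_AZ = {"subnet-0a": "us-east-1a", "subnet-0b": "us-east-1b", "subnet-0c": "us-east-1c"}
ALLOWED_PREFIXES = ["10.0.0.0/16", "10.1.0.0/16"]

VPC_TARGET_KEYS = ("GatewayId", "TransitGatewayId", "NatGatewayId", "NetworkInterfaceId",
                   "VpcPeeringConnectionId", "InstanceId", "LocalGatewayId")


def longest_match(routes, dst_ip):
    """Most specific route whose CIDR contains dst_ip; VPC and TGW tables both select this way."""
    ip, best = ipaddress.ip_address(dst_ip), None
    for r in routes:
        cidr = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        net = ipaddress.ip_network(cidr, strict=False) if cidr else None
        if net and ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return best[1] if best else None


def vpc_route_target(route_table, dst_ip):
    """(target id, state) of the subnet route used for dst_ip, or (None, None) if no route matches."""
    r = longest_match(route_table["Routes"], dst_ip)
    if r is None:
        return None, None
    return next((r[k] for k in VPC_TARGET_KEYS if k in r), None), r["State"]


def tgw_next_hop(tgw_routes, dst_ip):
    """(attachment id, state) of the TGW route used for dst_ip.  A blackhole route carries
    no attachment but still wins longest-prefix match and drops the traffic."""
    r = longest_match(tgw_routes, dst_ip)
    if r is None:
        return None, None
    atts = r["TransitGatewayAttachments"]
    return (atts[0]["TransitGatewayAttachmentId"] if atts else None), r["State"]


def nacl_verdict(nacl, egress, peer_ip, protocol, dst_port):
    """Evaluate one direction of a NACL as the VPC does: ascending rule number, first match
    decides, no connection tracking.  protocol is the IANA number as a string ('6' TCP)."""
    ip = ipaddress.ip_address(peer_ip)
    for e in sorted((e for e in nacl["Entries"] if e["Egress"] == egress), key=lambda e: e["RuleNumber"]):
        cidr = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
        if ip not in ipaddress.ip_network(cidr, strict=False) or e["Protocol"] not in ("-1", protocol):
            continue
        pr = e.get("PortRange")
        if pr and not pr["From"] <= dst_port <= pr["To"]:
            continue
        return e["RuleAction"]
    return "deny"   # only reached if the * rule was stripped from the input


def attachment_covers_az(attachment, subnet_az, instance_az):
    """The TGW delivers only to Availability Zones where the VPC attachment has a subnet."""
    return instance_az in {subnet_az[s] for s in attachment["SubnetIds"]}


def allowed_prefixes_cover(prefixes, vpc_cidr):
    """True if some allowed prefix contains the VPC CIDR (exact match or supernet)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return any(vpc.subnet_of(ipaddress.ip_network(p)) for p in prefixes)


if __name__ == "__main__":
    onprem_host = "192.168.10.5"
    print("subnet route to on-prem :", vpc_route_target(VPC_ROUTE_TABLE, onprem_host))
    print("tgw route to on-prem    :", tgw_next_hop(TGW_ROUTES, onprem_host))
    print("tgw route to blackholed :", tgw_next_hop(TGW_ROUTES, "192.168.99.7"))
    print("NACL in 443 / out reply / out ssh:", nacl_verdict(NACL, False, onprem_host, "6", 443),
          nacl_verdict(NACL, True, onprem_host, "6", 50432), nacl_verdict(NACL, True, onprem_host, "6", 22))
    print("attachment covers 1c    :", attachment_covers_az(VPC_ATTACHMENT, SUBNET_AZ, "us-east-1c"))
    print("DXGW prefixes cover VPC :", allowed_prefixes_cover(ALLOWED_PREFIXES, VPC_CIDR))
```

To run this against a real account, load the CLI output with `json.load()` and pass `RouteTables[i]` from `describe-route-tables`, `NetworkAcls[i]` from `describe-network-acls`, and `Routes` from `search-transit-gateway-routes`. The three NACL calls illustrate the stateless caveat from the network ACL section: the reply to an inbound HTTPS connection is allowed by the ephemeral-port egress rule, but an SSH session that the instance initiates toward on-premises is denied until an egress rule for port 22 exists. The blackhole call shows why the route's state matters: the static /24 blackhole is more specific than the propagated /16, so hosts in that /24 are dropped even though a route to the Direct Connect gateway attachment exists.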
Check the Network Firewall configuration or third-party firewall appliance configuration
Verify whether you implemented a centralized inspection model to inspect North-South traffic. If you did, then verify that the AWS Network Firewall stateless rules forward the traffic to the stateful engine and that the stateful (Suricata-compatible) rules allow all necessary traffic in both directions. For more information about Suricata, see Suricata on the official Suricata website. For more information about centralized inspection models, see Deployment models for AWS Network Firewall and VPC-to-on-premises traffic inspection.
If you use a third-party virtual appliance for inspection, then make sure that the firewall rules allow all necessary traffic.
Check on-premises firewall devices for VPC traffic rules
Verify that your on-premises firewall devices allow all necessary traffic between both networks. For instructions, refer to your firewall vendor documentation.
Check the on-premises server’s firewalls
If the on-premises server uses an operating system (OS) firewall, then verify that it allows traffic to and from the VPC CIDR block.
Analyze routes with Route Analyzer
Prerequisite: Create a global network with AWS Global Networks.
To analyze your routes with Route Analyzer for AWS Network Manager, complete the following steps:
- Open the Amazon VPC console.
- In the navigation pane, choose Network Manager.
- Choose the global network where you registered your transit gateway.
- In the navigation pane, choose Transit Gateway Network. Then, choose Route Analyzer.
- For Source and Destination, enter a transit gateway, the transit gateway attachment, and an IP address. Make sure that you use the same transit gateway in both Source and Destination fields.
- Choose Run route analysis.
Note: After you run the route analysis, Route Analyzer shows a Connected or Not Connected status. If the status is Not Connected, then apply the routing recommendations that Route Analyzer provides, and then run the analysis again.
Related information
How do I troubleshoot VPC-to-VPC connectivity through a transit gateway?
Diagnosing traffic disruption using AWS Transit Gateway Network Manager Route Analyzer