Why can't I connect to Amazon VPC when I use a Site-to-Site VPN that terminates on a transit gateway?


I want to use an AWS Site-to-Site VPN that terminates on a transit gateway to connect to resources in Amazon Virtual Private Cloud (Amazon VPC).

Resolution

To troubleshoot errors that prevent a Site-to-Site VPN that terminates on a transit gateway from connecting to Amazon VPC resources, take the following actions:

Troubleshoot the Site-to-Site VPN connection

Verify that the Site-to-Site VPN connection's tunnels are UP. If the connection is DOWN, then troubleshoot Internet Key Exchange (IKE)/phase 1 and IKE/phase 2 failures. For more information, see How do I troubleshoot AWS VPN tunnel inactivity or tunnel down on my customer gateway device?

Troubleshoot the transit gateway connection

Use the Amazon VPC console to activate propagation, and then define a static route. Make sure that the associated subnets cover the Availability Zone (AZ) that contains the destination resource.

Activate propagation

On the transit gateway route tables, activate propagation from the Site-to-Site VPN attachment and the source Amazon VPC attachment. To propagate routes, complete the following steps:

  1. On the navigation pane, choose Transit Gateway Route Tables.
  2. Select the route table that's associated with the source Amazon VPC attachment.
  3. Choose Actions, Create propagation.
  4. On the Create propagation page, choose the Site-to-Site VPN attachment.
  5. Choose Create propagation.
    Note: After the propagation is created, the transit gateway automatically adds the on-premises routes to the route table that's associated with the source attachment.
  6. On the navigation pane, choose Transit Gateway Route Tables.
  7. Select the route table that's associated with the Site-to-Site VPN attachment, and then repeat steps 3 through 5 for the source Amazon VPC attachment.
  8. Verify that a subnet is associated with the transit gateway VPC attachment.

Define a static route

On the Amazon VPC route table, define a static route for the on-premises CIDRs that points to your transit gateway. To update the routes for a VPC route table, complete the following steps:

  1. In the navigation pane, choose Route tables, and select the route table.
  2. Choose Actions, Edit routes.
  3. To add a route, choose Add route. For Destination enter the destination on-premises CIDR block, a single IP address, or the ID of a prefix list.
    To modify a route, for Destination, replace the destination on-premises CIDR block or single IP address. For Target, choose a target gateway.
    To delete a route, choose Remove.
  4. Choose Save changes.

Check the associated subnet

Use the Amazon VPC console to verify that the associated subnets cover the AZ in the VPC that contains the destination resource. If the attachment has no subnet in the necessary AZ, then complete the following steps:

  1. On the navigation pane, choose Transit Gateway Attachments.
  2. Select the VPC attachment, and then choose Actions.
  3. Choose Modify transit gateway attachment.
  4. To add or remove a subnet from the attachment, choose or clear Subnet ID next to the subnet that must be added or removed.

Verify that the VPC's security group and subnet network access control list (ACL) allow the necessary traffic. Then, verify that the transit gateway attachment's subnet network ACLs allow the necessary traffic.

Note: Apply the rules that correspond to the Amazon Elastic Compute Cloud (Amazon EC2) instance's placement: the required security group and network ACL rules differ depending on whether the instance is in the same subnet as the transit gateway attachment or in a different subnet.
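The tunnel check and the transit gateway procedure above (propagation in both route tables, the VPC static route, and AZ coverage of the attachment) can be verified programmatically from the output of the matching AWS CLI describe/search calls. The following Python is an added example, not AWS code: the dictionaries are constructed sample data shaped like the output of describe-vpn-connections, search-transit-gateway-routes, describe-route-tables and describe-transit-gateway-vpc-attachments, with placeholder IDs, and diagnose() reports which step of the procedure is missing.

```python
"""Offline checker for the transit gateway VPN path (added example, not AWS code).

All data here is constructed sample data shaped like AWS CLI output; the
resource IDs are placeholders, not real resources.
"""
import ipaddress

TGW_ID = "tgw-0123456789abcdef0"
VPN_ATTACHMENT = "tgw-attach-0aaaaaaaaaaaaaaaa"
VPC_ATTACHMENT = "tgw-attach-0bbbbbbbbbbbbbbbb"
ONPREM_CIDR = "192.168.0.0/16"
VPC_CIDR = "10.0.0.0/16"

# describe-vpn-connections: VgwTelemetry has one entry per tunnel.
VPN = {
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "TransitGatewayId": TGW_ID,
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
        {"OutsideIpAddress": "203.0.113.11", "Status": "UP"},
    ],
}
# search-transit-gateway-routes, one list per transit gateway route table.
VPC_RT_ROUTES = [  # table associated with the VPC attachment (forward path)
    {"DestinationCidrBlock": ONPREM_CIDR, "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [
         {"TransitGatewayAttachmentId": VPN_ATTACHMENT, "ResourceType": "vpn"}]},
]
VPN_RT_ROUTES = [  # table associated with the VPN attachment (return path)
    {"DestinationCidrBlock": VPC_CIDR, "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [
         {"TransitGatewayAttachmentId": VPC_ATTACHMENT, "ResourceType": "vpc"}]},
]
# describe-route-tables: Routes of the subnet route table in the VPC.
VPC_ROUTES = [
    {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": ONPREM_CIDR, "TransitGatewayId": TGW_ID, "State": "active"},
]
# describe-transit-gateway-vpc-attachments, plus a subnet -> AZ map (describe-subnets).
ATTACHMENT = {"TransitGatewayAttachmentId": VPC_ATTACHMENT,
              "SubnetIds": ["subnet-0aaa", "subnet-0bbb"]}
SUBNET_AZS = {"subnet-0aaa": "us-east-1a", "subnet-0bbb": "us-east-1b",
              "subnet-0ccc": "us-east-1c"}


def longest_match(routes, cidr):
    """Return the route whose destination most specifically covers cidr, or None."""
    target = ipaddress.ip_network(cidr)
    covering = [r for r in routes
                if target.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))]
    if not covering:
        return None
    return max(covering,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)


def _active_via(route, resource_type):
    """True if a transit gateway route is active and targets an attachment of that type."""
    return (route is not None and route["State"] == "active"
            and any(a["ResourceType"] == resource_type
                    for a in route["TransitGatewayAttachments"]))


def diagnose(vpn, vpc_rt_routes, vpn_rt_routes, vpc_routes, attachment, subnet_azs,
             onprem_cidr, vpc_cidr, target_az):
    """Return findings for the routing layer; an empty list means it looks correct.

    Security groups, network ACLs and the host firewall are separate checks.
    """
    findings = []
    # 1. Tunnel state: with both tunnels DOWN nothing else on the path matters.
    up = [t["OutsideIpAddress"] for t in vpn["VgwTelemetry"] if t["Status"] == "UP"]
    if not up:
        findings.append("both VPN tunnels DOWN: troubleshoot IKE phase 1 / phase 2 "
                        "on the customer gateway device")
    elif len(up) == 1:
        findings.append(f"only one tunnel UP ({up[0]}): traffic flows, redundancy is lost")
    # 2. Forward path: the VPC attachment's table must send the on-prem CIDR to the VPN.
    if not _active_via(longest_match(vpc_rt_routes, onprem_cidr), "vpn"):
        findings.append(f"TGW route table for the VPC attachment has no active route for "
                        f"{onprem_cidr} via the VPN attachment: create propagation or a static route")
    # 3. Return path: the VPN attachment's table must reach the VPC CIDR.
    if not _active_via(longest_match(vpn_rt_routes, vpc_cidr), "vpc"):
        findings.append(f"TGW route table for the VPN attachment has no active route for "
                        f"{vpc_cidr} via the VPC attachment: create propagation from the VPC attachment")
    # 4. VPC route table: the most specific covering route must target this transit
    #    gateway; a 'local' or blackhole route that wins the longest match breaks the path.
    r = longest_match(vpc_routes, onprem_cidr)
    if r is None or r.get("TransitGatewayId") != vpn["TransitGatewayId"] or r.get("State") != "active":
        findings.append(f"VPC route table has no active route for {onprem_cidr} "
                        f"that targets {vpn['TransitGatewayId']}")
    # 5. AZ coverage: the attachment needs a subnet in the destination instance's AZ.
    covered = {subnet_azs[s] for s in attachment["SubnetIds"]}
    if target_az not in covered:
        findings.append(f"TGW VPC attachment has no subnet in {target_az}: "
                        f"modify the attachment to add one")
    return findings


if __name__ == "__main__":
    result = diagnose(VPN, VPC_RT_ROUTES, VPN_RT_ROUTES, VPC_ROUTES, ATTACHMENT,
                      SUBNET_AZS, ONPREM_CIDR, VPC_CIDR, "us-east-1a")
    for line in result or ["routing layer OK"]:
        print(line)
```

To use it against a real account, replace the constructed dictionaries with the JSON from the named CLI calls. Longest-prefix matching matters in step 4: a more specific route for part of the on-premises range that points somewhere else silently overrides the transit gateway route for that part, which a simple "is there a route with this CIDR" check would miss.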

Troubleshoot routing connection errors

Important: It's a best practice to use dynamic routing, which uses Border Gateway Protocol (BGP), instead of static routing. If the customer gateway device supports dynamic routing, then make sure that BGP is configured on the Site-to-Site VPN connection.

Complete the following based on the type of routing that the connection uses.

Dynamic routing

Use transit gateway flow logs to check whether the traffic is routed correctly. If it isn't routed correctly, then verify the following configurations:

  • The customer gateway device is configured with an active/active setup.
  • The prefixes and BGP attributes advertised on the customer gateway device and configured on the Site-to-Site VPN match.
  • Asymmetric routing support is turned on on the customer gateway device.
  • The customer gateway device advertises the on-premises routes to the Site-to-Site VPN endpoints.
  • The customer gateway device receives routes from the Site-to-Site VPN endpoints that are associated with the Amazon VPC CIDRs.
  • The customer gateway device's route table contains a route associated with the Amazon VPC CIDR that points to the AWS peer's virtual tunnel interface.
  • Equal-cost multi-path routing (ECMP) support is active on the transit gateway.

Static routing

Verify that the customer gateway device has a static route for the AWS network that points to the virtual tunnel interface. If you're using a policy-based Site-to-Site VPN, then verify that the policies on AWS and the on-premises network match.

Troubleshoot connection errors on the host

On the Amazon Elastic Compute Cloud (Amazon EC2) instance in the Amazon VPC that's the target of the traffic, complete the following steps:

  1. Verify that the target Amazon EC2 instance's OS-level firewall allows both inbound and outbound traffic.
  2. Make sure that the application that's running on the target server listens on the specified port and protocol:
    Windows PowerShell or Command Prompt
    netstat -a
    Linux terminal
    netstat -plantu
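A LISTEN row in the netstat output is not enough on its own: a service bound only to 127.0.0.1 or ::1 shows as listening but cannot be reached over the VPN. The following Python is an added example, not AWS code; SAMPLE_NETSTAT is constructed Linux `netstat -plantu` output with placeholder process names and PIDs, and listener_status() tells the two cases apart.

```python
"""Check whether a service on the target instance is bound on a reachable
address (added example, not AWS code). SAMPLE_NETSTAT is constructed
`netstat -plantu` output, not captured from a real host."""

SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      812/mysqld
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      640/sshd
tcp        0      0 10.0.1.25:22            192.168.4.7:51522       ESTABLISHED 640/sshd
tcp6       0      0 :::443                  :::*                    LISTEN      901/nginx
udp        0      0 0.0.0.0:68              0.0.0.0:*                           455/dhclient
"""


def _is_loopback(addr):
    """Wildcard binds (0.0.0.0, ::) and VPC addresses are not loopback."""
    return addr.startswith("127.") or addr == "::1"


def listener_status(netstat_output, proto, port):
    """Return 'reachable', 'loopback-only' or 'not-listening' for proto/port.

    proto 'tcp' matches tcp and tcp6 rows, and only LISTEN rows count for
    tcp (ESTABLISHED rows are skipped). udp rows have no State column, so
    every udp socket on the port counts as a listener.
    """
    bound = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip headers and rows for the other protocol.
        if len(fields) < 6 or not fields[0].startswith(proto):
            continue
        if fields[0].startswith("tcp") and fields[5] != "LISTEN":
            continue
        # rpartition handles IPv6 forms such as ':::443' -> ('::', '443').
        addr, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            bound.append(addr)
    if any(not _is_loopback(a) for a in bound):
        return "reachable"
    return "loopback-only" if bound else "not-listening"


if __name__ == "__main__":
    for proto, port in [("tcp", 22), ("tcp", 3306), ("tcp", 443), ("tcp", 8080), ("udp", 68)]:
        print(proto, port, listener_status(SAMPLE_NETSTAT, proto, port))
```

A result of "reachable" only says the socket is bound on a non-loopback address; the OS firewall, the security group and the network ACL still have to allow the port and protocol.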

Related information

How do I configure my Site-to-Site VPN connection to prefer tunnel A over tunnel B?

Monitor AWS Site-to-Site VPN tunnels using Amazon CloudWatch

How do I troubleshoot BGP connection issues over VPN?

AWS Site-to-Site VPN customer gateway devices

AWS OFFICIAL
Updated 2 months ago