Why can't I connect to my VPC when using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway?
I'm using an AWS Site-to-Site VPN connection that terminates on a virtual private gateway (VGW). But I can't access resources in the virtual private cloud (VPC).
Resolution
Using the AWS Management Console, check that the Site-to-Site VPN connection's tunnel status is UP. If the connection is DOWN, then follow the troubleshooting steps for resolving connection downtime for phase 1 failures and phase 2 failures.
Verify that the encryption domain that's configured on the customer gateway device is broad enough to cover both the local (on-premises) and the remote (AWS) network CIDRs. Site-to-Site VPN is a route-based virtual private network (VPN) solution, so by default the local and remote network CIDRs are set to any/any (0.0.0.0/0). AWS limits the tunnel to a single pair of security associations (SAs), one inbound and one outbound. So, if multiple networks are defined to communicate through the tunnel, then multiple security associations are negotiated, and this setup causes a network connectivity failure.
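The following added Python check (not part of the original article or of any AWS tool) shows the failure mode just described: it takes a constructed list of traffic-selector pairs as a customer gateway device might be configured, flags a configuration that would negotiate more than one SA pair, and reports any on-premises/VPC CIDR combination that no selector covers. The CIDRs and selector lists are constructed sample values.

```python
import ipaddress
from itertools import product

# Constructed example of an encryption domain (traffic selectors / proxy IDs) as
# it might be configured on a customer gateway device: one (local, remote) CIDR
# pair per entry. A device that lists several pairs negotiates one IPsec SA pair
# per entry, but the AWS side of the tunnel carries only a single SA pair.
NARROW_SELECTORS = [
    ("10.10.1.0/24", "172.31.0.0/20"),
    ("10.10.2.0/24", "172.31.0.0/20"),
]
ANY_ANY_SELECTORS = [("0.0.0.0/0", "0.0.0.0/0")]  # the AWS default for route-based VPN

# Constructed networks that must be able to talk across the tunnel.
ON_PREM_CIDRS = ["10.10.1.0/24", "10.10.2.0/24"]
VPC_CIDRS = ["172.31.0.0/16"]


def covers(selector_cidr, network_cidr):
    """True if the whole network_cidr falls inside selector_cidr."""
    selector = ipaddress.ip_network(selector_cidr, strict=False)
    network = ipaddress.ip_network(network_cidr, strict=False)
    return network.version == selector.version and network.subnet_of(selector)


def check_encryption_domain(selectors, on_prem_cidrs, vpc_cidrs):
    """Return a list of findings; an empty list means the domain looks fine."""
    findings = []
    if len(selectors) > 1:
        findings.append(
            f"{len(selectors)} traffic selectors would negotiate {len(selectors)} SA pairs; "
            "AWS allows one pair per tunnel, so collapse them to 0.0.0.0/0 <-> 0.0.0.0/0"
        )
    # Every on-prem/VPC combination must sit inside some selector pair;
    # otherwise that traffic is never sent into the tunnel.
    for local, remote in product(on_prem_cidrs, vpc_cidrs):
        if not any(covers(sel_local, local) and covers(sel_remote, remote)
                   for sel_local, sel_remote in selectors):
            findings.append(f"no selector covers {local} <-> {remote}")
    return findings


if __name__ == "__main__":
    for name, selectors in (("narrow", NARROW_SELECTORS), ("any/any", ANY_ANY_SELECTORS)):
        print(name, check_encryption_domain(selectors, ON_PREM_CIDRS, VPC_CIDRS) or ["ok"])
```

With the narrow selectors the check reports three findings (two SA pairs, plus the /20 selector not covering the VPC's /16 for either on-premises subnet); with the any/any default it reports none.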
For an active/active setup (where both tunnels are UP), make sure that asymmetric routing is supported and activated on the customer gateway device. If you haven't turned on asymmetric routing, then AWS randomly selects the egress tunnel (AWS to customer gateway traffic). For dynamic VPN, use AS_PATH prepending or the MED BGP attribute to steer return traffic from the VPC to the customer gateway device through a single tunnel.
For dynamic VPN, make sure that the customer gateway device is advertising the local routes to the AWS peers. Also check that the customer gateway device is receiving the VPC network CIDRs.
Verify the routing on the VPC route tables. It's a best practice to turn on VGW route propagation to automatically propagate the VPN routes to the VPC route tables. Or if route propagation is turned off, you can add a static route for the on-premises network to route through the VGW.
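As an added example (not from the original article), the Python check below reproduces the route-table verification step offline. It reads a constructed dictionary shaped like the output of `aws ec2 describe-route-tables` (only the fields the check needs; the `rtb-`, `igw-` and `vgw-` IDs are placeholders) and decides, using the same longest-prefix-match rule the VPC applies, whether traffic for the on-premises CIDR would leave through the VGW. It also returns the two real AWS CLI commands (enable propagation, or add a static route) that the article offers as the fix.

```python
import ipaddress

# Constructed samples shaped like `aws ec2 describe-route-tables` output (only the
# fields this check reads). The resource IDs are placeholders, not real resources.
VGW_ID = "vgw-EXAMPLE"
BROKEN_ROUTE_TABLE = {
    "RouteTableId": "rtb-EXAMPLE",
    "PropagatingVgws": [],  # propagation turned off
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
    ],
}
FIXED_ROUTE_TABLE = {
    "RouteTableId": "rtb-EXAMPLE",
    "PropagatingVgws": [{"GatewayId": VGW_ID}],
    "Routes": BROKEN_ROUTE_TABLE["Routes"] + [
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": VGW_ID,
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
    ],
}


def diagnose_vpc_routing(route_table, on_prem_cidr, vgw_id):
    """Check whether traffic for on_prem_cidr leaves this route table via vgw_id.

    VPC routing is longest-prefix match, so the most specific active route that
    covers the on-premises CIDR decides; a propagated /16 loses to a more
    specific static route that points somewhere else.
    """
    on_prem = ipaddress.ip_network(on_prem_cidr, strict=False)
    best_route, best_net = None, None
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock")
        if dest is None or route.get("State") != "active":
            continue  # IPv6-only or blackholed routes never carry this traffic
        net = ipaddress.ip_network(dest, strict=False)
        if net.version != on_prem.version:
            continue
        if on_prem.subnet_of(net) and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_route, best_net = route, net
    propagating = any(p.get("GatewayId") == vgw_id
                      for p in route_table.get("PropagatingVgws", []))
    target = best_route.get("GatewayId") if best_route else None
    return {
        "propagation_enabled": propagating,
        "matched_route": str(best_net) if best_net else None,
        "target": target,
        "ok": target == vgw_id,
    }


def remediation_commands(route_table, on_prem_cidr, vgw_id):
    """The two fixes the article describes, as AWS CLI invocations."""
    rtb = route_table["RouteTableId"]
    return [
        f"aws ec2 enable-vgw-route-propagation --route-table-id {rtb} --gateway-id {vgw_id}",
        f"aws ec2 create-route --route-table-id {rtb} "
        f"--destination-cidr-block {on_prem_cidr} --gateway-id {vgw_id}",
    ]


if __name__ == "__main__":
    on_prem = "10.10.0.0/16"  # constructed on-premises network
    for table in (BROKEN_ROUTE_TABLE, FIXED_ROUTE_TABLE):
        result = diagnose_vpc_routing(table, on_prem, VGW_ID)
        print(result)
        if not result["ok"]:
            print("\n".join(remediation_commands(table, on_prem, VGW_ID)))
```

Against the broken table the only covering route is the default route to the internet gateway, so the check fails and prints the remediation commands; against the fixed table the propagated 10.10.0.0/16 route wins the longest-prefix match and the check passes. To run it against a live account, feed the first element of `RouteTables` from `aws ec2 describe-route-tables --route-table-ids <id>` (or the equivalent boto3 call) in place of the constructed dictionary.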
Confirm that traffic is allowed (inbound and outbound) on the target host or instance firewall. On Windows, check that the Windows firewall allows the traffic. On Linux systems, verify that iptables, firewalld, or other similar host firewalls allow the corresponding traffic.
Check that the application that's running on the target server is listening on the expected port and protocol (TCP/UDP). Run the following commands: