Trace route via TGW and VPC

Instead of the default ICMP based traceroute can you try TCP based traceroute and see if it works. Below is just an example of trace over port 22 (SSH), make sure SGs and NACLs allow the TCP port appropriately.

TCP-based traceroute:

sudo traceroute -n -T -p 22 <IP Address>

You also want to make sure forward routing and reverse routing is in place end-to-end for this to work, in other words it could be a routing issue also.

Also see https://serverfault.com/questions/374620/does-traceroute-use-udp-or-icmp-or-both - in particular "All versions of traceroute rely on ICMP type 11 (Time exceeded) responses from each hop along the route ... These packets are inbound, not outbound."

Do you see last hop or not? TGW donot support ICMP trace route on intermediate hops. It will just show you last hop like below ( trace route VPC to VPC across my TGW).

[ec2-user@ip-10-1-5-10 ~]$ traceroute 10.2.5.10 traceroute to 10.2.5.10 (10.2.5.10), 30 hops max, 60 byte packets 1 * * * 2 ip-10-2-5-10.eu-west-1.compute.internal (10.2.5.10) 1.045 ms * 1.024 ms

If its not even showing your last hop then definitely routing or sg/acl issue.

If you are trying to troubleshoot some connectivity issue through trace route then its better to use Reachability analyzer . Much easier to troubleshoot cross TGW connectivity issues.

https://aws.amazon.com/blogs/networking-and-content-delivery/visualize-and-diagnose-network-reachability-across-aws-accounts-using-reachability-analyzer/

Alternatively you can enable Flow logs on TGW ENI and Source/Dest EC2 ENI for possible rejects or absence of packet(routing issu) https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html

Accept answer if that helps