How do I troubleshoot issues with Amazon VPC route tables?


I want to troubleshoot issues that I have with my Amazon Virtual Private Cloud (Amazon VPC) route tables.

Short description

Each subnet in an Amazon VPC is associated with a route table that controls routing for that subnet. The routing options for your Amazon VPC depend on the type of gateway or connection that you use. A public subnet has a direct route to an internet gateway, so resources in a public subnet can reach the public internet directly. A private subnet doesn't have a direct route to an internet gateway, so resources in a private subnet require a NAT device to reach the public internet.

Troubleshoot your subnet and route tables based on the types of gateways or connections that your subnet has:

  • Public subnets that use an internet gateway as the target for the default route (0.0.0.0/0 for IPv4 and ::/0 for IPv6)
  • Private subnets that use NAT instances or NAT gateways
  • Private subnets that use VPC peering connections
  • Private subnets that use AWS Virtual Private Network (AWS VPN)
  • Private subnets that use AWS Direct Connect
  • Private subnets that use Amazon VPC gateway endpoints
  • Private subnets that use Amazon VPC virtual interface endpoints
  • Private subnets that use AWS Transit Gateway

Also, to understand your Amazon VPC resources and how traffic flows from your subnets to gateways and connections, use the resource map. The following resources are visible in the resource map:

  • VPCs
  • Subnets
  • Route tables
  • Internet gateways
  • Egress-only internet gateways
  • NAT gateways
  • Gateway endpoints

Resolution

Public subnets

Public subnets that use an internet gateway as the target for the default route

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Subnets, choose your public subnet.
  3. Choose the Route Table view.
  4. Confirm that the route table destination has a default route (0.0.0.0/0 for IPv4 and ::/0 for IPv6) that points to an internet gateway.

For more information, see How do I troubleshoot connectivity issues from the internet to Amazon EC2 instances within my VPC?

Private subnets

Private subnets that use NAT instances or NAT gateways

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Subnets, select your private subnet.
  3. Choose the Route Table view. Confirm that the route table has a default route (0.0.0.0/0) that points to a NAT instance or gateway.
  4. Confirm that the NAT device is created in a public subnet. Then, perform the checks that are required for public subnets in the preceding Public subnets section.
    Note: If you're using a NAT instance, then make sure that you turn off the source/destination check on the instance.
  5. To configure your Amazon VPC with IPv6 so that internet traffic doesn't route to your instances in a private subnet, use egress-only internet gateways. For more information, see Turn on outbound IPv6 traffic using an egress-only internet gateway.
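The checks from the Public subnets and NAT sections above, as an added example that is not AWS's own tooling: it audits route tables in the shape returned by aws ec2 describe-route-tables (default route target, blackhole routes, NAT device placed in a public subnet, NAT instance source/destination check). The sample route tables, the nat_devices mapping and every resource ID are constructed placeholders, so it runs offline without AWS calls.

```python
DEFAULT_DESTS = {"0.0.0.0/0", "::/0"}
TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "EgressOnlyInternetGatewayId",
               "VpcPeeringConnectionId", "TransitGatewayId", "NetworkInterfaceId")
# Default-route target prefix -> subnet type, in priority order.
KIND_BY_PREFIX = {"igw-": "public", "nat-": "private-nat", "i-": "private-nat",
                  "eigw-": "private-egress-only", "tgw-": "private-tgw", "vgw-": "private-vpn"}

def route_target(route):
    """Target ID of a route, whichever target key the EC2 API populated ('' if none)."""
    return next((route[k] for k in TARGET_KEYS if k in route), "")

def route_destination(route):
    return (route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            or route.get("DestinationPrefixListId"))

def classify(route_table):
    """Subnet type from its usable default routes; blackhole routes don't count."""
    kinds = {KIND_BY_PREFIX.get(route_target(r).split("-")[0] + "-")
             for r in route_table["Routes"]
             if route_destination(r) in DEFAULT_DESTS and r.get("State") != "blackhole"}
    return next((k for k in KIND_BY_PREFIX.values() if k in kinds), "isolated")

def audit(rt, rt_by_subnet, nat_devices):
    """Checks from the steps above for one route table: no blackhole routes, NAT device
    in a public subnet, NAT instance source/destination check off. nat_devices maps a
    NAT gateway or instance ID to {'SubnetId', 'SourceDestCheck'} (constructed shape)."""
    findings = []
    for r in rt["Routes"]:
        dest, target = route_destination(r), route_target(r)
        if r.get("State") == "blackhole":
            findings.append(f"blackhole route {dest} -> {target}")
        elif dest in DEFAULT_DESTS and target.startswith(("nat-", "i-")):
            dev = nat_devices.get(target, {})
            if classify(rt_by_subnet.get(dev.get("SubnetId"), {"Routes": []})) != "public":
                findings.append(f"NAT device {target} is not in a public subnet")
            if target.startswith("i-") and dev.get("SourceDestCheck", True):
                findings.append(f"NAT instance {target} has source/destination check on")
    return findings

# Constructed sample in describe-route-tables shape; all IDs are placeholders.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
RT_PUBLIC = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}
RT_PRIVATE = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"},
                         {"DestinationPrefixListId": "pl-0example", "GatewayId": "vpce-0example"}]}
RT_BROKEN = {"Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-0natexample"},
    {"DestinationCidrBlock": "172.16.0.0/16", "VpcPeeringConnectionId": "pcx-0gone", "State": "blackhole"}]}
RT_BY_SUBNET = {"subnet-pub": RT_PUBLIC, "subnet-priv": RT_PRIVATE, "subnet-broken": RT_BROKEN}
NAT_DEVICES = {"nat-0example": {"SubnetId": "subnet-pub"},
               "i-0natexample": {"SubnetId": "subnet-priv", "SourceDestCheck": True}}
```

Running audit over each entry of RT_BY_SUBNET reproduces the console walk-through: the public and NAT-gateway tables are clean, while the third table reports a NAT instance sitting in a private subnet with its source/destination check still on, plus a blackhole route left behind by a deleted peering connection.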

Private subnets that use VPC peering connections

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Peering Connections, and then choose your peering connection.
  3. Confirm that the status is Active.
  4. From the navigation pane, choose Subnets, and then select the subnets of the Amazon VPC.
  5. Choose the Route Tables view, and then confirm that the route tables have one of the following routes:
    To the CIDRs of specific subnets in the peered Amazon VPC.
    To the entire CIDR of the peered Amazon VPC, with the peering connection that you chose in step 2 as the target.
  6. Confirm that the route tables include all the subnets for the peered Amazon VPC.
  7. Perform the same checks on the peered Amazon VPC.

Note: Make sure that the VPC peering connection configurations are valid.

For more information, see How do I troubleshoot problems establishing communication over VPC peering?

Private subnets that use AWS VPN

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose VPN Connections, and then select the VPN connection.
  3. Confirm that the VPN status is Available and at least one of the tunnels' status is UP.
    Note: If you're using a dynamic VPN, then make sure that AWS VPN receives the BGP routes. Turn on route propagation to confirm that the BGP routes are propagated to the virtual private gateway.
  4. Note the virtual private gateway for this VPN connection.
  5. In the navigation pane, choose Subnets, and then select the subnet of the Amazon VPC.
  6. Choose the Route Table view, and then confirm the following:
    Your network is the route destination.
    The virtual private gateway in step 4 is the target.

For more information, see How do I troubleshoot connection problems between an AWS VPN endpoint and a policy-based VPN?

Private subnets that use AWS Direct Connect

  1. Open the AWS Direct Connect console.
  2. In the navigation pane, choose Virtual Interfaces, and then select the private virtual interface.
  3. Confirm that the BGP status is UP.
  4. Note the virtual private gateway for the private virtual interface.
  5. Open the Amazon VPC console.
  6. In the navigation pane, under Subnets, select the subnets of the Amazon VPC.
  7. Choose the Route Table view, and then confirm the following:
    Your network is the route destination.
    The virtual private gateway in step 4 is the target.

Note: If you use BGP, then make sure that AWS receives the routes. Turn on route propagation to confirm that the BGP routes are propagated to the virtual private gateway.

For more information, see Troubleshooting AWS Direct Connect.

Private subnets that use Amazon VPC gateway endpoints

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints, and then choose the endpoint.
  3. Confirm that the status is Available, and then note the endpoint ID.
  4. In the navigation pane, under Subnets, select the subnet of the Amazon VPC.
  5. Choose the Route Table view, and then confirm the following:
    The Amazon VPC endpoint policy allows communication to an AWS service for the subnet resources of your Amazon VPC. For more information, see New - VPC endpoint for Amazon S3.
    A route is added to the route table that has a destination that specifies the AWS prefix list ID of the service.
    The endpoint ID in step 3 is the target.

Note: If the subnet's route table doesn't show an entry with an AWS service prefix list as the destination and the endpoint ID as the target, then add the route table to the endpoint. To add the route table manually, navigate to Endpoints, choose the endpoint, choose Route tables, and choose Manage route tables. Then, select the missing route table of the Amazon VPC.

For more information, see Why can't I connect to an S3 bucket using a gateway VPC endpoint?

Private subnets that use Amazon VPC virtual interface endpoints

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose Endpoints, and then choose the endpoint.
  3. Choose the Subnets column, and then confirm that an endpoint network interface is created in the subnet that's associated with the service that you want to connect to.
  4. In the navigation pane, under Endpoints, choose the Policy view.
  5. Confirm that the security group allows access to the AWS service.

Note: Amazon VPC resources use the local route to send traffic over the interface endpoints.

For more information, see Access an AWS service using an interface VPC endpoint.

Private subnets that use AWS Transit Gateway

  1. Open the Amazon VPC console.
  2. In the navigation pane, under Subnets, choose your private subnet.
  3. Choose the Route Table view. Confirm that the route table has the intended destination CIDR and correct Transit Gateway ID.
  4. To further troubleshoot transit gateway routes, see the following resources:
    For Amazon VPC-to-VPC connectivity, see How do I troubleshoot VPC-to-VPC connectivity through a transit gateway?
    For Amazon VPC-to-on-premises connectivity over AWS Site-to-Site VPN or AWS Direct Connect, see How do I troubleshoot on-premises to VPC connectivity through Transit Gateway?

Use the resource map to visualize resources in your Amazon VPC

  1. Open the Amazon VPC console.
  2. In the navigation pane, choose VPCs, and select the Amazon VPC.
  3. Choose the Resource map tab to display a visualization of the resources.
  4. Choose Show details to view details, such as the resource IDs and zones, for the resources that are displayed:
    VPC: The IPv4 and IPv6 CIDR ranges that are assigned to the VPC.
    Subnets: The IPv4 and IPv6 CIDR ranges that are assigned to each subnet.
    Route tables: The subnet associations and the number of routes in the route table.
    Network connections: For public subnets in the Amazon VPC, there's an internet gateway resource with the number of routes and the source and destination subnets. For egress-only internet gateways, there's an egress-only internet gateway resource with the number of routes and the source and destination subnets. For NAT gateways, there's a NAT gateway resource with the number of network interfaces and Elastic IP addresses. For gateway endpoints, there's a gateway endpoint resource with the name of the AWS service that can be connected to.
  5. To view the relationship between resources, hover over a resource. Solid lines represent relationships between resources. Dotted lines represent network traffic to network connections.
AWS OFFICIAL. Updated 6 months ago.