Reputation: 2266
Has someone here succeeded in implementing an AWS VPN Connection with AWS TransitGateway service?
I've created and configured my transit gateway and attachment of type VPN, with a transit gateway route table and association. I've downloaded the resulting VPN connection with static routing configuration and configured my on-prem routers, and my tunnels are up.
However:
When I look at the corresponding transit gateway route table, I can see all VPN routes are in blackhole state. If I set them to the active state, they still come back to blackhole state. In this blackhole state the TransitGateway drops packets silently...
Any help?
Upvotes: 3
Views: 6407
Reputation: 2266
I've also added the route to the on-premise network 10.0.0.0/8 in the transit gateway route table associated to the VPC attachment (not the VPN attachment) attached to the concerned AWS VPC, and now I can reach the on-premise network through the TGW from AWS.
I think packets first leave the VPC they belong to and need a route to get to the VPN; this route is the VPN attachment (the route I've added to the TGW VPN attachment route table has the VPN attachment as the target), and then from the VPN attachment, the rest of the flow is handled by the VPN attachment through the VPN connection.
So to conclude, in order for your AWS TGW to achieve a VPN connection, you need a VPN attachment to establish VPN connections, and a VPC attachment associated to the AWS VPC you want to connect to your on-premise network, and then a route to the on-premise network in both the VPN and VPC attachments' related transit gateway route tables.
The above disposition is for the case where you don't work with the transit gateway default route table, and make a specific transit gateway route table for each attachment.
Upvotes: 1
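The layout the answer describes, written out as a Terraform example. This is an added illustration, not code from the original question or answer: one TGW with the default route table disabled, a VPN attachment and a VPC attachment each associated to its own route table, and the on-premise prefix routed to the VPN attachment from the VPC attachment's table. It goes slightly beyond the answer by also adding the reverse route (VPC prefix to the VPC attachment) in the VPN attachment's table, which reply traffic entering from the VPN needs, and the VPC-side route that sends on-premise-bound traffic to the TGW in the first place. The region, VPC CIDR, subnet, customer gateway address and all resource names are assumed; only 10.0.0.0/8 comes from the answer.

```hcl
# Added example (not from the original post). Names, region, CIDRs other than
# 10.0.0.0/8, and the customer gateway address are assumptions.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws" }
  }
}

provider "aws" {
  region = "eu-west-1" # assumed
}

variable "onprem_cidr"   { default = "10.0.0.0/8" }     # from the answer
variable "vpc_cidr"      { default = "172.16.0.0/16" }  # assumed
variable "cgw_public_ip" { default = "203.0.113.10" }   # placeholder (TEST-NET-3)

resource "aws_ec2_transit_gateway" "hub" {
  description = "tgw-hub"
  # One route table per attachment, i.e. the "no default route table" layout
  # the answer describes: nothing is auto-associated or auto-propagated.
  default_route_table_association = "disable"
  default_route_table_propagation = "disable"
}

# ---- VPN attachment ---------------------------------------------------------
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000 # the API requires an ASN even for static routing
  ip_address = var.cgw_public_ip
  type       = "ipsec.1"
}

# A VPN connection whose target is the TGW creates the VPN attachment.
resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
  static_routes_only  = true
}

resource "aws_ec2_transit_gateway_route_table" "vpn" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "vpn" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpn.id
}

# ---- VPC attachment ---------------------------------------------------------
resource "aws_vpc" "app" {
  cidr_block = var.vpc_cidr
}

resource "aws_subnet" "tgw" {
  vpc_id     = aws_vpc.app.id
  cidr_block = "172.16.255.0/28" # small subnet reserved for the TGW ENI (assumed)
}

resource "aws_ec2_transit_gateway_vpc_attachment" "app" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = aws_vpc.app.id
  subnet_ids         = [aws_subnet.tgw.id]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_ec2_transit_gateway_route_table" "vpc" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table_association" "vpc" {
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.app.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc.id
}

# ---- Routes: the part the answer is about -----------------------------------
# A TGW route table is consulted for traffic *entering* the TGW from the
# attachment it is associated with. Traffic from the VPC is therefore looked up
# in the VPC attachment's table, so the on-prem prefix must point at the VPN
# attachment here (this is the route the answer added to fix the problem).
resource "aws_ec2_transit_gateway_route" "vpc_to_onprem" {
  destination_cidr_block         = var.onprem_cidr
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc.id
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
}

# Reply traffic enters from the VPN attachment, so its table needs the VPC
# prefix pointing back at the VPC attachment.
resource "aws_ec2_transit_gateway_route" "vpn_to_vpc" {
  destination_cidr_block         = var.vpc_cidr
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpn.id
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.app.id
}

# Inside the VPC, hand on-prem-bound traffic to the TGW.
resource "aws_route" "to_onprem" {
  route_table_id         = aws_vpc.app.main_route_table_id
  destination_cidr_block = var.onprem_cidr
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
}
```

After `terraform apply`, the quick check for the symptom in the question is to list routes in each TGW route table that are still in the blackhole state, for example with `aws ec2 search-transit-gateway-routes --transit-gateway-route-table-id <id> --filters Name=state,Values=blackhole`; with both tables populated as above and the tunnels up, that list should be empty for the two static routes.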