Reputation: 1
My requirement is I have VPC-A with a private subnet (and one EC2) and VPC-B with a public subnet (which has an IGW attached). How do I route my internet traffic from the EC2 on VPC-A to use the IGW of VPC-B using Transit Gateway? What are the architecture designs and route table entries to achieve this?
Upvotes: 0
Views: 2795
Reputation: 91
I am not sure why you would want to incur TGW attachment and data processing charges just for IGW access. Having said that, you cannot directly use a second VPC's IGW to route the traffic to the internet, and the IGW has to be attached to VPC-A. In such cases you might want to use a common exit VPC and launch a NAT Gateway in that. https://aws.amazon.com/blogs/networking-and-content-delivery/creating-a-single-internet-exit-point-from-multiple-vpcs-using-aws-transit-gateway/ has some architectural reference diagrams.
Upvotes: 1
Reputation: 1
@bhaskar-j-banerjee, your issue might be that in the public route table of the Egress-VPC (VPC-B), you don't have a route to reach VPC-A. This happens because in a TCP or ICMP connection (when using Telnet or ping to test connectivity and latency), an initial packet is sent and another one is expected in return. If there's no route from VPC-B to VPC-A, the return packet won't be able to notify that the connection is active; therefore ping and telnet will always time out even if all the other route tables and TGW route tables are correctly set up.
Upvotes: 0
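An added example, not code from any poster in this thread: a small Python model of the route tables in the centralized-egress design the two answers above describe. It traces the outbound path from the EC2 in VPC-A through the TGW and the NAT Gateway, and the reply path that breaks when VPC-B's public route table has no route back to VPC-A. The CIDRs, table names and hop names are assumptions.

```python
import ipaddress

# Constructed model of the centralized-egress design from the answers above.
# CIDRs, table names and hop names are assumptions, not values from the thread.
VPC_A = "10.0.0.0/16"     # spoke VPC: private subnet with the EC2 instance
VPC_B = "10.1.0.0/16"     # egress VPC: NAT Gateway in public subnet, TGW attachment in private subnet
INTERNET = "0.0.0.0/0"

# Which route table is consulted next once a packet is handed to a given target.
NEXT_TABLE = {"tgw": "tgw", "vpcA-private": "vpcA-private",
              "vpcB-private": "vpcB-private", "nat": "vpcB-public"}

def route_tables(return_route=True):
    """Subnet and TGW route tables; return_route=False omits VPC-A from VPC-B's public table."""
    tables = {
        "vpcA-private": {VPC_A: "local", INTERNET: "tgw"},
        "tgw":          {VPC_A: "vpcA-private", INTERNET: "vpcB-private"},
        "vpcB-private": {VPC_B: "local", VPC_A: "tgw", INTERNET: "nat"},
        "vpcB-public":  {VPC_B: "local", INTERNET: "igw"},
    }
    if return_route:
        tables["vpcB-public"][VPC_A] = "tgw"   # the route the reply packet needs
    return tables

def next_hop(table, dst):
    """Longest-prefix match, the way a VPC route table resolves a destination."""
    ip = ipaddress.ip_address(dst)
    nets = [ipaddress.ip_network(c) for c in table if ip in ipaddress.ip_network(c)]
    return table[str(max(nets, key=lambda n: n.prefixlen))] if nets else None

def trace(tables, start_table, dst, max_hops=8):
    """Follow a packet hop by hop until it is delivered ('local'), leaves via the IGW, or has no route."""
    path, table = [], start_table
    for _ in range(max_hops):
        hop = next_hop(tables[table], dst)
        path.append(hop)
        if hop not in NEXT_TABLE:
            break
        table = NEXT_TABLE[hop]
    return path

def egress_path(return_route=True):
    """EC2 in VPC-A (10.0.1.10, constructed) sending to a public address."""
    return trace(route_tables(return_route), "vpcA-private", "203.0.113.10")

def return_path(return_route=True):
    """The NAT Gateway de-translates the reply and forwards it using its own (public) subnet's table."""
    return trace(route_tables(return_route), "vpcB-public", "10.0.1.10")
```

Without the VPC-A route, `return_path(False)` hands the reply (a private destination) to the IGW, where it is dropped, which is exactly the ping and telnet timeout described above.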
Reputation: 1
I have the exact same problem, and I have tried the link from AWS but no luck. I am able to ping a VM in the VPC-B public subnet as well as the private subnet from VPC-A, and also in the reverse direction. But no luck for the 0.0.0.0/0 route. NAT and IGW are working fine when testing from within VPC-B.
I am guessing that we might be making a small mistake in the routing which is not allowing the 0.0.0.0 traffic.
Upvotes: 0