I set up a Transit Gateway to connect multiple VPCs for my hybrid infrastructure, attached the VPCs, and expected traffic to flow between them immediately. But when I tried to ping an instance in VPC-B from VPC-A, the request timed out. The Transit Gateway showed all attachments as “available,” but the routes never appeared in the VPC route tables. In this post, I’ll walk through exactly what causes this and how to fix it.

The Problem

Your Transit Gateway is configured with multiple VPC attachments, all showing as “available” in the console, but traffic between VPCs fails. Instances can’t reach other VPCs even though the TGW appears fully connected. When you check the route tables, you don’t see any routes pointing to the Transit Gateway for other VPCs’ CIDR blocks.

Here’s what happens when you try to reach across VPCs:

Instance A in VPC-1 (10.0.0.100) -> Instance B in VPC-2 (10.1.0.100)
PING 10.1.0.100 (10.1.0.100) 56(84) bytes of data.
--- 10.1.0.100 statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 109ms

Common symptoms and what they mean:

  • TGW attachments available but no routes: attachments show “available” but routes don’t propagate to VPC route tables.
  • Routes missing from route table: the route table has no entries for destination VPCs connected via the TGW.
  • Attachment in pending state: attachment creation completed but the state is pending, not available.
  • BGP not advertising routes: for VPN and Direct Connect, BGP routes aren’t propagating to the TGW route table.

Why Does This Happen?

  • VPC attachment is in pending state: When you create a TGW attachment, it must transition to “available” before routes propagate. If it’s stuck in “pending-acceptance,” routes won’t appear; you need to accept the attachment explicitly or wait for it to transition.

  • TGW route table doesn’t have route propagation enabled: Just because an attachment exists doesn’t mean routes propagate automatically. You must explicitly enable route propagation from each attachment to each TGW route table. Without this, the TGW knows about the attachment but doesn’t advertise routes for it.

  • VPC route tables don’t have a route pointing to the TGW: Even if the TGW has routes, the VPC route tables must also have routes pointing to the TGW for destination CIDRs. These don’t propagate automatically; you must add them or enable auto-propagation.

  • TGW route table has a blackhole route overriding propagated routes: If you manually created a static route to a destination before enabling propagation, the static route might take precedence, potentially to a blackhole.

  • For VPN/Direct Connect: BGP not advertising routes: If you’re using Border Gateway Protocol (BGP) to advertise routes from on-premises or through VPN, ensure BGP is correctly configured and routes are being advertised to the TGW route table.

The Fix

First, check the status of all TGW attachments:

aws ec2 describe-transit-gateway-attachments \
  --filters "Name=transit-gateway-id,Values=tgw-0a1b2c3d4e5f6g7h8" \
  --query 'TransitGatewayAttachments[*].[TransitGatewayAttachmentId,State,Association.TransitGatewayRouteTableId]' \
  --output table

If any attachment is in pending state, wait a few minutes or manually accept it (if it requires acceptance):

# VPC attachments are accepted with accept-transit-gateway-vpc-attachment;
# peering attachments use the separate accept-transit-gateway-peering-attachment command.
aws ec2 accept-transit-gateway-vpc-attachment \
  --transit-gateway-attachment-id tgw-attach-0a1b2c3d4e5f6g7h8

Check the TGW route table to see what routes exist:

aws ec2 describe-transit-gateway-route-tables \
  --filters "Name=transit-gateway-id,Values=tgw-0a1b2c3d4e5f6g7h8" \
  --query 'TransitGatewayRouteTables[0].TransitGatewayRouteTableId' \
  --output text

Get the TGW route table ID, then list routes:

aws ec2 search-transit-gateway-routes \
  --transit-gateway-route-table-id tgw-rtb-0a1b2c3d4e5f6g7h8 \
  --filters "Name=type,Values=propagated" \
  --query 'Routes[*].[DestinationCidrBlock,Type,State,TransitGatewayAttachments[0].TransitGatewayAttachmentId]' \
  --output table

If routes aren’t propagated, enable propagation for each attachment:

aws ec2 enable-transit-gateway-route-table-propagation \
  --transit-gateway-route-table-id tgw-rtb-0a1b2c3d4e5f6g7h8 \
  --transit-gateway-attachment-id tgw-attach-0a1b2c3d4e5f6g7h8

Repeat for each VPC attachment:

aws ec2 enable-transit-gateway-route-table-propagation \
  --transit-gateway-route-table-id tgw-rtb-0a1b2c3d4e5f6g7h8 \
  --transit-gateway-attachment-id tgw-attach-0x1y2z3a4b5c6d7e8

Add Routes to VPC Route Tables

Even after TGW propagation, the VPC route tables need routes pointing to the TGW. Add a route in each VPC for other VPCs’ CIDRs:

aws ec2 create-route \
  --route-table-id rtb-0a1b2c3d4e5f6g7h8 \
  --destination-cidr-block 10.1.0.0/16 \
  --transit-gateway-id tgw-0a1b2c3d4e5f6g7h8

Then check which TGW route table the attachment is associated with, since that association decides which TGW route table is consulted for traffic coming from the VPC:

aws ec2 describe-transit-gateway-attachments \
  --transit-gateway-attachment-ids tgw-attach-0a1b2c3d4e5f6g7h8 \
  --query 'TransitGatewayAttachments[0].Association'

If the attachment shows no association, associate it with the TGW route table:

aws ec2 associate-transit-gateway-route-table \
  --transit-gateway-route-table-id tgw-rtb-0a1b2c3d4e5f6g7h8 \
  --transit-gateway-attachment-id tgw-attach-0a1b2c3d4e5f6g7h8

Check for Blackhole Routes

Look for any static routes that might override propagated routes:

aws ec2 search-transit-gateway-routes \
  --transit-gateway-route-table-id tgw-rtb-0a1b2c3d4e5f6g7h8 \
  --filters "Name=state,Values=blackhole"

Delete blackholed routes:

aws ec2 delete-transit-gateway-route \
  --transit-gateway-route-table-id tgw-rtb-0a1b2c3d4e5f6g7h8 \
  --destination-cidr-block 10.1.0.0/16

How to Run This

  1. Verify all TGW attachments are in available state — wait or accept pending attachments.
  2. Check the TGW route table for propagated routes — if missing, enable propagation.
  3. Add routes in each VPC route table pointing to the TGW for destination CIDRs.
  4. Delete any blackhole routes that might conflict.
  5. For BGP: verify ASN configuration and that routes are being advertised.
  6. Test traffic: ping across VPCs, check TGW route table metrics.
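
The checklist above, as an added example that is not part of the original post: a Python script that takes the JSON returned by the describe and search commands (run with --output json) and reports which prerequisite is failing for each pair of VPC attachments: attachment not available, no propagated route in the TGW route table, a blackholed static route shadowing a propagated one, or a VPC route table with no route to the TGW for the peer CIDR. The TGW, attachment and route-table IDs are the post’s placeholders; the VPC IDs, the VPC-1 CIDR (10.0.0.0/16, implied by the 10.0.0.100 instance) and the route entries are constructed here.

```python
"""Offline checker for the Transit Gateway routing prerequisites.

Input is the JSON the post's CLI commands return (``--output json``):
  - describe-transit-gateway-attachments -> TransitGatewayAttachments[]
  - search-transit-gateway-routes        -> Routes[]
  - describe-route-tables                -> RouteTables[].Routes, keyed by VPC
"""
import ipaddress

# --- Constructed sample data (not captured from a real account) -------------
# TGW, attachment and route-table IDs reuse the post's placeholders; the VPC
# IDs and the VPC-1 CIDR 10.0.0.0/16 are assumed for the example.
TGW_ID = "tgw-0a1b2c3d4e5f6g7h8"

ATTACHMENTS = [
    {"TransitGatewayAttachmentId": "tgw-attach-0a1b2c3d4e5f6g7h8",
     "ResourceType": "vpc", "ResourceId": "vpc-11111111", "State": "available"},
    {"TransitGatewayAttachmentId": "tgw-attach-0x1y2z3a4b5c6d7e8",
     "ResourceType": "vpc", "ResourceId": "vpc-22222222", "State": "available"},
]
VPC_CIDRS = {"vpc-11111111": "10.0.0.0/16", "vpc-22222222": "10.1.0.0/16"}

TGW_ROUTES = [
    # Propagation was enabled for the VPC-1 attachment only.
    {"DestinationCidrBlock": "10.0.0.0/16", "Type": "propagated", "State": "active",
     "TransitGatewayAttachments": [
         {"TransitGatewayAttachmentId": "tgw-attach-0a1b2c3d4e5f6g7h8",
          "ResourceId": "vpc-11111111", "ResourceType": "vpc"}]},
    # A stale static route, now blackholed, that shadows VPC-2's CIDR.
    {"DestinationCidrBlock": "10.1.0.0/16", "Type": "static", "State": "blackhole",
     "TransitGatewayAttachments": []},
]

VPC_ROUTE_TABLES = {
    # VPC-1's route table (rtb-0a1b2c3d4e5f6g7h8 in the post) has only its local route.
    "vpc-11111111": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    # VPC-2 already points the peer CIDR at the TGW.
    "vpc-22222222": [
        {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.0.0.0/16", "TransitGatewayId": TGW_ID, "State": "active"}],
}


def check_tgw_routing(tgw_id, attachments, tgw_routes, vpc_cidrs, vpc_route_tables):
    """Return a list of (kind, subject, detail) findings; empty means all checks pass."""
    findings = []
    vpc_attachments = [a for a in attachments if a["ResourceType"] == "vpc"]

    # Step 1: every attachment must be "available"; pending-acceptance never propagates.
    for a in attachments:
        if a["State"] != "available":
            findings.append(("attachment_state", a["TransitGatewayAttachmentId"], a["State"]))

    # Step 2: each VPC attachment needs an active propagated route for its CIDR
    # in the TGW route table, otherwise propagation is not enabled for it.
    for a in vpc_attachments:
        cidr = vpc_cidrs[a["ResourceId"]]
        propagated = any(
            r["Type"] == "propagated" and r["State"] == "active"
            and r.get("DestinationCidrBlock") == cidr
            and any(t["TransitGatewayAttachmentId"] == a["TransitGatewayAttachmentId"]
                    for t in r.get("TransitGatewayAttachments", []))
            for r in tgw_routes)
        if not propagated:
            findings.append(("propagation", a["TransitGatewayAttachmentId"], cidr))

    # Step 4: static routes take precedence over propagated ones in a TGW route
    # table, so a blackholed static route keeps dropping traffic after propagation is fixed.
    for r in tgw_routes:
        if r["State"] == "blackhole":
            findings.append(("blackhole", r.get("DestinationCidrBlock", "?"), r["Type"]))

    # Step 3: each VPC route table needs an active route to this TGW whose prefix
    # covers every other VPC's CIDR (a covering supernet route counts too).
    for src in vpc_attachments:
        src_vpc = src["ResourceId"]
        routes = vpc_route_tables.get(src_vpc, [])
        for dst in vpc_attachments:
            if dst is src:
                continue
            dst_cidr = vpc_cidrs[dst["ResourceId"]]
            dst_net = ipaddress.ip_network(dst_cidr, strict=False)
            covered = any(
                r.get("TransitGatewayId") == tgw_id and r.get("State") == "active"
                and "DestinationCidrBlock" in r
                and dst_net.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"], strict=False))
                for r in routes)
            if not covered:
                findings.append(("vpc_route", src_vpc, dst_cidr))
    return findings


def main():
    for kind, subject, detail in check_tgw_routing(
            TGW_ID, ATTACHMENTS, TGW_ROUTES, VPC_CIDRS, VPC_ROUTE_TABLES):
        print(f"{kind:16} {subject:32} {detail}")


if __name__ == "__main__":
    main()
```

Replace the constructed dictionaries with the real command output (for example via json.load) to run it against an account. On the sample data it reports three findings: propagation missing for the VPC-2 attachment, the blackholed static route for 10.1.0.0/16, and the missing route in VPC-1’s route table, which together explain the failing ping from the start of the post.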

Is This Safe?

Yes, enabling route propagation and adding TGW routes is safe. These are standard networking operations. Just ensure you understand your CIDR blocks and route priorities.

Key Takeaway

Transit Gateway routing requires three things: attachments in available state, route propagation explicitly enabled, and routes in VPC route tables pointing to the TGW. The TGW route table and VPC route tables must both have entries. Don’t assume routes propagate automatically—always verify them with the describe and search commands above.


Have questions or ran into a different networking issue? Connect with me on LinkedIn or X.