Route Analyzer basics Performing a route analysis Example: Route analysis for peered transit gateways Example: Route analysis with a middlebox configuration

Route Analyzer

In your global network, you can use the Route Analyzer to perform an analysis of the routes in your transit gateway route tables. The Route Analyzer analyzes the routing path between a specified source and destination, and returns information about the connectivity between components. You can use the Route Analyzer to do the following:

Verify that the transit gateway route table configuration will work as expected before you start sending traffic.
Validate your existing route configuration.
Diagnose route-related issues that are causing traffic disruption in your global network.

Note

Route Analyzer does not work with intra-Region peering.

Route Analyzer basics
Performing a route analysis
Example: Route analysis for peered transit gateways
Example: Route analysis with a middlebox configuration

Route Analyzer basics

To use the Route Analyzer, you indicate the path for the traffic from a source to a destination. For the source, you specify the transit gateway, the transit gateway attachment from which the traffic originates, and a source IPv4 or IPv6 address. The Route Analyzer analyzes the routes in the associated transit gateway route table for the transit gateway attachment. For the destination, you specify a target IPv4 or IPv6 address, and the destination transit gateway and transit gateway attachment.

If you've configured a middlebox appliance in your VPC, you can indicate the location of the appliance in the route analysis. This enables you to specify multiple network hops in a route between a source and destination, to help you analyze the route of the traffic. We store this information for use in future analyses. You can update your middlebox appliances later on as needed.

You can also analyze the return path for traffic from the specified destination back to the source.

The following rules apply when using the Route Analyzer:

The Route Analyzer analyzes routes in transit gateway route tables only. It does not analyze routes in VPC route tables or in your customer gateway devices.
The transit gateways must be registered in your global network.
The Route Analyzer does not analyze security group rules or network ACL rules. To capture information about accepted and rejected IP traffic in your VPC, you can use VPC flow logs.
The Route Analyzer only returns information for the return path if it can successfully return information for the forward path.

Performing a route analysis

To use the Route Analyzer, you must use the AWS Global Networks for Transit Gateways console.

To analyze your routes

Access the Network Manager console at https://console.aws.amazon.com/networkmanager/home/.
Under Connectivity, choose Global Networks.
On the Global networks page, choose the global network ID.
In the navigation pane, choose Transit Gateway network.
The Overview page opens by default, showing information about your transit gateways.
Choose the Route Analyzer tab.
Under Source, do the following:
- Choose the transit gateway and the transit gateway attachment.
- For IP address, enter a source IPv4 or IPv6 address.
Under Destination, do the following:
- Choose the transit gateway and the transit gateway attachment.
- For IP address, enter a target IPv4 or IPv6 address.
(Optional) To analyze the return path, ensure that you enable Include return path in results. If enabled, you must specify an IP address under Source.
To specify middlebox appliances in the routing path, choose Middlebox appliance?. We store this information for use in future analyses. You can update your middlebox appliances later on as needed.
Choose Run route analysis.
The results are displayed under Results of route analysis. If you specified Middlebox appliance?, choose Yes or No for each of the attachments to indicate the location of the appliances and to complete the route analysis.

You can choose the ID of any of the resources in the path to view more information about the resources.

Example: Route analysis for peered transit gateways

In the following example, transit gateway 1 has two VPC attachments, and a peering attachment to transit gateway 2. Transit gateway 2 has a Site-to-Site VPN attachment to your on-premises network. You want to use the Route Analyzer to ensure that the VPCs and Site-to-Site VPN connections can route traffic to each other through the transit gateways.

In the Route Analyzer, do the following:

Under Source, specify transit gateway 1 and the transit gateway attachment for VPC A. Specify an IP address from the CIDR block of VPC A, for example, 10.0.0.7.
Under Destination, specify transit gateway 2 and the VPN attachment. Specify an IP address from the range of the on-premises network, for example, 172.31.0.8.
Ensure that Include return path in results is selected.
Run the route analysis. In the results, verify the path between the source and destination. For example, the following results indicate that there is a forward path from transit gateway 1 to transit gateway 2, but no return path. Check the route table for transit gateway 2, and ensure that there is a static route that points to the peering attachment.
To run the analysis between VPC B and the VPN connection, modify the information under Source. Choose the transit gateway attachment for VPC B, and specify an IP address from the CIDR block of VPC B, for example, 10.2.0.9.
Reload the results and verify the path between the source and destination.

For more information about the routing configuration for this scenario, see the transit gateway peering example.

Example: Route analysis with a middlebox configuration

If you've configured a VPC to act as a middlebox appliance for inspecting traffic that flows to other parts of your network, you can indicate the location of the appliance in the route analysis. In the following example, the transit gateway has two VPC attachments and a VPN attachment. VPC A runs a firewall appliance (middlebox) that inspects the traffic that flows between the VPN connection and VPC B.

In the Route Analyzer, you can specify the location of the middlebox appliance as follows:

Under Source, specify the transit gateway and the VPN attachment. Specify an IP address from the range of the on-premises network, for example, 10.0.0.7.
Under Destination, specify the transit gateway and the attachment for VPC B. Specify an IP address from the CIDR block of VPC B, for example, 172.31.0.8.
For Middlebox appliance?, choose Include.
Run the route analysis.
For the Middlebox appliance? sections for the transit gateway attachment for VPC A, choose Yes.

You can choose the ID of any resource in the path to view more information about that resource.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Monitoring with CloudWatch Events

Manage multiple accounts