Introduction

Transit Gateway routing only works when the right attachment is associated with the right route table and propagation is enabled where routes need to be learned. Teams often see an attachment in available state and assume routing is complete, but the Transit Gateway still cannot forward traffic if propagation never happened or happened in the wrong route table.

Symptoms

  • VPC-to-VPC or on-prem connectivity through Transit Gateway fails
  • The expected CIDR is missing from the Transit Gateway route table
  • Attachments exist, but searches of propagated routes return nothing
  • Network traffic dies at the TGW boundary even though the attachments are healthy

Common Causes

  • The attachment is associated with the wrong Transit Gateway route table
  • Propagation is not enabled for the attachment
  • VPC route tables do not actually point traffic toward the Transit Gateway
  • Teams assume association alone is enough without checking propagation state

Step-by-Step Fix

  1. 1.Inspect attachment state and IDs
  2. 2.Confirm the attachment is actually available and identify the exact attachment you expect to propagate routes.
bash
aws ec2 describe-transit-gateway-attachments \
  --filters Name=transit-gateway-id,Values=tgw-abc123
  1. 1.Check route table association and propagation separately
  2. 2.These are distinct relationships and both matter.

```bash aws ec2 get-transit-gateway-route-table-associations \ --transit-gateway-route-table-id tgw-rtb-abc123

aws ec2 get-transit-gateway-route-table-propagations \ --transit-gateway-route-table-id tgw-rtb-abc123 ```

  1. 1.Enable propagation if it is missing
  2. 2.If the attachment is healthy but not propagating, the TGW will never learn the route automatically.
bash
aws ec2 enable-transit-gateway-route-table-propagation \
  --transit-gateway-route-table-id tgw-rtb-abc123 \
  --transit-gateway-attachment-id tgw-attach-abc123
  1. 1.Verify VPC-side route tables
  2. 2.Propagation in the TGW does not help if the VPC route tables do not send traffic toward the Transit Gateway.

Prevention

  • Model TGW association and propagation explicitly in infrastructure as code
  • Audit propagated routes after network changes, not only attachment state
  • Keep route table purpose and attachment intent documented
  • Validate both TGW and VPC route tables during connectivity incidents