I have questions related to the subject "Hub-Spoke (Multi VPC) Egress via NAT Gateway or NAT Instance".
I have Spoke A and Spoke B, connected via a Transit Gateway which is connected to SECVPC.
All the routes of VPC SpokeA and SpokeB are directed to the Transit Gateway, and the Transit Gateway routes 0.0.0.0 to SECVPC.
In SECVPC, I have a route for 0.0.0.0 to the NAT Gateway or NAT Instance (source/destination check disabled for the NAT Instance). I am able to send traffic from SECVPC to the internet without issue.
But SpokeA and SpokeB aren't able to reach the Internet via the SECVPC NAT Gateway or NAT Instance.
Any thoughts?
This does sound like it could be a routing issue, as mentioned above.
Is this something you are trying to set up in production? If so, I would get in touch with AWS and see if they can review your configuration, or at least look at your design.
Based on the information provided, I see you have routing in place to reach the Internet (one way). However, is there a route in the SECVPC to reach the spoke VPCs? Do you have the route in the private subnet of SECVPC for the Spoke A and B CIDRs towards the TGW? The TGW attachment in the SECVPC must be in a non-public subnet, and this subnet should have 0.0.0.0/0 towards NAT-G or NAT-I and the Spoke A & B CIDRs towards the TGW.
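The return-route problem the reply above describes can be checked offline with a small route-table simulation. The following is an added example, not code from either poster: it models each route table as a list of (CIDR, target) pairs, does the longest-prefix match a VPC or TGW route table performs, and traces a packet from a spoke to the Internet and the reply back from the NAT gateway. The CIDRs (10.1.0.0/16 for Spoke A, 10.2.0.0/16 for Spoke B, 10.0.0.0/16 for SECVPC), the table names and the `natgw` pseudo-hop are constructed assumptions; the example also models the NAT gateway's own public-subnet route table, which the reply traffic leaving the NAT gateway is evaluated against, in addition to the private subnet holding the TGW attachment.

```python
import ipaddress
from copy import deepcopy

# Constructed CIDRs for the thread's topology (assumptions, not values from the posts).
SPOKE_A = "10.1.0.0/16"
SPOKE_B = "10.2.0.0/16"
SECVPC = "10.0.0.0/16"


def lookup(route_table, dst):
    """Longest-prefix match over (cidr, target) pairs; None when nothing matches."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(tables, start, dst, max_hops=10):
    """Follow a packet from route table `start` until it reaches a terminal target.

    Targets that are not themselves tables ("local", "igw") end the trace. An IGW
    only forwards public destinations, so a private destination handed to it is
    recorded as a drop, which is the symptom the spokes see.
    """
    hops = [start]
    table = start
    for _ in range(max_hops):
        target = lookup(tables[table], dst)
        if target is None:
            hops.append("DROP: no route")
            return hops
        if target == "igw" and ipaddress.ip_address(dst).is_private:
            hops.append("DROP: igw cannot deliver a private address")
            return hops
        hops.append(target)
        if target not in tables:
            return hops
        table = target
    hops.append("DROP: hop limit")
    return hops


def missing_return_routes(tables, spoke_cidrs,
                          secvpc_tables=("secvpc-private-rt", "secvpc-public-rt")):
    """List (table, spoke CIDR) pairs where a spoke host would not be sent back to the TGW."""
    missing = []
    for name in secvpc_tables:
        for cidr in spoke_cidrs:
            host = str(next(ipaddress.ip_network(cidr).hosts()))
            if lookup(tables[name], host) != "tgw-rt":
                missing.append((name, cidr))
    return missing


# Configuration as described in the question: spokes default to the TGW, the TGW
# defaults to SECVPC, SECVPC defaults to the NAT gateway, but no SECVPC table
# knows how to get back to the spoke CIDRs.
BROKEN = {
    "spokeA-rt": [(SPOKE_A, "local"), ("0.0.0.0/0", "tgw-rt")],
    "spokeB-rt": [(SPOKE_B, "local"), ("0.0.0.0/0", "tgw-rt")],
    # TGW route table: spoke CIDRs to the spoke attachments, default to the SECVPC attachment.
    "tgw-rt": [(SPOKE_A, "spokeA-rt"), (SPOKE_B, "spokeB-rt"),
               ("0.0.0.0/0", "secvpc-private-rt")],
    # SECVPC private subnet holding the TGW attachment ENI.
    "secvpc-private-rt": [(SECVPC, "local"), ("0.0.0.0/0", "natgw")],
    # Pseudo-hop: the NAT gateway forwards according to its public subnet's table.
    "natgw": [("0.0.0.0/0", "secvpc-public-rt")],
    # SECVPC public subnet that contains the NAT gateway.
    "secvpc-public-rt": [(SECVPC, "local"), ("0.0.0.0/0", "igw")],
}

# Fix from the reply: add the spoke CIDRs towards the TGW in the SECVPC subnets.
FIXED = deepcopy(BROKEN)
for _name in ("secvpc-private-rt", "secvpc-public-rt"):
    FIXED[_name] += [(SPOKE_A, "tgw-rt"), (SPOKE_B, "tgw-rt")]


if __name__ == "__main__":
    for label, tables in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, "outbound:", " -> ".join(trace(tables, "spokeA-rt", "8.8.8.8")))
        print(label, "reply:   ", " -> ".join(trace(tables, "secvpc-public-rt", "10.1.0.10")))
        print(label, "missing return routes:", missing_return_routes(tables, [SPOKE_A, SPOKE_B]))
```

Running it shows that the outbound path reaches the IGW in both configurations, which is why the question's SECVPC-to-Internet test passes, while the reply to a spoke host is dropped until the spoke CIDRs point at the TGW from the SECVPC subnets; `missing_return_routes` is the check to apply to your own tables before suspecting the NAT gateway or instance.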