Certified Security - Specialty

Sign Up Free or Log In to participate!

Hub-Spoke (Multi VPC) Egress via Nat Gateway or Nat Instance

Dear All,

I have questions related to the subject "Hub-Spoke (Multi VPC) Egress via Nat Gateway or Nat Instance".

I have Spoke A,Spoke B, Connected via Transit Gateway which is connected to SECVPC. 

All the routes of VPC SpokeA and SpokeB are directed to TransitGateway and Transit Gateway routes to SECVPC. 

In SECVPC , I have route to NAT Gateway or NAT Instance. [disabled src/dst for NAT Instance] I am able to send traffic from SECVPC to internet without issue. 

But, SpokeA and SpokeB aren’t able to reach Internet via SECVPC NAT Gateway or NAT Instance. 

Any thoughts ?

Akhil Baburaj

Based on the information provided I see you have routing in place to reach Internet(one way). However, is the route in the SECVPC to reach the spoke VPCs? Do you have the route in the private subnet of SECVPC for spoke A and B CIDR towards TGW? The TGW attachment in the SECVPC must be in a non public subnet and this subnet should have towards NAT-G or NAT-I and spoke A & B CIDR towards TGW.

1 Answers


This does sound like it could be a routing issue as mentioned above,

Is this something you are trying to set up in production? If so I would get in touch with AWS and see if they can review your configuration, or at least look at your design?


Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?