I'm working with a VPC in the eu-west-1 region with a CIDR block of `192.168.252.0/22`, which is attached to a Transit Gateway (TGW) also in the same region, with routes propagated. I have another TGW in the eu-west-2 region that peers with this TGW. When I try to access a host with the IP address `192.168.252.168` in my VPC through the TGWs, things work fine if I set a static route for the entire VPC CIDR. However, I wanted to see if I could simplify this by adding a static route just for that host (`192.168.252.168/32`). This doesn't seem to work; it only lets me connect with a route for the whole CIDR. It's also strange because using `192.168.252.0/24` doesn't work either, even though that range includes the host's IP. Am I missing something here? I thought as long as a route matches the destination IP, it should be okay and not necessarily require routing for the whole VPC.
3 Answers
You should be able to use `/32` static routes without any issues if everything's configured correctly. Just confirm that you've got the right routes in both the source and destination VPC subnet route tables, along with the associated TGW route tables. Also, make sure that security groups and subnet ACLs are allowing the traffic through.
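To make the "check every table in both directions" advice concrete, here is an added example (not part of the answer above, and not AWS code): a small Python model of longest-prefix-match lookups chained across the subnet and TGW route tables in each region, traced forward and on the return path. The route tables, the `10.10.0.0/16` CIDR for the eu-west-2 VPC, and the table names are all constructed for illustration; a VPC attachment is modelled as a hop into that VPC's subnet route table, and a peering attachment as a hop into the other TGW's route table.

```python
"""Model of longest-prefix-match routing across peered Transit Gateways.

Constructed example: the route tables below are hypothetical, not captured
from an AWS account. Each entry is (prefix, target), where target is either
another route table name (a hop over an attachment) or "local" (delivered).
"""
import ipaddress

# Hypothetical eu-west-2 VPC CIDR; the eu-west-1 VPC uses the CIDR from the post.
VPC_EUW2 = "10.10.0.0/16"
VPC_EUW1 = "192.168.252.0/22"
HOST_EUW1 = "192.168.252.168"

TABLES = {
    # Subnet route table in the eu-west-2 VPC: send the whole RFC1918 block
    # that covers the remote VPC to the local TGW attachment.
    "subnet-euw2": [(VPC_EUW2, "local"), ("192.168.0.0/16", "tgw-euw2")],
    # eu-west-2 TGW route table: propagated VPC route plus a /32 static route
    # pointing at the peering attachment (the setup the asker wants).
    "tgw-euw2": [(VPC_EUW2, "subnet-euw2"), (HOST_EUW1 + "/32", "tgw-euw1")],
    # eu-west-1 TGW route table: propagated VPC route plus a static return
    # route for the eu-west-2 VPC over the peering attachment.
    "tgw-euw1": [(VPC_EUW1, "subnet-euw1"), (VPC_EUW2, "tgw-euw2")],
    # Subnet route table in the eu-west-1 VPC: return traffic goes to the TGW.
    "subnet-euw1": [(VPC_EUW1, "local"), (VPC_EUW2, "tgw-euw1")],
}


def lookup(route_table, dst):
    """Return the target of the most specific route matching dst, else None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def trace(tables, start, dst, max_hops=8):
    """Chain lookups from route table `start` toward dst.

    Returns (hops, delivered). delivered is False if some table has no
    matching route, which is exactly the failure a one-way test can hide.
    """
    hops = [start]
    current = start
    for _ in range(max_hops):
        target = lookup(tables[current], dst)
        if target is None:
            return hops, False
        if target == "local":
            return hops, True
        hops.append(target)
        current = target
    return hops, False


def reachable(tables, src_table, src_ip, dst_table, dst_ip):
    """A TCP session needs both the forward and the return path to resolve."""
    fwd, ok_fwd = trace(tables, src_table, dst_ip)
    rev, ok_rev = trace(tables, dst_table, src_ip)
    return ok_fwd and ok_rev, fwd, rev


def without_return_route(tables):
    """Same tables, but the eu-west-1 TGW has no static route back to eu-west-2."""
    broken = {name: list(routes) for name, routes in tables.items()}
    broken["tgw-euw1"] = [r for r in broken["tgw-euw1"] if r[0] != VPC_EUW2]
    return broken


if __name__ == "__main__":
    ok, fwd, rev = reachable(TABLES, "subnet-euw2", "10.10.1.5", "subnet-euw1", HOST_EUW1)
    print("complete tables:", ok, fwd, rev)
    ok, fwd, rev = reachable(without_return_route(TABLES), "subnet-euw2", "10.10.1.5",
                             "subnet-euw1", HOST_EUW1)
    print("missing return route:", ok, fwd, rev)
```

The lookup honours longest prefix, so a `/32` beats a `/22` for the host while the `/22` still carries the rest of the VPC; the interesting output is the second trace, where the forward path is complete but the reverse lookup in `tgw-euw1` returns no route, which is the kind of one-sided gap worth ruling out table by table before suspecting the `/32` itself.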
That's pretty strange. Remember, TGWs don't have visibility into CIDR blocks across different regions or TGWs, meaning that the other TGW could even be in a different AWS account. Usually, routing will prefer the most specific route available.
Have you tried running the VPC Reachability Analyzer? It often points out any simple configuration issues that could be causing problems.
Interestingly, the Reachability Analyzer did indicate that both setups were reachable with no issues, but I still run into problems when testing in a browser or terminal—they just hang unless I have the `/22` route.
It's odd that having both `192.168.252.168/32` and `192.168.252.0/22` in place lets you access `192.168.252.168`, but removing `192.168.252.0/22` breaks this access. The system should default to the more specific `192.168.252.168/32` route.