xxx.xx.xx.1/27 and xxx.xx.x.1/24, are experiencing intermittent connectivity disruptions. At various times both segments lose inter-segment connectivity and become unreachable from other logical segments and, potentially, from external networks. Connectivity is consistently restored by logging in to the NSX Manager UI, disabling gateway connectivity on the associated Tier-1 (T1) Gateway, and then re-enabling it.
Communication between these NSX-T segments and AWS occurs via a Site-to-Site IPsec VPN tunnel with BGP for dynamic routing, connecting an NSX-T Edge Node to an AWS Virtual Private Gateway (VGW) or Transit Gateway (TGW). Two VPN tunnels are configured for redundancy.
Just as in NSX-T, where Tier-0 and Tier-1 Gateways (the successors of the NSX-V Edge Services Gateway and Distributed Logical Router) handle Layer 3 routing for logical segments, AWS VPC route tables are what actually decide Layer 3 forwarding inside the VPC. Every subnet is associated with exactly one route table (explicitly, or implicitly with the VPC's main route table), and that table dictates where traffic originating from the subnet is sent. A BGP-learned route back to an NSX segment exists in a VPC route table only while route propagation from the VGW is enabled on that table and at least one tunnel's BGP session is still advertising the prefix; if the advertisement is withdrawn or flaps, the propagated route disappears and traffic for the segment falls through to a less specific route (typically the default route), which makes the segment unreachable from AWS even though the VPN tunnels themselves still report up. Two further route-table behaviours can produce the same symptom: AWS prefers a static route over a propagated route to the same prefix, so a stale static route can silently shadow what BGP is delivering, and a route whose target has gone away is left in the table in the blackhole state. The fact that toggling the T1 gateway restores service is consistent with this picture, since the T1 then re-advertises its connected segments to the T0, which re-advertises them over BGP and refreshes the propagated routes on the AWS side.
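To make the route-table checks above concrete, the following is an added example for this writeup (not part of the original notes, nor VMware or AWS tooling). It evaluates one element of the RouteTables[] array that `aws ec2 describe-route-tables` returns, applying AWS's selection rules (longest prefix match, then local over static over propagated), and reports for each NSX segment prefix whether it is reached via a propagated route, shadowed by a static route, blackholed, or falling through to a broader route because the BGP advertisement is gone. The route table, gateway IDs and segment prefixes are constructed placeholders standing in for the redacted values in the text, so it runs offline.

```python
"""
Evaluate an AWS VPC route table for the return routes to NSX-T segments.

Added example for this writeup; not part of the original notes or of any
VMware/AWS tooling. Operates on the JSON shape returned by
`aws ec2 describe-route-tables` (one element of RouteTables[]), using a
constructed sample so it runs offline. All IDs and prefixes are placeholders
standing in for the redacted segment prefixes in the text.
"""
import ipaddress

# Constructed sample in the describe-route-tables shape (placeholder IDs/prefixes).
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0placeholder",
    "PropagatingVgws": [{"GatewayId": "vgw-0placeholder"}],
    "Associations": [{"SubnetId": "subnet-0placeholder", "Main": False}],
    "Routes": [
        {"DestinationCidrBlock": "10.50.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        # Route learned over the VPN via BGP: the one that vanishes when the
        # NSX side stops advertising the segment.
        {"DestinationCidrBlock": "192.0.2.0/24", "GatewayId": "vgw-0placeholder",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
        # A static route for the /27 added by hand; AWS prefers it over the
        # propagated /27 below for the same prefix.
        {"DestinationCidrBlock": "198.51.100.0/27", "GatewayId": "vgw-0placeholder",
         "Origin": "CreateRoute", "State": "active"},
        {"DestinationCidrBlock": "198.51.100.0/27", "GatewayId": "vgw-0placeholder",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0placeholder",
         "Origin": "CreateRoute", "State": "active"},
    ],
}

NSX_SEGMENTS = ["198.51.100.0/27", "192.0.2.0/24"]  # placeholders for the two segments
VGW_ID = "vgw-0placeholder"

# AWS tie-break between routes of equal prefix length: local, then static,
# then BGP-propagated routes.
_ORIGIN_RANK = {"CreateRouteTable": 0, "CreateRoute": 1, "EnableVgwRoutePropagation": 2}


def _ipv4_routes(route_table):
    """IPv4 routes only; IPv6 and prefix-list routes use other keys and are skipped."""
    return [r for r in route_table["Routes"] if "DestinationCidrBlock" in r]


def select_route(route_table, prefix):
    """Return the route AWS would use for traffic to `prefix`, or None."""
    target = ipaddress.ip_network(prefix)
    candidates = [
        r for r in _ipv4_routes(route_table)
        if target.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))
    ]
    if not candidates:
        return None
    return min(
        candidates,
        key=lambda r: (
            -ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen,
            _ORIGIN_RANK.get(r.get("Origin"), 3),
        ),
    )


def propagation_enabled(route_table, vgw_id):
    """True if this table accepts BGP-propagated routes from the given VGW."""
    return any(g.get("GatewayId") == vgw_id for g in route_table.get("PropagatingVgws", []))


def classify(route_table, prefix):
    """Classify how `prefix` is reached from subnets that use this table."""
    chosen = select_route(route_table, prefix)
    if chosen is None:
        return "missing"
    if chosen.get("State") == "blackhole":
        return "blackhole"
    chosen_len = ipaddress.ip_network(chosen["DestinationCidrBlock"]).prefixlen
    if chosen_len < ipaddress.ip_network(prefix).prefixlen:
        # No route for the segment itself; traffic falls through to a broader
        # route (here the default route). This is what a withdrawn BGP
        # advertisement looks like from the VPC side.
        return "no-specific-route"
    if chosen.get("Origin") == "EnableVgwRoutePropagation":
        return "propagated"
    shadowed = any(
        r["DestinationCidrBlock"] == chosen["DestinationCidrBlock"]
        and r.get("Origin") == "EnableVgwRoutePropagation"
        for r in _ipv4_routes(route_table)
    )
    return "static-shadows-propagated" if shadowed else "static-only"


def assess(route_table, segments):
    """Map each NSX segment prefix to its classification."""
    return {seg: classify(route_table, seg) for seg in segments}


if __name__ == "__main__":
    print("propagation from", VGW_ID, "enabled:", propagation_enabled(SAMPLE_ROUTE_TABLE, VGW_ID))
    for seg, status in assess(SAMPLE_ROUTE_TABLE, NSX_SEGMENTS).items():
        print(f"{seg:20} {status}")
```

On the sample, the /24 is reported as `propagated` and the /27 as `static-shadows-propagated`; removing the propagated /24 route (what a withdrawn advertisement does) changes its result to `no-specific-route` with the default route to the internet gateway selected. Running it periodically against the real `describe-route-tables` output during an outage window would show whether the propagated routes are actually disappearing. For a Transit Gateway design the VPC route table only holds a static route to the TGW, and the BGP-learned routes live in the TGW route table, so the same classification would have to be applied to that table's routes instead.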
Our NSX-T side observations point to an issue external to our DFW and BGP session health, making the AWS routing plane a critical area for investigation.