A SysOps administrator is troubleshooting connectivity issues between an Amazon EC2 instance in a VPC and an on-premises data center connected via AWS Direct Connect. The EC2 instance can reach other instances in the same VPC but cannot reach the on-premises network. The virtual private gateway (VGW) is attached to the VPC and the Direct Connect virtual interface is up. Which configuration step should the administrator verify first?
This is required for traffic to flow from the VPC to on-premises via Direct Connect.
Why this answer
Option D is correct because for Direct Connect to work, a route for the on-premises CIDR must be added to the VPC route table with the virtual private gateway as its target. Without this route, traffic from the VPC to on-premises is dropped. Option A is wrong because the security group controls inbound/outbound traffic but does not affect routing.
Option B is wrong because network ACLs are stateless and would need to allow both inbound and outbound traffic, but the primary issue is routing. Option C is wrong because the VGW is already attached and the virtual interface is up, indicating the physical connection is fine.