When AWS marks a route as blackhole, it means the route target — the NAT Gateway, EC2 instance, VPC endpoint, or network interface the route was pointing to — no longer exists. Any traffic that matches the route is silently dropped.
What Causes a Blackhole Route
The most common causes:
- NAT Gateway deleted — the private subnet route 0.0.0.0/0 → nat-xxxxx still exists after the NAT Gateway was removed. This is by far the most frequent cause.
- EC2 instance terminated — the instance was used as a NAT instance or VPN endpoint and has since been stopped or terminated.
- VPC endpoint deleted — a Gateway endpoint for S3 or DynamoDB was removed but the route table still has the pl-xxxxx prefix list route.
- Network interface deleted — the route pointed to an ENI that was removed.
AWS doesn't clean up routes when you delete the target. The route stays — it just enters blackhole state.
How to Find All Blackhole Routes
This command finds every blackhole route across all route tables in the region:
aws ec2 describe-route-tables \
--query 'RouteTables[*].{ID:RouteTableId,Routes:Routes[?State==`blackhole`]}' \
--output json | jq '.[] | select(.Routes | length > 0)'
To check a specific route table:
aws ec2 describe-route-tables \
--route-table-ids rtb-0abc123 \
--query 'RouteTables[*].Routes[?State==`blackhole`]'
How to Fix It
Option 1 — Delete the blackhole route (if you no longer need that connectivity):
# Delete the default route pointing to a deleted NAT GW
aws ec2 delete-route \
--route-table-id rtb-0abc123 \
--destination-cidr-block 0.0.0.0/0
Option 2 — Replace it with a valid target (if connectivity is still needed):
# Replace blackhole route with a new NAT Gateway
aws ec2 replace-route \
--route-table-id rtb-0abc123 \
--destination-cidr-block 0.0.0.0/0 \
--nat-gateway-id nat-0new123
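The two CLI queries above find blackhole routes, and the two fixes above remove or replace one route at a time. The script below, added here as an example and not part of the original article or of Netway, does the same audit over the JSON that aws ec2 describe-route-tables --output json produces: it collects every route whose State is blackhole, records the stale target and its kind, and emits the matching delete-route or replace-route command. One detail the article's examples do not show is that the destination flag depends on the route: a prefix list route (the deleted Gateway endpoint case) is addressed with --destination-prefix-list-id and an IPv6 route with --destination-ipv6-cidr-block, not --destination-cidr-block. The embedded response is constructed sample data with made-up IDs; the fetch_route_tables helper is for live use and assumes boto3 is installed with credentials available.

```python
"""Audit blackhole routes in describe-route-tables output and emit remediation commands."""
import json
import sys

# Route fields that name the route's target; a blackhole route still carries the stale ID.
TARGET_KEYS = (
    "NatGatewayId", "InstanceId", "NetworkInterfaceId", "GatewayId",
    "VpcPeeringConnectionId", "TransitGatewayId", "EgressOnlyInternetGatewayId",
)

# Target flags accepted by `aws ec2 replace-route`.
REPLACE_TARGET_FLAGS = {
    "--nat-gateway-id", "--gateway-id", "--instance-id", "--network-interface-id",
    "--vpc-peering-connection-id", "--transit-gateway-id", "--vpc-endpoint-id",
}

# Constructed sample of `aws ec2 describe-route-tables --output json`, trimmed to the
# fields the audit reads. Every ID below is made up.
SAMPLE_RESPONSE = {
    "RouteTables": [
        {
            "RouteTableId": "rtb-0abc123",
            "VpcId": "vpc-0aaa1111",
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0dead123", "State": "blackhole"},
                {"DestinationPrefixListId": "pl-0abc0001", "GatewayId": "vpce-0abc0456", "State": "blackhole"},
            ],
        },
        {
            "RouteTableId": "rtb-0def456",
            "VpcId": "vpc-0bbb2222",
            "Routes": [
                {"DestinationCidrBlock": "10.1.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "172.16.0.0/16", "VpcPeeringConnectionId": "pcx-0abc0789", "State": "blackhole"},
                {"DestinationIpv6CidrBlock": "::/0", "EgressOnlyInternetGatewayId": "eigw-0abc0abc", "State": "active"},
            ],
        },
    ]
}


def destination_of(route):
    """Return (cli_flag, value) for the route's destination; the flag depends on the destination type."""
    if "DestinationPrefixListId" in route:
        return "--destination-prefix-list-id", route["DestinationPrefixListId"]
    if "DestinationIpv6CidrBlock" in route:
        return "--destination-ipv6-cidr-block", route["DestinationIpv6CidrBlock"]
    return "--destination-cidr-block", route["DestinationCidrBlock"]


def find_blackhole_routes(response):
    """Walk every route table in a describe-route-tables response and collect blackhole routes."""
    findings = []
    for table in response.get("RouteTables", []):
        for route in table.get("Routes", []):
            if route.get("State") != "blackhole":
                continue
            flag, dest = destination_of(route)
            kind = next((k for k in TARGET_KEYS if k in route), None)
            findings.append({
                "route_table_id": table["RouteTableId"],
                "vpc_id": table.get("VpcId"),
                "destination_flag": flag,
                "destination": dest,
                "target_kind": kind,              # which field held the stale target
                "target": route.get(kind) if kind else None,
            })
    return findings


def delete_command(finding):
    """Option 1 from the article: drop the route when the connectivity is no longer needed."""
    return (f"aws ec2 delete-route --route-table-id {finding['route_table_id']} "
            f"{finding['destination_flag']} {finding['destination']}")


def replace_command(finding, target_flag, target_id):
    """Option 2 from the article: point the same destination at a live target."""
    if target_flag not in REPLACE_TARGET_FLAGS:
        raise ValueError(f"unsupported replace-route target flag: {target_flag}")
    return (f"aws ec2 replace-route --route-table-id {finding['route_table_id']} "
            f"{finding['destination_flag']} {finding['destination']} {target_flag} {target_id}")


def fetch_route_tables(region_name=None):
    """Live use only: page through every route table in the region with boto3 (assumed installed)."""
    import boto3  # imported lazily so the offline audit runs without boto3
    ec2 = boto3.client("ec2", region_name=region_name)
    tables = []
    for page in ec2.get_paginator("describe_route_tables").paginate():
        tables.extend(page["RouteTables"])
    return {"RouteTables": tables}


if __name__ == "__main__":
    # Usage: aws ec2 describe-route-tables --output json > rt.json && python audit.py rt.json
    response = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    for f in find_blackhole_routes(response):
        print(f"{f['route_table_id']} ({f['vpc_id']}): {f['destination']} -> {f['target']} [{f['target_kind']}]")
        print("  " + delete_command(f))
```

Run against the sample, the report lists three blackhole routes (a NAT Gateway, a prefix list route to a Gateway endpoint, and a peering connection) and prints a ready-to-review delete-route line for each; pass the NAT finding to replace_command with --nat-gateway-id to produce the article's Option 2 instead.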
Why This Happens in Multi-VPC Environments
Blackhole routes accumulate quietly. A NAT Gateway gets deleted to save costs. An old test VPC gets torn down but its peering routes remain in the main route table. A VPC endpoint is removed during a refactor. None of these announce themselves — the route just sits there in blackhole state until something breaks.
In environments with many VPCs and route tables, a periodic audit is the only reliable way to catch them. Netway flags blackhole routes automatically as part of its topology scan.
Frequently Asked Questions
What does "route table entry points to blackhole" mean in AWS?
It means a route in your route table has a target that no longer exists — a deleted NAT Gateway, terminated instance, or removed VPC endpoint. AWS marks the route state as blackhole and silently drops all matching packets.
How do I find blackhole routes in AWS?
Run: aws ec2 describe-route-tables --query 'RouteTables[*].Routes[?State==`blackhole`]' — this returns all blackhole routes across all route tables in the current region.
Does AWS automatically remove blackhole routes?
No. AWS does not clean up routes when you delete the target. The route stays in blackhole state indefinitely until you manually delete or replace it.