Why can instances in my VPC still ping instances in a different subnet? - amazon-ec2

I have a VPC. In it I have two sub-nets (subnet-1, subnet-2).
Subnet-1 has these EC2 instances: 10.0.0.66, 10.0.0.83
Subnet-2 has these EC2 instances: 10.0.0.203, 10.0.0.208
I would expect to be able to ping from 10.0.0.66 to 10.0.0.83 and I can.
However, I would not expect to be able to ping from 10.0.0.203 to 10.0.0.83 but I can. I thought the whole point of a subnet was to keep instances in it isolated from other subnets? Why then can I ping across subnets?

Yes, you are able to ping/SSH all your instances within your VPC.
When you create your VPC with your preferred CIDR range, your main route table is created automatically, and it allows you to reach the whole CIDR range. It does not matter how many subnets you have created under the VPC. This is the default behavior in AWS.
If you want to block access from one subnet to another subnet, you can restrict it. Select the Network ACL associated with the VPC and edit the inbound rules. By default the source will be 0.0.0.0/0; specify the subnet which you want to access. You can also restrict based on protocol/port. After the changes, you can't reach it from the subnet which you have not allowed.
For reference: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
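To make the Network ACL approach from this answer concrete, here is an added example (not code from the answer or from AWS) that models how a VPC Network ACL decides on a packet: rules are checked in ascending rule-number order, the first match wins, and an implicit final rule denies anything unmatched. The subnet CIDRs 10.0.0.64/26 and 10.0.0.192/26 are assumptions made to contain the instance addresses in the question; the rule sets and helper names are constructed for this illustration.

```python
"""Model of how a VPC Network ACL evaluates traffic between two subnets.

Constructed for illustration: the subnet CIDRs are assumed (the question only
gives instance addresses), and the rule numbers are chosen to show ordering.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SUBNET_1 = "10.0.0.64/26"    # assumed to hold 10.0.0.66 and 10.0.0.83
SUBNET_2 = "10.0.0.192/26"   # assumed to hold 10.0.0.203 and 10.0.0.208


@dataclass(frozen=True)
class NaclRule:
    number: int        # evaluated in ascending order; the first match wins
    protocol: str      # "tcp", "udp", "icmp" or "all"
    cidr: str          # source CIDR for inbound rules, destination for outbound
    action: str        # "allow" or "deny"
    port_from: int = 0
    port_to: int = 65535


def evaluate(rules: List[NaclRule], protocol: str, addr: str,
             port: Optional[int] = None) -> str:
    """Return the action of the lowest-numbered matching rule.
    If no rule matches, the implicit final '*' rule denies the traffic."""
    ip = ipaddress.ip_address(addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if (rule.protocol in ("tcp", "udp") and port is not None
                and not rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"


# Inbound ACL for subnet-1: drop anything from subnet-2 before the catch-all allow.
SUBNET1_INBOUND = [
    NaclRule(100, "all", SUBNET_2, "deny"),
    NaclRule(200, "all", "0.0.0.0/0", "allow"),
]

# The same two rules with the numbers swapped: the allow-all now matches first and
# the deny is never consulted. This is the usual reason such a restriction "does not work".
SUBNET1_INBOUND_MISORDERED = [
    NaclRule(100, "all", "0.0.0.0/0", "allow"),
    NaclRule(200, "all", SUBNET_2, "deny"),
]

# Network ACLs are stateless: if the catch-all allow is narrowed to SSH, replies to
# subnet-1's own outbound TCP connections (which arrive on ephemeral ports) must be
# allowed explicitly, otherwise they are dropped by the implicit deny.
SUBNET1_INBOUND_TCP_ONLY = [
    NaclRule(100, "all", SUBNET_2, "deny"),
    NaclRule(110, "tcp", "0.0.0.0/0", "allow", 22, 22),
    NaclRule(120, "tcp", "0.0.0.0/0", "allow", 1024, 65535),
]


def ping_allowed(rules: List[NaclRule], src: str) -> bool:
    """Would an ICMP packet from `src` be admitted into subnet-1?"""
    return evaluate(rules, "icmp", src) == "allow"


if __name__ == "__main__":
    print("10.0.0.66  -> subnet-1:", ping_allowed(SUBNET1_INBOUND, "10.0.0.66"))
    print("10.0.0.203 -> subnet-1:", ping_allowed(SUBNET1_INBOUND, "10.0.0.203"))
    print("misordered, 10.0.0.203:", ping_allowed(SUBNET1_INBOUND_MISORDERED, "10.0.0.203"))
```

The misordered rule set is worth checking for whenever a deny appears to have no effect: once an allow-all sits at a lower number, nothing after it is consulted. Because a Network ACL is stateless and attaches to the subnet, narrowing the catch-all also means allowing the ephemeral-port range for return traffic; security groups, which are stateful and attach to instances, are the other place this kind of restriction can be enforced.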

Related

How do I look up the IP address range used by my AWS load balancer for creating instances?

My API accesses a service that wants to know what the possible IP address range is for the API so they can whitelist us. How do I know what IP addresses AWS may assign when the load balancer creates new instances?
Direct answer: AWS publishes its IP address ranges in a publicly accessible JSON file. IP ranges are associated with a region and a service, and as you can imagine, there are a lot of them. At the current moment there are 71 CIDR blocks associated with EC2 in us-west-2, for example. That's as specific as you can get, though. So you'd have to supply your partner with all of the EC2 IP address ranges for your region in order to guarantee that they would permit any IP address assigned to an instance your autoscale group might start up. Oh, and they do change periodically, so your partner would have to maintain that list.
Suggestion: Sounds like you have your EC2 instances in public subnets and are assigning public IPs to them. Instead, you can create your EC2 instances in private subnets and use a NAT Gateway to allow them to access the Internet. If you do this, the source IP for outbound traffic will be the Elastic IP address you assign to the NAT gateway. So you can give your partner a definite IP address they can permit to access their service.
Using a private subnet for your EC2 instances also reduces your attack surface area, since the EC2 instances won't have individual public IP addresses.
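For the "direct answer" above, here is an added example (not code from the answer or from AWS) that turns the published ip-ranges.json into the list a partner would need: it filters to one service and region, merges adjacent blocks, and diffs two publications, since the ranges change over time. The real document is at https://ip-ranges.amazonaws.com/ip-ranges.json; the two sample documents below are constructed stand-ins with the same fields, using documentation prefixes only, so the script runs offline. The function names are mine.

```python
"""Derive a partner allowlist of EC2 address ranges for one region from the
shape of AWS's ip-ranges.json.

SAMPLE and SAMPLE_NEXT are constructed documents with the same fields as the
real file (https://ip-ranges.amazonaws.com/ip-ranges.json), so this runs offline.
"""
import ipaddress
import json
from typing import List, Tuple


def _doc(prefixes) -> str:
    """Build a minimal ip-ranges.json-shaped document from (prefix, region, service)."""
    return json.dumps({
        "syncToken": "0",
        "createDate": "2000-01-01-00-00-00",
        "prefixes": [
            {"ip_prefix": p, "region": r, "service": s, "network_border_group": r}
            for p, r, s in prefixes
        ],
        "ipv6_prefixes": [],
    })


SAMPLE = _doc([
    ("192.0.2.0/24", "us-west-2", "EC2"),
    ("198.51.100.0/25", "us-west-2", "EC2"),
    ("198.51.100.128/25", "us-west-2", "EC2"),
    ("203.0.113.0/24", "us-east-1", "EC2"),
    ("203.0.113.0/24", "us-west-2", "S3"),     # same prefix, different service
])

# A later publication of the file: one more EC2 block has appeared in us-west-2.
SAMPLE_NEXT = _doc([
    ("192.0.2.0/24", "us-west-2", "EC2"),
    ("198.51.100.0/25", "us-west-2", "EC2"),
    ("198.51.100.128/25", "us-west-2", "EC2"),
    ("203.0.113.0/24", "us-east-1", "EC2"),
    ("203.0.113.0/24", "us-west-2", "S3"),
    ("203.0.113.128/25", "us-west-2", "EC2"),
])


def ec2_allowlist(doc: str, region: str) -> List[str]:
    """EC2 IPv4 prefixes for `region`, merged into the fewest CIDRs.
    Two adjacent /25s collapse into one /24, which keeps the partner's list short."""
    data = json.loads(doc)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"]
            if p["service"] == "EC2" and p["region"] == region]
    return [str(n) for n in sorted(ipaddress.collapse_addresses(nets))]


def allowlist_changes(old_doc: str, new_doc: str,
                      region: str) -> Tuple[List[str], List[str]]:
    """(added, removed) between two publications; whoever maintains the
    allowlist has to re-run this regularly because the ranges change."""
    old = set(ec2_allowlist(old_doc, region))
    new = set(ec2_allowlist(new_doc, region))
    return sorted(new - old), sorted(old - new)


def contains(doc: str, region: str, address: str) -> bool:
    """True if `address` falls inside any published EC2 prefix for the region."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in ec2_allowlist(doc, region))


if __name__ == "__main__":
    print(ec2_allowlist(SAMPLE, "us-west-2"))
    print(allowlist_changes(SAMPLE, SAMPLE_NEXT, "us-west-2"))
```

Against the real file the us-west-2 EC2 list runs to dozens of blocks, which is exactly the maintenance burden the answer warns about; the NAT Gateway suggestion replaces that whole list with one Elastic IP that `contains` can confirm sits inside the published set.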

Amazon - can't connect to instance behind VPC

For testing purposes, I set up a VPC on Amazon and created an instance within the VPC. I've added a gateway for the 0.0.0.0/0 address to the attached routing table, and given the instance an elastic IP address. I'm unable to ssh or ping it, even when I set the security group to allow all traffic. I must be missing something obvious. What am I doing wrong?
It turns out that when I created the instance, I accepted the default security group, which only allows access from a specific IP address. When I added another instance, I created it with a security group which allowed all traffic, and I was able to ping it.

Can EC2 instances in different regions communicate over their private IP addresses?

I have two EC2 instances from an Ubuntu image; they are located in different regions.
I just want to ask whether they can communicate over the private IP addresses?
I have opened the required ports with a security group. I use netcat to test the communication, but it only works when I use the public IP addresses.
It is not possible to communicate between Amazon EC2 regions via the private IP addresses (except if you set up a VPN and respective routing for this; see the section VPN Solution below). Traffic between regions is in fact passing over the public internet and is not distinguishable from any other internet traffic; see e.g. the following FAQs from the Region and Availability Zone FAQ:
Can instances use group-based firewall rules across Regions? - No. Group-based firewall rules only work within a Region. If you need instances to communicate with each other across Regions, you should use CIDR based firewall rules. [...]
What is the cost for data transfer between Regions? - Data transferred from one Region to another is charged at both sides at the Internet data transfer rate.
This applies to an Amazon VPC as well; see e.g. the FAQ Can Amazon EC2 instances within a VPC in one region communicate with Amazon EC2 instances within a VPC in another region?:
Yes, as long as all communication takes place over the Internet Gateway of each VPC and uses the Elastic IP addresses assigned to the instances in each VPC. Please note: security groups cannot span regions. All traffic filtering between instances in one VPC and instances in another VPC must use the Elastic IP addresses as the specified source or destination address. [emphasis mine]
VPN Solution
AWS has meanwhile released two walkthroughs describing a solution for Connecting Multiple VPCs with EC2 Instances based on either IPsec or OpenVPN:
Connecting Multiple VPCs with EC2 Instances (IPSec)
Please note that this tutorial facilitates Openswan, but you can achieve the same with strongSwan (or even the Linux IPsec stack built in as of kernel 2.6+; see e.g. IPsec L2TP VPN server).
Connecting Multiple VPCs with EC2 Instances (SSL)
Now you can do it with an AWS VPC peering connection.
It enables the resources in two VPCs that are in different regions, even in different accounts, to communicate over private IP addresses, just as in the same LAN.
One thing you need to know is that the CIDR blocks you choose for both of your VPCs must not be in conflict. Otherwise, the peering connection can't be made successfully.
See the official doc about VPC peering connections.
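The CIDR condition in this answer is easy to check before requesting the peering, and the route-table work that follows acceptance is mechanical. Here is an added example (not code from the answer or from AWS) that does both: it reports every overlapping pair of blocks across a set of VPCs, and lists the route entries each side needs once a conflict-free pair is peered. The VPC names, CIDR blocks and the route target `pcx-EXAMPLE` are constructed placeholders, and the function names are mine.

```python
"""Pre-flight checks for a VPC peering connection.

Added example: VPC names, CIDRs and the 'pcx-EXAMPLE' route target are
constructed placeholders, not values from the question or from AWS.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# A VPC may carry several IPv4 CIDR blocks; every block of one VPC is checked
# against every block of the other.
VPCS: Dict[str, List[str]] = {
    "vpc-eu (eu-west-1)": ["10.0.0.0/16"],
    "vpc-us (us-east-1)": ["10.0.0.0/16"],              # identical to vpc-eu: cannot be used
    "vpc-us2 (us-east-1)": ["10.1.0.0/16", "172.16.0.0/20"],
}

Conflict = Tuple[str, str, str, str]      # (vpc_a, block_a, vpc_b, block_b)
Route = Tuple[str, str, str]              # (vpc, destination, target)


def peering_conflicts(vpcs: Dict[str, List[str]]) -> List[Conflict]:
    """Every overlapping pair of CIDR blocks belonging to different VPCs."""
    conflicts: List[Conflict] = []
    for (a, a_blocks), (b, b_blocks) in combinations(sorted(vpcs.items()), 2):
        for ca in a_blocks:
            for cb in b_blocks:
                if ipaddress.ip_network(ca).overlaps(ipaddress.ip_network(cb)):
                    conflicts.append((a, ca, b, cb))
    return conflicts


def peering_routes(vpcs: Dict[str, List[str]], a: str, b: str,
                   pcx_id: str = "pcx-EXAMPLE") -> List[Route]:
    """Route-table entries each side needs after the peering is accepted: every
    block of the peer becomes a destination pointing at the peering connection.
    Refuses to plan routes for a pair whose blocks overlap."""
    if peering_conflicts({a: vpcs[a], b: vpcs[b]}):
        raise ValueError(f"{a} and {b} have overlapping CIDR blocks; peering cannot be used")
    return ([(a, dest, pcx_id) for dest in vpcs[b]]
            + [(b, dest, pcx_id) for dest in vpcs[a]])


if __name__ == "__main__":
    for a, ca, b, cb in peering_conflicts(VPCS):
        print(f"conflict: {a} {ca} overlaps {b} {cb}")
    for vpc, dest, target in peering_routes(VPCS, "vpc-eu (eu-west-1)", "vpc-us2 (us-east-1)"):
        print(f"{vpc}: {dest} -> {target}")
```

Routes alone are not enough: the security groups on each side still have to admit the peer's traffic, and since, as the FAQ quoted above says, security groups cannot span regions, those rules reference the peer VPC's CIDR blocks rather than a group.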

Amazon ELB in VPC

We're using Amazon EC2, and we want to put an ELB (load balancer) in front of 2 instances on a private subnet. If we just add the private subnet to the ELB, it will not get any connections; if we attach both subnets to the ELB then it can access the instances, but it often gets time-outs. Has anyone successfully implemented an ELB within the private subnet of their VPC? If so, could you perhaps explain the procedure to me?
Thanks
My teammate and I have just implemented an ELB in a VPC with 2 private subnets in different availability zones. The reason you get timeouts is that for each subnet you add to the load balancer, it gets one external IP address (try 'dig elb-dns-name-here' and you will see several IP addresses). If one of these IP addresses maps to a private subnet, it will time out. The IP that maps into your public subnet will work. Because DNS may give you any one of the IP addresses, sometimes it works, sometimes it times out.
After some back and forth with Amazon, we discovered that the ELB should only be placed in 'public' subnets, that is, subnets that have a route out to the Internet Gateway. We wanted to keep our web servers in our private subnets but allow the ELB to talk to them. To solve this, we had to ensure that we had a corresponding public subnet for each availability zone in which we had private subnets. We then added the public subnets for each availability zone to the ELB.
At first, this didn't seem to work, but after trying everything, we recreated the ELB and everything worked as it should. I think this is a bug, or the ELB was just in an odd state from so many changes.
Here is more or less what we did:
WebServer-1 is running in PrivateSubnet-1 in availability zone us-east-1b with security group called web-server.
WebServer-2 is running in PrivateSubnet-2 in availability zone us-east-1c with security group called web-server.
Created a public subnet in zone us-east-1b, we'll call it PublicSubnet-1. We ensured that we associated the routing table that includes the route to the Internet Gateway (ig-xxxxx) with this new subnet. (If you used the wizard to create a public/private VPC, this route already exists.)
Created a public subnet in zone us-east-1c, we'll call it PublicSubnet-2. We ensured that we associated the routing table that includes the route to the Internet Gateway (ig-xxxxx) with this new subnet. (If you used the wizard to create a public/private VPC, this route already exists.)
Created a new ELB, adding to it PublicSubnet-1 and PublicSubnet-2 (not the PrivateSubnet-X). Also, picked the instances to run in the ELB, in this case WebServer-1 and WebServer-2. Made sure to assign a security group that allows incoming port 80 and 443. Let's call this group elb-group.
In the web-server group, allow traffic from port 80 and 443 from the elb-group.
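The steps above amount to three checks: every subnet attached to the ELB has a default route to an internet gateway, every availability zone that holds a web server has such a public subnet on the ELB, and the web-server group admits 80 and 443 from the ELB's group. Here is an added example (not code from the answer or from AWS) that runs those checks over a constructed topology mirroring the one described: the subnet, instance and group names follow the answer, while the route target `igw-EXAMPLE`, the VPC CIDR and the helper names are my placeholders.

```python
"""Sanity checks for placing an ELB in front of instances in private subnets.

The topology is constructed to mirror the answer: 'igw-EXAMPLE' stands in for a
real internet gateway id and 10.0.0.0/16 is an assumed VPC CIDR.
"""
from typing import Dict, List, Sequence, Tuple

ROUTE_TABLES: Dict[str, List[Tuple[str, str]]] = {
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "rtb-private": [("10.0.0.0/16", "local")],
}
SUBNETS: Dict[str, Dict[str, str]] = {
    "PrivateSubnet-1": {"az": "us-east-1b", "route_table": "rtb-private"},
    "PrivateSubnet-2": {"az": "us-east-1c", "route_table": "rtb-private"},
    "PublicSubnet-1": {"az": "us-east-1b", "route_table": "rtb-public"},
    "PublicSubnet-2": {"az": "us-east-1c", "route_table": "rtb-public"},
}
INSTANCES: Dict[str, str] = {"WebServer-1": "PrivateSubnet-1", "WebServer-2": "PrivateSubnet-2"}
# group name -> inbound rules as (port, source); a source is a CIDR or another group's name
SECURITY_GROUPS: Dict[str, List[Tuple[int, str]]] = {
    "elb-group": [(80, "0.0.0.0/0"), (443, "0.0.0.0/0")],
    "web-server": [(80, "elb-group"), (443, "elb-group")],
}


def is_public(subnet: str, subnets=SUBNETS, route_tables=ROUTE_TABLES) -> bool:
    """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
    routes = route_tables[subnets[subnet]["route_table"]]
    return any(dest == "0.0.0.0/0" and target.startswith("igw-") for dest, target in routes)


def check_elb_placement(elb_subnets: Sequence[str], instances=INSTANCES,
                        subnets=SUBNETS, route_tables=ROUTE_TABLES) -> List[str]:
    """Problems with the subnets chosen for the ELB; an empty list means the
    layout matches what the answer arrived at."""
    problems: List[str] = []
    public = [s for s in elb_subnets if is_public(s, subnets, route_tables)]
    for s in elb_subnets:
        if s not in public:
            problems.append(f"{s} has no 0.0.0.0/0 route to an internet gateway; "
                            "ELB nodes placed there will time out")
    covered = {subnets[s]["az"] for s in public}
    for name, s in instances.items():
        az = subnets[s]["az"]
        if az not in covered:
            problems.append(f"{name} runs in {az} but the ELB has no public subnet in that AZ")
    return problems


def check_backend_access(web_group: str, elb_group: str, groups=SECURITY_GROUPS,
                         ports: Sequence[int] = (80, 443)) -> List[str]:
    """The backend group must reference the ELB's group (not a CIDR) on each port."""
    rules = set(groups.get(web_group, []))
    return [f"{web_group} does not allow port {p} from {elb_group}"
            for p in ports if (p, elb_group) not in rules]


if __name__ == "__main__":
    print("as in the question:", check_elb_placement(["PublicSubnet-1", "PrivateSubnet-2"]))
    print("as in the answer:  ", check_elb_placement(["PublicSubnet-1", "PublicSubnet-2"]))
    print("group rules:       ", check_backend_access("web-server", "elb-group"))
```

Running the mixed case reproduces the intermittent timeouts from the question: one ELB node lands in a subnet with no internet gateway route, and one web server sits in an availability zone the ELB cannot reach. The same `is_public` test is the condition under which an Elastic IP is usable on an instance, which is the point made in the last answer on this page.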
The key here is understanding that you are not "adding subnets/availability zones" to the ELB, but rather specifying what subnets to put ELB instances into.
Yes, ELB is a software load balancer, and when you create an ELB object, a custom load-balancing EC2 instance is put into all the subnets that you specified. So for the ELB (its instances) to be accessible, they have to be put into the subnets that have a default route configured via the IGW (most likely you classified these subnets as public).
So, as was already answered above, you have to specify "public" networks for the ELB, and those networks should be from the AZs where your EC2 instances are running. In this case the ELB instances will be able to reach your EC2 instances (as long as security groups are configured correctly).
We've implemented an ELB in a private subnet, so the statement that all ELBs need to be public isn't completely true. You do need a NAT. Create a private subnet for the private ELBs, turn on VPC DNS and then make sure the private routing table is configured to go through the NAT. The subnet security groups also need to be set up to allow traffic between the ELB and App, and App to DB subnets.
Beanstalk health checks won't work as they can't reach the load balancer, but for services that need to be outside of the public reach this is a good compromise.
Suggested reading to get your VPC architecture started: http://blog.controlgroup.com/2013/10/14/guided-creation-of-cloudformation-templates-for-vpc/.
You must add the following settings.
Public subnet zone b = Server NAT
Private subnet zone c = Server Web
Public subnet zone c = ELB
The trick is routing:
The route for the NAT is attached to gateway A.
The route for Server Web is attached to the NAT.
The route for the public subnet is attached to gateway A.
ELB details:
1. Zone: Public subnet zone c
2. Instance: Server Web
3. Security Groups: enable ports
http://docs.amazonaws.cn/en_us/ElasticLoadBalancing/latest/DeveloperGuide/UserScenariosForVPC.html
Adding a diagram to Nathan's answer. Full medium post here: https://nav7neeet.medium.com/load-balance-traffic-to-private-ec2-instances-cb07058549fd

Why am I unable to associate an Elastic IP to an EC2 instance in a second VPC on AWS?

I have had for a long time a VPC (with 1 subnet) on Amazon Web Services (AWS) with several instances, each having an Elastic IP address.
For new needs, I have defined a second VPC (also with 1 subnet) on the same account. For some reason, I can't associate an EIP (which is allocated with no problem) to instances launched in VPC #2: the interactive wizard of the console only presents me the instances of the first VPC.
Is it a known limitation or am I doing something wrong?
Two questions:
How many EIPs do you have on your account?
Is the 2nd VPC using a NAT instance to access the Internet?
EIP addresses should only be used on instances in subnets configured to route their traffic directly to the Internet Gateway. EIPs cannot be used on instances in subnets configured to use a NAT instance to access the Internet. (aws.amazon.com)
