Cannot route between subnets in different availability zones in AWS VPC - amazon-ec2

I have created a VPC on EC2 with 3 subnets.
VPC: 172.16.0.0/16
Subnet A: 172.16.1.0/24 (Zone 1b)
Subnet B: 172.16.3.0/24 (Zone 1a)
Subnet C: 172.16.4.0/24 (Zone 1b)
I can ping A <-> B and A <-> C but I cannot ping (or anything else) from B <-> C.
There are different but identical routing tables and network ACLs for the 3 subnets and a really permissive security group. The local routing tables on all the machines look sensible. There are no iptables rules anywhere.
What is going on?

The machines were all built from an AMI and freshly launched. It turns out that the machines needed a reboot to sort out their network settings.

Related

Two VPCs which are peered, need to get traffic to VPC B from a device at the other end of the VPN connection

AWS networking question - I have 2 VPCs (A & B) which are peered. I have a Site-to-Site VPN connected to VPC A. I need to get traffic to VPC B from a device at the other end of the VPN connection.
As you cannot jump across VPCs, I'm thinking of something like an Nginx proxy in VPC A which is the endpoint the device will forward traffic to, and then the traffic will be pushed on to the final endpoint in VPC B.
Can anyone else think of any other solutions? I cannot put the VPN in VPC B due to compliance issues.
Please use the approach below.
1) Use a Transit Gateway, which will scale as you add multiple VPCs.
2) Use an ELB in VPC A; the target server could be in VPC B.

NAT gateway for two AZones in one Region

I have 2 servers in different AZones in one region; they make outgoing connections to my clients. Right now each server has its own Elastic IP and an IP address from the internal subnet of each AZ. (First AZ - 172.30.0.0/20, second AZ - 172.30.16.0/20)
My goal is to make a NAT gateway, so that all outgoing connections from these servers (in two AZones) go through NAT with one Elastic IP.
As I understand it right now, I can create a NAT gateway only in one AZ, since I have to choose a subnet.
Question: Is it possible to make a NAT gateway work with two subnets (in my case, two AZs)? Maybe I should create a separate subnet?
Please, help.
Thanks in advance!
You can create a NAT gateway for both AZs. You need a public subnet (e.g. a subnet that has an internet gateway). You put the NAT gateway in that subnet. The subnets that your EC2 instances are in should be part of a route table that routes 0.0.0.0/0 to the NAT gateway. Look at the diagram, and in fact the whole article, here:
NAT Gateways - Amazon Virtual Private Cloud

Why can instances in my VPC still ping instances in different subnet?

I have a VPC. In it I have two sub-nets (subnet-1, subnet-2).
Subnet-1 has these EC2 instances: 10.0.0.66, 10.0.0.83
Subnet-2 has these EC2 instances: 10.0.0.203, 10.0.0.208
I would expect to be able to ping from 10.0.0.66 to 10.0.0.83 and I can.
However, I would not expect to be able to ping from 10.0.0.203 to 10.0.0.83 but I can. I thought the whole point of a subnet was to keep instances in it isolated from other subnets? Why then can I ping across subnets?
Yes, you can ping/SSH all your instances within your VPC.
When you create your VPC with your preferred CIDR range, your main route table will be created automatically, and it will allow you to reach the whole CIDR range. It does not matter how many subnets you have created under the VPC. This is the default behavior in AWS.
If you want to block access from one subnet to another subnet, you can restrict it. Select the Network ACL associated with the VPC and edit the inbound rule. By default the source will be 0.0.0.0/0; specify the subnet which you want to allow access from. You can restrict based on protocol/port also. After the changes, you can't reach it from the subnet which you have not allowed.
For Reference : https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
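The two points made in the answers above can be modelled in a few lines: a NAT gateway sitting in one AZ's public subnet serves private subnets in both AZs purely through their route tables (the NAT gateway question), and the main route table's implicit local route lets instances in any subnet reach each other until a network ACL says otherwise (this question). The following is an added example, not code from any of the posts; the subnet CIDRs, rule numbers, the 172.30.0.0/16 VPC range and the NAT gateway name are assumptions made up for the illustration. It also shows the caveat the answer leaves out: NACLs are stateless, so the return half of a session needs its own rule in the opposite direction.

```python
"""Added example: a small model of VPC route lookup and network ACL evaluation.

Route tables: longest prefix match, and every table carries a 'local' route for
the whole VPC CIDR.  NACLs: rules evaluated in ascending rule-number order, first
match wins, implicit '*' deny at the end, and the ACL is stateless.
All CIDRs, rule numbers and target names below are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass


def route_lookup(route_table, dst):
    """Return the target of the most specific route matching dst, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


@dataclass
class NaclRule:
    number: int
    protocol: str   # "tcp", "udp", "icmp" or "all"
    cidr: str       # source for inbound rules, destination for outbound rules
    ports: tuple    # (low, high); ignored for icmp/all
    action: str     # "allow" or "deny"


def nacl_evaluate(rules, protocol, peer_ip, port):
    """Evaluate one direction of a NACL; falls through to the implicit '*' deny."""
    ip = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        return rule.action
    return "deny"


# --- cross-subnet ping question (VPC 10.0.0.0/16, subnets assumed as /26s) ---
MAIN_ROUTE_TABLE = [("10.0.0.0/16", "local")]        # the auto-created local route
SUBNET_1 = "10.0.0.64/26"    # constructed: holds 10.0.0.66 and 10.0.0.83
SUBNET_2 = "10.0.0.192/26"   # constructed: holds 10.0.0.203 and 10.0.0.208

DEFAULT_INBOUND = [NaclRule(100, "all", "0.0.0.0/0", (0, 65535), "allow")]
# Deny rule numbered below the catch-all allow, so it is matched first.
RESTRICTED_INBOUND = [
    NaclRule(90, "all", SUBNET_2, (0, 65535), "deny"),
    NaclRule(100, "all", "0.0.0.0/0", (0, 65535), "allow"),
]


def ping_across_subnets(inbound_rules, src, dst):
    """(route target, inbound NACL verdict at the destination subnet) for an ICMP echo."""
    target = route_lookup(MAIN_ROUTE_TABLE, dst)
    verdict = nacl_evaluate(inbound_rules, "icmp", src, None)
    return target, verdict


# --- stateless caveat: SSH in on 22 needs the reply out to an ephemeral port ---
SSH_INBOUND = [NaclRule(100, "tcp", "0.0.0.0/0", (22, 22), "allow")]
OUTBOUND_NO_EPHEMERAL = [NaclRule(100, "tcp", "0.0.0.0/0", (22, 22), "allow")]
OUTBOUND_WITH_EPHEMERAL = [NaclRule(100, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]


def ssh_session(outbound_rules, client_ip, client_port=49152):
    """Both halves of a TCP session must pass: SYN inbound to 22, SYN-ACK outbound."""
    inbound = nacl_evaluate(SSH_INBOUND, "tcp", client_ip, 22)
    outbound = nacl_evaluate(outbound_rules, "tcp", client_ip, client_port)
    return inbound, outbound


# --- NAT gateway question: one route table shared by private subnets in both AZs ---
PRIVATE_ROUTE_TABLE = [
    ("172.30.0.0/16", "local"),                       # assumed VPC CIDR
    ("0.0.0.0/0", "nat-gw-public-subnet-az-a"),       # NAT gateway lives in one AZ
]


def egress_target(dst):
    """Where a packet from a private subnet in either AZ is sent."""
    return route_lookup(PRIVATE_ROUTE_TABLE, dst)


if __name__ == "__main__":
    print(ping_across_subnets(DEFAULT_INBOUND, "10.0.0.203", "10.0.0.83"))
    print(ping_across_subnets(RESTRICTED_INBOUND, "10.0.0.203", "10.0.0.83"))
    print(ssh_session(OUTBOUND_NO_EPHEMERAL, "10.0.0.203"))
    print(egress_target("8.8.8.8"), egress_target("172.30.16.5"))
```

With the default NACL the cross-subnet ping is routed "local" and allowed; with rule 90 in place it is denied while traffic within subnet-1 still passes. The SSH case shows why an inbound-only rule is not enough on a stateless ACL. For the NAT setup, note that a NAT gateway is zonal: if the AZ hosting it fails, instances in the other AZ lose internet egress, which is why AWS recommends one NAT gateway per AZ when that matters more than keeping a single source EIP.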

Installing corosync and pacemaker on Amazon EC2 instances

I'm trying to setup a HA cluster for 2 amazon instances. The OS of my instances is CentOS7.
Hostnames:
master1.example.com
master2.example.com
IP internal:
10.0.0.x1
10.0.0.x2
IP public:
52.19.x.x
52.18.x.x
I'm following this tutorial:
http://jensd.be/156/linux/building-a-high-available-failover-cluster-with-pacemaker-corosync-pcs
[root@master1 centos]# pcs status nodes
Pacemaker Nodes:
Online: master1.example.com
Standby:
Offline: master2.example.com
while my master 2 is showing the following
[root@master2 centos]# pcs status nodes
Pacemaker Nodes:
Online: master2.example.com
Standby:
Offline: master1.example.com
But they should be online, both.
What am I doing wrong?
Which IP do I have to choose as Virtual IP? Because the IP's are not in the same subnet.
Change your security group rules to allow inbound and outbound TCP & HTTPS traffic between all cluster nodes. That should do it. (Pretty old question but unanswered, so I thought someone might need it.)

Why am I unable to associate an Elastic IP to an EC2 instance in a second VPC on AWS?

I have had for a long time a VPC (with 1 subnet) on Amazon Web Services (AWS) with several instances, each having an Elastic IP address.
For new needs, I have defined a second VPC (also with 1 subnet) on the same account. For some reason, I can't associate an EIP (which is allocated with no problem) to instances launched in VPC #2: the interactive wizard of the console only presents me the instances of the first VPC.
Is it a known limitation or am I doing something wrong?
Two questions:
How many EIPs do you have on your account?
Is the 2nd VPC using a NAT instance to access the Internet?
EIP addresses should only be used on instances in subnets configured to route their traffic directly to the Internet Gateway. EIPs cannot be used on instances in subnets configured to use a NAT instance to access the Internet. (aws.amazon.com)