Internet GW routing for internal traffic

Please consider two EC2s, A & B.

When I ping/telnet (consider SGs allow this) from A to B with private IPs, IGW doesn't participate, traffic gets sent from private IP as a SRC address of A to the private IP of B (similar to same subnet/VLAN concepts we know from traditional networking).

When I ping the EIP of B, I see traffic originating with the EIP of A as the SRC address, which gets sent to IGW, IGW sees the private IP of A, reroutes it internally (hair pinning?) and delivers to the private IP of B. So, the traffic never leaves the VPC boundary.

I cannot find concrete docs/ links for such a case, are my above observations correct?

Topics

Networking & Content Delivery

Tags

Amazon VPC Network Security

Language

English

Junaid Shahid

asked 21 days ago64 views

1 Answer

Newest
Most votes
Most comments

Accepted Answer

You are correct as the Routing Table for the Subnet has the VPC CIDR as Local.

0.0.0.0/0 default routes to IGW from public Subnet

EXPERT

Gary Mclean

answered 21 days ago

EXPERT

Oleksii Bebych

reviewed 3 days ago

EXPERT

Adeleke Adebowale J

reviewed 21 days ago

EXPERT

Riku_Kobayashi

reviewed 21 days ago

Junaid Shahid
21 days ago
Thanks. If I ping using the private IP, I don't need any rules in the SG (the self-referencing rule is enough), but when I ping B's EIP, traffic must go through IGW (where A's EIP gets mapped to its private IP), so as the traffic appears to be arriving from A's EIP, I do need to whitelist A's EIP in the SG. Looks unnecessary at first but if we look closely that's the right approach!
Gary Mclean EXPERT
21 days ago
You are correct. Ideally internal communication is always via a Private IP only. There are use cases but best practice is that EC2s do not have public IPs and use a Load balancer where needed for accessing EC2s from the internet. https://docs.aws.amazon.com/config/latest/developerguide/ec2-instance-no-public-ip.html

Relevant content

Can I route Internet traffic of EC2 server through AWS virtual private gateway and out from on-premise firewall (Gateway) ?
rePost-User-0430237
asked a year ago
AWS Network FW with NLB and return traffic from EC2 back to NLB private IP via FW?
Shiraz Malik
asked 9 months ago
Why does NAT GW get two IP address EIP and Private IP Address
rePost-User-2987011
asked a year ago
Is internal network traffic sent to private subnets via their NAT Server?
Accepted Answer
jvg
asked 10 months ago
How do I route traffic for an AWS Glue ETL job to a database through a static IP address?
AWS OFFICIALUpdated 9 months ago
I'm seeing inbound traffic in the VPC flow logs for my public NAT gateway. Is my public NAT gateway accepting inbound traffic from the internet?
AWS OFFICIALUpdated 2 years ago
How do I restrict traffic to and from Amazon VPC resources?
AWS OFFICIALUpdated 8 months ago
Why can't I connect to a service when the security group and network ACL allow inbound traffic?
AWS OFFICIALUpdated a year ago
Access a private Amazon Redshift from a local machine via a private EC2 instance
EXPERT
Ziad
published 7 months ago
External Traffic Fails to Reach EKS Pods with NLB Client IP Preservation
EXPERT
Shubham Sharan
published 8 months ago