Static routes with target as VM doesn't work

Question

I have two VMs in a VPC and both are in the same availability zones. There is only one route table which is the default route table.

One of the VM is acting as VPN endpoint connecting the private datacenter to VPC. Hence I added static routes of the Datacenter subnets with this VM as a target. The status of the route is "Active". When I ping an IP on this subnet, from the other VM, my expectation is the ping packets will reach this VM. I used tcpdump on this VM to confirm that. I am able to ping this VM's local IP from the other VM and able to see the packets with tcpdump. It seems to me the ping to the data center IP (even though it leaves the other VM - verified by tcpdump on the other VM) doesn't reach this VM as per the route configured and is dropped by the AWS network. I checked the security groups, and it permits ICMP from any source for both the VMs.

Any suggestions would be much appreciated

Answer

Here are some things to validate.

1. Ensure that you have disabled the Source/Dest check on the instance where you are running the VPN.  Instructions to do this are available here.
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_NAT_Instance.html#EIP_Disable_SrcDestCheck

2. Check that your Security Group on the VPN instance allows inbound traffic (probably All Traffic) for the CIDRs in the data center.

3. Enable flowlogs on the VPC (at least temporarily) and validate if your are seeing REJECTs on the VPN instance.

Static routes with target as VM doesn't work

Contenido relevante