How to determine if VPC subnet is public or private, EC2 instance cannot access Internet

0

Hey all, I am sorry if this is a silly question but I cannot tell if the VPC subnet I created is public or private. I am not seeing anything in the subnet details to tell me. Also, my EC2 instance cannot access the Internet. I set up a subnet for 10.0.40.0/24. Assuming the subnet was private, I created a NAT gateway attached to the VPC and created a route from the NAT gateway to the Internet. The EC2 instance in that VPC still cannot get online. So next I figured it may have been a public subnet. I created an Internet gateway in that VPC and created a route from the Internet gateway to the Internet. Still no luck, the instance still cannot get online. Everything is attached to the same VPC. I do not know what I am missing. It does not seem like this should be this hard but for whatever reason, I cannot figure it out. I read through the documentation at least five times and it still is not working. The NAT gateway is using a primary private IP of 10.0.40.254. The EC2 instance has IP 10.0.40.199, subnet 255.255.255.0, gateway 10.0.40.1, DNS 10.0.41.2. I do not know where it got that ethernet gateway IP from. 10.0.40.1 is reachable but 10.0.40.254 is not reachable. It would not let me set the primary private IP the same as the ethernet gateway. I also do not know where it got the DNS IP 10.0.40.2 from but that too is not reachable. So neither the NAT gateway nor the Internet gateway works despite having it in the routing table per the instructions.

asked 10 months ago, 2737 views
2 Answers
1
Accepted Answer

An EC2 instance cannot access the Internet if it does not have a public IP address, even if it is running on a public subnet with a route to the Internet Gateway.
Configure Elastic IP or enable automatic public IP assignment for subnets.
This document describes how to troubleshoot when you cannot connect to the Internet.
https://repost.aws/knowledge-center/ec2-connect-internet-gateway
For private subnets, the following document can be used for troubleshooting.
https://repost.aws/knowledge-center/ec2-internet-connectivity

I think the private subnet route table and the public subnet route table need to be separated.

EXPERT
answered 10 months ago
EXPERT
reviewed 10 months ago
  • Thanks for the reply. I have the EIP allocated but it is attached to the NAT gateway. So I am trying to follow article 2 on private subnets so that multiple EC2 instances in my VPC can use that same EIP. The article says to make sure I create the NAT gateway in the public subnet. I still cannot figure out if my subnet is public or private. How do I make that determination?

  • I came to the conclusion that the setup is wrecked so I decided to delete everything and start over. I'll post again if I have more trouble.

  • A public subnet is determined by having a route to the Internet Gateway in the subnet's route table. A private subnet is one that has no route to the Internet Gateway in the subnet's route table. In other words, the criterion for judgment should be to check the subnet's route table.

1

Step 1: I recommend you check out the VPC resource map, which visualizes your network architecture, meaning:

  • Public route table:
    • (1) VPC (e.g. 10.0.0.0/16) -> local
    • (2) 0.0.0.0/0 -> igw-xxxx
  • Private route table:
    • (1) VPC (e.g. 10.0.0.0/16) -> local
    • (2) 0.0.0.0/0 -> nat-xxxxx

Step 2: If you need to create a Linux server and access the Internet, please enable Auto-assign public IP in the network settings. If you need a static IP, please apply for an Elastic IP and attach it to the Linux server.

Step 3: Check whether the SSH port and the access IP segment are enabled in the security group. Finally, if the Linux server is placed in the private subnet, please use a bastion server to connect to it. The NAT gateway only allows the server to actively initiate requests to the Internet, such as yum install ...; Internet traffic cannot directly reach private subnet servers.

AWS
keithyu
answered 10 months ago
EXPERT
reviewed 25 days ago
  • Thanks for the reply. So I am supposed to have two routing tables attached to the same VPC? What I am trying to accomplish is actually with a Windows Server EC2 instance currently. I want it to be able to access the Internet for Windows updates and such, but I don't want it to be public facing. So like a typical intranet server. I have the Elastic IP assigned to the NAT gateway currently.
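To make the rule from the first answer's last comment ("public means the subnet's route table has a route to the Internet Gateway") and the two route tables in Step 1 above concrete, here is an added example that is not from either answerer: a small Python classifier that applies that test to route-table data laid out in the shape of an EC2 DescribeRouteTables response. The subnet, route table and gateway IDs are constructed placeholders, and the sample data is made up rather than taken from a real account.

```python
# Classify subnets as public / private / isolated from their route tables.
# Rule used: an active 0.0.0.0/0 route to an igw- makes a subnet public,
# to a nat- makes it private; no usable default route means no Internet.

def route_table_for_subnet(subnet_id, route_tables):
    """Explicitly associated table wins; otherwise the VPC main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnet(subnet_id, route_tables):
    """Return 'public', 'private', 'isolated' or 'unknown' (no table found)."""
    rt = route_table_for_subnet(subnet_id, route_tables)
    if rt is None:
        return "unknown"
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "public"
        if str(route.get("NatGatewayId", "")).startswith("nat-"):
            return "private"
    return "isolated"

def nat_gateway_placement_ok(nat_subnet_id, route_tables):
    """A NAT gateway only works from a public subnet (Step 1/2 above); creating it
    next to the instance in a non-public subnet leaves the instance offline."""
    return classify_subnet(nat_subnet_id, route_tables) == "public"

# Constructed sample (placeholder IDs, not real account data): a main table with
# only the local route, one explicit public table and one explicit private table.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]},
]

if __name__ == "__main__":
    for sn in ("subnet-public", "subnet-private", "subnet-orphan"):
        print(sn, classify_subnet(sn, ROUTE_TABLES))
```

The same functions work unchanged on the `RouteTables` list returned by `aws ec2 describe-route-tables` for a VPC; a subnet with no explicit association falls back to the main table, which is why the orphan subnet in the sample comes out isolated.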
