1 Answer
All instances in your VPC, regardless of the subnet, have private IP addresses from the CIDR range of the subnet they are in. When an instance wants to communicate with another instance within the VPC, the traffic goes directly. This is what the LOCAL route in all route tables is for. All communication within the VPC is using the private IPs.
The NAT Gateway is only used when an instance is trying to access an IP address which the route table forwards to the NAT device, e.g., the internet.
This is astonishing to me. That means that if a malicious actor can get into the public subnet, they have LOCAL routes to anything in the entire VPC, private or public - or? I would have thought that any communication with addresses in the RFC 1918 range has to first get the public IP (from the IGW) of the NAT Server (if there is one) so that the NAT Server can conduct its mapping procedure and return the private IP to the pertinent private resource. Why have DMZ networks and Jumpboxes and such if you can just access private resources from anywhere inside a VPC or VNet? (Obviously there "should" also be SGs / firewalls etc. set up, but...)
My answer was about routing. You still need to use Network ACLs and Security groups to limit access between different instances in the same or different subnets.
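To make the two layers in this thread concrete, here is an added example (not code from the answerer or from AWS) that models how a VPC route table picks a target by longest-prefix match, and then applies a security group allow-list on top of that. The topology, subnet CIDRs, route targets (`igw-PLACEHOLDER`, `nat-PLACEHOLDER`) and security group names are all constructed for illustration; network ACLs are not modelled, and real evaluation order and state tracking in AWS are more involved than this sketch.

```python
import ipaddress

# Constructed topology (not from the page): one VPC with a public and a private subnet.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public": ipaddress.ip_network("10.0.1.0/24"),
    "private": ipaddress.ip_network("10.0.2.0/24"),
}

# Route tables the way AWS builds them: every table carries the "local" route for the
# VPC CIDR, so intra-VPC traffic never touches the NAT device. Only the default route
# differs per subnet. Target ids are placeholders, not real resource ids.
ROUTE_TABLES = {
    "public": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "private": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
}


def route_target(subnet, dst):
    """Return the target the subnet's route table selects for dst (longest prefix wins)."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[subnet]:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


# Security groups: allow-lists attached to instances and evaluated after routing.
# Each inbound rule is (protocol, port, source), where source is a CIDR or the name
# of another security group. Values are constructed for the example.
SECURITY_GROUPS = {
    "sg-bastion": [("tcp", 22, "203.0.113.0/24")],  # SSH only from a corporate range
    "sg-app": [("tcp", 443, "0.0.0.0/0")],           # public HTTPS front end
    "sg-db": [("tcp", 5432, "sg-app")],              # Postgres only from the app tier
}


def sg_allows(dst_sg, proto, port, src_ip, src_sg=None):
    """True if any inbound rule on dst_sg admits a flow from src_ip / src_sg."""
    for rule_proto, rule_port, source in SECURITY_GROUPS[dst_sg]:
        if rule_proto != proto or rule_port != port:
            continue
        if source.startswith("sg-"):
            if src_sg == source:
                return True
        elif ipaddress.ip_address(src_ip) in ipaddress.ip_network(source):
            return True
    return False


def evaluate(src_subnet, src_ip, src_sg, dst_ip, dst_sg, proto, port):
    """Combine both layers: where the packet is routed, and whether the SG admits it.

    A "local" route means the packet reaches the destination instance directly; only
    then does the destination's security group decide whether the flow is accepted.
    """
    target = route_target(src_subnet, dst_ip)
    admitted = target == "local" and sg_allows(dst_sg, proto, port, src_ip, src_sg)
    return {"route": target, "sg_admits": admitted}


if __name__ == "__main__":
    # A host in the public subnet reaching the private DB: routed "local", not via NAT,
    # but the DB security group rejects it because it is not in sg-app.
    print(evaluate("public", "10.0.1.10", "sg-bastion", "10.0.2.20", "sg-db", "tcp", 5432))
    # The same destination from an app-tier instance is both routed and admitted.
    print(evaluate("public", "10.0.1.10", "sg-app", "10.0.2.20", "sg-db", "tcp", 5432))
    # Internet-bound traffic is the only case that hits the NAT target.
    print(route_target("private", "198.51.100.7"))
```

The takeaway matches the reply: routing alone makes every private IP in the VPC reachable from any subnet, and it is the security group (and network ACL) rules that actually restrict which flows are accepted.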