This should technically work. See below from the FAQ; I suggest checking the end-to-end forward and reverse routing:
https://aws.amazon.com/vpn/faqs/
Q: What are the VPN connectivity options for my VPC?
A: You may connect your VPC to your corporate data center using a Hardware VPN connection via the virtual private gateway.
Q: How do instances without public IP addresses access the Internet?
A: Instances without public IP addresses can access the Internet in one of two ways:
Instances without public IP addresses can route their traffic through a network address translation (NAT) gateway or a NAT instance to access the internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the internet to initiate a connection to the privately addressed instances.
For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.
Hi,
Considering you are seeing the ICMP/Ping request/reply pair in your VTI on your firewall, I would start by confirming that your VPC route for 172.16.1.0/24 does indeed route towards AWS over VPN to your Virtual Private Gateway. I would next check the NACL at the border of your VPC. If traffic is flowing outbound correctly, the NACL may need an entry for the return traffic. NACLs are stateless by nature so you must account for the return traffic, in this case the ICMP/Ping reply. Please let us know how it goes. Hope this helps!
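As an added illustration of the stateless-NACL point made above (example code, not from this thread or from AWS), the snippet below emulates how a network ACL evaluates one direction of traffic at a time, over a constructed rule set that lets the ICMP echo request out but has no inbound rule for the echo reply. Rule numbers and CIDRs are placeholders, not the asker's configuration.

```python
import ipaddress

# Constructed network ACL entries in the shape returned by
# `aws ec2 describe-network-acls` (placeholder rule numbers and CIDRs, not the asker's).
# Outbound: ICMP echo requests to the on-prem 172.16.1.0/24 range are allowed.
# Inbound: only traffic from 10.0.0.0/8 is allowed, so the echo *reply* has no rule.
NACL_ENTRIES = [
    {"RuleNumber": 100, "Egress": True, "RuleAction": "allow", "Protocol": "1",
     "CidrBlock": "172.16.1.0/24", "IcmpTypeCode": {"Type": 8, "Code": -1}},
    {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "-1",
     "CidrBlock": "10.0.0.0/8"},
    {"RuleNumber": 32767, "Egress": True, "RuleAction": "deny", "Protocol": "-1",
     "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Egress": False, "RuleAction": "deny", "Protocol": "-1",
     "CidrBlock": "0.0.0.0/0"},
]

def nacl_decision(entries, egress, remote_ip, protocol, icmp_type=None):
    """Emulate stateless NACL evaluation for one direction: rules are tried in
    ascending RuleNumber order, the first match wins, and 32767 is the catch-all."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted((r for r in entries if r["Egress"] == egress),
                       key=lambda r: r["RuleNumber"]):
        if ip not in ipaddress.ip_network(rule["CidrBlock"]):
            continue
        if rule["Protocol"] not in ("-1", str(protocol)):
            continue
        if protocol == 1 and rule["Protocol"] == "1":
            want = rule.get("IcmpTypeCode", {}).get("Type", -1)
            if want not in (-1, icmp_type):
                continue
        return rule["RuleAction"]
    return "deny"  # unreachable while a 32767 rule is present; kept for safety

def check_ping(entries, remote_ip):
    """Echo request (type 8) leaves the subnet; the echo reply (type 0) must be
    allowed separately on the inbound side because NACLs keep no connection state."""
    return {
        "request": nacl_decision(entries, True, remote_ip, 1, icmp_type=8),
        "reply": nacl_decision(entries, False, remote_ip, 1, icmp_type=0),
    }

def with_reply_rule(entries, remote_cidr, rule_number=110):
    """Return a copy of the rule set with an inbound allow for ICMP echo replies."""
    return entries + [{"RuleNumber": rule_number, "Egress": False, "RuleAction": "allow",
                       "Protocol": "1", "CidrBlock": remote_cidr,
                       "IcmpTypeCode": {"Type": 0, "Code": -1}}]

if __name__ == "__main__":
    print(check_ping(NACL_ENTRIES, "172.16.1.10"))  # request allowed, reply denied
    print(check_ping(with_reply_rule(NACL_ENTRIES, "172.16.1.0/24"), "172.16.1.10"))
```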
Thanks for your comment. As I mentioned, the NACL and Security Group allow all traffic. I double-checked the NACL and created a new NACL for testing. However, the result is still the same. I also ran Reachability Analyzer. Status is Reachable and state is Succeeded (both forward and reverse path). Is any other setting blocking the EC2 instance? I created a new instance and tested, too.
Thanks for your comment and info. Yes. This should technically work.