Thursday, February 16, 2017

amazon web services - AWS Private subnet not redirected to NAT Instance

AWS is not setting up properly default gw for instance in private subnet.



NAT address:




ec2din i-ef7f8a3a|grep PRIVATEIPADDRESS
PRIVATEIPADDRESS    172.16.0.31


ROUTING TABLE configuration:



ec2drtb rtb-7c9f3618
ROUTETABLE  rtb-7c9f3618    vpc-43da3455
ROUTE   local       active  172.16.0.0/16           CreateRouteTable
ROUTE       i-ef7f8a3a  active  0.0.0.0/0   eni-4055320a        CreateRoute

ASSOCIATION rtbassoc-cc1764a8   main
ASSOCIATION rtbassoc-51b7c435   subnet-c92429be`


PRIVATE SUBNET configuration:



ec2dsubnet subnet-c92429be
SUBNET  subnet-c92429be available   vpc-43da3455    172.16.1.0/24   250 us-east-1a  false   false
TAG subnet  subnet-c92429be`



Like we see I configured instance i-ef7f8a3a as NAT, and set it in routing table as default gw for all traffic.



When I login to my machine started in private subnet (172.16.1.220) and check the routing table it is not showing default gw as ip of my NAT instance, instead, it redirects to default router:



ip r
default via 172.16.1.1 dev eth0 
default via 172.16.1.1 dev eth0  metric 1024 
172.16.1.0/24 dev eth0  proto kernel  scope link  src 172.16.1.220 
172.16.1.1 dev eth0  scope link  metric 1024`



Default route on NAT is set up as 172.16.0.1 not to igw, so I thought all magic is done on AWS router and it will redirect to my NAT anyway, so I start tests.



I try to ping some outside IP and I start tcpdump on my nat instance but I dont see any incoming packets from my private subnet:



ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---

20 packets transmitted, 0 received, 100% packet loss, time 19150ms`

tcpdump -n host 8.8.8.8
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel`



Both instances can "see" each other -- I can ssh in both directions, but when I even try to set up default route with my NAT as gw im getting:



ip r add default via 172.16.0.31
RTNETLINK answers: Network is unreachable


Did I miss something? How should the route table look on an instance on private subnet? Should my NAT IP be there, or the default?

-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...