I am trying to setup a barebones VPC connection within the same AWS account.

  • VPC-A and Subnet-A have CIDR: 10.200.1.0/24
  • VPC-B and Subnet-B have CIDR: 10.200.2.0/24

Each VPC contains one EC2 instance

  • 10.200.1.17 (in VPC-A, Subnet-A), let's call it EC2-A
  • 10.200.2.67 (in VPC-B, Subnet-B), let's call it EC2-B

I have added the following route to the route table that is associated with both VPC-A and Subnet-A, which should route traffic from VPC-A to VPC-B based on the CIDR range of VPC-B:

  • (Dest | Target): 10.200.2/24 | PCX-123

(where PCX-123 is the ID of the VPC Peering Connection)

The security group associated with EC2-A and EC2-B allow all inbound and outbound traffic.

NACLs for both networks allow all traffic.

When I SSH into EC2-A and try to ping EC2-B, I get a timeout.

ping 10.200.2.67 ... ... ... timeout 

What am I missing?

FYI

  1. I tried asking on Stack Overflow, but it was deemed off topic.
  2. Yes, it is conceptually the same question as "cannot ping ec2 in another vpc through peer connection", but that question is dead; the asker never responded or followed up.
  • (1) When you say the security groups allow "all inbound and outbound traffic", have you specifically allowed ICMP traffic, not just TCP/UDP? Commented Apr 24, 2019 at 23:38
  • @ceejayoz I've enabled both ICMP and TCP for all ports and IPs. Also, I tried other methods of verifying connectivity (I tried to SSH from EC2-A to EC2-B, and still no luck). Commented Apr 24, 2019 at 23:45
  • (1) "I have added the following route to the route table" ...but did you add a similar route in the other VPC to handle the traffic in the other direction? You need symmetric route table entries. Commented Apr 25, 2019 at 13:19
  • (2) @JamesWierzba that's true from a packet perspective. And on the other side of the peering connection, the reply traffic is egress traffic and needs to know how to find its destination (the original source). Commented Apr 25, 2019 at 20:55
  • (1) @JamesWierzba thanks for the confirmation. Answer posted. Welcome to Server Fault. Commented Apr 26, 2019 at 20:14

1 Answer

VPC peering requires symmetrical route table entries -- the tables on each side of the peering connection need a route pointing across the peering connection to the other side.

To send traffic from your instance to an instance in a peer VPC using private IPv4 addresses, you must add a route to the route table that's associated with the subnet in which the instance resides.

...

The owner of the other VPC in the peering connection must also add a route to their subnet's route table to direct traffic back to your VPC.

http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html

(This still holds true when the same account is the owner of both VPCs.)
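The following is an added example, not part of the answer above or of any AWS tooling: a small offline check for the symmetry requirement. The route-table data is constructed to mirror the question (VPC-A's table has the route the asker added, VPC-B's table has only its local route) and is shaped like the `RouteTables` list returned by `aws ec2 describe-route-tables`, but it is embedded inline so the script runs without AWS access. The IDs `rtb-a`, `rtb-b`, `vpc-a`, `vpc-b` are placeholders, and `pcx-123` is the placeholder peering ID from the question. For every route table it reports which peer CIDR lacks an active route over the peering connection, prints the corresponding `aws ec2 create-route` command, and treats a `blackhole` route (a peering that has since been deleted) as not satisfying the requirement.

```python
"""Check that both sides of a VPC peering connection have a route to the other.

Constructed example for the Server Fault question above; not code from the
answer or from AWS. Route tables are modelled on `describe-route-tables`
output but embedded inline so this runs offline.
"""
import copy
import ipaddress
from typing import Dict, List, Tuple

PEERING_ID = "pcx-123"  # placeholder peering connection ID from the question

# Constructed: which VPC owns which CIDR (placeholder VPC IDs).
VPC_CIDRS: Dict[str, str] = {"vpc-a": "10.200.1.0/24", "vpc-b": "10.200.2.0/24"}

# Constructed route tables. rtb-a already has the route the asker added;
# rtb-b only has its implicit local route, so replies from EC2-B have no
# path back to VPC-A.
ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": "rtb-a",
        "VpcId": "vpc-a",
        "Routes": [
            {"DestinationCidrBlock": "10.200.1.0/24", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "10.200.2.0/24", "VpcPeeringConnectionId": "pcx-123", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-b",
        "VpcId": "vpc-b",
        "Routes": [
            {"DestinationCidrBlock": "10.200.2.0/24", "GatewayId": "local", "State": "active"},
        ],
    },
]


def has_peering_route(table: dict, peer_cidr: str, peering_id: str) -> bool:
    """True if `table` has an active route sending `peer_cidr` across `peering_id`.

    A destination that is a supernet of peer_cidr also counts, e.g. a route for
    10.200.0.0/16 -> pcx-123 covers 10.200.2.0/24. Routes in state 'blackhole'
    (target no longer exists) do not count.
    """
    target = ipaddress.ip_network(peer_cidr)
    for route in table.get("Routes", []):
        if route.get("VpcPeeringConnectionId") != peering_id:
            continue
        if route.get("State") != "active":
            continue
        dest = route.get("DestinationCidrBlock")
        if dest and target.subnet_of(ipaddress.ip_network(dest)):
            return True
    return False


def find_missing_peering_routes(route_tables: List[dict], vpc_cidrs: Dict[str, str],
                                peering_id: str) -> List[Tuple[str, str]]:
    """Return (route_table_id, peer_cidr) pairs that still lack a peering route."""
    missing = []
    for table in route_tables:
        for vpc_id, cidr in vpc_cidrs.items():
            if vpc_id == table["VpcId"]:
                continue  # a table never needs a peering route to its own VPC
            if not has_peering_route(table, cidr, peering_id):
                missing.append((table["RouteTableId"], cidr))
    return missing


def create_route_commands(missing: List[Tuple[str, str]], peering_id: str) -> List[str]:
    """AWS CLI commands that would add each missing route (real create-route flags)."""
    return [
        f"aws ec2 create-route --route-table-id {rtb} "
        f"--destination-cidr-block {cidr} --vpc-peering-connection-id {peering_id}"
        for rtb, cidr in missing
    ]


def apply_route(route_tables: List[dict], rtb_id: str, cidr: str, peering_id: str) -> List[dict]:
    """Return a copy of the tables with the route added, simulating create-route."""
    updated = copy.deepcopy(route_tables)
    for table in updated:
        if table["RouteTableId"] == rtb_id:
            table["Routes"].append(
                {"DestinationCidrBlock": cidr, "VpcPeeringConnectionId": peering_id, "State": "active"}
            )
            return updated
    raise KeyError(f"no route table {rtb_id}")


if __name__ == "__main__":
    missing = find_missing_peering_routes(ROUTE_TABLES, VPC_CIDRS, PEERING_ID)
    for cmd in create_route_commands(missing, PEERING_ID):
        print(cmd)
    fixed = apply_route(ROUTE_TABLES, "rtb-b", "10.200.1.0/24", PEERING_ID)
    print("missing after fix:", find_missing_peering_routes(fixed, VPC_CIDRS, PEERING_ID))
```

In real use the tables to feed in are the ones actually associated with the subnets hosting the instances (the VPC's main route table if a subnet has no explicit association), since a peering route on an unassociated table does nothing for those subnets.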
