
I have an EC2 instance that connects to a VPN and another instance in the same VPC that emits traffic to that VPN.

So the topology is something like this (network topology diagram):

  • The instance at 172.1.0.1 can connect to the remote VPN (192.168.1.0/24) without any issues.
  • The instances within the VPC can connect to each other.
  • Instances i-aaaa and i-bbbb cannot connect to machines in 192.168.1.0/24.

Current configuration looks like this:

  • The route table in the VPC has an entry for 192.168.1.0/24 via i-0000
  • The sec group allows all traffic within the security group
  • All instances in the VPC are in the same security group

I have configured flow logs in the VPC and notice that I can see traffic going out of the ENI at i-bbbb, but there is no traffic in the ENI at i-0000.

Also, a packet capture on i-0000 does not show any packet coming from any of the other instances with dst in 192.168.1.0/24.

So this raises some questions:

  • Would AWS drop packets because they are not in the same CIDR as the rest of the VPC? (My guess is not.)
  • How can I troubleshoot where packets are being dropped? Everything suggests that packets are dropped within the VPC by AWS.
  • What else can I try to make it work?

Thanks!

1 Answer

What you're looking for is Source / destination check - EC2 instances perform source and destination checks by default. The instance must be the source or destination of all the traffic it sends and receives. That obviously isn't true for gateways like in your case. Hence you have to Stop the Source / destination check.

First select your instance (screenshot: Source / destination check).

Then Stop the check (screenshot: Stop the check).

Hope that helps :)

  • Awesome!! That was it!! Thank you!! (Commented Feb 2, 2021 at 19:08)
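The console clicks in the answer have an equivalent on the command line. The script below is an added example, not code from the question or the answer: it reads the `sourceDestCheck` attribute of the gateway instance (the `i-0000` id from the question is used as a placeholder), prints the `modify-instance-attribute` command that turns the check off, and counts VPN-bound ACCEPT records per ENI in default-format VPC flow logs, which is the check that distinguishes "the sender emits packets" from "the gateway receives them". The JSON document and flow-log lines embedded in it are constructed sample data; the live query assumes the AWS CLI with a configured region and credentials.

```shell
#!/bin/sh
# Added example, not from the original answer: inspect and turn off the EC2
# source/destination check on the VPN gateway instance, and confirm from VPC
# flow logs that VPN-bound traffic now reaches the gateway ENI.
# Assumptions: "i-0000" is the gateway instance id from the question; the AWS
# CLI, region and credentials come from the usual CLI configuration.

GATEWAY_INSTANCE="${GATEWAY_INSTANCE:-i-0000}"

# Read the JSON that `aws ec2 describe-instance-attribute --attribute
# sourceDestCheck` prints (on stdin) and report "enabled" or "disabled".
# Whitespace is stripped first so only tr and grep are needed, not jq.
sdc_state_from_json() {
    if tr -d ' \t\n' | grep -qF '"SourceDestCheck":{"Value":true}'; then
        echo enabled
    else
        echo disabled
    fi
}

# Print the CLI command that disables the check on an instance. Printing it
# rather than running it lets the change be reviewed before it is applied.
sdc_disable_command() {
    printf 'aws ec2 modify-instance-attribute --instance-id %s --no-source-dest-check\n' "$1"
}

# Live query; needs the AWS CLI and credentials.
sdc_state_live() {
    aws ec2 describe-instance-attribute --instance-id "$1" \
        --attribute sourceDestCheck --output json | sdc_state_from_json
}

# Count default-format VPC flow-log records (fields: version account-id
# interface-id srcaddr dstaddr srcport dstport protocol packets bytes start
# end action log-status) on one ENI that were ACCEPTed toward a destination
# prefix. While the check is still on, the gateway ENI shows no such records
# even though the sending instance's ENI does, which is the symptom the
# question describes.
count_vpn_bound_accepts() {
    awk -v eni="$1" -v pfx="$2" \
        '$3 == eni && index($5, pfx) == 1 && $13 == "ACCEPT" { n++ }
         END { print n + 0 }'
}

# Constructed sample data for offline use (account id, ENI ids and addresses
# are placeholders, not values from a real account).
SAMPLE_SDC_JSON='{
    "InstanceId": "i-0000",
    "SourceDestCheck": {
        "Value": true
    }
}'

SAMPLE_FLOW_LOG='2 123456789012 eni-bbbb 172.1.0.20 192.168.1.10 51234 443 6 10 840 1612000000 1612000060 ACCEPT OK
2 123456789012 eni-0000 172.1.0.20 192.168.1.10 51234 443 6 10 840 1612000000 1612000060 ACCEPT OK
2 123456789012 eni-0000 172.1.0.20 192.168.1.25 51235 443 6 4 300 1612000000 1612000060 ACCEPT OK
2 123456789012 eni-0000 172.1.0.20 192.168.1.30 51236 22 6 1 60 1612000000 1612000060 REJECT OK
2 123456789012 eni-0000 172.1.0.20 172.1.0.1 51237 22 6 3 200 1612000000 1612000060 ACCEPT OK'

# Offline demonstration on the constructed data.
demo() {
    printf 'Sample attribute state: %s\n' \
        "$(printf '%s\n' "$SAMPLE_SDC_JSON" | sdc_state_from_json)"
    printf 'VPN-bound ACCEPT records on gateway ENI: %s\n' \
        "$(printf '%s\n' "$SAMPLE_FLOW_LOG" | count_vpn_bound_accepts eni-0000 192.168.1.)"
    sdc_disable_command "$GATEWAY_INSTANCE"
}

# Usage: `sh check_sdc.sh` runs the offline demo; `sh check_sdc.sh --live`
# queries the real instance (nothing is changed; the disable command is printed).
case "${1:-}" in
    --live) printf '%s: source/destination check %s\n' "$GATEWAY_INSTANCE" \
                "$(sdc_state_live "$GATEWAY_INSTANCE")"
            sdc_disable_command "$GATEWAY_INSTANCE" ;;
    *)      demo ;;
esac
```

The same attribute also exists on the network interface itself (`aws ec2 modify-network-interface-attribute --network-interface-id <eni> --no-source-dest-check`), which is the form to use when the gateway has more than one ENI or when the interface is attached to a different instance later; the instance-level command in the script is the one that matches the console screenshots in the answer.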
