1

I have a VPC in AWS with a public and a private subnet. I added an OpenVPN server to it and as long as I'm logged into the VPN I can access everything just fine. I now need to set it up so that a server in the VPC can access an external REST API. My current ACL rules are completely open. Both inbound and outbound look like this:

100 ALL Traffic ALL ALL 0.0.0.0/0 ALLOW
*   ALL Traffic ALL ALL 0.0.0.0/0 DENY

I have my security group setup to only allow internal traffic on these ports:

SSH (22)     TCP (6) 22   10.0.0.0/24
HTTP (80)    TCP (6) 80   10.0.0.0/24
HTTPS (443)  TCP (6) 443  10.0.0.0/24
MySQL (3306) TCP (6) 3306 10.0.0.0/24

My outbound traffic for the security group allows all. So I would think an outbound http request would be allowed by the security group and the ACL. But when I try wget google.com the domain is resolved but it just sits at connecting to google.com. I checked my routing table and any traffic thats not local goes to the gateway:

Destination Target       Status Propagated
10.0.0.0/24 local        Active No
0.0.0.0/0   igw-912ddaf4 Active No

Can someone point me in the right direction of how this should be set up. Or tell me why I don't have outbound traffic. Maybe at least list any other places where network traffic could be restricted on AWS's VPC. Thanks

Jason Neumann
  • 245
  • 1
  • 5
  • 13
  • Is the server in the vpc on the public or private subnet? Does it have a public elastic IP, if on the public subnet? – Michael - sqlbot May 17 '14 at 02:02
  • Check this answer https://stackoverflow.com/a/44438699/3495031 . You will an Internet Gateway, and your VM needs a public IP address. – forzagreen Jun 09 '17 at 10:42

3 Answers3

3

You need a NAT instance so that systems on your private subnets can have Internet access.

Ben Whaley
  • 32,811
  • 7
  • 87
  • 85
  • For reference, http://stackoverflow.com/questions/10243833/how-to-connect-to-outside-world-from-amazon-vpc goes into this in a little more detail. – jufemaiz Jan 27 '15 at 02:09
0

enter image description here

When we configure the Private Sub network we have to configure in the pub through nats and redirect it from Private.

Makyen
  • 31,849
  • 12
  • 86
  • 121
shravan
  • 1
-1

It seems to me there might be some race conditions: I've been having trouble with frequent internet connection issues, I checked the docs, and tried lots of things. Just now I restarted the EC2 instance, checked that it wasn't working, then I re-applied the same network security groups by right clicking on the instance in the EC2 management console, then restarted the instance again and it suddenly started working. Perhaps someone from AWS could look into reproducing it? I will post again if I can reproduce it myself.

Adam Ratcliff
  • 1
  • 2