
Shorter version of my questions:

  1. If an instance has a public ip but it is located in a private subnet, can it receive inbound traffic? (assume no firewall blocks it)
  2. When there isn’t a route for the internet gateway in a route table, does this mean (1) it just drops outbound traffic to the internet or (2) there isn't a “connection” between the route table and the internet gateway at all, therefore, it also doesn’t receive inbound traffic from the internet? If (2) is the case, can you elaborate on how this “connection” is established?

Longer version of my question:

I am watching a course on Whizlab where the instructor built the network structure in the image below to demonstrate how transit gateway works for private subnets. I am confused about what stops green ec2_1 from accessing blue ec2_2.

He tested this inaccessibility by:

  1. ssh into green ec2_1
  2. then, ping blue ec2_1 private ip, success
  3. then, ping blue ec2_2 private ip, no response

Then he says, the ping to blue ec2_2 private ip won’t work because “we have no route from the green instance to a blue instance in private subnet”.

However, I think the reasons should be “we have no route from the blue instance in the private subnet to a green instance”. Basically, I think what fails the ping is the outbound traffic in blue private subnet, not the inbound.

More of my current understanding:

  1. Any route table in a vpc can receive any traffic being forwarded to it. It sends the traffic to the next hop called target given the destination contained in the packet. If it doesn’t have a given destination, it simply drops the traffic.
  2. The second testing ping can route into blue ec2_2 based on the “20.0.0.0/16=>local” route in blue route_table_2

[network diagram image from the question; not reproduced here]

(Sorry for the small image! Too many details to include, feel free to open it in a new tab!)


I found this post helpful after posting this question. That post explains how NAT and private subnet work in vpc and why it is possible for an instance with public ip inside private subnet to receive internet traffic but not send out useful outbound traffic.

moon

2 Answers

  1. If an instance has a public ip but it is located in a private subnet, can it receive inbound traffic?

No, it can't. You can only initiate outbound internet traffic from it if you have NAT. "private" means that instance is not accessible from the internet, with or without public ip.

  2. When there isn’t a route for the internet gateway in a route table, does this mean (1) it just drops outbound traffic to the internet or (2) there isn't a “connection” between the route table and the internet gateway at all, therefore, it also doesn’t receive inbound traffic from the internet? If (2) is the case, can you elaborate on how this “connection” is established?

If there is no route to the IGW, then there is no inbound nor outbound internet traffic in your VPC. Sadly I don't understand what you are asking regarding the "connection".

Marcin
  • @moon Btw, your reasoning "what fails the ping is the outbound traffic in blue private subnet, not the inbound" is correct. The ping will work if you add a route in VPC_blue in private subnet (`route_table_2`) back to the TGW attachment. – Marcin Sep 05 '21 at 11:43
  • Hi @Marcin, thank you! What specifically stops the inbound traffic from reaching or passing a `private` route table if there isn't something like a `connection` to be established first? This `connection` idea is just one hypothesis I have trying to understand how the inbound traffic is unable to reach/pass private route table. – moon Sep 05 '21 at 13:38
  • Basically, I am not sure how the internet packets flow from the internet gateway to the route tables. Does the internet gateway **know** that itself is connected to the `public route table` and **not** the `private route table`? If it does know, **how** it knows that? Otherwise, if the internet gateway **doesn't know** which route tables itself are connected to, then it should send packets to all the route tables, then what stops the packets reach and pass the private tables? – moon Sep 05 '21 at 13:47
  • 1
    @moon I don't know exact details how AWS implements this. But probably this falls into Software-Defined Networking (SDN) category. You could maybe lookup how SDN works and it may shed some light on what AWS is doing. – Marcin Sep 05 '21 at 22:38
  • Sorry @Marcin, it's absolutely helpful. I'm reading about SDN now. – moon Sep 06 '21 at 13:04
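To make the route-table reasoning in this answer and its comments concrete, here is an added example (not code from the question, the course, or either answer) that simulates AWS longest-prefix route lookup over a constructed version of the thread's topology and replays the three-step ping test. The blue VPC CIDR 20.0.0.0/16 is taken from the question; the green VPC CIDR 10.0.0.0/16, the instance addresses, the route-table contents and the target names are assumptions. It ignores security groups and NACLs (the question says to assume no firewall) and treats the transit gateway as simply forwarding between the two VPCs, so the TGW's own route table is not modelled.

```python
import ipaddress

# Constructed topology modelled on the thread. 20.0.0.0/16 for the blue VPC is
# stated in the question; every other address and name below is an assumption.
GREEN_VPC = "10.0.0.0/16"
BLUE_VPC = "20.0.0.0/16"

GREEN_EC2_1 = "10.0.1.10"  # green VPC
BLUE_EC2_1 = "20.0.1.10"   # blue public subnet, associated with blue_rt_1
BLUE_EC2_2 = "20.0.2.10"   # blue private subnet, associated with blue_rt_2

# A route table is a list of (destination CIDR, target). AWS selects the most
# specific matching prefix; a destination that matches nothing has no route.
green_rt = [(GREEN_VPC, "local"), (BLUE_VPC, "tgw-attachment"), ("0.0.0.0/0", "igw-green")]
blue_rt_1 = [(BLUE_VPC, "local"), (GREEN_VPC, "tgw-attachment"), ("0.0.0.0/0", "igw-blue")]
blue_rt_2 = [(BLUE_VPC, "local")]  # "private": no IGW route and no route back to the TGW


def lookup(route_table, dst_ip):
    """Return the target of the longest-prefix match for dst_ip, or None if no route matches."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def ping(src_rt, src_ip, dst_rt, dst_ip):
    """Simulate an ICMP echo: the request is routed by the sender's subnet
    route table, the reply by the receiver's. Returns (success, explanation)."""
    fwd = lookup(src_rt, dst_ip)
    if fwd is None:
        return False, f"request dropped: {src_ip} has no route to {dst_ip}"
    rev = lookup(dst_rt, src_ip)
    if rev is None:
        return False, f"request delivered via {fwd}, but reply dropped: {dst_ip} has no route back to {src_ip}"
    return True, f"request via {fwd}, reply via {rev}"


def with_route(route_table, cidr, target):
    """Copy of route_table with one extra route, e.g. the return route to the TGW attachment."""
    return route_table + [(cidr, target)]


if __name__ == "__main__":
    # Step 2 of the course test: green ec2_1 -> blue ec2_1 (public subnet) succeeds.
    print("green ec2_1 -> blue ec2_1:", ping(green_rt, GREEN_EC2_1, blue_rt_1, BLUE_EC2_1))
    # Step 3: green ec2_1 -> blue ec2_2 (private subnet). The request is routed
    # and delivered via the 20.0.0.0/16 => local route, but the reply has no route.
    print("green ec2_1 -> blue ec2_2:", ping(green_rt, GREEN_EC2_1, blue_rt_2, BLUE_EC2_2))
    # Add the return route to route_table_2 and the same ping works.
    fixed = with_route(blue_rt_2, GREEN_VPC, "tgw-attachment")
    print("after adding return route:", ping(green_rt, GREEN_EC2_1, fixed, BLUE_EC2_2))
    # Question 2: without a 0.0.0.0/0 route, an internet-bound packet from the
    # private subnet has no target at all (8.8.8.8 is just an arbitrary internet address).
    print("blue ec2_2 -> 8.8.8.8:", lookup(blue_rt_2, "8.8.8.8"))
```

The point the simulation isolates is asymmetric routing: a route table is consulted only by traffic leaving a subnet it is associated with, so the private route table cannot "block" the inbound request, it can only fail to route the reply. In a real VPC the transit gateway's own route table, stateful security groups and stateless NACLs each add another place where one direction can pass while the other is dropped.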

An instance in a private subnet can have internet traffic, depending on your NAT gateway, ACLs and security groups.

If there is no NAT gateway then I think there will be a timeout when trying to access the internet.

Lucasz
  • Thank you Lucasz! Does this mean the ping failure from `green ec2_1` to `blue ec2_2` is because the packet from `blue ec2_2` won't get out, not because the packet from `green ec2_1` won't get in? – moon Sep 05 '21 at 02:30
  • I think so yes. Similar the other way around: you can send a packet to the other instance but the instance won't reply. – Lucasz Sep 05 '21 at 02:39