
I have a subnet router on an EC2 instance (let's call it "subnet-router"). Its private IP is 10.50.0.148 and its tailscale IP is 100.80.128.14. It is advertising 10.50.0.0/16, 10.60.0.0/16, 10.70.0.0/16, which are the blocks of, respectively, the VPC subnet and the two other VPC subnets to which the subnet has peering connections.

I also have a test EC2 instance at 10.50.1.95, which accepts inbound connections from the "subnet-router" security group. Let's call this one "test".

I can ssh to "subnet-router": ssh -i ~/.ssh/my-ec2-key.pem ubuntu@100.80.128.14

From my "subnet-router" I can ping "test":

> ping 10.50.1.95

PING 10.50.1.95 (10.50.1.95) 56(84) bytes of data.
64 bytes from 10.50.1.95: icmp_seq=1 ttl=64 time=0.584 ms
64 bytes from 10.50.1.95: icmp_seq=2 ttl=64 time=0.669 ms

From my local computer, I can not ping "test":

> ping 10.50.1.95

PING 10.50.1.95 (10.50.1.95) 56(84) bytes of data.
--- 10.50.1.95 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3042ms

I can tailscale ping "test". Sometimes it looks like:

> tailscale ping 10.50.1.95

pong from subnet-router (100.80.128.14) via DERP(nyc) in 382ms
pong from subnet-router (100.80.128.14) via DERP(nyc) in 110ms
pong from subnet-router (100.80.128.14) via DERP(nyc) in 93ms
pong from subnet-router (100.80.128.14) via 34.200.221.190:41641 in 100ms

and other times I only get:

> tailscale ping 10.50.1.95

pong from subnet-router (100.80.128.14) via 34.200.221.190:41641 in 100ms

I guess I'm pretty confused about:

  • why I cannot ping the "test" instance
  • why I still need to use the AWS .pem key to SSH to the "subnet-router" if it's on Tailscale
  • how to configure the subnet router to route to all private IPs on my VPC

I also asked this question: Subnet routing to AWS VPC doesn't appear to work

Edit: further info

ACLs are configured to allow all IPv4 traffic (default config).

There are several route tables, but the main table is configured:

Destination: 10.50.0.0/16
Target: local

And the remaining tables (one per subnet) are configured:

Destination     Target
pl-63a5400a     vpce-0c05cef6b54d3092a
0.0.0.0/0       igw-0d0a2554a92ec6086
10.50.0.0/16    local
10.70.0.0/16    pcx-06a67665fe560414e

routing to local, a peered VPC, this VPC's endpoint, and its prefix list.

  • What does your Tailscale ACL look like? If you have not allowed port 22, for example, in TS's ACL, you won't be able to connect to your subnet router directly. An SSH key should be required, as this is how SSH works – tom10271 Apr 15 '23 at 07:10

0 Answers