My guess is that there is some firewall (or other network security or NAT process) happening between the NLB and the client (perhaps a host firewall?) which is denying the inbound packet to the client (which is the reply packet from the server). Because that reply packet comes from a different IP address to the NLB (it comes from the NAT Gateway address) the client is unlikely to allow it. Again, this is a guess. You can probably confirm this by enabling VPC Flow Logs and seeing if the packet goes from the server to NAT Gateway and then to Internet Gateway.
I'm not sure why you are sending the reply packet directly to the client from the server though. Why not send the reply back via NLB? If you were using an instance target group then this would happen automatically. As you are using an IP target group you should send the packet back to the NLB IP address and it will then send it back to the client.
The server can still use the NAT Gateway to access other resources on the internet regardless of how it is configured with the NLB.
Thanks for the answer. I verified the client network; it accepts all UDP inbound packets. About the ports, they are the same (client port inbound = client port outbound). In VPC Flow Logs, we only have the requests below logged:
- client -> nlb
- nlb -> server
- client -> server
- server -> nat gateway
- nat gateway -> client
I don't see a request: nat gateway -> internet gateway
Maybe the client didn't recognize the response to the request it made to the server, because it's coming from a NAT gateway. I'm using the NAT gateway because I have to communicate with the internet in other use cases, but how do I prevent the CoAP response from going through the NAT gateway (and go via the NLB instead)?
Is it because of the route table associated with the subnet of the EC2 task?
Is it because in CoAP traffic from the NLB to the server we lose the NLB IP address in order to preserve the source IP address?
You're correct - what you should be doing is replying to the client request via the NLB. Note that it is much simpler if you're not using an IP target; but even if you are, sending the response back via the NLB means that the client is much more likely to receive it. And as above, if you have a NAT Gateway then the server can still access other resources external to the VPC.
Hello Brettski, I've also encountered similar issues, and I'm interested in following your suggested approach to resolve the matter. I greatly appreciate your assistance in this regard. Could you please provide some guidance on how to implement the steps you mentioned?
Replying via the NLB will happen automatically unless you are specifically creating a new UDP socket in your application code to send the reply back to the client - you don't need to do anything to make that work. If you are creating a new socket I'd suggest (as above) that you don't do that.
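The two points made in this thread, that a stateful device on the client side only accepts a reply that mirrors the outbound flow, and that a UDP server must answer on the socket it received the datagram on rather than on a freshly created one, are shown below in an added example. This is illustrative code written for this page, not code from the original poster or from AWS; it runs entirely on loopback, the CoAP-looking bytes and the VPC addresses are constructed placeholders, and the real service would be fronted by an NLB rather than `127.0.0.1`.

```python
import socket
import threading

# Constructed CoAP-style GET request: Ver=1, CON, TKL=0, Code 0.01, Message ID 0x1234.
# The framing is only mimicked, not parsed; the point is the UDP socket behaviour.
REQUEST = b"\x40\x01\x12\x34"


def stateful_filter_accepts(outbound, inbound):
    """Emulates the client-side stateful rule suspected in the answer above:
    an inbound datagram is accepted only if it exactly reverses a flow the
    client opened (reply src == request dst and reply dst == request src)."""
    return (inbound["src"], inbound["dst"]) == (outbound["dst"], outbound["src"])


def handle_request(server_sock, data, client_addr, reply_via_new_socket):
    """Server side. With reply_via_new_socket=False the reply leaves on the
    socket that received the request, so its source IP:port is the one the
    client (or the NLB in front of it) addressed, and stateful devices match it.
    With reply_via_new_socket=True a fresh socket gets a new ephemeral source
    port, the reply no longer mirrors the client's flow, and it follows the
    default route (here: the NAT Gateway) instead of going back through the NLB."""
    reply = b"\x60\x45" + data[2:4]  # ACK, Code 2.05 Content, same message ID (constructed)
    if reply_via_new_socket:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as fresh:
            fresh.sendto(reply, client_addr)  # the anti-pattern the thread warns about
    else:
        server_sock.sendto(reply, client_addr)  # correct: same socket, same source port


def run_exchange(reply_via_new_socket):
    """Run one request/reply on loopback. Returns
    (server_port, reply_source_port, reply_payload) as seen by the client."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))
    server_port = server.getsockname()[1]

    def serve_once():
        data, addr = server.recvfrom(1024)
        handle_request(server, data, addr, reply_via_new_socket)

    worker = threading.Thread(target=serve_once, daemon=True)
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2)
    client.sendto(REQUEST, ("127.0.0.1", server_port))
    reply, reply_src = client.recvfrom(1024)
    worker.join()
    client.close()
    server.close()
    return server_port, reply_src[1], reply


def reply_matches_flow(reply_via_new_socket):
    """True when the reply arrives from the port the client sent to, which is
    what a stateful firewall or the NLB needs in order to pair it with the request."""
    server_port, reply_port, _ = run_exchange(reply_via_new_socket)
    return reply_port == server_port


if __name__ == "__main__":
    # Constructed addresses standing in for the client, the NLB and the NAT Gateway.
    request = {"src": ("198.51.100.10", 50000), "dst": ("203.0.113.5", 5683)}
    via_nlb = {"src": ("203.0.113.5", 5683), "dst": ("198.51.100.10", 50000)}
    via_nat = {"src": ("203.0.113.77", 5683), "dst": ("198.51.100.10", 50000)}
    print("reply via NLB accepted:", stateful_filter_accepts(request, via_nlb))
    print("reply via NAT GW accepted:", stateful_filter_accepts(request, via_nat))
    print("same-socket reply keeps flow:", reply_matches_flow(False))
    print("new-socket reply keeps flow:", reply_matches_flow(True))
```

The two checks at the bottom correspond to the two symptoms in the thread: the NAT Gateway's address is not the one the client sent to, so a stateful client-side rule rejects it; and a reply sent from a newly created socket carries a different source port than the one the request was addressed to, which is why the NLB cannot associate it with the inbound flow and the packet takes the subnet's default route instead.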