Saltar al contenido
Al usar AWS re:Post, aceptas las AWS re:Post Términos de uso
AWS re:Postre:Post
Acerca de re:Post

Changing the local route target for a subnet impacts intra-subnet traffic from endpoints?

0

I'm trying to achieve a simple hub & spoke topology involving a firewall running on an EC2 instance in an "inspection" subnet, without a more complex topology involving multiple VPC's and TGW's.

I am referencing the following documentation for VPC: https://docs.aws.amazon.com/vpc/latest/userguide/route-table-options.html#route-tables-appliance-routing

According to this

Direct traffic between two subnets to a middlebox appliance. You can do so by creating a route for one subnet route table that matches the subnet CIDR of the other subnet and specifies a Gateway Load Balancer endpoint, NAT gateway, Network Firewall endpoint, or the network interface for an appliance as a target. Alternatively, to redirect all traffic from the subnet to any other subnet, replace the target of the local route with a Gateway Load Balancer endpoint, NAT gateway, or network interface.

To simplify the configuration and have it secure by default, I am trying to implement the bolded portion. I set the target of the default local route of the spoke subnets to the interface of the inspection EC2 instance, and voila, my ping traffic between EC2 instances in the spoke subnets are flowing through the firewall as I intended!

The problem... I have noticed that my EC2 Instance Connect endpoints are working intermittently. Upon investigation, I find that sometimes but not always, traffic from the EC2 Instance Connect endpoint, to the EC2 endpoint within the same subnet, is being forwarded to the firewall in the inspection subnet! Then, the firewall apparently sees the same exact packet again, and drops it due to replay detection, implying that there is a forwarding loop.

The strange thing is this is intermittent, other times the instance connect will succeed, granting me CLI access to the EC2 instance in the same subnet, without a single frame being forwarded to the firewall in the other subnet, without changing a thing.

I would expect that this route would not apply to intra-subnet traffic and such traffic would never be sent outside this subnet... any ideas?

Temas
Redes y entrega de contenido
Etiquetas
Amazon VPC
Idioma
English
preguntada hace 10 meses314 visualizaciones
1 Respuesta
0

Your observation about the intermittent behavior of EC2 Instance Connect endpoints is interesting and points to some complexities in how local routes work in VPC subnets.

When you replace the target of the local route with a network interface (in this case, your firewall EC2 instance), you are indeed changing how traffic within the subnet is handled. Contrary to what you might expect, this can affect intra-subnet traffic.

The local route in a VPC subnet typically allows communication between resources within the same subnet without leaving the subnet. However, when you change the target of this local route to point to a network interface in another subnet, you're essentially telling the VPC to send all traffic, including intra-subnet traffic, to that interface.

The intermittent nature of the issue you're experiencing could be due to several factors:

  1. Race conditions in route propagation
  2. Caching of routing information at various levels
  3. How the EC2 Instance Connect service interacts with the VPC networking stack

The forwarding loop you've observed (where traffic is sent to the firewall, then back to the subnet, and to the firewall again) is a side effect of this configuration. When the firewall receives traffic, it likely tries to forward it back to the destination in the original subnet, but because of the modified local route, it gets sent back to the firewall again.

To achieve your goal of a hub and spoke topology with a central firewall, you might want to consider alternative approaches:

  1. Instead of modifying the local route, create more specific routes for inter-subnet communication that point to your firewall.

  2. Use AWS Network Firewall or a third-party firewall solution that integrates more seamlessly with VPC routing.

  3. Implement security groups and network ACLs to control traffic flow, which might be sufficient for your security needs without modifying routing.

  4. If you need to keep your current setup, you may need to add specific routes or firewall rules to handle EC2 Instance Connect traffic separately.

Remember, modifying the local route is a powerful but potentially disruptive change to your VPC's networking behavior. It's generally recommended to use more granular routing rules or purpose-built security services to achieve network security goals.
Sources
Replace or restore the target for a local route - Amazon Virtual Private Cloud
VPC route table configuration for AWS Network Firewall - AWS Network Firewall
Inspect traffic between subnets - Amazon Virtual Private Cloud

respondido hace 10 meses
EXPERTO
revisado hace 10 meses
  • Brad
    hace 10 meses

    I realize this is an AI post, but for others reading this... how would the functionality described in the AWS documentation (changing the local route to achieve subnet<->subnet inspection) ever work if AWS is evaluating the route table even for traffic destined for the same subnet? It seems this would always result in a routing loop as when packet gets routed back to the original subnet, it would seem the same route table would be consulted again and it would be sent right back out. I do understand that I can specify routes for every other subnet within each subnet, but this is not very elegant as existing subnets will automatically have paths to newly created subnets that bypass the inspection subnet, so adding a new subnet requires updating many route tables if you have many subnets.

No has iniciado sesión. Iniciar sesión para publicar una respuesta.

Una buena respuesta responde claramente a la pregunta, proporciona comentarios constructivos y fomenta el crecimiento profesional en la persona que hace la pregunta.

Contenido relevante