EC2 Information Required

0

Dear All

I am fairly new to AWS so please bear with me :)

I have two EC2 instances in 2 availability zones. I have enabled ICMP in my security groups to ping each other (private IPs). I am able to ping (private IPs) between the two instances which are in different availability zones. Why is this possible? I am not supposed to ping them because they are on two different networks (subnets). Will I be charged for the pings across two AZs?

Also, how can I set up an instance in one region and ping another instance in another region? VPC Peering?

Thank you

Kaiz
Asked 4 years ago, 274 views
4 answers
0
Accepted answer

First off, I mis-typed with regard to AZ data charges... it's 0.01/GB between AZs. Your pings will do nothing to your bill... it's inconsequential.

Within a VPC, there are, generally speaking, four dimensions that determine traffic flow:
On-instance firewall/proxies (e.g. iptables... usually not relevant for most AMIs out of the box).
NACLs (stateless firewall). By default, these allow any traffic to flow in both directions, and many people leave it that way, as these can be hard to manage.
Subnet routing: WITHIN A VPC, ALL SUBNETS CAN ROUTE TO EACH OTHER. Look at any subnet route table, notice the local entry. Also notice you can't change that.
Security group: aka stateful firewall. This is the primary mechanism by which you would control traffic into/out of EC2 instances that reside within the same VPC.

If this isn't clear to you and you want to understand it further, you should really take a look at the AWS VPC documentation. There are a lot of great diagrams, etc. that help explain the basics.

Answered 4 years ago
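As an added illustration of the four dimensions listed in this answer (example code, not from the thread or from AWS), a small Python model of how a ping between two instances is evaluated: the immutable local route never looks at the AZ, the default NACL passes everything, and the destination's security group makes the decision. Only the VPC CIDR and the two private IPs are Kaiz's; the security group ids, the third instance and the AZ labels are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: only the VPC CIDR and the two private IPs come from the thread.
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")

@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)  # (protocol, source); source is a CIDR or an sg_id

@dataclass
class Instance:
    ip: ipaddress.IPv4Address
    az: str
    sg: SecurityGroup

def local_route(src: Instance, dst: Instance) -> bool:
    """Immutable 'local' route: any two addresses in the VPC CIDR reach each other; AZ is never consulted."""
    return src.ip in VPC_CIDR and dst.ip in VPC_CIDR

def nacl_allows(proto: str) -> bool:
    """Default NACL: everything allowed in both directions, modelled here as a constant."""
    return True

def sg_allows_inbound(src: Instance, dst: Instance, proto: str) -> bool:
    """Stateful SG on the destination: a rule source is a CIDR holding the sender's IP or the sender's sg_id."""
    for rule_proto, source in dst.sg.inbound:
        if rule_proto not in (proto, "all"):
            continue
        if source.startswith("sg-"):
            if source == src.sg.sg_id:  # rule references the sender's own group
                return True
        elif src.ip in ipaddress.ip_network(source):
            return True
    return False  # stateful: the echo reply needs no outbound rule, so only inbound is checked

def ping_allowed(src: Instance, dst: Instance) -> bool:
    return local_route(src, dst) and nacl_allows("icmp") and sg_allows_inbound(src, dst, "icmp")

def demo() -> dict:
    # Three ways to open ICMP, from broadest to tightest scope.
    sg_any = SecurityGroup("sg-any", [("icmp", "0.0.0.0/0")])
    sg_vpc = SecurityGroup("sg-vpc", [("icmp", str(VPC_CIDR))])
    sg_ref = SecurityGroup("sg-ref", [("icmp", "sg-vpc")])  # only members of sg-vpc may ping
    a = Instance(ipaddress.ip_address("172.31.39.178"), "az-1", sg_vpc)
    b = Instance(ipaddress.ip_address("172.31.28.255"), "az-2", sg_any)
    c = Instance(ipaddress.ip_address("172.31.10.10"), "az-3", sg_ref)
    return {"a->b": ping_allowed(a, b), "b->a": ping_allowed(b, a),
            "a->c": ping_allowed(a, c), "b->c": ping_allowed(b, c)}
```

The `b->c` case is the one worth noticing: an instance in the same VPC, in a different AZ, is still routable but is refused because the group-referencing rule scopes ICMP to members of `sg-vpc` rather than to the whole /16 or to `0.0.0.0/0`.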
0

There should be no intra-region data charges.

They are pingable... because you made them pingable. If you want to share your security group rules, it will be clearer, but perhaps they are in the same security group and you created an inbound rule for that security group, or you used the IP of the VPC (often a /16, whereas your subnets are usually smaller, say a /24).
By default in routing tables for a single VPC, traffic will route among all availability zones in the VPC (see the local entry in the routing tables), and it's up to the security groups (typically) to allow specific types of traffic.

Between regions, if you are using private subnets... yes, you need peering or transit gateway... or an EC2-based VPN solution.

Answered 4 years ago
0

Hey

Many thanks for the response. I am super confused, if two instances are in separate AZs then they should not ping because each AZ is a network and since they are in different AZs they are in different networks. I can share my security group but it won't help as I have enabled SSH and ICMP for pings and nothing more. I think I do not understand the concept of VPC correctly. I have even attached two different security groups with ICMP and SSH enabled for the two instances. So in a nutshell, I have two instances in different AZs with two different security groups. Awaiting your positive response

Kaiz
Answered 4 years ago
0

Hey

Many thanks for the response, really appreciate it. I checked the local entry and the local entry for the VPC is 172.31.0.0/16, meaning the entire subnet. My machines have private IPs of 172.31.39.178 and 172.31.28.255. So they fall under 172.31.0.0/16. Thanks for the note that all subnets can route to each other in a VPC.

Kaiz
Answered 4 years ago
