Isolating Subnets Created in the Same VPC

0

I'm encountering an issue with a specific scenario...

In the past, the architect teams created one VPC, let's call it "VPN-COMMON." Then these architects created subnets inside this VPC, and everything is currently functioning correctly. However, the company now wishes to isolate one of these subnets from another subnet. In essence, they want to separate the "Stage" environment subnet from the "Prod" environment subnet.

I've attempted to create another Network Access Control List (NACL) for the Stage subnet with inbound and outbound blocking policies within the CIDR of the "Prod" subnet. After that, I ran the reachability analyzer, but unfortunately, it was not successful. Communication between these subnets is still occurring, and the blocking policies that I created were disregarded.

Is there a way to isolate these subnets within the same VPC, or will I need to create another VPC and then migrate my "Stage" environment to this new VPC?

Matheus
Asked 8 months ago, 483 views
2 answers
1
Accepted answer

This sort of subnet isolation is a common pattern when using a Shared VPC across AWS Accounts, so yes it can also be done within a single account. Typically you'd want better separation between Stage & Prod via separate Accounts and/or VPCs but what you're doing is technically feasible.

How are your NACLs set up? Note that each row has a "Rule #" which defines the order they are checked, smallest number first, stopping on a first match. You'll need a Deny rule for the other subnet that matches early.

Expert
Answered 8 months ago
Expert
Reviewed 8 months ago
  • Hello,

    I apologize for the delay in my response. I'd like to clarify the configuration of my Network Access Control Lists (NACLs). They are set up with a deny policy having a lower rule number than the allow policy. Here's an example to illustrate this:

    Rule 101: Deny all traffic to the destination IP range 10.250.3.XX/27. Rule 110: Allow all traffic to any destination IP (0.0.0.0/0).

    These rules pertain specifically to my outbound traffic policy.

  • That sounds fine, and this sort of setup definitely works. I guess the next thing to do is double-check everything. Make sure it's your 10.250.3.0 subnet that has the Deny rule for 10.250.3.32, and vice-versa. Make sure there are no other NACL rules with lower rule numbers. Make sure the NACL assignments to subnets are correct.

  • skinsman,

    You were correct. Upon reviewing the reachability analyzer, I was able to confirm that my destination IP was set to an IP range that was not included in my NACL deny policy. Fixing that, my Stage subnet was unable to reach my production subnet. Thank you! =)
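The two checks the accepted answer walks through (does the Deny rule come before the Allow, and does the Deny CIDR actually cover the destination the traffic is going to) can be reproduced offline. The following is an added example, not code from the thread or from AWS: a small evaluator that mimics NACL first-match semantics over the Stage subnet's outbound entries. It assumes the Prod range is 10.250.3.32/27, which is the thread's example, and the test IPs are constructed.

```python
import ipaddress

# Constructed example: a stateless evaluator that mimics AWS NACL semantics.
# AWS checks entries in ascending rule number and stops on the first match;
# the implicit '*' entry denies anything that matched nothing.

def evaluate_nacl(rules, dst_ip):
    """Return (action, rule_number) for dst_ip, e.g. ('deny', 101)."""
    ip = ipaddress.ip_address(dst_ip)
    for number, action, cidr in sorted(rules, key=lambda r: r[0]):
        if ip in ipaddress.ip_network(cidr, strict=False):
            return action, number
    return "deny", "*"

# Outbound entries on the Stage subnet's NACL, as described in the thread:
# deny the Prod /27 first, then allow everything else.
# 10.250.3.32/27 is an assumed concrete value for the thread's 10.250.3.XX/27.
STAGE_OUTBOUND = [
    (101, "deny", "10.250.3.32/27"),
    (110, "allow", "0.0.0.0/0"),
]

def coverage_gaps(rules, deny_rule_number, candidate_ips):
    """Candidate destinations the operator expects the given Deny rule to
    block but that actually fall through to a later Allow. This is the
    mistake the asker hit: the real destination sat outside the Deny CIDR."""
    return [ip for ip in candidate_ips
            if evaluate_nacl(rules, ip) != ("deny", deny_rule_number)]

def shadowed_deny_rules(rules):
    """Deny entries that can never match because an Allow with a lower
    rule number already covers their entire CIDR (the ordering mistake
    the accepted answer warns about)."""
    ordered = sorted(rules, key=lambda r: r[0])
    shadowed = []
    for i, (number, action, cidr) in enumerate(ordered):
        if action != "deny":
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        for _, prev_action, prev_cidr in ordered[:i]:
            if prev_action == "allow" and net.subnet_of(
                    ipaddress.ip_network(prev_cidr, strict=False)):
                shadowed.append(number)
                break
    return shadowed

if __name__ == "__main__":
    print(evaluate_nacl(STAGE_OUTBOUND, "10.250.3.40"))   # ('deny', 101)
    print(coverage_gaps(STAGE_OUTBOUND, 101, ["10.250.3.40", "10.250.3.70"]))
```

Run `coverage_gaps` with the Prod hosts you actually tested against; any IP it returns is one the reachability analyzer will report as reachable despite the Deny entry.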

0

Subnets are not the best boundary to separate or isolate traffic within VPC. Your best option is to create another VPC for complete separation.

AWS
Expert
Answered 8 months ago
