AWS VPC FlowLogs results analysis

Hello,

I'm digging through FlowLogs data, and during my analysis I discovered some calls which are strange to me.

Starting point: I'm talking about traffic happening inside a single VPC with a single route table (with the local IP range pointing to "local"). I have 2 x EC2 instances inside this VPC. Each instance has a single network interface attached with 1 private IP + 1 public IP. Calls between instances are always made using the private DNS name (like ip-172-XX-XX-XXX.my-region.compute.internal).

In the FlowLogs results I have entries like:

  • public IP of instance A to private IP of instance B
  • private IP of instance A to public IP of instance B
  • public IP of instance A to private IP of instance A

I'm not sure about the expected behavior, but it seems strange to me in regard to our usage and route table configuration. Some help would be appreciated :)

Regards,

alxsbn
Asked 2 years ago, 225 views
1 answer

You will see those sorts of flow log entries when one instance (somehow) resolves the IP of the other instance as a public IP. The traffic in that case will go from (say) Instance A to the Internet Gateway (because it is destined for a public IP address that isn't in the VPC address space, so it must go outside the VPC, and that's where the default route points to); then it will return to Instance B with the source IP address being the public IP of instance A. Because neither instance A nor instance B is aware of the other's public IP address, they think they're communicating with something external to the VPC.

So pretty normal. The question is: How is one of the instances (maybe both) resolving the public IP of the other instance? That, I don't know. You've said that the instances always use the private DNS name but my guess is there is something that isn't.

You might try logging DNS queries inside your VPC to see what is being resolved and when. That might help you track down what is happening.

AWS Expert
Answered 2 years ago
  • Hi! Thanks for your answer. I'm OK with your analysis when trying to resolve a public IP through the IGW (and yes, maybe we have something using it). But it's more strange for the case "public IP of instance A to private IP of instance B" ... how can a public IP contact a private one?

  • If instance A resolves the public IP of instance B, the outbound packet from instance A will have a source IP of the private address of A and the destination will be the public IP of B. As that leaves the VPC through the IGW and comes back in, the source will now be the public IP of A and the destination will be the private IP of B (which it has to be in order to get to the instance). If you have an instance with a public IP assigned to it, then traffic to it will always appear to be from a public IP (on the Internet) but to the private IP (because the IGW does NAT on your behalf). In this case, even though the instances are in the same VPC, the IGW doesn't know that - it's the same as if instance A and B were in different VPCs communicating via their public IP addresses.

  • Hi! So, instance A's public IP is linked to an A record in our DNS, and some of our features call that DNS name, leading, I think, to the described behavior.
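To make the answer and the NAT explanation in the comments concrete, the following is an added example (not code from the original question, the answer, or AWS) that parses default-format (version 2) VPC Flow Log records and labels each one by which kind of address each end carries. An instance addressing a peer by its public IP produces two records: on the sender's ENI, private sender to public peer (the outbound leg that follows the default route to the IGW), and on the receiver's ENI, public sender to private receiver (the return leg after the IGW's 1:1 NAT). The instance names, addresses (documentation ranges) and log lines are constructed for the example; the inventory dictionary is the one assumption you would replace with your own ENI data.

```python
"""Added example: classify VPC Flow Log records to find intra-VPC traffic that
hairpinned through the Internet Gateway because a peer was addressed by its
public IP. Instance names, addresses and log lines below are constructed."""
from collections import defaultdict

# Constructed inventory (hypothetical addresses taken from documentation ranges).
INSTANCES = {
    "instance-A": {"private": "172.31.10.5", "public": "198.51.100.10"},
    "instance-B": {"private": "172.31.20.7", "public": "203.0.113.20"},
}

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed records: a private-to-private flow, then the two legs of one IGW
# hairpin (A addressed B by public IP; same source port on both legs because
# the IGW NAT is 1:1), then a self-hairpin on A (A resolved its own public IP).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 172.31.10.5 172.31.20.7 44512 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 172.31.10.5 203.0.113.20 44518 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0e5f6a7b 198.51.100.10 172.31.20.7 44518 443 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.10 172.31.10.5 55001 22 6 3 180 1700000000 1700000060 ACCEPT OK
"""


def parse_record(line):
    """Split one default-format record into a dict; reject malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(FIELDS, parts))


def owner(ip):
    """Return (instance, 'private'|'public') for an inventory address, else None."""
    for name, addrs in INSTANCES.items():
        for kind, addr in addrs.items():
            if addr == ip:
                return name, kind
    return None


def classify(rec):
    """Label a record as (label, sender, receiver) by the address kinds at each end.

    intra-vpc            : private -> private, stayed on the VPC "local" route
    igw-hairpin-outbound : private -> public, sender resolved the peer's public IP,
                           so the default route carried the packet to the IGW
    igw-hairpin-inbound  : public -> private, return leg; the IGW rewrote the
                           source to the sender's public IP and the destination
                           to the receiver's private IP
    In both hairpin labels the sender is the instance that used the public IP.
    """
    src, dst = owner(rec["srcaddr"]), owner(rec["dstaddr"])
    if src is None or dst is None:
        return ("external", None, None)
    (sname, skind), (dname, dkind) = src, dst
    if skind == "private" and dkind == "private":
        return ("intra-vpc", sname, dname)
    if skind == "private" and dkind == "public":
        return ("igw-hairpin-outbound", sname, dname)
    if skind == "public" and dkind == "private":
        return ("igw-hairpin-inbound", sname, dname)
    return ("public-to-public", sname, dname)  # not expected on a VPC ENI


def hairpin_pairs(log_text):
    """Return {(sender, receiver): record_count} for flows in which the sender
    addressed the receiver by its public IP. A pair with both legs captured on
    two logged ENIs counts 2; a self-hairpin shows sender == receiver."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        label, sname, dname = classify(parse_record(line))
        if label.startswith("igw-hairpin"):
            counts[(sname, dname)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (sender, receiver), n in sorted(hairpin_pairs(SAMPLE_LOG).items()):
        note = " (self, via own public IP)" if sender == receiver else ""
        print(f"{sender} -> {receiver} by public IP: {n} record(s){note}")
```

The sender named in each pair is the instance whose name resolution to inspect: it is the one that obtained the peer's public IP, which is where DNS query logging for the VPC, as the answer suggests, would show which name was looked up.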
