Is it possible to route an IP address via VPC peering with an IP address outside the VPC CIDRs?

0

Hello,

I have this VPC.

VPC A - 10.10.0.0/16

  • EC2 instance with an ENI accepting 10.20.1.1 (the source/destination check flag is disabled for this ENI). Let's call this ec2-eni.
  • Route table:
    • 10.20.1.0/24 ec2-eni

Now I have a VPC B with CIDR 10.11.0.0/16 and some EC2 instances running in it. I need to make sure 10.20.1.1 is reachable also from this VPC. I tried peering between the two, and in the route table of VPC B I added:

  • 10.20.1.0/24 A-B-Peering

But it doesn't seem to work. Is there a way to make this work in AWS?

Thanks

Asked 2 years ago · 1.3K views
1 answer
0

Maybe it's a typo but the way you've written it, your VPC A is the 10.10.x.x block but it contains a 10.20.x.x instance - that doesn't look right.

Assuming VPC A is actually 10.20.0.0/16, you need the following routes:

  • The route table for the subnet in VPC A containing 10.20.1.1 needs a route directing traffic for 10.11.0.0/16 to the peering connection.
  • The route table for the subnet in VPC B containing your other instance needs a route directing traffic for 10.20.0.0/16 to the peering connection.

That way both requests and responses are handled.

In addition you need your subnet ACLs set appropriately (default should do). And the Security Group egress rules on the instance initiating a request, and the Security Group ingress rules on the instance receiving a request, need to be set up allowing the other SG, instance IP, subnet CIDR or VPC CIDR.

Expert
Answered 2 years ago
  • Unfortunately not a typo. For legacy reasons, I really have a 10.20.1.1 in a 10.10.0.0 subnet. Inside the subnet this works thanks to the ENI. Wondering if peering is possible though.

  • Oh I see. In short no, you can't do this with VPC Peering as it's not transitive. The traffic doesn't originate or terminate on a network interface in the VPC, so there's no associated route table directing traffic for the next hop, which it looks like is what you need (10.20.1.0/24 ec2-eni). Transit Gateway can do this if that suits your environment. Another option that may be worth exploring is using part of the "Transit VPC" strategy that pre-dates Transit Gateway. Basically you could put a VGW in one VPC and make a VPN connection between it and VPN software running in an EC2 instance (or preferably two for redundancy) in the other VPC.
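The exchange above comes down to two routing facts: a peering connection only delivers packets whose destination lies inside the peer VPC's own CIDR blocks (a pcx route pointing at any other prefix is matched but dropped), and a conversation needs a matching route in each direction. The following script is an added example, not code from the question's author, the answerer or AWS; it models route-table resolution with those two rules and replays both the layout from the question (10.20.1.1 behind an ENI inside 10.10.0.0/16) and the layout the answer assumes (VPC A owning 10.20.0.0/16). All VPC names, the `pcx-ab` and `eni-legacy` ids and the `10.11.0.5` client address are constructed; `audit_peering_routes` is the configuration check a practitioner would run over a route table before relying on a peering.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Vpc:
    name: str
    cidrs: List[ipaddress.IPv4Network]

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in c for c in self.cidrs)


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    target: str  # "local", a peering id ("pcx-..."), or an ENI id ("eni-...")


# A peering is the pair of VPCs it joins; the "other side" depends on the VPC
# the packet is leaving from.
Peerings = Dict[str, Tuple[Vpc, Vpc]]


def peer_of(vpc: Vpc, pcx: str, peerings: Peerings) -> Optional[Vpc]:
    pair = peerings.get(pcx)
    if pair is None or vpc not in pair:
        return None
    return pair[1] if pair[0] == vpc else pair[0]


def longest_match(routes: List[Route], ip: ipaddress.IPv4Address) -> Optional[Route]:
    """A route table always picks the most specific matching prefix."""
    matches = [r for r in routes if ip in r.dest]
    return max(matches, key=lambda r: r.dest.prefixlen) if matches else None


def next_hop(vpc: Vpc, routes: List[Route], dst: str, peerings: Peerings) -> Tuple[bool, str]:
    """Decide whether a packet leaving `vpc` for `dst` is forwarded, and why.

    A peering connection only delivers to addresses inside the peer VPC's own
    CIDR blocks, so a pcx route that matches any other destination is dropped.
    """
    ip = ipaddress.ip_address(dst)
    route = longest_match(routes, ip)
    if route is None:
        return False, f"{vpc.name}: no route to {dst}"
    if route.target == "local":
        return vpc.contains(ip), f"{vpc.name}: local delivery of {dst}"
    if route.target.startswith("eni-"):
        # In-VPC next hop: the instance behind the ENI receives the packet,
        # which is why 10.20.1.1 is reachable inside VPC A in the question.
        return True, f"{vpc.name}: {dst} handed to {route.target}"
    peer = peer_of(vpc, route.target, peerings)
    if peer is None:
        return False, f"{vpc.name}: unknown target {route.target}"
    if peer.contains(ip):
        return True, f"{vpc.name}: {dst} forwarded over {route.target} to {peer.name}"
    return False, (f"{vpc.name}: {dst} matched {route.dest} -> {route.target} but lies outside "
                   f"{peer.name} CIDRs {[str(c) for c in peer.cidrs]}; dropped at the peering")


def audit_peering_routes(vpc: Vpc, routes: List[Route], peerings: Peerings) -> List[str]:
    """Config check: flag every pcx route whose prefix is not within the peer's CIDRs."""
    findings = []
    for r in routes:
        peer = peer_of(vpc, r.target, peerings)
        if peer is not None and not any(r.dest.subnet_of(c) for c in peer.cidrs):
            findings.append(f"{vpc.name}: {r.dest} -> {r.target} is not within {peer.name}")
    return findings


def reachable_both_ways(vpc_a, routes_a, ip_a, vpc_b, routes_b, ip_b, peerings):
    """The answer's point: the request (B -> A) and the reply (A -> B) each need a route."""
    fwd_ok, fwd = next_hop(vpc_b, routes_b, ip_a, peerings)
    rev_ok, rev = next_hop(vpc_a, routes_a, ip_b, peerings)
    return fwd_ok and rev_ok, [fwd, rev]


# --- constructed scenarios (values taken from the question and the answer) ---
N = ipaddress.ip_network
VPC_A = Vpc("VPC A", [N("10.10.0.0/16")])
VPC_B = Vpc("VPC B", [N("10.11.0.0/16")])
PEERINGS = {"pcx-ab": (VPC_A, VPC_B)}

# Layout from the question: 10.20.1.1 lives behind an ENI inside 10.10.0.0/16.
ROUTES_A = [Route(N("10.10.0.0/16"), "local"), Route(N("10.20.1.0/24"), "eni-legacy"),
            Route(N("10.11.0.0/16"), "pcx-ab")]
ROUTES_B = [Route(N("10.11.0.0/16"), "local"), Route(N("10.20.1.0/24"), "pcx-ab")]

# Layout assumed by the answer: VPC A really owns 10.20.0.0/16.
VPC_A2 = Vpc("VPC A (10.20)", [N("10.20.0.0/16")])
PEERINGS2 = {"pcx-ab": (VPC_A2, VPC_B)}
ROUTES_A2 = [Route(N("10.20.0.0/16"), "local"), Route(N("10.11.0.0/16"), "pcx-ab")]
ROUTES_B2 = [Route(N("10.11.0.0/16"), "local"), Route(N("10.20.0.0/16"), "pcx-ab")]


def scenario_from_question():
    return reachable_both_ways(VPC_A, ROUTES_A, "10.20.1.1", VPC_B, ROUTES_B, "10.11.0.5", PEERINGS)


def scenario_from_answer():
    return reachable_both_ways(VPC_A2, ROUTES_A2, "10.20.1.1", VPC_B, ROUTES_B2, "10.11.0.5", PEERINGS2)


if __name__ == "__main__":
    for label, (ok, trace) in (("question", scenario_from_question()), ("answer", scenario_from_answer())):
        print(f"[{label}] reachable={ok}", *trace, sep="\n    ")
    print(*audit_peering_routes(VPC_B, ROUTES_B, PEERINGS), sep="\n")
```

Running it shows the question's layout failing on the B -> A leg (the packet matches `10.20.1.0/24 -> pcx-ab` in VPC B but 10.20.1.1 is outside VPC A's 10.10.0.0/16, so the peering drops it) while the reverse leg succeeds, and the answer's layout succeeding in both directions. The audit reports the same bad route statically, which is the check to add to whatever reviews route tables in your environment.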
