EC2 Information Required

0

Dear All

I am fairly new to AWS so please bear with me :)

I have two EC2 instances in 2 availability zones. I have enabled ICMP in my security groups to ping each other (private IPs). I am able to ping (private IPs) between the two instances which are in different availability zones. Why is this possible? I am not supposed to ping them because they are on two different networks (subnets). Will I be charged for the pings across two AZs?

Also, how can I set up an instance in one region and ping another instance in another region? VPC peering?

Thank you

Kaiz
asked 4 years ago · 266 views
4 Answers
0
Accepted Answer

First off, I mis-typed with regards to AZ data charges: it's $0.01/GB between AZs. Your pings will do nothing to your bill; it's inconsequential.

Within a VPC, there are, generally speaking, four dimensions that determine traffic flow:
On-instance firewall/proxies (e.g. iptables; usually not relevant for most AMIs out of the box)
NACLs (stateless firewall). By default, these allow any traffic to flow in both directions, and many people leave it that way, as these can be hard to manage.
Subnet routing: WITHIN A VPC, ALL SUBNETS CAN ROUTE TO EACH OTHER. Look at any subnet route table, notice the local entry. Also notice you can't change that.
Security Group: aka stateful firewall. This is the primary mechanism by which you would control traffic into/out of EC2 instances that reside within the same VPC.

If this isn't clear to you and you want to understand it further, you should really take a look at the AWS VPC documentation. There are a lot of great diagrams, etc. that help explain the basics.

answered 4 years ago
0

There should be no intra-region data charges.

They are pingable because you made them pingable. If you want to share your security group rules, it will be more clear, but perhaps they are in the same security group and you created an inbound rule for that security group, or you used the IP range of the VPC (often a /16, whereas your subnets are usually smaller, say a /24).
By default in routing tables for a single VPC, traffic will route among all availability zones in the VPC (see the local entry in the routing tables), and it's up to the security groups (typically) to allow specific types of traffic.

Between regions, if you are using private subnets, yes, you need peering or transit gateway, or an EC2-based VPN solution.

answered 4 years ago
0

Hey

Many thanks for the response. I am super confused: if two instances are in separate AZs then they should not ping, because each AZ is a network and since they are in different AZs they are in different networks. I can share my security group but it won't help, as I have enabled SSH and ICMP for pings and nothing more. I think I do not understand the concept of VPC correctly. I have even attached two different security groups with ICMP and SSH enabled for the two instances. So in a nutshell, I have two instances in different AZs with two different security groups. Awaiting your positive response.

Kaiz
answered 4 years ago
0

Hey

Many thanks for the response, really appreciate it. I checked the local entry and the local entry for the VPC is 172.31.0.0/16, meaning the entire subnet. My machines have a private IP of 172.31.39.178 and 172.31.28.255. So they fall under 172.31.0.0/16. Thanks for the note that all subnets can route to each other in a VPC.

Kaiz
answered 4 years ago
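The accepted answer's layers (local route, stateless NACL, stateful security group) and the 172.31.0.0/16 local entry Kaiz found can be walked through in code. The following is an added example, not code from this thread or from AWS: the route table, NACL and security group rules are constructed to mirror the default VPC, the instance IPs are the two quoted in the thread, and the igw-EXAMPLE route target and sg-* names are placeholders. It evaluates whether an ICMP echo between two private IPs would be permitted, and why not when it is blocked, including the tighter pattern of allowing ICMP only from a named security group rather than the whole /16.

```python
"""Walk the VPC layers that decide whether an ICMP echo between two EC2
private IPs is permitted: subnet route table (local entry), network ACL
(stateless, both directions) and security group (stateful, inbound only).
All data below is constructed for illustration; it is not AWS API output."""
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed: the default-VPC CIDR and the two instance IPs quoted in the thread.
INSTANCES: Dict[str, dict] = {
    "i-a": {"ip": "172.31.39.178", "sg": "sg-a"},
    "i-b": {"ip": "172.31.28.255", "sg": "sg-b"},
}

# Assumed route table. AWS adds the 'local' entry for the VPC CIDR and it cannot
# be removed, so every subnet in the VPC can reach every other subnet.
ROUTES = [
    {"dest": "172.31.0.0/16", "target": "local"},
    {"dest": "0.0.0.0/0", "target": "igw-EXAMPLE"},  # placeholder gateway id
]

# Assumed NACL, shared by both subnets (the default NACL allows everything).
# NACLs are stateless: inbound and outbound are evaluated independently and the
# lowest-numbered matching rule wins, so the echo reply must also be allowed.
NACL = {
    "inbound": [{"rule": 100, "proto": "all", "cidr": "0.0.0.0/0", "action": "allow"},
                {"rule": 32767, "proto": "all", "cidr": "0.0.0.0/0", "action": "deny"}],
    "outbound": [{"rule": 100, "proto": "all", "cidr": "0.0.0.0/0", "action": "allow"},
                 {"rule": 32767, "proto": "all", "cidr": "0.0.0.0/0", "action": "deny"}],
}

# Assumed security groups. SGs are stateful and allow-only: the destination's
# inbound rules decide, and the reply is admitted automatically.
# 'source' is either a CIDR or another security group id.
SECURITY_GROUPS = {
    "sg-a": {"inbound": [{"proto": "icmp", "source": "172.31.0.0/16"},
                         {"proto": "tcp", "port": 22, "source": "0.0.0.0/0"}]},
    "sg-b": {"inbound": [{"proto": "icmp", "source": "172.31.0.0/16"},
                         {"proto": "tcp", "port": 22, "source": "0.0.0.0/0"}]},
    # Least-privilege variant: ICMP only from members of sg-a, not the whole /16.
    "sg-b-strict": {"inbound": [{"proto": "icmp", "source": "sg-a"}]},
    # SSH only, no ICMP rule at all.
    "sg-ssh-only": {"inbound": [{"proto": "tcp", "port": 22, "source": "172.31.0.0/16"}]},
}


def route_target(dst_ip: str) -> Optional[str]:
    """Longest-prefix match over the route table, as the VPC router does."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for r in ROUTES:
        net = ipaddress.ip_network(r["dest"])
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r["target"])
    return best[1] if best else None


def nacl_allows(direction: str, proto: str, remote_ip: str) -> bool:
    """First matching rule in ascending rule-number order decides; default deny."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(NACL[direction], key=lambda r: r["rule"]):
        if rule["proto"] in ("all", proto) and ip in ipaddress.ip_network(rule["cidr"]):
            return rule["action"] == "allow"
    return False


def sg_allows_inbound(sg_id: str, proto: str, src_ip: str, src_sg: str) -> bool:
    """Any matching inbound rule allows; a rule's source may be a CIDR or an SG id."""
    ip = ipaddress.ip_address(src_ip)
    for rule in SECURITY_GROUPS[sg_id]["inbound"]:
        if rule["proto"] != proto:
            continue
        src = rule["source"]
        if src.startswith("sg-"):
            if src == src_sg:
                return True
        elif ip in ipaddress.ip_network(src):
            return True
    return False


def icmp_echo_permitted(src: dict, dst: dict) -> Tuple[bool, str]:
    """Check an echo request src -> dst and its reply through each layer."""
    if route_target(dst["ip"]) != "local":
        return False, "no local route: destination is outside this VPC"
    # Request: leaves src's subnet towards dst, enters dst's subnet from src.
    if not (nacl_allows("outbound", "icmp", dst["ip"]) and nacl_allows("inbound", "icmp", src["ip"])):
        return False, "NACL blocks the echo request"
    # Reply: stateless NACL must also allow the reverse direction.
    if not (nacl_allows("outbound", "icmp", src["ip"]) and nacl_allows("inbound", "icmp", dst["ip"])):
        return False, "NACL blocks the echo reply"
    if not sg_allows_inbound(dst["sg"], "icmp", src["ip"], src["sg"]):
        return False, "security group %s has no inbound ICMP rule matching the source" % dst["sg"]
    return True, "permitted by local route, NACL and security group"


if __name__ == "__main__":
    print(icmp_echo_permitted(INSTANCES["i-a"], INSTANCES["i-b"]))
    print(icmp_echo_permitted(INSTANCES["i-a"], {"ip": "10.0.0.5", "sg": "sg-b"}))
```

The point the walk-through makes is the one in the accepted answer: because the local route covers the whole 172.31.0.0/16, nothing at the routing layer separates the two AZs, so the only real control over the ping is the security group. The sg-b-strict variant shows the tighter option of referencing the peer's security group as the source instead of the VPC CIDR.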
