You have asymmetric route that causes this problem:
Client -> IGW -> Bastion -> NAT GW -> IGW -> Client
Your Bastion receives traffic (TCP SYN) to its public IP, but when it responds (TCP SYN-ACK) it gets routed from the Bastion's private IP to the NAT GW, which drops it because it is a stateful device and expects TCP traffic to begin with SYN.
With UDP there is no indication of the start of a session like SYN with TCP, so the response from the Bastion is not dropped by the NAT GW and is forwarded back to the client.
If your bastion has a public IP, why are you routing it through a NAT GW and not directly to the IGW?
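The condition described in this answer (an instance with a public IP whose subnet default route points at a NAT gateway, so inbound arrives via the IGW but replies leave via the NAT GW) can be audited from route-table and instance data. The script below is an added example and is not from the thread or from AWS; the route tables, instances and IDs (`rtb-mgmt`, `nat-0abc`, `igw-0123`, `i-bastion`, and so on) are constructed and only mimic the shape of `aws ec2 describe-route-tables` and `aws ec2 describe-instances` output, trimmed to the fields used here. It also handles the case where a subnet has no explicit association and falls through to the VPC main route table.

```python
"""Audit for public-IP instances whose subnet default route targets a NAT GW
instead of an IGW (the asymmetric-route case: inbound via IGW, replies via
NAT GW, which drops TCP replies it never saw a SYN for).

ROUTE_TABLES and INSTANCES are constructed sample data shaped like the AWS
CLI describe-* output; the resource IDs are placeholders, not real resources.
"""
from __future__ import annotations

ROUTE_TABLES = {
    "RouteTables": [
        {   # public subnet: 0.0.0.0/0 -> IGW (correct for public-IP instances)
            "RouteTableId": "rtb-public",
            "Associations": [{"SubnetId": "subnet-public", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"},
            ],
        },
        {   # management subnet: 0.0.0.0/0 -> NAT GW (the misconfiguration)
            "RouteTableId": "rtb-mgmt",
            "Associations": [{"SubnetId": "subnet-mgmt", "Main": False}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
            ],
        },
        {   # VPC main table: used by any subnet without an explicit association
            "RouteTableId": "rtb-main",
            "Associations": [{"Main": True}],
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc", "State": "active"},
            ],
        },
    ]
}

INSTANCES = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-bastion", "SubnetId": "subnet-mgmt",
         "PrivateIpAddress": "10.0.2.10", "PublicIpAddress": "203.0.113.10"},
        {"InstanceId": "i-web", "SubnetId": "subnet-public",
         "PrivateIpAddress": "10.0.1.10", "PublicIpAddress": "203.0.113.11"},
        {"InstanceId": "i-db", "SubnetId": "subnet-private",
         "PrivateIpAddress": "10.0.3.10"},                       # no public IP
        {"InstanceId": "i-orphan", "SubnetId": "subnet-private",
         "PrivateIpAddress": "10.0.3.11", "PublicIpAddress": "203.0.113.12"},
    ]}]
}


def default_route_target(route_table: dict) -> str | None:
    """Return the target ID of the active 0.0.0.0/0 route, or None if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        # A route carries exactly one target field; check the common ones.
        for key in ("GatewayId", "NatGatewayId", "NetworkInterfaceId",
                    "TransitGatewayId", "VpcPeeringConnectionId", "InstanceId"):
            if key in route:
                return route[key]
    return None


def subnet_route_table_map(route_tables: dict) -> tuple[dict[str, dict], dict | None]:
    """Map explicitly associated subnets to their route table; return the main table separately."""
    explicit: dict[str, dict] = {}
    main: dict | None = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return explicit, main


def find_asymmetric_instances(route_tables: dict, instances: dict) -> list[dict]:
    """Flag instances holding a public IP whose effective default route is not an IGW (igw-...)."""
    explicit, main = subnet_route_table_map(route_tables)
    findings: list[dict] = []
    for reservation in instances["Reservations"]:
        for inst in reservation["Instances"]:
            public_ip = inst.get("PublicIpAddress")
            if not public_ip:
                continue  # nothing reaches it from the IGW, so no asymmetry
            rt = explicit.get(inst["SubnetId"], main)  # fall through to main table
            target = default_route_target(rt) if rt else None
            if target is None or not target.startswith("igw-"):
                findings.append({
                    "InstanceId": inst["InstanceId"],
                    "SubnetId": inst["SubnetId"],
                    "PublicIpAddress": public_ip,
                    "RouteTableId": rt["RouteTableId"] if rt else None,
                    "DefaultRouteTarget": target,
                })
    return findings


if __name__ == "__main__":
    for f in find_asymmetric_instances(ROUTE_TABLES, INSTANCES):
        print(f"{f['InstanceId']} ({f['PublicIpAddress']}) in {f['SubnetId']}: "
              f"0.0.0.0/0 -> {f['DefaultRouteTarget']} via {f['RouteTableId']}; "
              "inbound TCP SYN arrives, SYN-ACK is dropped at the NAT GW")
```

Against real accounts, feed it the JSON from the two `describe-*` calls instead of the constructed dictionaries; any instance it reports needs its subnet's 0.0.0.0/0 route changed to the IGW (or the public IP removed and a bastion placed in the public subnet).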
Completely agree
Thanks for the comment. I understand your reasoning; there is only one thing that doesn't match with this theory, and correct me if I'm wrong. Based on the documentation, for a public IP to receive traffic within a VPC, it has to have a route to the IGW. That is at least my understanding. The subnet where I placed the bastion has a route to the NAT GW ONLY. Unless the previous statement is ONLY valid for outbound traffic?
@JuanBrein can you provide a link to the documentation so I can see the exact wording?
In any case, as long as the VPC has an Internet Gateway associated with it and the EC2 instance has a public IP it will be able to receive inbound traffic from the internet.
The outbound traffic from the EC2 instance is determined by the route table associated with the subnet where the EC2 instance resides.
(If I answered your question I will appreciate if you can accept it)
There’s an issue with your configuration description.
Your bastion host has a public IP. Therefore it must be in a public subnet with a route to an IGW. But you say there’s a route of 0.0.0.0/0 to the NAT gateway. Please confirm as that configuration is invalid.
The route in the public subnet of 0.0.0.0/0 MUST route to the IGW.
The route in the private subnet of 0.0.0.0/0 MUST route to the NAT gateway that sits on the public subnet.
There is no issue in the configuration.
Both management and private subnets have NAT GW routes with destination 0.0.0.0/0. The public subnet has an IGW route with destination 0.0.0.0/0.
Now if I assign a public IP to an instance in the management subnet I still can receive UDP traffic. That should not be possible as per the VPC/NAT/IGW documentation. Is that expected?
@Didier_Durand Security Groups do not protect subnets but EC2 instances. Now if that is the case, I can tell you the instance has ALL UDP/TCP ingress allowed and UDP/TCP outbound allowed.
Although I don't think this is relevant to my problem. Even with a fully open ACL/SG and a public IP address attached to the instance, it shouldn't be possible for any internet box to send UDP traffic successfully since there is no route to the IGW.
Hi, can you edit your question and publish the security group protecting the management subnet?