Isolating Subnets Created in the Same VPC

0

I'm encountering an issue with a specific scenario...

In the past, the architect teams created one VPC, let's call it "VPN-COMMON." Then these architects created subnets inside this VPC, and everything is currently functioning correctly. However, the company now wishes to isolate one of these subnets from another subnet. In essence, they want to separate the "Stage" environment subnet from the "Prod" environment subnet.

I've attempted to create another Network Access Control List (NACL) for the Stage subnet with inbound and outbound blocking policies covering the CIDR of the "Prod" subnet. After that, I ran the reachability analyzer, but unfortunately, it was not successful. Communication between these subnets is still occurring, and the blocking policies that I created were disregarded.

Is there a way to isolate these subnets within the same VPC, or will I need to create another VPC and then migrate my "Stage" environment to this new VPC?

Matheus
asked 8 months ago · 440 views
2 Answers
1
Accepted Answer

This sort of subnet isolation is a common pattern when using a Shared VPC across AWS Accounts, so yes it can also be done within a single account. Typically you'd want better separation between Stage & Prod via separate Accounts and/or VPCs but what you're doing is technically feasible.

How are your NACLs set up? Note that each row has a "Rule #" which defines the order they are checked, smallest number first, stopping on a first match. You'll need a Deny rule for the other subnet that matches early.

EXPERT
answered 8 months ago
EXPERT
reviewed 8 months ago
  • Hello,

    I apologize for the delay in my response. I'd like to clarify the configuration of my Network Access Control Lists (NACLs). They are set up with a deny policy having a lower rule number than the allow policy. Here's an example to illustrate this:

    Rule 101: Deny all traffic to the destination IP range 10.250.3.XX/27.
    Rule 110: Allow all traffic to any destination IP (0.0.0.0/0).

    These rules pertain specifically to my outbound traffic policy.

  • That sounds fine, and this sort of setup definitely works. I guess the next thing to do is double-check everything. Make sure it's your 10.250.3.0 subnet that has the Deny rule for 10.250.3.32, and vice versa. Make sure there are no other NACL rules with lower rule numbers. Make sure the NACL assignments to subnets are correct.

  • skinsman,

    You were correct. Upon reviewing the reachability analyzer, I was able to confirm that my destination IP was set to an IP range that was not included in my NACL deny policy. After fixing that, my Stage subnet was unable to reach my production subnet. Thank you! =)
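The accepted answer and the comment thread turn on two things: NACL rules are evaluated in ascending "Rule #" order with the first match winning, and the Deny rule only helps if its CIDR actually covers the peer subnet. The following is an added example, not code from the thread or from AWS: a small Python simulator of that first-match evaluation, plus an audit helper that checks a rule set really denies a given peer CIDR. The subnet CIDRs (10.250.3.0/27 for Stage, 10.250.3.32/27 for Prod) and rule numbers are constructed from the thread's example and are assumptions, as is the hypothetical "wrong CIDR" rule set used to reproduce the asker's mistake.

```python
"""Simulate AWS Network ACL first-match evaluation (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int   # "Rule #": rules are checked lowest number first
    action: str   # "allow" or "deny"
    cidr: str     # destination CIDR (outbound) or source CIDR (inbound)


def evaluate(rules, address):
    """Return (action, rule_number) for the first rule matching `address`.

    Mirrors the NACL semantics described in the thread: ascending rule
    number, stop at the first match. If nothing matches, the implicit
    final rule "*" denies the packet (rule_number is None in that case).
    """
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if ip in ipaddress.ip_network(rule.cidr, strict=False):
            return rule.action, rule.number
    return "deny", None


def audit_isolation(rules, peer_cidr):
    """Check that traffic to every address in `peer_cidr` is denied.

    Probes the first and last address of the peer range (enough to catch
    a Deny whose CIDR is too narrow or points at the wrong block) and
    reports any address an Allow rule lets through, with the rule number
    so a shadowing lower-numbered Allow is visible too.
    """
    problems = []
    net = ipaddress.ip_network(peer_cidr, strict=False)
    for host in (net.network_address, net.broadcast_address):
        action, num = evaluate(rules, str(host))
        if action != "deny":
            problems.append(
                f"{host} reachable: allowed by rule {num}, peer not isolated"
            )
    return problems


# Constructed sample: Stage subnet's outbound NACL, as in the comment thread.
STAGE_OUTBOUND = [
    NaclRule(101, "deny", "10.250.3.32/27"),   # Prod subnet (assumed CIDR)
    NaclRule(110, "allow", "0.0.0.0/0"),
]

# Constructed: the asker's original mistake, a Deny for a range that does
# not contain the real Prod subnet (hypothetical block 10.250.3.64/27).
WRONG_CIDR_OUTBOUND = [
    NaclRule(101, "deny", "10.250.3.64/27"),
    NaclRule(110, "allow", "0.0.0.0/0"),
]

# Constructed: a lower-numbered catch-all Allow shadows the Deny entirely.
SHADOWED_OUTBOUND = [
    NaclRule(100, "allow", "0.0.0.0/0"),
    NaclRule(101, "deny", "10.250.3.32/27"),
]


if __name__ == "__main__":
    print(evaluate(STAGE_OUTBOUND, "10.250.3.40"))       # ('deny', 101)
    print(evaluate(STAGE_OUTBOUND, "10.250.3.5"))        # ('allow', 110)
    for name, rules in [("correct", STAGE_OUTBOUND),
                        ("wrong cidr", WRONG_CIDR_OUTBOUND),
                        ("shadowed", SHADOWED_OUTBOUND)]:
        print(name, audit_isolation(rules, "10.250.3.32/27") or "isolated")
```

Because NACLs are stateless, the same audit should be run against the Stage subnet's inbound rules with Prod as the source CIDR, and against Prod's NACL in both directions, which is the "vice versa" check from the comment above.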

0

Subnets are not the best boundary to separate or isolate traffic within VPC. Your best option is to create another VPC for complete separation.

AWS
EXPERT
answered 8 months ago
