EC2 Private IP Address Across Local Zones



I'm trying to access an EC2 instance in one local zone from an instance in another local zone. In us-west-2 I can launch an instance in the Los Angeles local zone and Portland local zone and then run ping from the LA instance to the private ip of the Portland instance. However, in us-east-1 I tried the same thing with the Boston local zone and the Minneapolis and was not able to connect using the instance's private ip. I was able to ping using the public ip address. Is it supported to use private ip addresses of EC2 instances across two local zones in the same region? Why does this only work in us-west-2?


2 Answers

There can be a lot of variables here. start by checking these

  • Security group of Instance where you want to reach allow traffic from instance sending traffic.
  • Check route table for both subnets, generally having a route to local on VPC CIDR is expected to talk with private IPs.
  • Can you confirm using telnet (yum install telnet) => $ telnet <PRIVATE-IP> 22. Generally SSH daemon is running on EC2 machines.
  • For ping ICMP protocol should be checked in Security group.
  • Also, make sure VPC is same.

Also to add to your questions:

1. Is it supported to use private ip addresses of EC2 instances across two local zones in the same region? 

Yes, it is supported to have communication between 2 EC2 machines across different AZs as in us-east-1a and us-east-1b, but there should be a route between them to reach to each other. ( local - in Route Table)

2. Why does this only work in us-west-2? 

From just the description of this question, it is difficult to say this, but looks like in us-west-2, the routes are properly set and in us-east-1 the routes have been fiddled with. Can you try to roughly compare the subnets/route tables.

answered 2 months ago
  • Thanks for the reply! The security group for each subnet is set to allow all ICMP, the VPC is the same, and the route table contains local. Settings between my us-east-1 and us-west-2 setup are the same. I also tried with telnet and could not connect. Telnet and ping do work from an instance in a local zone(us-east-1-bos-1a) to a private ip address in us-east-1a just not from one local zone to another (us-east-1-bos-1a to us-east-1-mia-1a). This is why I thought local zones specifically might not be supported.


Apologies for not asking this earlier.

What response do you get from PING and telnet?

If it is refused that means there is nothing running there. else,

if is connection timed out => there is some network problem which is not allowing communication.

when testing with telnet, you tried port 22 for SSH, during this did you make sure security group on INBOUND had 22 open.

additionally can you try to allow all traffic on instance which you are trying to send packets to from security group attached to instance sending requests?

Thanks. Let us know if this works?

answered 2 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions