IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS result for VPC Reachability Analyzer

0

Hi, sorry, I'm still new to AWS.

I got these errors, [IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS] and [IGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS], when I ran VPC Reachability Analyzer.

This is although I have already defined private and public subnets for this VPC and defined route tables from the private subnet to the NAT Gateway to the public subnet.

Can you help me by suggesting what I need to check?

Thanks

4 Answers
3

Without knowing exactly how the route tables are configured it's hard to provide advice. My generic suggestions are:

Make sure that the default route in the public subnet points to the Internet Gateway. Make sure that the default route in the private subnets points to the NAT Gateway(s) (you may have more than one).

I know this looks like really simple advice but it's also really easy to get route tables the wrong way around.

AWS (EXPERT)
answered 2 years ago
2

Hi,

You mentioned that you see the two error codes below in VPC Reachability Analyzer.

According to the VPC Reachability Analyzer explanation codes:

IGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS

Internet gateways reject inbound traffic with a destination address that is not the public IP address of a network interface in the VPC with an available attachment.

IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS

Traffic can't reach the internet through the internet gateway if the source address is not paired with a public IP address or if the source address does not belong to a network interface in the VPC with an available attachment.

Resolution

Verify that the instance meets all prerequisites

The instance must meet the following conditions:

  • The route table that's associated with your instance’s subnet has a default route to an internet gateway (0.0.0.0/0).
  • The internet gateway that's associated with the route isn't deleted.
  • The security group that's attached to the instance’s elastic network interface has rules allowing outbound internet traffic (0.0.0.0/0) for your ports and protocols.
  • The network access control list (network ACL) that is associated with the instance's subnet has rules allowing both outbound and inbound traffic to the internet.

Verify that the instance has a public IP address

If the instance in a public subnet doesn't have a public IP address, then the instance isn't accessible outside the virtual private cloud (VPC) where it resides. This is true even if the instance has an internet gateway.

To allow the instance connectivity to the internet, allocate an Elastic IP address, and then associate this Elastic IP address with the instance.

Refer:

Why can't my Amazon EC2 instance connect to the internet using an internet gateway?

AWS (EXPERT)
answered 2 years ago
2

Hi,

I understand that you are getting the following errors below using VPC Reachability Analyzer. The descriptions of these errors can be seen in the documentation here https://docs.aws.amazon.com/vpc/latest/reachability/explanation-codes.html

For convenience I have pasted these descriptions along with the errors below:

IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS

Traffic can't reach the internet through the internet gateway if the source address is not paired with a public IP address or if the source address does not belong to a network interface in the VPC with an available attachment.

IGW_PRIVATE_IP_ASSOCIATION_FOR_INGRESS

Internet gateways reject inbound traffic with a destination address that is not the public IP address of a network interface in the VPC with an available attachment.

In testing in my own test environment I confirmed that both of these codes are returned when the source in my test is an instance with only a private IP, the destination is an IGW, and the destination IP is a public IP outside of my VPC, e.g. "1.1.1.1".

As next steps towards resolving this issue, kindly check the following:

If testing via the IGW from a public subnet:

  • Does the source instance have a public IP?
  • Does the source instance's subnet have a default route via the IGW?

If you do not have a public IP you can associate an Elastic IP following the steps here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-eips-associating

If I want to connect to a public IP from a private subnet, then my default route 0.0.0.0/0 on the source subnet should point to the NAT gateway. The NAT gateway should be created in a public subnet. The difference between a public and a private subnet on AWS is that public subnets have a default route 0.0.0.0/0 pointing to an IGW and private subnets do not. Even if the private subnet has a default route to a NAT gateway it is still considered private. NAT gateways do not allow communications initiated on the Internet inbound to the VPC, hence this is still a private subnet. The NAT gateway should be created in a public subnet, meaning that the NAT gateway's subnet should have a default route 0.0.0.0/0 pointing to an IGW.

I hope this helps. For any concerns please feel free to reach out.

Thank you.

Phindi
answered 2 years ago
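The two answers above boil down to a small decision tree: follow the 0.0.0.0/0 route of the source instance's subnet, and either it reaches an attached IGW (in which case the instance needs a public or Elastic IP, otherwise you get IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS) or it reaches a NAT gateway that must itself sit in a subnet whose default route is an attached IGW. The script below is an added example, not code from the thread or from AWS; it walks that tree over dictionaries shaped like the output of `aws ec2 describe-route-tables`, `describe-instances`, `describe-nat-gateways` and `describe-internet-gateways`. The sample data, all IDs and the verdict strings other than the AWS explanation code are constructed for illustration; in practice you would feed it the real CLI/boto3 responses for your VPC.

```python
"""Trace an instance's default route the way Reachability Analyzer does.

Constructed sample data (trimmed to the fields the check uses); all IDs are made up.
"""

ROUTE_TABLES = [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-aaa", "State": "active"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-bbb", "State": "active"}]},
    # Misconfiguration: default route to a NAT gateway that lives in a private subnet.
    {"RouteTableId": "rtb-priv2", "Associations": [{"SubnetId": "subnet-priv2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-ccc", "State": "active"}]},
    # Main route table: subnets with no explicit association fall back to it.
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-bbb", "SubnetId": "subnet-pub", "State": "available"},
    {"NatGatewayId": "nat-ccc", "SubnetId": "subnet-priv", "State": "available"},
]
INTERNET_GATEWAYS = [
    {"InternetGatewayId": "igw-aaa", "Attachments": [{"VpcId": "vpc-1", "State": "available"}]},
]
INSTANCES = {
    "i-public-ok":     {"SubnetId": "subnet-pub",   "PublicIpAddress": "203.0.113.10"},
    "i-public-noip":   {"SubnetId": "subnet-pub",   "PublicIpAddress": None},
    "i-private-ok":    {"SubnetId": "subnet-priv",  "PublicIpAddress": None},
    "i-private-badnat": {"SubnetId": "subnet-priv2", "PublicIpAddress": None},
    "i-isolated":      {"SubnetId": "subnet-iso",   "PublicIpAddress": None},
}


def route_table_for_subnet(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route(rt):
    """Return the active 0.0.0.0/0 route of a route table, or None."""
    for r in (rt or {}).get("Routes", []):
        if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("State", "active") == "active":
            return r
    return None


def igw_attached(igw_id, igws):
    """True only if the IGW still exists and has an available VPC attachment."""
    for igw in igws:
        if igw["InternetGatewayId"] == igw_id:
            return any(a.get("State") == "available" for a in igw.get("Attachments", []))
    return False


def subnet_is_public(subnet_id, route_tables, igws):
    """A public subnet is one whose default route is an attached IGW."""
    r = default_route(route_table_for_subnet(subnet_id, route_tables))
    gw = (r or {}).get("GatewayId", "")
    return gw.startswith("igw-") and igw_attached(gw, igws)


def classify_egress(instance, route_tables, nat_gateways, igws):
    """Return (verdict, detail) for egress from the instance to the internet."""
    rt = route_table_for_subnet(instance["SubnetId"], route_tables)
    r = default_route(rt)
    if r is None:
        return "NO_DEFAULT_ROUTE", (rt or {}).get("RouteTableId", "?")
    gw = r.get("GatewayId", "")
    if gw.startswith("igw-"):
        if not igw_attached(gw, igws):
            return "IGW_NOT_ATTACHED", gw
        if not instance.get("PublicIpAddress"):
            # The source private IP has no public IP paired with it, so the IGW
            # cannot translate it: this is the explanation code from the question.
            return "IGW_PUBLIC_IP_ASSOCIATION_FOR_EGRESS", "associate an Elastic IP"
        return "OK_VIA_IGW", gw
    nat_id = r.get("NatGatewayId")
    if nat_id:
        nat = next((n for n in nat_gateways if n["NatGatewayId"] == nat_id), None)
        if nat is None or nat.get("State") != "available":
            return "NAT_GATEWAY_UNAVAILABLE", nat_id
        if not subnet_is_public(nat["SubnetId"], route_tables, igws):
            return "NAT_SUBNET_NOT_PUBLIC", f"{nat_id} is in {nat['SubnetId']}"
        return "OK_VIA_NAT", nat_id
    return "UNSUPPORTED_TARGET", str(r)


def analysis_destination(instance, route_tables):
    """Gateway to name as the path's Destination: for a private-subnet source that
    is the NAT gateway, not the IGW, or the analysis reproduces both codes."""
    r = default_route(route_table_for_subnet(instance["SubnetId"], route_tables))
    return None if r is None else (r.get("NatGatewayId") or r.get("GatewayId"))


if __name__ == "__main__":
    for name, inst in INSTANCES.items():
        print(name, classify_egress(inst, ROUTE_TABLES, NAT_GATEWAYS, INTERNET_GATEWAYS))
```

The check deliberately stops at routing and IP association, which is what the two explanation codes are about; security group and network ACL rules from the prerequisites list still have to be verified separately, and `analysis_destination` is there because, as the answer above notes, pointing the analysis at the IGW from a private subnet produces these codes even when the VPC is configured correctly.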
0

Hi Brettski, Tushar, & Phindi,

Thank you for your feedback. You're all correct, there was some misconfiguration on my NAT Gateway; I have found it already.

Thank you.

answered a year ago
  • May I ask what it is you found? I am having the same issues described here but everything mentioned in replies seems to be configured correctly for me. Thanks!
