How does "preserve client IP" with a public NLB work when targeting an instance on an intra subnet?

0

Hi AWS networking experts !

I have a VPC used for ingress services made of one public subnet and one intra subnet (with only the default local route in place). Creating an NLB in the public subnet with a target port group with the preserve client IP option enabled, I was surprised to see that the inbound connection works with a backend instance on the intra subnet (client -- internet --> NLB --> instance on intra segment).

I confirmed the source IP is preserved (I was simply forwarding SSH here), so how does return traffic make it back through the NLB if the instance's subnet has no route to the internet? This defies my knowledge of VPC routing :-)

Best!

JFN
asked a month ago · 529 views
4 Answers
2
Accepted Answer

AWS VPC is not like your traditional on-prem routers & switches.

Behind the scenes packets are encapsulated with additional layer containing the information required to know that the packet needs to be steered back to the NLB (you will not be able to see this encapsulation layer when you take packet capture in your EC2 instance).

I highly recommend you watch the session called AWS re:Invent 2017: Another Day, Another Billion Flows, where some of this "magic" called the HyperPlane is explained.

AWS
answered a month ago
EXPERT
reviewed a month ago
1

Hello,

When we create a VPC, AWS creates a local router by default. A local router will be responsible for the communication in the VPC, so for the communication between the different subnets. This local router cannot be deleted. The local router will be associated with the default route table, which cannot be deleted and is created by default. The default route table is a "table" which specifies the destination and the path the traffic has to take to reach the destination. An example of this would be:

Destination            Route
Internet (0.0.0.0/0)   Internet Gateway

In this route table, we are specifying that anything that wants to go to the Internet should be routed to the IGW.

The local router has a bit more complex route table, which just connects all the subnets together and enables them to communicate with each other.

Destination      Route
10.10.0.0/16     local
10.10.1.0/24     local
10.10.2.0/24     local

With your architecture, the NLB will be placed in a public subnet, which is actually just a normal subnet, but with an independent route table that enables traffic to the IGW and the local router. Your other private subnet will only have a route to the local router, and this local router will forward the request to the public subnet -> to the NLB.

The preserve client IP for the NLB is an option which we can enable on the NLB which is (by default) not going to affect the routing. We use this option to gain data for analytics or for security reasons.

If you have any further questions, don't hesitate to ask.

Julian
answered a month ago
EXPERT
reviewed a month ago
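An added example, not code from the thread or from AWS: a small longest-prefix-match lookup over the two route tables described in the answer above, applied to the reply of the SSH flow quoted in the question. It assumes a public subnet table with the local route plus a default route to an IGW (placeholder id `igw-PLACEHOLDER`) and an intra subnet table with only the local route; `lookup`, `parse_flow` and `reply_route` are names chosen for this example.

```python
"""Longest-prefix-match lookup against VPC-style route tables.

Added example, not code from the re:Post thread or from AWS. It models the
two route tables discussed above (a public subnet table with a default route
to the IGW, and an intra subnet table with only the local route) and shows
which route, if any, the reply to the SSH SYN would match in each. The intra
subnet CIDR and the client/instance addresses are the ones quoted in the
thread; the IGW id is a placeholder.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# Constructed route tables (illustrative, not a real account's tables).
PUBLIC_RT: List[Route] = [
    ("10.166.24.0/22", "local"),
    ("0.0.0.0/0", "igw-PLACEHOLDER"),  # placeholder IGW id
]
INTRA_RT: List[Route] = [
    ("10.166.24.0/22", "local"),  # the only route on the intra subnet
]


def lookup(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific route containing dst_ip.

    VPC route tables, like conventional routers, pick the longest prefix
    match; None means no route in the table covers the destination.
    """
    addr = ipaddress.ip_address(dst_ip)
    best_target, best_len = None, -1
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target


def parse_flow(flow: str) -> Tuple[str, int, str, int]:
    """Parse 'src_ip:src_port --> dst_ip:dst_port' as written in the thread."""
    src, dst = (part.strip() for part in flow.split("-->"))
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port)


def reply_route(route_table: List[Route], flow: str) -> Optional[str]:
    """Route the instance's reply to the flow's client using route_table.

    The reply swaps source and destination, so with client IP preserved the
    reply's destination is the real client address, not the NLB's address.
    """
    src_ip, _, _, _ = parse_flow(flow)
    return lookup(route_table, src_ip)


if __name__ == "__main__":
    syn = "84.182.56.119:60544 --> 10.166.24.23:22"  # flow quoted in the thread
    for name, table in (("public", PUBLIC_RT), ("intra", INTRA_RT)):
        print(f"{name:6s} subnet: reply to client via {reply_route(table, syn)}")
    # The intra subnet table yields None: nothing in it covers the client IP.
    # That is the puzzle in the question; per the accepted answer the reply is
    # steered back to the NLB by encapsulation the subnet route table never sees.
```

Running it prints `igw-PLACEHOLDER` for the public subnet and `None` for the intra subnet, which is exactly the gap the question is about: evaluated purely against the subnet route table, the reply to a preserved client IP has nowhere to go, so the return path has to be handled outside that table.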
0

Thank you for your reply. I was not using a default VPC, and my understanding is that for my intra subnet, since I created a custom route table for it and only the local route is present, return traffic would only be evaluated using that route table. The intra subnet route:

Destination       Target
10.166.24.0/22    local

So say the SYN packet for my SSH inbound connection looked like this (from the instance on the intra segment once passed the NLB): 84.182.56.119:60544 --> 10.166.24.23:22. Then, with only the local route in the subnet, it still looks like magic that the return packet makes it back to 84.182.56.119, no?

JFN
answered a month ago
0

If the packet comes from the NLB subnet, it will be forwarded to the local router, which will then forward it again to the target subnet (target instance IP address). The packet has a target IP address as a header so routers (of all sorts) know where to route the packet and where the final destination is. The instance then processes the data from the packet, and if it is finished, it will be routed back to the local router, which will route it to the NLB, where it does its thing.

So yes, the packet will be evaluated against the local route table, and only because of the route table can we forward packets to destinations.

Julian
answered a month ago
