
Amazon Linux Routing Challenge


Hi everyone, I have not worked with AWS for some time, so please bear with me.

I have the following topology:

  • VPC
  • Public subnet containing an Amazon Linux instance (call it the 'Firewall') with a single NIC, IP addr = and EIP = (fictitious)
  • Private subnet with Windows RDS ( and Windows AD DS (
  • Route table applied to the public subnet routes to IGW and to local
  • Route table applied to the private subnet routes to the firewall NIC and to local
  • Kernel routing is enabled (ip_forward=1) and the filter table chains (input/forward/output) are configured to ACCEPT
  • I use iptables on the firewall to DNAT inbound to and masquerade (SNAT) outbound

Basically, any instance in the private subnet routes in/out via the firewall with public IP address I note private instances have a default gateway of I assume this is an IP bound to the VPC?

I recently built a new firewall using Amazon Linux with the same config as the current (old) firewall, except private IP = and EIP = (fictitious). I want to replace this new with the old.

My issue: when I update the target for the route to the NIC of the new firewall, I do not see any traffic routing through it (I am connected via SSH running tcpdump). If I start a repeating ping from the Windows RDS to and run tcpdump on the old firewall, I can see the ICMP flow, but when I flip the target for the 0/0 route to the new firewall I see no packet flow. Both the old and new firewall have a default route to I assume this is the VPC router?

Packets from the private subnet do not appear to be reaching the new firewall and I do not know why. How do I troubleshoot further - is there a way to examine packet flow within the VPC? Thank you.

asked 2 months ago, 43 views
3 Answers
Accepted Answer

You don't mention this but just in case: Make sure that the source/destination check for your firewall instance is disabled as per our documentation for NAT instances.

Second: You can see where packets are being routed in a VPC by using VPC Flow Logs.

Third: a VPC is an overlay network, so it doesn't necessarily behave quite the way an on-premises network will. A good thing to watch here is "Another Day, Another Billion Flows", but since that takes time: one of the things that happens in a VPC is that the flow path is cached, so when you change routes you may not see the packets flow along that "new" route immediately. You might try stopping the existing ping, or try sending ICMP echo requests to another destination.

answered 2 months ago
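The second point in the accepted answer (use VPC Flow Logs to see where packets actually go) is worth making concrete, because flow logs can distinguish two cases that look identical from tcpdump on the instance: a packet the VPC never delivered to the new firewall's ENI (no record at all on that interface), and a packet that was delivered but dropped by a security group or network ACL (a REJECT record, which tcpdump on the guest never sees either). The script below is an added example, not code from the re:Post thread or from AWS; it parses records in the default version-2 flow-log format and reports, per ENI, what happened to a given source/destination pair. The log lines, account ID, ENI IDs and the 10.0.0.0/16 addresses are constructed for illustration.

```python
"""Attribute VPC Flow Log records (default version-2 format) to the ENI
that produced them, so a route change can be checked from the VPC side
rather than only from tcpdump on the instance.

Added example for the accepted answer above; not code from the re:Post
thread. The log lines, account ID, ENI IDs and 10.0.0.0/16 addresses are
constructed (hypothetical) values.
"""
from collections import defaultdict

# Field order of the default flow-log record format (version 2).
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

ENI_OLD_FW = "eni-0aaaaaaaaaaaaaaaa"   # old firewall (hypothetical ID)
ENI_NEW_FW = "eni-0bbbbbbbbbbbbbbbb"   # new firewall (hypothetical ID)
ENI_RDS = "eni-0cccccccccccccccc"      # Windows RDS host in the private subnet
ENI_ADDS = "eni-0dddddddddddddddd"     # Windows AD DS host, unrelated traffic

# Constructed records: ICMP (protocol 1) from the RDS host 10.0.2.50 to
# 8.8.8.8 over two one-minute windows. Window 1: the old firewall forwards
# the pings both ways. Window 2: the 0/0 route has been flipped; the new
# firewall's ENI logs NODATA for the first window and then a REJECT, i.e.
# the VPC delivered the packets but a security group or NACL dropped them.
SAMPLE_LOG = f"""\
2 123456789012 {ENI_RDS} 10.0.2.50 8.8.8.8 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 {ENI_OLD_FW} 10.0.2.50 8.8.8.8 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 {ENI_OLD_FW} 8.8.8.8 10.0.2.50 0 0 1 4 336 1700000000 1700000060 ACCEPT OK
2 123456789012 {ENI_NEW_FW} - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 {ENI_RDS} 10.0.2.50 8.8.8.8 0 0 1 3 252 1700000060 1700000120 ACCEPT OK
2 123456789012 {ENI_NEW_FW} 10.0.2.50 8.8.8.8 0 0 1 3 252 1700000060 1700000120 REJECT OK
2 123456789012 {ENI_ADDS} 10.0.2.60 10.0.2.50 49152 389 6 10 1200 1700000060 1700000120 ACCEPT OK
"""


def parse_records(text):
    """Parse whitespace-separated flow-log lines into dicts keyed by FIELDS.
    Lines with the wrong field count (custom formats, truncation) are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records


def flow_by_eni(records, addr_a, addr_b):
    """Per ENI: packets ACCEPTed / REJECTed for traffic between the two
    addresses (either direction) and the number of NODATA intervals.
    SKIPDATA records (log capacity loss) are ignored; they prove nothing."""
    report = defaultdict(lambda: {"ACCEPT": 0, "REJECT": 0, "NODATA": 0})
    pair = {addr_a, addr_b}
    for r in records:
        eni = r["interface-id"]
        status = r["log-status"]
        if status == "NODATA":
            report[eni]["NODATA"] += 1
        elif status == "OK" and {r["srcaddr"], r["dstaddr"]} == pair:
            report[eni][r["action"]] += int(r["packets"])
    return dict(report)


def enis_never_reached(records, addr_a, addr_b):
    """ENIs present in the log with no ACCEPT or REJECT record for the flow.
    A REJECT means the VPC delivered the packet and a security group or
    network ACL dropped it; no record at all means routing never sent it
    to that interface."""
    report = flow_by_eni(records, addr_a, addr_b)
    enis = {r["interface-id"] for r in records}
    return sorted(e for e in enis
                  if report.get(e, {}).get("ACCEPT", 0) == 0
                  and report.get(e, {}).get("REJECT", 0) == 0)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for eni, counts in sorted(flow_by_eni(recs, "10.0.2.50", "8.8.8.8").items()):
        print(eni, counts)
    print("never reached:", enis_never_reached(recs, "10.0.2.50", "8.8.8.8"))
```

Against the constructed sample this reports the old firewall ENI with 8 accepted packets, the new firewall ENI with 0 accepted, 3 rejected and one NODATA interval, and the AD DS ENI as never having seen the flow. Real records come from a flow log published to CloudWatch Logs or S3 on the VPC or on the two firewall ENIs; note that records are aggregated per capture interval, so a freshly flipped route may not show up for a few minutes. If the new firewall shows no records at all for the flow while the RDS host's ENI does, check the first point of the answer first: `aws ec2 modify-instance-attribute --instance-id <new-firewall-id> --no-source-dest-check` disables the source/destination check that would otherwise stop the ENI accepting packets not addressed to it.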

Thank you for the response. The NAT instances link is helpful. On the old FW I have the src/dst check stopped; however, on the new FW it is not stopped (like I said, it's been a while!). I will stop the src/dst check and try tomorrow morning AEST, as I have a handful of users logged on now. Thanks again! :-)

answered 2 months ago

For testing purposes I added a new route for my public home IP address with target of the new firewall and deployed a new Windows instance. It is working! Happy days.

answered 2 months ago
